document rekor cataloger
Signed-off-by: Marco Deicas <mdeicas@google.com>
mdeicas committed Aug 17, 2022
1 parent c1292ac commit 582177f
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -177,6 +177,7 @@ registry:yourrepo/yourimage:tag pull image directly from a registry (no

#### Non Default:
- cargo-auditable-binary
- rekor

### Excluding file paths

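Review bot: the cataloger is listed here as `rekor`, but the new section further down calls it the "rekor-cataloger" and never names the value a user would pass on the command line; use one name in both places and state it explicitly, e.g. "- rekor (the rekor-cataloger, see Discovery of SBOMs on Rekor below)", so readers can tell which identifier selects this cataloger.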
Expand Down Expand Up @@ -663,3 +664,12 @@ The following checks were performed on each of these signatures:
```

Consumers of your image can now trust that the SBOM associated with your image is correct and from a trusted source.

## Discovery of SBOMs on Rekor (experimental)
Syft can search the Rekor transparency log for SBOMs of binaries it finds while scanning and incorporate the results into the SBOMs it produces. This allows the use of SBOMs produced at build time (such as by a trusted builder), which can provide more information about a binary than a post-compilation analysis.

The rekor-cataloger searches Rekor by hash for binaries and performs verification to ensure that the SBOMs and attestations have not been tampered with. In the SBOM that Syft produces, the information is represented as an external document reference containing the URI and hash of the SBOM.

This is an experimental feature. It uses external sources, a functionality that is new to Syft. The use of trusted builders to produce SBOMs has not yet been fully established, and more consideration of what external sources to trust is necessary. Currently, Syft accepts any SBOM attestation that has a valid certificate issued by Fulcio.

To enable the rekor-cataloger, use the flag ``` --catalogers all ```.
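Review bot: the trust statement at the end of the third paragraph ("Syft accepts any SBOM attestation that has a valid certificate issued by Fulcio") is the security-relevant part of this section and needs to be spelled out rather than left implicit: as written, a valid Fulcio-issued certificate is the only acceptance criterion, so the reader should be told that the signer's identity is not checked against anything and that the external document reference should be verified against their own trust policy before it is relied on. Related, "performs verification to ensure that the SBOMs and attestations have not been tampered with" in the second paragraph does not say what is verified (the signature, the log entry, the SBOM hash named in the reference); listing that would make the experimental caveat concrete. Finally, the last line uses a triple-backtick inline span with padding spaces, which renders oddly; write it as `--catalogers all`, and note that `all` turns on every non-default cataloger, not only this one.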
