Add support for writing SBOMs when the build.Result is oci.Signed*.

.github/workflows/kind-e2e.yaml

@@ -39,6 +39,7 @@ jobs:
           [plugins."io.containerd.grpc.v1.cri".registry.mirrors."$REGISTRY_NAME:$REGISTRY_PORT"]
             endpoint = ["http://$REGISTRY_NAME:$REGISTRY_PORT"]
         EOF
+
     - uses: helm/kind-action@v1.2.0
       with:
         cluster_name: kind
@@ -61,6 +62,11 @@ jobs:
       run: |
         kubectl wait --timeout=2m --for=condition=Ready nodes --all
 
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@main
+      with:
+        cosign-release: 'v1.3.1'
+
     - name: Run Smoke Test
       run: |
         # Test with kind load
@@ -73,6 +79,29 @@ jobs:
         kubectl wait --timeout=60s --for=condition=Ready pod/kodata
         kubectl delete pod kodata
 
+
+    - name: Check SBOM
+      run: |
+        set -o pipefail
+
+        IMAGE=$(ko publish ./test)
+        # Strip the first line of each which contains garbage filenames.
+        SBOM=$(cosign download sbom ${IMAGE} | sed 1d)
+        KO_DEPS=$(ko deps ${IMAGE} | sed 1d)
+
+        echo '::group:: SBOM'
+        echo "${SBOM}"
+        echo '::endgroup::'
+
+        echo '::group:: ko deps'
+        echo "${KO_DEPS}"
+        echo '::endgroup::'
+
+        if [ "${SBOM}" != "${KO_DEPS}" ] ; then
+          echo Wanted SBOM and 'ko deps' to match, got differences!
+          exit 1
+        fi
+
     - name: Collect logs
       if: ${{ always() }}
       run: |

doc/ko_apply.md

@@ -72,6 +72,7 @@ ko apply -f FILENAME [flags]
       --push                           Push images to KO_DOCKER_REPO (default true)
   -R, --recursive                      Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
       --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (DEPRECATED)
+      --sbom string                    The SBOM media type to use (none will disable SBOM synthesis and upload). (default "go.version-m")
   -l, --selector string                Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
   -s, --server string                  The address and port of the Kubernetes API server (DEPRECATED)
       --tag-only                       Include tags but not digests in resolved image references. Useful when digests are not preserved when images are repopulated.

doc/ko_build.md

@@ -55,6 +55,7 @@ ko build IMPORTPATH... [flags]
       --platform string          Which platform to use when pulling a multi-platform base. Format: all | <os>[/<arch>[/<variant>]][,platform]*
   -P, --preserve-import-paths    Whether to preserve the full import path after KO_DOCKER_REPO.
       --push                     Push images to KO_DOCKER_REPO (default true)
+      --sbom string              The SBOM media type to use (none will disable SBOM synthesis and upload). (default "go.version-m")
       --tag-only                 Include tags but not digests in resolved image references. Useful when digests are not preserved when images are repopulated.
   -t, --tags strings             Which tags to use for the produced image instead of the default 'latest' tag (may not work properly with --base-import-paths or --bare). (default [latest])
       --tarball string           File to save images tarballs

doc/ko_create.md

@@ -72,6 +72,7 @@ ko create -f FILENAME [flags]
       --push                           Push images to KO_DOCKER_REPO (default true)
   -R, --recursive                      Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
       --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (DEPRECATED)
+      --sbom string                    The SBOM media type to use (none will disable SBOM synthesis and upload). (default "go.version-m")
   -l, --selector string                Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
   -s, --server string                  The address and port of the Kubernetes API server (DEPRECATED)
       --tag-only                       Include tags but not digests in resolved image references. Useful when digests are not preserved when images are repopulated.

doc/ko_resolve.md

@@ -52,6 +52,7 @@ ko resolve -f FILENAME [flags]
   -P, --preserve-import-paths    Whether to preserve the full import path after KO_DOCKER_REPO.
       --push                     Push images to KO_DOCKER_REPO (default true)
   -R, --recursive                Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
+      --sbom string              The SBOM media type to use (none will disable SBOM synthesis and upload). (default "go.version-m")
   -l, --selector string          Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
       --tag-only                 Include tags but not digests in resolved image references. Useful when digests are not preserved when images are repopulated.
   -t, --tags strings             Which tags to use for the produced image instead of the default 'latest' tag (may not work properly with --base-import-paths or --bare). (default [latest])

doc/ko_run.md

@@ -42,6 +42,7 @@ ko run IMPORTPATH [flags]
       --platform string          Which platform to use when pulling a multi-platform base. Format: all | <os>[/<arch>[/<variant>]][,platform]*
   -P, --preserve-import-paths    Whether to preserve the full import path after KO_DOCKER_REPO.
       --push                     Push images to KO_DOCKER_REPO (default true)
+      --sbom string              The SBOM media type to use (none will disable SBOM synthesis and upload). (default "go.version-m")
       --tag-only                 Include tags but not digests in resolved image references. Useful when digests are not preserved when images are repopulated.
   -t, --tags strings             Which tags to use for the produced image instead of the default 'latest' tag (may not work properly with --base-import-paths or --bare). (default [latest])
       --tarball string           File to save images tarballs

go.mod

@@ -6,20 +6,18 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.10.1
 	github.com/docker/docker v20.10.11+incompatible
 	github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960
-	github.com/evanphx/json-patch/v5 v5.5.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1
 	github.com/go-training/helloworld v0.0.0-20200225145412-ba5f4379d78b
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-containerregistry v0.7.0
 	github.com/mattmoor/dep-notify v0.0.0-20190205035814-a45dec370a17
 	github.com/mattn/go-isatty v0.0.13 // indirect
 	github.com/opencontainers/image-spec v1.0.2-0.20210730191737-8e42a01fb1b7
+	github.com/sigstore/cosign v1.3.2-0.20211120003522-90e2dcfe7b92
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.9.0
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/tools v0.1.7
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/apimachinery v0.22.4