Trusting SBOMs In The Software Supply Chain: Syft Now Creates Attestations Using Sigstore

  • aster.cloud
  • April 1, 2022
  • 4 minute read

With the recent release of Syft v0.40.0, you can now create signed SBOM attestations directly in Syft. This is made possible by Project Sigstore, which makes signing and verification of software artifacts insanely easy.

Why do attestations matter for SBOMs?

Attestations help users to validate that an SBOM comes from a trusted source in the software supply chain. As an example, I may use a container image without knowing all the software components or dependencies that are included in that image. However, if I trust whatever the producer of the container image says about what software is present, I can use the producer’s attestation to rely on that SBOM. This means that I can proceed to use the SBOM safely in my workflow in place of having done the analysis myself.

What is an attestation?

An attestation is a cryptographically signed “statement” that claims something (a “predicate”) is true about another thing (a “subject”).

In the container example above, the SBOM is the predicate and the container image is the subject, which means that the “signer” is attesting that the SBOM is an accurate representation of the contents of the container image.

The fact that this statement is signed means that consumers of this data can decide for themselves whether or not they trust the statement based on their trust of the identity (a public key, a person, a company, or some other entity) that did the signing. It also means that consumers can detect if the data they’re ingesting has been tampered with since the attestation was created.

The “statement” concept is extremely versatile because the subject can be anything someone is interested in: a commit in a repository, an executable file, a container image, and so on. And the predicate can describe anything about the subject: a code review, information on where the subject originally came from, or what software packages compose the subject, to name just a few examples.

Why was attestation added to Syft?

Syft gathers data that’s used in downstream security analysis (like vulnerability scanning), so it’s important that you have ways to safely rely on SBOM data, especially when SBOMs cross organizational boundaries. Thanks to tools like Sigstore’s Cosign, it has become incredibly easy to publish trusted data for other people to use.

Syft had already been able to produce SBOMs that could then be consumed in Cosign-based workflows (both Syft and Cosign support SBOMs in CycloneDX, SPDX, and Syft’s native format), but by bringing attestation closer to the point of data generation (directly in Syft’s execution), Syft enables a safer creation of trusted information because the statement (which includes the SBOM, itself) is signed before any data is exposed beyond the Syft process. This means there’s no chance for anyone to sneak changes into the SBOM before it gets sealed in the attestation.

How to create SBOM attestations using Syft and Sigstore

On top of that, the Syft and Cosign integration makes it easier to create SBOM attestations now that it’s just one command from a single tool.

How to create SBOM attestations with Syft

To create an SBOM attestation in Syft, just use the new `attest` command. Syft uses in-toto attestations, a framework and specification for creating and using attestations. In one fell swoop, Syft generates an SBOM for the specified target and creates an in-toto attestation for that SBOM, using Cosign’s library internally to generate and sign the in-toto statement.

1. If you don’t have a Cosign key pair, generate one.

$ cosign generate-key-pair

Note: Your private key is encrypted with a password. When you’re generating the key pair, you can store a password in the `COSIGN_PASSWORD` environment variable instead of being prompted for it by Cosign. Additionally, if you’ve already stored your password in `COSIGN_PASSWORD`, Syft will find this password and won’t need to ask you for it when signing the SBOM attestation.

2. To create the SBOM attestation and write the attestation to a file, use `syft attest` with a file redirect. (Note that aside from the `--key` argument, `syft attest <image>` uses the same syntax as `syft <image>`!)

$ syft attest --key ./cosign.key <my-image> -o cyclonedx-json > ./my-image-sbom.att.json

3. If you want, you can use Cosign to attach the attestation to an image in a container registry.

$ cosign attach attestation <my-image> --attestation ./my-image-sbom.att.json

Great! Now anyone who has your public key can use Cosign to verify your SBOM attestation, which means they can trust the SBOM’s representation of your container image.

$ cosign verify-attestation <my-image> --key ./cosign.pub

SBOM formats used for attestations

In-toto statements are flexible with the format of the predicate data (which is the SBOM, in this case). Statements declare the type of the predicate with a “predicateType” field. Since the statement is JSON data, the predicate data within the statement should also be JSON data.

Syft can create attestations with the CycloneDX JSON format, the SPDX JSON format, and with Syft’s own lossless JSON format. If you don’t specify a format, Syft defaults to its lossless JSON format.
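As an added illustration (example code written for this post, not Syft’s or Cosign’s own code), the following Python shows the two ideas from the sections above in working form: an in-toto statement with a `subject` (the image digest), a `predicateType` and a `predicate` (the SBOM), wrapped in a DSSE envelope whose signed bytes are the pre-authentication encoding of `payloadType` and body, which is why a consumer can detect tampering with either. An HMAC key stands in for Cosign’s ECDSA key pair, the image digest and SBOM are constructed samples, and the `https://cyclonedx.org/bom` predicate type is assumed to match the Cosign version in use; everything else is standard-library Python.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs (not a real image, not a real Syft SBOM).
SAMPLE_IMAGE = "registry.example/my-image"
SAMPLE_DIGEST = hashlib.sha256(b"constructed image manifest").hexdigest()
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{"type": "library", "name": "openssl", "version": "1.1.1n"}],
}

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# predicateType Cosign uses for CycloneDX SBOM predicates (assumed to match the version in use).
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"


def build_statement(subject_name, subject_sha256, predicate_type, predicate):
    """An in-toto Statement: the subject is what the claim is about, the predicate is the claim."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def pae(payload_type, payload):
    """DSSE pre-authentication encoding: the signed bytes cover the payload type as well as
    the body, so a verifier cannot be tricked into reading the body as a different type."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def encode_payload(statement):
    return json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()


def sign_envelope(statement, key):
    """Wrap a statement in a DSSE envelope. HMAC-SHA256 stands in for Cosign's ECDSA signature."""
    payload = encode_payload(statement)
    sig = hmac.new(key, pae(IN_TOTO_PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(sig).decode()}],
    }


def verify_envelope(envelope, key):
    """Return the decoded statement if some signature verifies, otherwise None."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    for entry in envelope["signatures"]:
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            return json.loads(payload)
    return None


def summarize(statement):
    """What a consumer checks before relying on the SBOM: which predicate type it carries
    and which subject digests it is bound to (compare these against the image you pulled)."""
    return {
        "predicateType": statement["predicateType"],
        "subjects": {s["name"]: s["digest"]["sha256"] for s in statement["subject"]},
    }


def with_replaced_payload(envelope, statement):
    """Copy of the envelope whose payload was swapped without re-signing (models an edited SBOM)."""
    changed = dict(envelope)
    changed["payload"] = base64.b64encode(encode_payload(statement)).decode()
    return changed


def with_payload_type(envelope, payload_type):
    """Copy of the envelope with only payloadType changed; PAE makes this fail verification too."""
    changed = dict(envelope)
    changed["payloadType"] = payload_type
    return changed


if __name__ == "__main__":
    key = b"constructed-demo-key"
    statement = build_statement(SAMPLE_IMAGE, SAMPLE_DIGEST, CYCLONEDX_PREDICATE_TYPE, SAMPLE_SBOM)
    envelope = sign_envelope(statement, key)
    print(json.dumps(summarize(verify_envelope(envelope, key)), indent=2))
    edited = build_statement(SAMPLE_IMAGE, SAMPLE_DIGEST, CYCLONEDX_PREDICATE_TYPE,
                             dict(SAMPLE_SBOM, components=[]))
    print("edited SBOM still verifies:", verify_envelope(with_replaced_payload(envelope, edited), key) is not None)
```

The file written by `syft attest` has the same three-field envelope shape (`payloadType`, base64 `payload`, `signatures`), so the `summarize` step applies to real attestations as well: after `cosign verify-attestation` has checked the signature, confirm that the subject digest equals the digest of the image you are about to run and that `predicateType` is the SBOM format your downstream tooling expects before feeding the predicate into a vulnerability scan.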

Read more about Syft’s attestation workflow.

Looking ahead with Syft, Grype, and Sigstore

We plan to integrate Syft more deeply with Sigstore in the coming months, starting by adding support for Sigstore’s “keyless workflow,” which eliminates the need for users to manage their own key pairs.

We also plan to extend attestation support into Grype to enable vulnerability scans based on trusted SBOM analysis and to provide attestations for vulnerability scans. We view attestations as a significant enhancement to the existing security workflows of the Syft and Grype ecosystem.

Be sure to grab the latest release of Syft and try out SBOM attestation for yourself!

Shout-outs <3

Big thanks to Chris Phillips for the engineering work to make this integration happen. Thanks to Santiago Torres-Arias for expert guidance on using the in-toto attestation framework. And thanks to Jake Sanders and Matt Moore for helping to make Cosign integration more accessible for other projects.

Guest post originally published on the Anchore blog by Dan Luhring
Source CNCF
