[feature] Support Docker BuildKit's Image Attestation Storage

Open ridhoq opened this issue 2 years ago • 0 comments

Is your feature request related to a problem? Please describe.

Today, GUAC supports collection from OCI artifacts via fallback artifacts and, soon, OCI referrers (#1277). Another way that supply chain artifacts are stored in OCI registries is Docker BuildKit's Image Attestation Storage. The high-level approach is that attestations like SBOMs and SLSA Provenance are stored as manifests in a manifest list alongside the image manifests. The attestations are marked with annotations to identify themselves as attestations. Here is an example manifest list with an attestation:

```json
{
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "schemaVersion": 2,
  "manifests": [
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:23678f31b3b3586c4fb318aecfe64a96a1f0916ba8faf9b2be2abee63fa9e827",
      "size": 1234,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    {
      "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "digest": "sha256:02cb9aa7600e73fcf41ee9f0f19cc03122b2d8be43d41ce4b21335118f5dd943",
      "size": 1234,
      "annotations": {
        "vnd.docker.reference.digest": "sha256:23678f31b3b3586c4fb318aecfe64a96a1f0916ba8faf9b2be2abee63fa9e827",
        "vnd.docker.reference.type": "attestation-manifest"
      },
      "platform": {
        "architecture": "unknown",
        "os": "unknown"
      }
    }
  ]
}
```

Describe the solution you'd like

Add support for this in the OCI collector.

ridhoq, Oct 09 '23 20:10
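To make the storage layout above concrete, here is an added example (not GUAC's code and not part of the issue) that walks an OCI image index, separates attestation manifests from image manifests using the `vnd.docker.reference.type` and `vnd.docker.reference.digest` annotations shown in the issue, and links each attestation back to the image manifest it describes. The sample index reuses the two entries from the issue and adds a third, constructed attestation entry whose reference digest matches no image in the index, so the code also shows how a collector would flag an attestation that cannot be attached to any subject rather than silently ingesting it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Platform is the subset of the OCI descriptor platform object used here.
type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
}

// Descriptor is the subset of an OCI descriptor needed to classify index entries.
type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
	Platform    *Platform         `json:"platform,omitempty"`
}

// Index is the subset of an OCI image index (manifest list) needed here.
type Index struct {
	MediaType     string       `json:"mediaType"`
	SchemaVersion int          `json:"schemaVersion"`
	Manifests     []Descriptor `json:"manifests"`
}

// Annotation keys and value used by BuildKit's image attestation storage,
// exactly as they appear in the issue's example index.
const (
	refDigestAnnotation = "vnd.docker.reference.digest"
	refTypeAnnotation   = "vnd.docker.reference.type"
	attestationManifest = "attestation-manifest"
)

// AttestationLinks parses an OCI image index and returns a map from each image
// manifest digest to the digests of the attestation manifests that reference it.
// Attestation entries whose reference digest does not match any image manifest
// in the same index are returned separately as dangling, so a collector can
// refuse to associate them with an image they do not actually describe.
func AttestationLinks(indexJSON []byte) (map[string][]string, []string, error) {
	var idx Index
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, nil, fmt.Errorf("parsing image index: %w", err)
	}

	// First pass: collect the digests of the real image manifests.
	images := make(map[string]bool)
	for _, m := range idx.Manifests {
		if m.Annotations[refTypeAnnotation] != attestationManifest {
			images[m.Digest] = true
		}
	}

	// Second pass: attach each attestation manifest to its subject image.
	links := make(map[string][]string)
	var dangling []string
	for _, m := range idx.Manifests {
		if m.Annotations[refTypeAnnotation] != attestationManifest {
			continue
		}
		subject := m.Annotations[refDigestAnnotation]
		if subject == "" || !images[subject] {
			dangling = append(dangling, m.Digest)
			continue
		}
		links[subject] = append(links[subject], m.Digest)
	}
	return links, dangling, nil
}

// SampleIndex is the issue's example index plus one constructed attestation entry
// (the "cccc..." digest) whose reference digest ("dddd...") matches no image manifest.
const SampleIndex = `{
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "schemaVersion": 2,
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:23678f31b3b3586c4fb318aecfe64a96a1f0916ba8faf9b2be2abee63fa9e827",
     "size": 1234, "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:02cb9aa7600e73fcf41ee9f0f19cc03122b2d8be43d41ce4b21335118f5dd943",
     "size": 1234,
     "annotations": {"vnd.docker.reference.digest": "sha256:23678f31b3b3586c4fb318aecfe64a96a1f0916ba8faf9b2be2abee63fa9e827",
                     "vnd.docker.reference.type": "attestation-manifest"},
     "platform": {"architecture": "unknown", "os": "unknown"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json",
     "digest": "sha256:cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc",
     "size": 1234,
     "annotations": {"vnd.docker.reference.digest": "sha256:dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd",
                     "vnd.docker.reference.type": "attestation-manifest"},
     "platform": {"architecture": "unknown", "os": "unknown"}}
  ]
}`

func main() {
	links, dangling, err := AttestationLinks([]byte(SampleIndex))
	if err != nil {
		panic(err)
	}
	for img, atts := range links {
		fmt.Printf("image %s has %d attestation manifest(s): %v\n", img, len(atts), atts)
	}
	fmt.Printf("dangling attestation manifests (no matching image in index): %v\n", dangling)
}
```

The two-pass structure matters: the set of legitimate subjects is computed from the index itself before any attestation is attached, so an attestation entry only ever links to a digest that is a real image manifest in the same manifest list.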