Attach a signed SBOM to a container image
A Software Bill of Materials (SBOM) is a build manifest that lists the components used to build a piece of software. An SBOM can be used to track the provenance of a piece of software, including container images, throughout its lifecycle. This article shows you how to create an SBOM for a container image, sign it, and attach it to the image using CLI tools. Other approaches are possible, including using a CI/CD pipeline to automate the process.
Prerequisites
Before you begin, make sure you have the following:
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
- The latest version of the Azure CLI installed and configured for your subscription.
- An existing Azure Container Registry (ACR) in your subscription.
- Notation CLI installed.
- ORAS CLI installed.
- sbom-tool installed.
Sign in to your registry
Sign in to your ACR and get an access token for your registry. For example, the following commands use the Azure CLI to sign in to your registry and store the access token for that registry in the PASSWORD environment variable.
# Update the ACR_NAME variable with the name of your registry
ACR_NAME=<acr-name>
PASSWORD=$(az acr login --name $ACR_NAME --expose-token --output tsv --query accessToken)
Note
ACR and ORAS support multiple authentication options for users and system automation. This article uses individual identity, using an Azure token. For more authentication options see Authenticate with an Azure container registry.
Build and push a container image
Use az acr build to build and push a container image to your registry.
REPO=net-monitor
TAG=v1
REGISTRY=$ACR_NAME.azurecr.io
IMAGE=$REGISTRY/${REPO}:$TAG
IMAGE_SOURCE=https://github.com/wabbit-networks/net-monitor.git#main
az acr build -r $ACR_NAME -t $IMAGE $IMAGE_SOURCE
Sign in with the Notation CLI
Use notation login to sign in to your registry.
Important
When using the access token for your ACR, you must use 00000000-0000-0000-0000-000000000000
as the user name.
export USER_NAME="00000000-0000-0000-0000-000000000000"
notation login -u $USER_NAME -p $PASSWORD $REGISTRY
Sign the image
Use notation sign to sign the image.
Important
You must have a signing certificate and key pair to sign the image. For example, Build, sign, and verify container images using Notary and Azure Key Vault shows how to use Azure Key Vault to create a signing certificate and key pair.
notation sign $IMAGE
Use notation ls to list the signatures on the image.
notation ls $IMAGE
The following example output shows the signature on the image.
<acr-name>.azurecr.io/net-monitor@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
└── application/vnd.cncf.notary.signature
    └── sha256:111222333444555666777888999000aaabbbcccdddeeefff1112223334445556
Create an SBOM
Use sbom-tool to create an SBOM for the image. For example, the following commands create an SBOM for the image and store it in the ./sbom directory.
SBOM_DIR=./sbom
PACKAGE_SUPPLIER=MyCompany
PACKAGE_NAME=TestProject
PACKAGE_VERSION=1.0.0
mkdir $SBOM_DIR
sbom-tool generate -m $SBOM_DIR -di $IMAGE -ps $PACKAGE_SUPPLIER -pn $PACKAGE_NAME -pv $PACKAGE_VERSION
Attach the SBOM to the image
Use oras attach to attach the SBOM to the image. For example, the following command attaches the manifest.spdx.json file to the image.
SBOM_FILE=$SBOM_DIR/_manifest/spdx_2.2/manifest.spdx.json
oras attach $IMAGE $SBOM_FILE --artifact-type example/sbom
Sign the SBOM
Use oras discover to get the digest for the SBOM.
oras discover $IMAGE -o tree
The following example output shows the digests of the image, the attached SBOM, and the signature.
$ oras discover $IMAGE -o tree
<acr-name>.azurecr.io/net-monitor@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
├── example/sbom
│   └── sha256:fffeeedddcccbbbaaa000999888777666555444333222111fffeeedddcccbbba
└── application/vnd.cncf.notary.signature
    └── sha256:111222333444555666777888999000aaabbbcccdddeeefff1112223334445556
Use notation sign to sign the SBOM, using the digest value of the SBOM from the previous command.
SBOM=$REGISTRY/${REPO}@sha256:fffeeedddcccbbbaaa000999888777666555444333222111fffeeedddcccbbba
notation sign $SBOM
Use notation ls to list the signatures on the SBOM.
notation ls $SBOM
The following example shows the signature on the SBOM.
$ notation ls $SBOM
<acr-name>.azurecr.io/net-monitor@sha256:fffeeedddcccbbbaaa000999888777666555444333222111fffeeedddcccbbba
└── application/vnd.cncf.notary.signature
    └── sha256:fedcba0987654321fedcba0987654321fedcba0987654321fedcba0987654321
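The step above copies the SBOM digest out of the oras discover tree by hand, which is error-prone: a mistyped or truncated digest either fails to resolve or, worse, signs the wrong artifact. The following POSIX shell script is an added example, not code from the original article or from the ORAS or Notation projects. It pulls the digest listed under a given artifact type (example/sbom, as attached earlier) out of the tree output, checks that it is a well-formed sha256 digest before building the reference to sign, and fails loudly otherwise. It assumes the tree layout shown in the article (an artifact-type line followed by an indented sha256: line) and reuses the article's REGISTRY and REPO variables; the tree text embedded in the script is a constructed sample taken from the example output so the script runs offline.

```shell
#!/bin/sh
# Added example: derive the SBOM reference to sign from `oras discover $IMAGE -o tree`
# output instead of copying the digest by hand. Assumes the tree format shown in the
# article; the artifact type and registry/repo names are the article's examples.

# Constructed sample of the tree output (copied from the article's example), so the
# functions below can be exercised without a registry.
SAMPLE_TREE='<acr-name>.azurecr.io/net-monitor@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
├── example/sbom
│   └── sha256:fffeeedddcccbbbaaa000999888777666555444333222111fffeeedddcccbbba
└── application/vnd.cncf.notary.signature
    └── sha256:111222333444555666777888999000aaabbbcccdddeeefff1112223334445556'

# Print the first sha256 digest listed directly under the given artifact type.
# Prints nothing if the type is not present in the tree.
# usage: digest_for_type <artifact-type> <tree-output>
digest_for_type() {
  printf '%s\n' "$2" | awk -v want="$1" '
    # A line whose last field is the wanted artifact type starts the block we care about.
    $NF == want { found = 1; next }
    # First digest line inside that block: print it and stop.
    found && match($0, /sha256:[0-9a-f]+/) { print substr($0, RSTART, RLENGTH); exit }
    # Any other artifact-type line (contains a "/") ends the block.
    index($NF, "/") > 0 { found = 0 }
  '
}

# Return 0 only for "sha256:" followed by exactly 64 lowercase hex characters.
# usage: is_sha256_digest <string>
is_sha256_digest() {
  case "$1" in
    sha256:*) rest=${1#sha256:} ;;
    *) return 1 ;;
  esac
  [ "${#rest}" -eq 64 ] || return 1
  case "$rest" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Build "<registry>/<repo>@<digest>" for the artifact of the given type, failing
# with a message on stderr if no well-formed digest was found.
# usage: sbom_reference <registry/repo> <artifact-type> <tree-output>
sbom_reference() {
  d=$(digest_for_type "$2" "$3")
  if ! is_sha256_digest "$d"; then
    echo "no well-formed sha256 digest found for artifact type $2" >&2
    return 1
  fi
  printf '%s@%s\n' "$1" "$d"
}

# Demonstration against the constructed sample. In the real workflow the tree text
# would come from:  TREE=$(oras discover "$IMAGE" -o tree)
REGISTRY=${REGISTRY:-<acr-name>.azurecr.io}
REPO=${REPO:-net-monitor}
SBOM=$(sbom_reference "$REGISTRY/$REPO" example/sbom "$SAMPLE_TREE")
echo "SBOM reference to sign: $SBOM"
# notation sign "$SBOM"   # run this against a real registry once SBOM is derived
```

Parsing tree output is convenient for a quick check but ties the script to a display format; for unattended pipelines, the JSON output of oras discover (the same -o flag with the json value) read with a JSON tool such as jq is the more stable choice, and the digest validation above still applies before the reference is handed to notation sign.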
Next Steps
See the overview of each stage for more information: