Software Bill of Materials

A Software Bill of Materials (SBOM) is a complete, formally structured list of the components required to build a given piece of software. An SBOM provides insight into the software supply chain and into any license-compliance and security concerns that may exist in it.

The Cilium SBOM is generated using the syft tool. To learn more about SBOM, see what an SBOM can do for you.

Prerequisites

Download SBOM

You can download the SBOM in-toto attestation from the supplied Cilium image using the following command:

$ cosign download attestation --predicate-type spdxjson <Image URI> | jq -r .payload | base64 -d | jq .predicate > ciliumSBOM.spdx.json

Verify SBOM attestation

To verify the SBOM in-toto attestation on the supplied Cilium image, run the following command:

$ TAG=v1.17.0-dev
$ cosign verify-attestation --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/cilium/cilium/.github/workflows --type spdxjson <Image URI> 2>&1 | head -n 13

For example:

$ cosign verify-attestation --certificate-github-workflow-repository cilium/cilium \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp https://github.com/cilium/cilium/.github/workflows \
--type spdxjson quay.io/cilium/cilium-ci:d2d270a42b674ca1e7c536186691d8ac8317fd64  2>&1 | head -n 13

Verification for quay.io/cilium/cilium-ci:d2d270a42b674ca1e7c536186691d8ac8317fd64 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject: https://github.com/cilium/cilium/.github/workflows/build-images-ci.yaml@refs/pull/34011/merge
Certificate issuer URL: https://token.actions.githubusercontent.com
GitHub Workflow Trigger: pull_request
GitHub Workflow SHA: 7d967b8355489cef6a787558ac70c9c619463284
GitHub Workflow Name: Image CI Build
GitHub Workflow Repository: cilium/cilium
GitHub Workflow Ref: refs/pull/34011/merge

The Certificate subject and Certificate issuer URL fields of the output confirm that the image was signed by a GitHub Actions workflow in the Cilium repository.

Note

The in-toto Attestation Framework provides a specification for generating verifiable claims about any aspect of how a piece of software is produced. Consumers or users of software can then validate the origins of the software, and establish trust in its supply chain, using in-toto attestations.
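As an added example that is not part of the Cilium documentation, the following Python reproduces offline what the `jq -r .payload | base64 -d | jq .predicate` step of the download command does, and adds the check the pipeline alone skips: that the in-toto Statement's subject digest is the digest of the image you pulled. The envelope, image name, digest, package names and versions are constructed sample values; the predicate type URI is the one cosign uses for `--predicate-type spdxjson`.

```python
import base64
import json

SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # selected by cosign's --predicate-type spdxjson
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed DSSE envelope in the shape `cosign download attestation` emits:
# the payload is a base64-encoded in-toto Statement whose predicate is the SPDX document.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "quay.io/example/cilium", "digest": {"sha256": "ab" * 32}}],  # constructed
    "predicateType": SPDX_PREDICATE_TYPE,
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "constructed-sbom",
        "packages": [
            {"name": "golang.org/x/net", "versionInfo": "v0.23.0", "licenseConcluded": "BSD-3-Clause"},
            {"name": "github.com/cilium/ebpf", "versionInfo": "v0.15.0", "licenseConcluded": "MIT"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"sig": "constructed-placeholder"}],  # signature is checked by cosign, not here
})


def extract_sbom(envelope_json: str, expected_sha256: str) -> dict:
    """Decode the envelope and return the SPDX predicate, refusing a statement that is
    not an SPDX SBOM or that is about a different image digest than the one expected."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("not an in-toto attestation envelope")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType {statement.get('predicateType')!r}")
    # The subject is what the attestation is about; bind it to the image digest you pulled.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if expected_sha256 not in digests:
        raise ValueError("attestation subject does not match the image digest")
    return statement["predicate"]


def list_packages(sbom: dict) -> list:
    """Flatten the SPDX package list to sorted (name, version, license) tuples for review."""
    return sorted(
        (p.get("name", ""), p.get("versionInfo", ""), p.get("licenseConcluded", "NOASSERTION"))
        for p in sbom.get("packages", [])
    )
```

Run `extract_sbom` on the output of the download command only after `cosign verify-attestation` has succeeded for the same image, since decoding alone proves nothing about who produced the SBOM.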