Images are now being pushed to OCI registries with more and more metadata, including attestations, signatures, and SBOMs. What is involved in adding your own artifacts? This talk walks through how OCI recently standardized the process and describes how additional data can be attached to an image that is addressed by an immutable digest. You'll learn how tooling can ship SBOMs alongside images, both for the vendor generating the SBOM and for the user searching for it. The talk also covers many of the gotchas you may encounter when implementing this yourself.
Speaker Bio:
Brandon Mitchell is a Senior Solutions Architect for BoxBoat, an IBM company, a Docker Captain, an OCI Maintainer, and a maintainer of various OSS projects. He focuses on defining specs in OCI, improving software supply chain security, and implementing reproducible builds for container images. He can often be found answering questions on Stack Overflow unless the weather is good enough for a bike ride.