Support for docker buildx/moby provenance and build attestations #826
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Docker has native support for provenance and SBOM metadata via syft and build attestations.
It would be nice to support cosign signing when the registry image is pushed, as well.
New or Affected Resource(s)
docker_image
docker_registry_image
Potential Terraform Configuration
```hcl
resource "docker_image" "attested" {
  attest {
    provenance = "max" // sets `--provenance=mode=max`
    // provenance = "min" // alternatively, sets `--provenance=mode=min`
    sbom       = true  // sets the `--sbom=true` buildx arg
  }
}
```

Docker CLI args conflict somewhat when both the SBOM and provenance attestations are mentioned; the respective shortcuts must be used.
```hcl
resource "docker_registry_image" "distroless" {
  name = docker_image.attested.name
  signing {
    key      = "cosign.key"
    password = "pa55w01<D" // sets the COSIGN_PASSWORD env var before calling cosign
  }
}
```
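What the proposed `attest {}` and `signing {}` blocks would have to run under the hood, as an added example that is not the issue's or the provider's code: hypothetical helpers compose the buildx build with attestations, the push, and the cosign signature, with the password handed to cosign only through `COSIGN_PASSWORD` for that one process. Image tag, key path and helper names are assumptions.

```shell
#!/bin/sh
# Added example; not the issue author's or terraform-provider-docker code.
# Hypothetical helpers that turn the proposed attest{} / signing{} attributes
# into the docker buildx and cosign command lines they stand for.
set -eu

# attest_flags MODE SBOM -> prints the buildx attestation flags.
#   MODE is "max", "min" or "" (no provenance); SBOM is "true" or "false".
# Rejects an unknown mode instead of emitting a flag buildx would refuse.
attest_flags() {
  mode="$1"; sbom="$2"; out=""
  case "$mode" in
    max|min) out="--provenance=mode=$mode" ;;
    "")      ;;
    *) echo "attest: unknown provenance mode '$mode'" >&2; return 1 ;;
  esac
  [ "$sbom" = "true" ] && out="${out:+$out }--sbom=true"
  printf '%s' "$out"
}

# build_cmd IMAGE MODE SBOM -> prints the full build-and-push command line.
build_cmd() {
  flags=$(attest_flags "$2" "$3")
  printf 'docker buildx build %s--push -t %s .' "${flags:+$flags }" "$1"
}

# sign_cmd KEY IMAGE -> prints the cosign command. The password is never an
# argument (it would show up in argv); cosign reads it from COSIGN_PASSWORD.
sign_cmd() {
  printf 'cosign sign --key %s %s' "$1" "$2"
}

# run_pipeline IMAGE MODE SBOM KEY PASSWORD: runs the commands when docker and
# cosign are installed; set DRY_RUN=1 to only print them. The password is
# scoped to the single cosign process via an environment-assignment prefix.
run_pipeline() {
  b=$(build_cmd "$1" "$2" "$3"); s=$(sign_cmd "$4" "$1")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n%s\n' "$b" "$s"
  else
    sh -c "$b"
    COSIGN_PASSWORD="$5" sh -c "$s"
  fi
}
```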