DEPRECATED: Attach sbom to the supplied container image
Attach sbom to the supplied container image
WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see sigstore#2755). Instead, please use SBOM attestations.
cosign attach sbom [flags]
cosign attach sbom <image uri>
--allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing
--allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing
--attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
-h, --help help for sbom
--input-format string type of sbom input format (json|xml|text)
--k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
--registry-password string registry basic auth password
--registry-referrers-mode registryReferrersMode mode for fetching references from the registry. allowed: legacy, oci-1-1
--registry-token string registry bearer auth token
--registry-username string registry basic auth username
--sbom string path to the sbom, or {-} for stdin
--type string type of sbom (spdx|cyclonedx|syft) (default "spdx")
--output-file string log output to a file
-t, --timeout duration timeout for commands (default 3m0s)
-d, --verbose log debug output
- cosign attach - Provides utilities for attaching artifacts to other artifacts in a registry