
Generate SBOM

Simply add nais/docker-build-push to your workflow.

 - uses: nais/docker-build-push@v0
   id: docker-push
   with:
     team: myteam # required
     salsa: true # optional, defaults to true
     project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} # required, but is defined as an organization variable
     identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} # required, but is defined as an organization secret
     # ... other options removed for readability
Note

Opt-out from salsa

If you want to opt out of salsa, set the salsa input to false:

salsa: false

Attest sign

By default, the nais/docker-build-push action pushes to Google Artifact Registry (GAR). If you push to another registry, use the nais/attest-sign action to generate the SBOM and sign the attestation yourself.

 - uses: nais/attest-sign@v1
   id: attest-sign
   with:
     image_ref: my-image@sha256:12345 # required
     sbom: my-image.json # optional
     # ... other options removed for readability

Attestation

The action automatically generates a signed attestation using Trivy and cosign.
The attestation envelope contains an SBOM (Software Bill of Materials) for your container image and its dependencies.

The signed attestation, and with it the SBOM, is uploaded to the same registry alongside your image.
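An added example of how a consumer of that attestation might unwrap it; this is not code from the NAIS actions or from this page. It assumes the attestation has already been fetched from the registry (for example with `cosign download attestation <image>`, which prints each DSSE envelope as a JSON line) and that its signature has already been verified with cosign: the code below does no signature verification, it only checks the structure. It further assumes the envelope wraps an in-toto Statement v0.1 whose predicate is a CycloneDX SBOM (predicate type https://cyclonedx.org/bom); the page does not state the SBOM format, so treat that as an assumption. The envelope, digest, package URLs and signature bytes are constructed for the example.

```python
import base64
import json

# Constructed sample data (not a real image or attestation). Digest hex is made up.
_HEX = "ab" * 32
IMAGE_DIGEST = "sha256:" + _HEX

_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {
            "name": "europe-north1-docker.pkg.dev/example/myteam/my-image",
            "digest": {"sha256": _HEX},
        }
    ],
    # Assumption: CycloneDX predicate type as used by cosign for `--type cyclonedx`.
    "predicateType": "https://cyclonedx.org/bom",
    "predicate": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "type": "library",
                "name": "libssl3",
                "version": "3.0.11-1~deb12u2",
                "purl": "pkg:deb/debian/libssl3@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
            },
            {
                "type": "library",
                "name": "log4j-core",
                "version": "2.17.1",
                "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
            },
        ],
    },
}

# A DSSE envelope in the shape `cosign download attestation` prints. The signature
# is a placeholder: this example never verifies it (cosign does that).
SAMPLE_ENVELOPE = json.dumps(
    {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"not-a-real-signature").decode()}],
    }
)


def parse_envelope(envelope_json: str) -> dict:
    """Unwrap a DSSE envelope and return the in-toto Statement it carries.

    Does NOT check the signature; run `cosign verify-attestation` first.
    """
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def subject_matches(statement: dict, image_digest: str) -> bool:
    """True if one of the statement's subjects has exactly this digest.

    Compare by digest, never by tag: tags move, the attested digest does not.
    """
    algo, _, hexdigest = image_digest.partition(":")
    return any(s.get("digest", {}).get(algo) == hexdigest for s in statement.get("subject", []))


def sbom_for_image(statement: dict, image_digest: str) -> dict:
    """Return the CycloneDX SBOM predicate, or raise if it is not about this image."""
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    if not subject_matches(statement, image_digest):
        raise ValueError("attestation subject does not match the image digest")
    if statement.get("predicateType") != "https://cyclonedx.org/bom":
        raise ValueError(f"not a CycloneDX SBOM: {statement.get('predicateType')!r}")
    return statement["predicate"]


def component_purls(sbom: dict) -> list[str]:
    """Sorted package URLs of every component that has one."""
    return sorted(c["purl"] for c in sbom.get("components", []) if "purl" in c)


def sbom_purls_for_image(envelope_json: str, image_digest: str) -> list[str]:
    """End-to-end: envelope -> statement -> SBOM for this digest -> purls."""
    return component_purls(sbom_for_image(parse_envelope(envelope_json), image_digest))


if __name__ == "__main__":
    for purl in sbom_purls_for_image(SAMPLE_ENVELOPE, IMAGE_DIGEST):
        print(purl)
```

The digest comparison is the check worth keeping: an attestation pulled from the registry only tells you something about the image whose digest it names, so always resolve the image you are about to deploy to its digest and compare against the subject, rather than trusting the tag you pushed.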