How to Push an SBOM to a Registry in GitHub Actions
An SBOM only helps if it travels with the image; attaching it to the registry artifact keeps provenance together.
Generate the SBOM with syft, then attach it to the pushed image as an OCI attestation using cosign.
Steps
- Build and push the container image.
- Generate the SBOM from the image with syft.
- Authenticate cosign with OIDC keyless signing.
- Attach the SBOM to the image digest with cosign attest.
Workflow
.github/workflows/push-sbom.yml
name: Push SBOM
on: [push]
permissions:
id-token: write
packages: write
jobs:
sbom:
runs-on: ubuntu-latest
steps:
- uses: anchore/sbom-action@v0
with:
image: ghcr.io/acme/app:${{ github.sha }}
output-file: sbom.spdx.json
- uses: sigstore/cosign-installer@v3
- run: |
cosign attest --yes --predicate sbom.spdx.json \
--type spdxjson ghcr.io/acme/app:${{ github.sha }}Notes
- Attest against the image digest, not a mutable tag, so the attestation stays bound to one build.
- Latchkey managed runners run these SBOM and signing jobs cheaper and self-heal mid-run.
Related guides
How to Generate and Upload an SBOM in GitHub ActionsGenerate a software bill of materials in GitHub Actions with Syft and upload it as a build artifact, so every…
How to Sign a Container Image with Cosign in GitHub ActionsSign a container image with Sigstore cosign in GitHub Actions using keyless OIDC signing, so consumers can ve…