Skip to content
Latchkey

How to Push an SBOM to a Registry in GitHub Actions

An SBOM only helps if it travels with the image; attaching it to the registry artifact keeps provenance together.

Generate the SBOM with syft, then attach it to the pushed image as an OCI attestation using cosign.

Steps

  • Build and push the container image.
  • Generate the SBOM from the image with syft.
  • Authenticate cosign with OIDC keyless signing.
  • Attach the SBOM to the image digest with cosign attest.

Workflow

.github/workflows/push-sbom.yml
name: Push SBOM
on: [push]
permissions:
  id-token: write
  packages: write
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: anchore/sbom-action@v0
        with:
          image: ghcr.io/acme/app:${{ github.sha }}
          output-file: sbom.spdx.json
      - uses: sigstore/cosign-installer@v3
      - run: |
          cosign attest --yes --predicate sbom.spdx.json \
            --type spdxjson ghcr.io/acme/app:${{ github.sha }}

Notes

  • Attest against the image digest, not a mutable tag, so the attestation stays bound to one build.
  • Latchkey managed runners run these SBOM and signing jobs cheaper and self-heal mid-run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →