How to Attach an SBOM and Provenance to an Image in CI
build-push-action can emit an SBOM and SLSA provenance attestation attached to the pushed image.
Set sbom: true and provenance: mode=max on docker/build-push-action. BuildKit attaches both as OCI attestations to the manifest.
Steps
- Use Buildx with
docker/setup-buildx-action. - Set
sbom: trueon the build step. - Set
provenance: mode=maxfor full build provenance.
Workflow
.github/workflows/ci.yml
steps:
- uses: docker/setup-buildx-action@v3
- uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ghcr.io/${{ github.repository }}:latest
sbom: true
provenance: mode=maxGotchas
- Attestations require the registry to support OCI 1.1 referrers; most modern registries do.
- Inspect them with
docker buildx imagetools inspect <image> --format '{{ json .Provenance }}'.
Related guides
How to Sign a Container Image With Cosign Keyless in CISign a container image in GitHub Actions with cosign keyless signing over OIDC, producing a verifiable signat…
How to Add OCI Labels to an Image in CIAdd standard OCI annotation labels (source, revision, created, version) to a container image in GitHub Action…