Skip to content
Latchkey

How to Attach an SBOM and Provenance to an Image in CI

build-push-action can emit an SBOM and SLSA provenance attestation attached to the pushed image.

Set sbom: true and provenance: mode=max on docker/build-push-action. BuildKit attaches both as OCI attestations to the manifest.

Steps

  • Use Buildx with docker/setup-buildx-action.
  • Set sbom: true on the build step.
  • Set provenance: mode=max for full build provenance.

Workflow

.github/workflows/ci.yml
steps:
  - uses: docker/setup-buildx-action@v3
  - uses: docker/build-push-action@v6
    with:
      context: .
      push: true
      tags: ghcr.io/${{ github.repository }}:latest
      sbom: true
      provenance: mode=max

Gotchas

  • Attestations require the registry to support OCI 1.1 referrers; most modern registries do.
  • Inspect them with docker buildx imagetools inspect <image> --format '{{ json .Provenance }}'.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →