Skip to main content
Version: 0.2.x

cosign_attach

Implementation details for attach rule

Rules

cosign_attach

Attach an attachment to an oci_image at a remote registry using cosign.

oci_image(
name = "image"
)

cosign_attach(
name = "attach_sbom",
type = "sbom"
attachment = "image.sbom.spdx.json",
repository = "index.docker.io/org/image"
)

repository attribute can be overridden using the --repository flag.

oci_image(
name = "image"
)

cosign_attach(
name = "attach_sbom",
type = "sbom"
attachment = "image.sbom.spdx.json",
repository = "index.docker.io/org/image"
)

via bazel run :attach_sbom -- --repository=index.docker.io/org/test

Example usage (generated):

load("@contrib_rules_oci//cosign/private:attach.bzl", "cosign_attach")

cosign_attach(
# A unique name for this target.
name = "",
# Label to the attachment
attachment = "",
# Label to an oci_image
image = "",
# Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`
repository = "",
# Type of attachment
type = "",
)

name

Required name.

A unique name for this target.

attachment

Required label.

Label to the attachment. Only files are allowed. eg: sbom.spdx, in-toto.json

image

Required label.

Label to an oci_image

repository

Required string.

    Repository URL where the image will be signed at, e.g.: `index.docker.io/<user>/image`.

Digests and tags are not allowed.

type

Required string.

Type of attachment. Acceptable values are: attestation, sbom, and signature