# 🏷️ Verify platform binaries before deploying

## SBOM

SBOM stands for Software Bill of Materials: a detailed, machine-readable inventory of all software components, libraries, dependencies, and their versions used to build a software application.

It serves as a foundational tool for software supply chain security, enabling organizations to:

- Identify and respond to vulnerabilities (e.g., Log4j) quickly.
- Ensure license compliance and avoid legal risks.
- Maintain transparency and traceability across complex software ecosystems.
- Meet regulatory requirements in sectors like healthcare (FDA), finance (PCI DSS), and government (U.S. Executive Order 14028).

SBOMs are typically generated using standardized formats like SPDX and CycloneDX.
## Cosign

```shell
# look up the latest release tag from the GitHub API and strip the leading "v"
LATEST_VERSION=$(curl -s https://api.github.com/repos/sigstore/cosign/releases/latest | grep tag_name | cut -d : -f2 | tr -d "v\", ")
# download the matching Debian package and install it
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign_${LATEST_VERSION}_amd64.deb"
sudo dpkg -i cosign_${LATEST_VERSION}_amd64.deb
```

Note that `dpkg -i` installs the package as downloaded, without checking a signature on it; the Syft installer below, by contrast, verifies the release signature before installing.
## Syft

```shell
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin -v
```

```text
[info] checking github for the current release tag
[info] fetching release script for tag='v1.42.3'
[info] checking github for the current release tag
[info] using release tag='v1.42.3' version='1.42.3' os='linux' arch='amd64'
[info] signature verification succeeded
[info] installed /usr/local/bin/syft
```
## Scan Docker images

```shell
# scan an image
sudo syft scan docker.io/library/bash:latest
```

```text
 ✔ Pulled image
 ✔ Loaded image                     docker.io/library/bash:latest
 ✔ Parsed image                     sha256:b66e847d14ac8547c7c03d34b10ef62664de5875030c9c75b7276ab39ca5e4a7
 ✔ Cataloged contents               d50b66b4a49fae3668c4f5ed85fc852e0970cbe53ae74b338df2202a821b80fb
   ├── ✔ Packages                   [20 packages]
   ├── ✔ Executables                [59 executables]
   ├── ✔ File digests               [121 files]
   └── ✔ File metadata              [121 locations]
NAME                    VERSION              TYPE
.bash-rundeps           20260128.021412      apk
alpine-baselayout       3.7.1-r8             apk
alpine-baselayout-data  3.7.1-r8             apk
alpine-keys             2.6-r0               apk
alpine-release          3.23.3-r0            apk
apk-tools               3.0.3-r1             apk
bash                    5.3.9                binary
busybox                 1.37.0-r30           apk
busybox-binsh           1.37.0-r30           apk
ca-certificates-bundle  20251003-r0          apk
libapk                  3.0.3-r1             apk
libcrypto3              3.5.5-r0             apk
libncursesw             6.5_p20251123-r0     apk
libssl3                 3.5.5-r0             apk
musl                    1.2.5-r21            apk
musl-utils              1.2.5-r21            apk
ncurses-terminfo-base   6.5_p20251123-r0     apk
scanelf                 1.3.8-r2             apk
ssl_client              1.37.0-r30           apk
zlib                    1.3.1-r2             apk
```
## Create SBOM

```shell
# generate an SBOM in CycloneDX JSON format
sudo syft docker.io/library/bash:latest -o cyclonedx-json > bash.sbom.cdx.json
# generate an SBOM in SPDX JSON format
sudo syft docker.io/library/bash:latest -o spdx-json > bash.sbom.spdx.json
```
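Once the SBOM exists, the question from the introduction (can we tell quickly whether an affected component such as Log4j is in the build?) becomes a lookup over the file. The script below is an added example, not part of the original page or of Syft: it normalises either of the two formats Syft writes (CycloneDX JSON with `components[].version`, SPDX JSON with `packages[].versionInfo`) to a common `(name, version)` list, checks that both formats describe the same inventory, and flags components inside an affected version range. The two SBOM documents and the `AFFECTED_RANGES` policy are constructed samples in the shape Syft emits, not real scan output; a real policy would come from a vulnerability database such as the one Grype uses.

```python
import json

# Constructed sample in the CycloneDX JSON shape that `syft -o cyclonedx-json`
# emits (bomFormat / specVersion / components). Not real syft output: the real
# bash image SBOM has ~20 apk packages, and the log4j entry is added only to
# exercise the policy check.
CYCLONEDX_DOC = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libssl3", "version": "3.5.5-r0",
         "purl": "pkg:apk/alpine/libssl3@3.5.5-r0"},
        {"type": "library", "name": "musl", "version": "1.2.5-r21",
         "purl": "pkg:apk/alpine/musl@1.2.5-r21"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    ],
})

# The same inventory in the SPDX 2.3 JSON shape (`syft -o spdx-json`), where
# packages carry `versionInfo` instead of `version`. Also constructed.
SPDX_DOC = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "docker.io/library/bash:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Package-1", "name": "libssl3", "versionInfo": "3.5.5-r0"},
        {"SPDXID": "SPDXRef-Package-2", "name": "musl", "versionInfo": "1.2.5-r21"},
        {"SPDXID": "SPDXRef-Package-3", "name": "log4j-core", "versionInfo": "2.14.1"},
    ],
})

# Hypothetical policy: component name -> (first affected, first fixed),
# compared on the leading numeric version fields. The log4j-core range is
# illustrative of the Log4j incident mentioned above; in practice the ranges
# come from a vulnerability database, not a hand-written table.
AFFECTED_RANGES = {
    "log4j-core": ((2, 0), (2, 15, 0)),
}


def numeric_version(version):
    """Keep only the leading integer fields: '3.5.5-r0' -> (3, 5, 5)."""
    fields = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        fields.append(int(digits))
    return tuple(fields)


def load_components(sbom_text):
    """Normalise a CycloneDX or SPDX JSON SBOM to a sorted list of (name, version)."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") == "CycloneDX":
        items = [(c["name"], c.get("version", "")) for c in doc.get("components", [])]
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        items = [(p["name"], p.get("versionInfo", "")) for p in doc.get("packages", [])]
    else:
        raise ValueError("unrecognised SBOM format")
    return sorted(items)


def find_affected(sbom_text, ranges=AFFECTED_RANGES):
    """Return the (name, version) entries that fall inside an affected range."""
    hits = []
    for name, version in load_components(sbom_text):
        if name not in ranges:
            continue
        first_bad, first_fixed = ranges[name]
        v = numeric_version(version)
        if v and first_bad <= v < first_fixed:
            hits.append((name, version))
    return hits


def inventories_match(sbom_a, sbom_b):
    """True when two SBOMs (possibly in different formats) list the same components."""
    return load_components(sbom_a) == load_components(sbom_b)


if __name__ == "__main__":
    print("same inventory in both formats:", inventories_match(CYCLONEDX_DOC, SPDX_DOC))
    print("affected components:", find_affected(CYCLONEDX_DOC))
```

To run it against the files generated above, replace the constructed documents with `open("bash.sbom.cdx.json").read()` and `open("bash.sbom.spdx.json").read()`. The version comparison deliberately looks only at leading numeric fields, so distribution suffixes such as `-r0` or `_p20251123` do not break the comparison; for anything beyond a first triage, use Grype, whose matcher understands ecosystem-specific version schemes.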
## Grype

```shell
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin -v
```