Synadia Platform
Software Bill of Materials
What is it?
The Software Bill of Materials (SBOM) is an inventory of the components used to build Control Plane. It provides transparency into software dependencies, including their versions and licenses, which makes compliance checks and vulnerability identification easier.
Access
The SBOM for Control Plane is published in the SPDX format.
It is available:
- As a release asset in our GitHub Releases
- As part of a signed In-Toto attestation alongside our OCI image
Signed Attestation
The attestation stored alongside our OCI image is signed by a Synadia key to allow for verification of authenticity. This can be validated using Sigstore Cosign.
Signature Verification:
cosign verify-attestation \
--certificate-identity-regexp '^https://github.com/ConnectEverything' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
registry.synadia.io/control-plane > /dev/null
In the above command, we redirected STDOUT to /dev/null because it contains the complete SBOM as base64-encoded JSON. We can decode that payload if we want to see the SBOM itself:
cosign verify-attestation \
--certificate-identity-regexp '^https://github.com/ConnectEverything' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
registry.synadia.io/control-plane \
| jq -r '.payload' | base64 -d | jq '.predicate.Data | fromjson'
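As an added example (not part of Synadia's documentation or tooling), the following script performs the same decoding as the jq pipeline above on each line that cosign emits, checks that the statement really carries an SPDX predicate, and lists package name, version and license from the SPDX document. The envelope and SPDX content embedded in it are constructed samples, and the script does no signature checking itself: that remains cosign's job, so only feed it lines that cosign verify-attestation has accepted.

```python
import base64
import json
import sys

# Constructed sample of one line of `cosign verify-attestation` output: a DSSE
# envelope whose payload is an in-toto statement carrying an SPDX document in
# `predicate.Data`. Names, versions and digests are made up for illustration.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "control-plane-sample",
    "packages": [
        {"name": "example.com/lib-a", "versionInfo": "v1.2.3", "licenseConcluded": "Apache-2.0"},
        {"name": "example.com/lib-b", "versionInfo": "v0.9.0", "licenseConcluded": "MIT"},
    ],
}
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "registry.example/control-plane", "digest": {"sha256": "0" * 64}}],
    "predicate": {"Data": json.dumps(SAMPLE_SPDX)},
}
SAMPLE_ENVELOPE_LINE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "signature-omitted-in-sample"}],
})


def decode_sbom(envelope_line: str) -> dict:
    """Same steps as `jq -r .payload | base64 -d | jq '.predicate.Data | fromjson'`."""
    # No signature check here: cosign has already verified anything it printed.
    envelope = json.loads(envelope_line)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != "https://spdx.dev/Document":
        raise ValueError(f"not an SPDX attestation: {statement.get('predicateType')}")
    return json.loads(statement["predicate"]["Data"])


def package_inventory(sbom: dict) -> list[tuple[str, str, str]]:
    """Flatten SPDX packages into (name, version, license) triples."""
    return [(p["name"], p.get("versionInfo", "NOASSERTION"),
             p.get("licenseConcluded", "NOASSERTION")) for p in sbom.get("packages", [])]


def find_package(sbom: dict, name: str) -> list[str]:
    """Versions at which `name` appears, e.g. to check for a known-affected dependency."""
    return [v for n, v, _ in package_inventory(sbom) if n == name]


if __name__ == "__main__":
    for line in filter(str.strip, sys.stdin):  # cosign verify-attestation ... | python3 this.py
        for name, version, lic in package_inventory(decode_sbom(line)):
            print(f"{name}\t{version}\t{lic}")
```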