v4.1.0 - Add SBOM generation

[JeroenKnoops]

Create SBOM - Software Bill of Material

You can create a SPDX file. This feature is using VMWare Tern.
Add sbom: true to the arguments and a sbom-spdx.json file is created.
The filename is exported as output in sbom-file.
See: https://github.com/philips-software/docker-ci-scripts#with-sbom

Attach SBOM to Image

When you are creating the SBOM file and you provided the sign arguments and cosign environment variables, the SBOM file will be attached to the image.
You can verify the provenance by doing the following thing:

repodigest=$(docker inspect <image-name> | jq -r .[0].RepoDigests[0])
cosign verify-attestation --key cosign.pub $repodigest | jq -r '.payload' | base64 -d | jq .

What's Changed

• Add sbom by @JeroenKnoops in Add sbom #100

Full Changelog: v4.0.0...v4.1.0

---

This discussion was created from the release v4.1.0 - Add SBOM generation.