
SBOMs

A Software Bill of Materials (SBOM) is an inventory of the software components a software artifact was built from. With that inventory in hand, you can check the artifact against vulnerability databases and determine whether any known-vulnerable component was compiled into it, without having to rebuild or reverse-engineer the artifact.

Since v0.9, ko generates and uploads an SBOM for every image it produces by default.

ko generates the SBOM in the SPDX format by default. To disable SBOM generation, pass --sbom=none.

ko uploads the SBOM to the same registry as the image, alongside it, and it can be retrieved with the cosign download sbom command.
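The reason to pull the SBOM down is to act on it. The following is an added example, not ko's or cosign's own code, showing what that looks like for a Go image: it parses an SPDX JSON document, pulls the module path and version out of each package's purl reference, and compares them against a table of first-fixed versions. The SBOM document and the advisory table embedded here are constructed for the example (the module paths are hypothetical and the advisories are not real ones); in practice the input is whatever "cosign download sbom <image>" writes to stdout, and the advisory table would come from a real feed such as the Go vulnerability database. The version ordering is a simplification of Go semver that handles releases, pre-releases and timestamped pseudo-versions.

```python
import json
import sys
from urllib.parse import unquote


def _pkg(module: str, version: str) -> dict:
    """Build one SPDX package entry with a Go purl, for the constructed sample below."""
    return {
        "name": module,
        "SPDXID": "SPDXRef-Package-" + module.replace("/", "-"),
        "versionInfo": version,
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": f"pkg:golang/{module}@{version}",
        }],
    }


# Constructed SPDX 2.3 document standing in for a downloaded SBOM. Its shape
# (one package per Go module, each carrying a purl) follows the SPDX layout in
# general; it is not copied from real ko output, and the modules are hypothetical.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example.com/app",
    "packages": [
        _pkg("example.com/app", "v1.0.0"),
        _pkg("github.com/example/unsafe-yaml", "v2.1.0"),
        _pkg("github.com/example/router", "v0.0.0-20230101120000-0123456789ab"),
    ],
})

# Constructed advisory table: module path -> first fixed version. These are NOT
# real advisories; a real run would load this from a vulnerability feed.
ADVISORIES = {
    "github.com/example/unsafe-yaml": "v2.4.1",
    "github.com/example/router": "v0.0.0-20220601000000-abcdefabcdef",
}


def parse_go_version(version: str) -> tuple:
    """Map a Go module version ("v1.2.3", "v1.2.3-rc1", or a pseudo-version like
    "v0.0.0-20230101120000-0123456789ab") onto a tuple that sorts like semver:
    numeric core first, then a release outranks any pre-release of the same
    core, then pre-releases compare as plain strings. The string comparison is
    a simplification of the full semver identifier rules, but it orders the
    timestamped pre-release part of pseudo-versions correctly."""
    v = version[1:] if version.startswith("v") else version
    v = v.split("+", 1)[0]                 # build metadata never affects ordering
    core, _, prerelease = v.partition("-")
    parts = core.split(".")
    while len(parts) < 3:                  # tolerate "v1" / "v1.2"
        parts.append("0")
    numbers = tuple(int(p) for p in parts[:3])
    return (numbers, 0 if prerelease else 1, prerelease)


def parse_golang_purl(locator: str):
    """Split "pkg:golang/<module path>@<version>" into (module, version);
    returns None for anything that is not a Go purl with a version."""
    if not locator.startswith("pkg:golang/"):
        return None
    rest = locator[len("pkg:golang/"):]
    rest = rest.split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    module, sep, version = rest.rpartition("@")
    if not sep or not module:
        return None
    return unquote(module), unquote(version)


def iter_modules(sbom: dict):
    """Yield (module, version) for each SPDX package, preferring the purl
    reference and falling back to the package name and versionInfo."""
    for pkg in sbom.get("packages", []):
        found = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                found = parse_golang_purl(ref.get("referenceLocator", ""))
                if found:
                    break
        if found is None and pkg.get("name") and pkg.get("versionInfo"):
            found = (pkg["name"], pkg["versionInfo"])
        if found:
            yield found


def find_vulnerable(sbom_json: str, advisories: dict) -> list:
    """Return every SBOM entry whose version is older than the first fixed
    version listed for its module, as {"module", "version", "fixed_in"} dicts."""
    findings = []
    for module, version in iter_modules(json.loads(sbom_json)):
        fixed = advisories.get(module)
        if fixed is not None and parse_go_version(version) < parse_go_version(fixed):
            findings.append({"module": module, "version": version, "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    # Usage: python check_sbom.py sbom.spdx.json   (falls back to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for f in find_vulnerable(data, ADVISORIES):
        print(f"VULNERABLE {f['module']}@{f['version']} (fixed in {f['fixed_in']})")
```

Two details worth noting. The purl is preferred over the package name because the purl encodes both module path and exact version in one canonical string, whereas name and versionInfo are free text; and the pseudo-version entry in the sample is deliberately newer than its advisory's fixed pseudo-version, so the check only reports the unsafe-yaml module. A module that is absent from the advisory table is simply not reported, so keeping the table current matters as much as the SBOM itself.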