A Software Bill of Materials (SBOM) is a list of software components that a software artifact depends on. Having a list of dependencies can be helpful in determining whether any vulnerable components were used to build the software artifact.
ko generates and uploads an SBOM for every image it produces by default.
ko will generate an SBOM in the SPDX format by default, but you can select the CycloneDX format instead with the --sbom=cyclonedx flag. To disable SBOM generation, pass
These SBOMs can be downloaded using the cosign download sbom command.
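As an added example of putting a downloaded SBOM to the use described above (this is not ko's or cosign's own code), the Go program below decodes the SPDX JSON structure such an SBOM contains, lists the Package URL (purl) of each component, and checks them against a deny-list of module versions. The SBOM text and the deny-list are constructed placeholders, not real ko output or advisory data.

```go
package main

import "encoding/json"

// Minimal subset of the SPDX 2.x JSON that ko emits; unlisted fields are skipped.
type spdxDoc struct {
	Packages []struct {
		ExternalRefs []struct {
			ReferenceType    string `json:"referenceType"`
			ReferenceLocator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
}

// SampleSBOM is a constructed, trimmed SPDX document; not output captured from ko.
const SampleSBOM = `{"spdxVersion": "SPDX-2.3", "name": "sbom-example", "packages": [
 {"name": "example.com/app", "externalRefs": [
   {"referenceType": "purl", "referenceLocator": "pkg:golang/example.com/app@v0.1.0"}]},
 {"name": "example.com/legacy", "externalRefs": [
   {"referenceType": "purl", "referenceLocator": "pkg:golang/example.com/legacy@v1.2.3"}]},
 {"name": "example.com/util", "externalRefs": [
   {"referenceType": "purl", "referenceLocator": "pkg:golang/example.com/util@v2.0.1"}]}]}`

// Purls returns the Package URL (purl) of every package in an SPDX JSON SBOM.
func Purls(sbom []byte) ([]string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range doc.Packages {
		for _, r := range p.ExternalRefs {
			if r.ReferenceType == "purl" {
				out = append(out, r.ReferenceLocator)
			}
		}
	}
	return out, nil
}

// Flagged returns the purls present in denied, a constructed deny-list of module versions.
func Flagged(purls []string, denied map[string]bool) []string {
	var hits []string
	for _, p := range purls {
		if denied[p] {
			hits = append(hits, p)
		}
	}
	return hits
}
```

In practice the SBOM bytes come from `cosign download sbom` and the deny-list from whatever vulnerability feed the team tracks; matching on the full purl keeps the comparison exact to the module version that was built in.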