A Software Bill of Materials (SBOM) is a list of software components that a software artifact depends on. Having a list of dependencies can be helpful in determining whether any vulnerable components were used to build the software artifact.
ko generates and uploads an SBOM for every image it produces by default.
These SBOMs can be downloaded using the `cosign download sbom` command.
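The following Python script is an added example, not code from ko or cosign. It wraps the `cosign download sbom` command described above and then does the kind of check the first paragraph motivates: extracting the package list from the SBOM and comparing it against a table of affected versions. It assumes `cosign` is on `PATH` and that the image was built by ko with its default SBOM format (SPDX JSON). The embedded SBOM document and the advisory table are constructed for the example, using placeholder module names; they do not describe real vulnerabilities.

```python
"""Fetch the SBOM ko attached to an image and check its packages (added example)."""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

Package = Tuple[str, str]  # (module name, version string as recorded in the SBOM)


def download_sbom(image_ref: str) -> dict:
    """Run `cosign download sbom <image>` and parse the SPDX JSON it prints to stdout.

    Assumes cosign is installed; cosign writes status messages to stderr and
    the SBOM document itself to stdout, so only stdout is parsed.
    """
    result = subprocess.run(
        ["cosign", "download", "sbom", image_ref],
        check=True,
        capture_output=True,
        text=True,
    )
    return json.loads(result.stdout)


def packages_from_spdx(sbom: dict) -> List[Package]:
    """Return (name, version) for every package entry in an SPDX 2.x JSON document.

    ko records each Go module as an SPDX package with its version in
    `versionInfo`; entries without a name are skipped, and a missing
    version is reported as an empty string rather than dropped.
    """
    packages: List[Package] = []
    for pkg in sbom.get("packages", []):
        name = pkg.get("name")
        if not name:
            continue
        packages.append((name, pkg.get("versionInfo", "")))
    return packages


def find_affected(packages: List[Package], advisories: Dict[str, List[str]]) -> List[Package]:
    """Return the packages whose exact recorded version is listed in `advisories`.

    `advisories` maps a module name to the versions an advisory covers. Exact
    string matching keeps the example simple; a production check would
    compare semantic version ranges instead.
    """
    return [(name, ver) for name, ver in packages if ver in advisories.get(name, [])]


# Constructed SPDX document shaped like ko's output; placeholder module names only.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-main", "name": "github.com/example/app", "versionInfo": "v0.1.0"},
        {"SPDXID": "SPDXRef-Package-parser", "name": "example.com/lib/parser", "versionInfo": "v1.2.3"},
        {"SPDXID": "SPDXRef-Package-crypto", "name": "example.com/lib/crypto", "versionInfo": "v0.9.0"},
    ],
}

# Constructed advisory table for the example; not a real vulnerability record.
ADVISORIES: Dict[str, List[str]] = {"example.com/lib/parser": ["v1.2.3"]}


if __name__ == "__main__":
    # With an image reference on the command line, fetch the real SBOM;
    # otherwise run the check against the constructed sample.
    sbom = download_sbom(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SBOM
    pkgs = packages_from_spdx(sbom)
    print(f"{len(pkgs)} packages in SBOM")
    for name, ver in find_affected(pkgs, ADVISORIES):
        print(f"affected: {name}@{ver}")
```

Run it as `python check_sbom.py ghcr.io/org/image@sha256:...` to check a real ko-built image, or with no arguments to exercise the constructed sample. The version matching is deliberately exact; swapping in a proper vulnerability database and range comparison is the natural next step.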