Discovering the associated metadata

Prerequisites
  • Install the Cosign CLI tool.

  • Install the jq CLI tool.

  • Login to Konflux.

Procedure

In the CLI, complete the following steps to discover the associated metadata for a component:

  1. Find the image for a recently completed build pipeline and export its digest-pinned reference to the IMAGE environment variable.

    Example:

    IMAGE=quay.io/redhat-user-workloads/your-tenant/application/component@sha256:<output omitted>
  2. Print a high-level overview of the artifact’s metadata that Konflux has created for a component:

    cosign tree $IMAGE

    Example output:

    📦 Supply Chain Security Related artifacts for an image: quay.io/redhat-user-workload/your-tenant/application/component@sha256:<sha-digest>
    └── 📦 SBOMs for an image tag: quay.io/redhat-user-workload/your-tenant/application/component:sha256-<sha-digest>.sbom
       └── 🍒 sha256:<sbom-sha-digest>
    └── 💾 Attestations for an image tag: quay.io/redhat-user-workload/your-tenant/application/component:sha256-<sha-digest>.att
       └── 🍒 sha256:<attestation-sha-digest>
    └── 🔐 Signatures for an image tag: quay.io/redhat-user-workload/your-tenant/application/component:sha256-<sha-digest>.sig
       └── 🍒 sha256:<signature-sha-digest>

The cosign tree command shows all metadata associated with the artifact via the referrers API. The SBOM artifact contains the Software Bill of Materials. Further procedures are provided for viewing and inspecting the attestations and SBOMs that Konflux creates.
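The output above follows cosign's tag convention of `<repository>:sha256-<digest>.sbom`, `.att` and `.sig`. The following shell function, added here as an example and not part of the Konflux documentation, derives those three tag names from a digest-pinned reference so that each artifact can be pulled or inspected directly; the repository path and digest in the usage line are constructed placeholders.

```shell
# Print the cosign artifact tags (SBOM, attestation, signature) for a
# digest-pinned image reference, one per line.
# Fails if the reference is not pinned with @sha256:<digest>, because cosign
# stores this metadata by digest, not by a mutable tag.
cosign_artifact_tags() {
    ref="$1"
    case "$ref" in
        *@sha256:*) ;;
        *) echo "error: reference must be pinned with @sha256:<digest>: $ref" >&2; return 1 ;;
    esac
    repo="${ref%%@sha256:*}"
    digest="${ref##*@sha256:}"
    # A reference such as repo:tag@sha256:... carries both a tag and a digest;
    # drop the tag from the last path component (a registry port like
    # localhost:5000/... is left untouched because it precedes a slash).
    case "${repo##*/}" in
        *:*) repo="${repo%:*}" ;;
    esac
    for suffix in sbom att sig; do
        printf '%s:sha256-%s.%s\n' "$repo" "$digest" "$suffix"
    done
}

# Usage with a constructed placeholder reference (digest value is made up):
# cosign_artifact_tags "quay.io/redhat-user-workloads/your-tenant/application/component@sha256:0123abcd"
```

Each printed tag can be passed to `cosign tree` or `crane manifest` to inspect the corresponding artifact on its own.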