jprdonnelly/opentf
1
0
Fork 0
mirror of https://github.com/opentffoundation/opentf.git synced 2025-12-19 17:59:05 -05:00
Code Issues Packages Projects Releases Wiki Activity

Module attestations

Browse Source 
Signed-off-by: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com>
Co-authored-by: Martin Atkins <mart@degeneration.co.uk>
This commit is contained in:
AbstractionFactory
2025-02-04 15:59:57 +01:00
committed by Martin Atkins
parent f279684009
commit f64a45113d
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
rfc/20241206-oci-registries/6-modules.md
View File

@@ -56,9 +56,10 @@ oras push \
terraform-your-module.zip:archive/zip
```
We also intend to provide a tool similar to how [providers work](5-providers.md) that will allow for publishing and mirroring modules.
We also intend to provide a tool similar to how [providers work](5-providers.md) that will allow for publishing and mirroring modules. Similar to providers, the mirroring tool will attach detected SBOM and attestation artifacts to the modules in OCI. Specifically, the mirroring tool will detect:
⚠ TODO: what do we do with SBOM and signature artifacts?
- `*.spdx.json` as `application/spdx+json` containing an SPDX SBOM file.
- `*.intoto.jsonl` as `application/vnd.in-toto+json` containing an [in-toto attestation framework](https://github.com/in-toto/attestation)/[SLSA Provenance](https://slsa.dev/spec/v1.0/provenance) file.
---