doi-attestations
A script that checks whether SBOM and Provenance attestations are present in the latest
tag of DOI (Docker Official Image).
Usage
- Generate a text file with the up-to-date list of DOI. Each line should contain a single DOI. You can use the
doi.txt
from this repo as an example.
./get-doi.sh > doi.txt
- Run the script to check whether SBOM and Provenance attestations are present in the
latest
tag of DOI.
sort doi.txt | parallel -j 8 ./check-attestations.sh --image {} > output.txt 2>&1
Example of output:
[❌] SBOM - [❌] Provenance - [debian]
[✅] SBOM - [✅] Provenance - [cassandra]
[✅] SBOM - [✅] Provenance - [docker]
[❌] SBOM - [❌] Provenance - [eclipse-mosquitto]
[❌] SBOM - [❌] Provenance - [eggdrop]
...