hauler-dev/hauler

[feature] Provide the ability to show/download SBOM/VULN attestations

Opened this issue · 0 comments

Is this RFE related to an Existing Problem? If so, please describe:
When using Hauler to pull down images from Carbide, those images provide SBOM and vulnerability reports in the form of attestations. Currently, if someone wants to view those attestations, they need to download 'cosign' and Docker, figure out if the image is single-arch or multi-arch, and then use the appropriate cosign commands to show/validate those attestations. Having either a wrapper script or having this functionality built into Hauler would allow customers to not have to use any other tooling.

Describe Proposed Solution(s):
Add functionality to Hauler to download/view those attestations

Describe Possible Alternatives:
Possibly a wrapper script? But that's just another external tool that's needed.
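As an added illustration (not Hauler's or Carbide's own code), the script below sketches the manual workflow the issue describes: inspect the manifest to decide whether the image is single-arch or a multi-arch index, pin one digest reference per platform, then read the SBOM/VULN attestations cosign returns for each reference. It assumes two external behaviours: `docker manifest inspect <ref>` prints the manifest or index as JSON, and `cosign download attestation <ref>` prints one DSSE envelope per line whose base64 `payload` is an in-toto statement. The manifest and cosign samples embedded at the bottom are constructed so the parsing logic runs offline; the `show_attestations` function is the only part that calls the real tools.

```python
# Added example, not hauler's own code. Sketches what a built-in
# "show attestations" command would need to do, using the steps the issue
# describes (docker to inspect the manifest, cosign to fetch attestations).
# Assumed external behaviour:
#   docker manifest inspect <ref>      -> manifest or index as JSON
#   cosign download attestation <ref>  -> one DSSE envelope (JSON) per line
# Samples at the bottom are constructed, not real registry output.
import base64
import json
import subprocess

INDEX_MEDIA_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}


def platform_refs(image, manifest):
    """Return (platform, ref) pairs to query for attestations.

    For a multi-arch index, attestations are usually attached to each
    platform-specific manifest, so one digest-pinned ref is built per
    platform. For a single-arch image the original reference is used.
    """
    if manifest.get("mediaType") not in INDEX_MEDIA_TYPES:
        return [("single-arch", image)]
    repo = image.split("@", 1)[0]  # drop any digest already on the ref
    refs = []
    for entry in manifest.get("manifests", []):
        plat = entry.get("platform", {})
        if plat.get("os") == "unknown":
            # buildkit stores its own attestation manifests under os "unknown"
            continue
        label = f"{plat.get('os')}/{plat.get('architecture')}"
        refs.append((label, f"{repo}@{entry['digest']}"))
    return refs


def classify(predicate_type):
    """Map an in-toto predicateType URI to the report kind a user asks for."""
    pt = predicate_type.lower()
    if "spdx" in pt or "cyclonedx" in pt:
        return "sbom"
    if "vuln" in pt:
        return "vuln"
    return "other"


def decode_attestations(cosign_output):
    """Parse `cosign download attestation` output into
    (kind, predicateType, predicate) tuples."""
    results = []
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        statement = json.loads(base64.b64decode(envelope["payload"]))
        results.append((classify(statement["predicateType"]),
                        statement["predicateType"], statement["predicate"]))
    return results


def show_attestations(image, wanted="sbom"):
    """Live wrapper around docker + cosign; not exercised offline.
    Note: this only downloads and shows attestations. Validating them
    requires `cosign verify-attestation` with the signer's key or identity."""
    raw_manifest = subprocess.check_output(["docker", "manifest", "inspect", image])
    manifest = json.loads(raw_manifest)
    reports = {}
    for platform, ref in platform_refs(image, manifest):
        raw = subprocess.check_output(
            ["cosign", "download", "attestation", ref], text=True)
        reports[platform] = [pred for kind, _, pred in decode_attestations(raw)
                             if kind == wanted]
    return reports


# --- constructed samples (placeholder digests, not real images) ---
SAMPLE_IMAGE = "registry.example/app:1.0"
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64, "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:" + "b" * 64, "platform": {"os": "linux", "architecture": "arm64"}},
        {"digest": "sha256:" + "c" * 64, "platform": {"os": "unknown", "architecture": "unknown"}},
    ],
}
SAMPLE_SINGLE = {"schemaVersion": 2,
                 "mediaType": "application/vnd.oci.image.manifest.v1+json",
                 "config": {"digest": "sha256:" + "d" * 64}, "layers": []}


def _envelope(statement):
    """Build a DSSE envelope line like cosign prints (signature is a placeholder)."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": [{"sig": "placeholder"}]})


SAMPLE_COSIGN_OUTPUT = "\n".join([
    _envelope({"_type": "https://in-toto.io/Statement/v0.1",
               "predicateType": "https://spdx.dev/Document",
               "predicate": {"spdxVersion": "SPDX-2.3", "packages": []}}),
    _envelope({"_type": "https://in-toto.io/Statement/v0.1",
               "predicateType": "https://cosign.sigstore.dev/attestation/vuln/v1",
               "predicate": {"scanner": {"uri": "placeholder"}, "result": {}}}),
])

if __name__ == "__main__":
    print(platform_refs(SAMPLE_IMAGE, SAMPLE_INDEX))
    print([(k, t) for k, t, _ in decode_attestations(SAMPLE_COSIGN_OUTPUT)])
```

The multi-arch handling is the part worth noting: with an index, `cosign download attestation` on the tag alone may not return the per-platform attestations, so the wrapper resolves each platform manifest digest first and queries those references. Whether attestations live on the index or on each platform manifest depends on how the publisher signed them, which is exactly the detail a user should not have to work out by hand.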