As I understand it, when you use the syft attest command, it invokes cosign and pushes the signed SBOM w/attestation alongside the image using the same OCI registry. This means there really aren't files on the filesystem that get produced, so outputting to a file isn't implemented today. But it seems like a reasonable request to output the contents that would otherwise get pushed to the registry to a specified file -- is this what you are hoping to do?
What happened:
What you expected to happen:
I'm trying to sign and generate a SBOM and output it to a file. One of the options syft attest --help tells me exists is:
-o, --output stringArray   report output format (<format>=<file> to output to a file), formats=[cyclonedx-json cyclonedx-xml github-json spdx-json spdx-tag-value syft-json syft-table syft-text template] (default [syft-json])
But when I try this option, it outputs the following error:
ERROR unable to write SBOM to file: unable to find encoder for "spdx-json=spdx.json"
I looked in the source and this behavior doesn't seem to be implemented. Any thoughts?
Steps to reproduce the issue:
go run cmd/syft/main.go attest DIGEST --key=KEY -o spdx-json=spdx.json
or
syft attest DIGEST --key=KEY -o spdx-json=spdx.json