IntenseWebs/opentofu
3
0
Fork 0
mirror of https://github.com/opentofu/opentofu.git synced 2025-02-25 18:45:20 -06:00
Code Issues Packages Projects Releases Wiki Activity

Module attestations

Browse Source 
Signed-off-by: AbstractionFactory <179820029+abstractionfactory@users.noreply.github.com>
Co-authored-by: Martin Atkins <mart@degeneration.co.uk>
This commit is contained in:
AbstractionFactory 2025-02-04 15:59:57 +01:00 committed by Martin Atkins
parent 26534ed2b5
commit 33d12f346e
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
rfc/20241206-oci-registries/6-modules.md
View File

@ -56,9 +56,10 @@ oras push \
terraform-your-module.zip:archive/zip
```
We also intend to provide a tool similar to how [providers work](5-providers.md) that will allow for publishing and mirroring modules.
We also intend to provide a tool similar to how [providers work](5-providers.md) that will allow for publishing and mirroring modules. Similar to providers, the mirroring tool will attach detected SBOM and attestation artifacts to the modules in OCI. Specifically, the mirroring tool will detect:
⚠ TODO: what do we do with SBOM and signature artifacts?
- `*.spdx.json` as `application/spdx+json` containing an SPDX SBOM file.
- `*.intoto.jsonl` as `application/vnd.in-toto+json` containing an [in-toto attestation framework](https://github.com/in-toto/attestation)/[SLSA Provenance](https://slsa.dev/spec/v1.0/provenance) file.
---