Skip to main content
This document describes how to verify the cryptographic signatures and attestations created by the vantage-packager image publishing pipeline.

Overview

The vantage-packager pipeline creates several security artifacts for each published image:
  • Container Image Signature: Cryptographic signature using Cosign
  • SPDX SBOM Attestation: Software Bill of Materials in SPDX 2.3 format
  • Vulnerability Scan Attestation: Security scan results in SARIF format All artifacts are signed with the same private key and can be verified using the corresponding public key.

Prerequisites

You’ll need the following tools installed:
  • cosign - for signature and attestation verification
  • jq - for JSON parsing and analysis
  • curl - for downloading artifacts (optional)

Signature Verification

Basic Verification

Verify an image signature using the public key:

With TLS Verification Disabled

For registries with self-signed certificates:
Expected output:

Attestation Verification

SPDX SBOM Attestation

Verify the SPDX Software Bill of Materials attestation:

Vulnerability Scan Attestation

Verify the vulnerability scan attestation:

Retrieving Attestation Data

Download SPDX SBOM

Extract the SPDX SBOM from the attestation:

Download Vulnerability Scan

Extract the vulnerability scan results:

Analyzing SPDX SBOM Data

Basic SBOM Information

List All Packages

Find Packages with Known Vulnerabilities

License Information

Analyzing Vulnerability Scan Data

Basic Scan Information

List Vulnerabilities

High Severity Vulnerabilities

SBOM Visualization Tools

CLI Tools

CycloneDX SBOM Utility

Install and use the CycloneDX SBOM utility for advanced analysis:

Custom Analysis with jq

Web-based Visualization

SBOM.sh Online Viewer

  1. Visit https://sbom.sh/
  2. Upload your sbom.json file
  3. Explore the interactive component and dependency visualization

Artifact Reference Discovery

Find Signature Artifacts

Find Attestation Artifacts