This document describes how to verify the cryptographic signatures and attestations created by the vantage-packager image publishing pipeline.

Overview

The vantage-packager pipeline creates several security artifacts for each published image:
  • Container Image Signature: Cryptographic signature using Cosign
  • SPDX SBOM Attestation: Software Bill of Materials in SPDX 2.3 format
  • Vulnerability Scan Attestation: Security scan results in SARIF format

All artifacts are signed with the same private key and can be verified using the corresponding public key.

Prerequisites

You’ll need the following tools installed:
  • cosign - for signature and attestation verification
  • jq - for JSON parsing and analysis
  • curl - for downloading artifacts (optional)

Signature Verification

Basic Verification

Verify an image signature using the public key:
# Verify signature (skip transparency log for private registries)
cosign verify --key cosign.key.pub --insecure-ignore-tlog \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1

With TLS Verification Disabled

For registries with self-signed certificates (this only relaxes TLS verification of the registry connection; the signature itself is still checked against the public key):
cosign verify --key cosign.key.pub --insecure-ignore-tlog --allow-insecure-registry \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
Expected output:
[{
  "critical": {
    "identity": {
      "docker-reference": "abyvtgonprm27.azurecr.io/vantage-installer"
    },
    "image": {
      "docker-manifest-digest": "sha256:a4190ad9d5289d7ad2d02d05749c10713a7aac217e8010b5e4ef15161b181c94"
    },
    "type": "cosign container image signature"
  }
}]

Attestation Verification

SPDX SBOM Attestation

Verify the SPDX Software Bill of Materials attestation:
# Verify SPDX attestation
cosign verify-attestation --key cosign.key.pub --type spdx --insecure-ignore-tlog \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1

Vulnerability Scan Attestation

Verify the vulnerability scan attestation:
# Verify vulnerability scan attestation
cosign verify-attestation --key cosign.key.pub --type vuln --insecure-ignore-tlog \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1

Retrieving Attestation Data

Download SPDX SBOM

Extract the SPDX SBOM from the attestation (cosign download attestation performs no signature check, so run the verify-attestation step above first):
# Download and extract SPDX SBOM
cosign download attestation --predicate-type spdx \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1 | \
  jq -r '.payload' | base64 -d | jq -r '.predicate' > sbom.json

Download Vulnerability Scan

Extract the vulnerability scan results:
# Download and extract vulnerability scan
cosign download attestation --predicate-type vuln \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1 | \
  jq -r '.payload' | base64 -d | jq -r '.predicate' > vuln-scan.sarif
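The jq pipelines above take the predicate out of the downloaded envelope without checking what the statement is about. The following added example (not part of the original page or the vantage-packager project) does the same decoding in Python but also checks the DSSE payloadType, the in-toto predicateType and that the statement's subject digest is the one `cosign verify` reported; the envelope contents and predicate bodies are constructed stand-ins, and the predicate-type URIs are the ones cosign attaches for --type spdx and --type vuln.

```python
import base64
import json

# Constructed stand-ins: the digest is the one `cosign verify` printed above;
# the predicate-type URIs are the ones cosign attaches for --type spdx / vuln.
EXPECTED_DIGEST = "sha256:a4190ad9d5289d7ad2d02d05749c10713a7aac217e8010b5e4ef15161b181c94"
PREDICATE_TYPES = {"spdx": "https://spdx.dev/Document",
                   "vuln": "https://cosign.sigstore.dev/attestation/vuln/v1"}

def build_sample_envelope(kind):
    """Constructed DSSE envelope shaped like `cosign download attestation` output."""
    predicate = ({"spdxVersion": "SPDX-2.3", "packages": [{"name": "openssl"}]}
                 if kind == "spdx" else {"scanner": {"name": "trivy"}})
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": PREDICATE_TYPES[kind],
                 "subject": [{"name": "abyvtgonprm27.azurecr.io/vantage-installer",
                              "digest": {"sha256": EXPECTED_DIGEST.split(":")[1]}}],
                 "predicate": predicate}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload,
            "signatures": [{"keyid": "", "sig": "<signature bytes omitted>"}]}

# One envelope per line, as printed when the image carries both attestations.
SAMPLE_OUTPUT = "\n".join(json.dumps(build_sample_envelope(k)) for k in ("spdx", "vuln"))

def extract_predicate(envelope, expected_type, expected_digest):
    """Return the predicate only if the statement is of the requested type and
    its subject is the image digest that `cosign verify` reported."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    want = PREDICATE_TYPES[expected_type]
    if statement.get("predicateType") != want:
        raise ValueError("predicateType %r, wanted %r" % (statement.get("predicateType"), want))
    algo, digest = expected_digest.split(":", 1)
    if not any(s.get("digest", {}).get(algo) == digest for s in statement.get("subject", [])):
        raise ValueError("no subject matches %s" % expected_digest)
    return statement["predicate"]

def predicates_from_download(output, expected_type, expected_digest):
    """Filter download output (one envelope per line) to predicates passing the checks."""
    found = []
    for line in output.splitlines():
        try:
            found.append(extract_predicate(json.loads(line), expected_type, expected_digest))
        except (ValueError, KeyError, AttributeError):  # other types, bad lines, wrong subject
            continue
    return found
```

Feed it the raw output of `cosign download attestation` together with the docker-manifest-digest from the verification step; anything not made about that exact digest is dropped rather than written to sbom.json.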

Analyzing SPDX SBOM Data

Basic SBOM Information

# View SBOM metadata
jq '{
  name: .name,
  spdxVersion: .spdxVersion,
  creationInfo: .creationInfo,
  packageCount: (.packages | length)
}' sbom.json

List All Packages

# List all packages with versions
jq -r '.packages[] | "\(.name) \(.versionInfo // "unknown")"' sbom.json | sort

Find Packages with Known Vulnerabilities

# List packages carrying CPE identifiers (the keys vulnerability databases are matched on)
# and print every CPE locator, not just the first external reference
jq -r '.packages[] | select(any(.externalRefs[]?; .referenceType == "cpe23Type")) |
  "\(.name) \(.versionInfo // "unknown") - \([.externalRefs[] |
    select(.referenceType == "cpe23Type") | .referenceLocator] | join(", "))"' sbom.json

License Information

# Show packages with declared licenses (packages with no licenseDeclared field are skipped)
jq -r '.packages[] | select((.licenseDeclared // "NOASSERTION") != "NOASSERTION") |
  "\(.name): \(.licenseDeclared)"' sbom.json

Analyzing Vulnerability Scan Data

Basic Scan Information

# View scan metadata
jq '{
  version: .version,
  tool: .runs[0].tool.driver.name,
  toolVersion: .runs[0].tool.driver.version,
  resultCount: (.runs[0].results | length)
}' vuln-scan.sarif

List Vulnerabilities

# List all vulnerabilities found
jq -r '.runs[0].results[] |
  "\(.ruleId) - \(.level // "unknown") - \(.message.text)"' vuln-scan.sarif

High Severity Vulnerabilities

# Show only high severity vulnerabilities
jq -r '.runs[0].results[] | select(.level == "error") |
  "\(.ruleId): \(.message.text)"' vuln-scan.sarif
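The jq filters above treat a missing `level` as "unknown" and select only results with an explicit `level` of "error". In SARIF 2.1.0 a failing result that omits `level` inherits its rule's defaultConfiguration.level (falling back to "warning"), so those filters can under-count. The following added example (not from the original page or the vantage-packager project) resolves the effective level that way and builds an admission gate on it; the SARIF document, scanner name and rule ids are constructed placeholders.

```python
import json

# Constructed SARIF fragment shaped like vuln-scan.sarif above: a rules table
# with default levels, and results that sometimes omit `level` (placeholder ids).
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-scanner", "version": "0.0", "rules": [
      {"id": "CVE-PLACEHOLDER-1", "defaultConfiguration": {"level": "error"}},
      {"id": "CVE-PLACEHOLDER-2", "defaultConfiguration": {"level": "warning"}},
      {"id": "CVE-PLACEHOLDER-3"}]}},
    "results": [
      {"ruleId": "CVE-PLACEHOLDER-1", "message": {"text": "libfoo 1.0 (constructed)"}},
      {"ruleId": "CVE-PLACEHOLDER-2", "level": "error", "message": {"text": "libbar 2.1 (constructed)"}},
      {"ruleId": "CVE-PLACEHOLDER-3", "message": {"text": "libbaz 3.2 (constructed)"}},
      {"ruleId": "CVE-PLACEHOLDER-1", "kind": "pass", "message": {"text": "fixed in image"}}]
  }]
}""")

def effective_level(result, rules_by_id):
    """SARIF 2.1.0 semantics: an explicit `level` wins; a failing result without
    one inherits the rule's defaultConfiguration.level, else "warning"; results
    whose kind is not "fail" (pass, informational, ...) carry no severity."""
    if result.get("kind", "fail") != "fail":
        return "none"
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def summarize(sarif):
    """Return (counts per effective level, list of error-level findings)."""
    run = sarif["runs"][0]
    rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
    counts, errors = {}, []
    for res in run.get("results", []):
        level = effective_level(res, rules)
        counts[level] = counts.get(level, 0) + 1
        if level == "error":
            errors.append("%s: %s" % (res.get("ruleId"), res["message"]["text"]))
    return counts, errors

def should_block(sarif, blocking_levels=("error",)):
    """Admission gate: True when any failing result resolves to a blocking level."""
    counts, _ = summarize(sarif)
    return any(counts.get(level, 0) > 0 for level in blocking_levels)
```

On the constructed input the page's `select(.level == "error")` filter would report one finding; the resolved view reports two, because the first result inherits "error" from its rule.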

SBOM Visualization Tools

CLI Tools

CycloneDX SBOM Utility

Install and use the CycloneDX SBOM utility for advanced analysis:
# Install sbom-utility (if available)
go install github.com/CycloneDX/sbom-utility@latest

# Validate SPDX SBOM
sbom-utility validate --input-file sbom.json

# Generate component report
sbom-utility query --input-file sbom.json --select "name,version" --from "packages"

Custom Analysis with jq

# Flat name@version (supplier) listing of all packages (SPDX relationships are not walked here)
jq -r '.packages[] |
  select(.name != null) |
  "\(.name)@\(.versionInfo // "unknown") (\(.supplier // "unknown"))"' sbom.json |
  sort | uniq

Web-based Visualization

SBOM.sh Online Viewer

  1. Visit https://sbom.sh/
  2. Upload your sbom.json file
  3. Explore the interactive component and dependency visualization

Artifact Reference Discovery

Find Signature Artifacts

# Find signature artifact reference
cosign triangulate --type signature \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1

Find Attestation Artifacts

# Find attestation artifact reference
cosign triangulate --type attestation \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1