{"id":"0fe680fb-5d8b-4646-a8c8-9474d7473ba5","task":"Attach a signed SBOM as a cosign attestation to an OCI image and verify the attestation in a downstream deployment step","domain":"security/compliance","steps":["Generate a CycloneDX SBOM for the built image and save it to a file, e.g. syft <image> -o cyclonedx-json > sbom.cdx.json or trivy image --format cyclonedx --output sbom.cdx.json <image>.","Run cosign attest --predicate sbom.cdx.json --type cyclonedx <registry/repo@sha256:...> against the image digest reference, never a tag. With keyless signing cosign takes its identity from the CI provider's ambient OIDC token (on GitHub Actions the job needs the id-token: write permission) and records the short-lived signing certificate in the Rekor transparency log.","Confirm the attestation was stored by running cosign verify-attestation --type cyclonedx <registry/repo@sha256:...> (with cosign 2.x keyless verification this already requires the --certificate-identity and --certificate-oidc-issuer flags, or their -regexp variants). cosign prints one DSSE envelope per matching attestation; the in-toto statement is base64 in .payload, so inspect the SBOM with jq -r .payload | base64 -d | jq .predicate.","In the downstream deployment gate, run cosign verify-attestation with --certificate-identity set to the expected workflow identity (for GitHub Actions: https://github.com/<org>/<repo>/.github/workflows/<workflow>.yml@refs/heads/<branch>) and --certificate-oidc-issuer set to the provider's issuer (https://token.actions.githubusercontent.com), so that only attestations produced by that CI workflow are accepted; a mismatch fails the command and must fail the deploy.","Optionally feed the verified predicate to a policy engine to enforce component or license rules, e.g. cosign verify-attestation ... | jq -r .payload | base64 -d | jq .predicate | opa eval --stdin-input --data policy.rego 'data.sbom.deny'; gate on a non-empty deny set."],"gotchas":["cosign attest must target a digest reference, not a tag; cosign resolves a tag to a digest at attest time, so if the tag is moved between the build and attest steps the attestation ends up on a different image than the one you built.","Attestations stored in the OCI registry are not automatically included in image pulls; consumers must explicitly run cosign verify-attestation to retrieve and verify them, and the deployment gate must fail closed when none is found.","The predicate type must match between attest and verify-attestation calls. For --type cyclonedx, cosign 2.x records the predicateType https://cyclonedx.org/bom in the in-toto statement; confirm the exact string for your cosign version before hard-coding it in a policy."],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:15.651Z"},"url":"https://mcp.waymark.network/r/0fe680fb-5d8b-4646-a8c8-9474d7473ba5"}
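The deployment-gate side of the procedure above (steps 4 and 5 and the predicate-type gotcha), as an added example that is not part of the original record and not cosign's own code. It consumes the DSSE envelope that `cosign verify-attestation --type cyclonedx --certificate-identity ... --certificate-oidc-issuer ... registry/repo@sha256:...` prints after it has already checked the signature and certificate identity, and re-checks what cosign does not police for you: that the in-toto statement's predicateType is the one you asked for, that its subject digest is the digest you are about to deploy, and that the CycloneDX components satisfy a license and deny-list policy. The registry name, image digest, component names, license policy and the placeholder signature are all constructed sample data; the predicateType URI is what cosign 2.x uses for `--type cyclonedx` and is parameterised so it can be adjusted per version.

```python
"""Offline policy gate over a cosign CycloneDX attestation envelope (added example)."""
import base64
import json

# predicateType cosign 2.x records for `--type cyclonedx`; confirm for your version.
CYCLONEDX_PREDICATE_TYPE = "https://cyclonedx.org/bom"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def decode_envelope(envelope_json: str) -> dict:
    """Unwrap one DSSE envelope line as printed by cosign verify-attestation.

    cosign has already verified the signature(s) and the signing identity; this
    only unpacks the base64 in-toto statement and sanity-checks the payload type.
    """
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_statement(statement: dict, image_digest: str, predicate_type: str) -> dict:
    """Bind the statement to the exact image being deployed and to the expected
    attestation type; return the predicate (the SBOM itself)."""
    if statement.get("predicateType") != predicate_type:
        raise ValueError(
            f"predicateType {statement.get('predicateType')!r} != {predicate_type!r}"
        )
    algo, _, hexdigest = image_digest.partition(":")  # "sha256:<hex>"
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get(algo) == hexdigest for s in subjects):
        raise ValueError(f"no attestation subject matches {image_digest}")
    return statement["predicate"]


def component_licenses(component: dict) -> list[str]:
    """CycloneDX allows {license:{id}}, {license:{name}} or {expression} entries."""
    out = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        out.append(lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN")
    return out


def sbom_violations(bom: dict, denied_licenses: set, denied_components: set) -> list[str]:
    """Return policy violations for a CycloneDX BOM; an empty list means pass."""
    if bom.get("bomFormat") != "CycloneDX":
        return [f"not a CycloneDX BOM: bomFormat={bom.get('bomFormat')!r}"]
    violations = []
    for c in bom.get("components", []):
        ident = f"{c.get('name')}@{c.get('version')}"
        if c.get("name") in denied_components:
            violations.append(f"{ident}: component is denied")
        for lic in component_licenses(c):
            if lic in denied_licenses:
                violations.append(f"{ident}: license {lic} is denied")
    return violations


def gate(envelope_json: str, image_digest: str, denied_licenses: set,
         denied_components: set, predicate_type: str = CYCLONEDX_PREDICATE_TYPE) -> list[str]:
    """Full gate for one envelope: raises ValueError if it is not the attestation
    we expect, otherwise returns the list of policy violations."""
    statement = decode_envelope(envelope_json)
    bom = check_statement(statement, image_digest, predicate_type)
    return sbom_violations(bom, denied_licenses, denied_components)


# ---- constructed sample data: fictitious registry, digest, components, signature ----
IMAGE_DIGEST = "sha256:" + "ab12" * 16
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": CYCLONEDX_PREDICATE_TYPE,
    "subject": [{"name": "registry.example.com/app",
                 "digest": {"sha256": IMAGE_DIGEST.split(":")[1]}}],
    "predicate": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "httpclient", "version": "4.1.0",
             "licenses": [{"license": {"id": "Apache-2.0"}}]},
            {"name": "fancy-crypto", "version": "0.3.0",
             "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
            {"name": "leftpad", "version": "1.0.0", "licenses": [{"expression": "MIT OR ISC"}]},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": INTOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}],  # placeholder, not verified here
})
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}   # hypothetical policy
DENIED_COMPONENTS = {"fancy-crypto"}                   # hypothetical deny-list

if __name__ == "__main__":
    import sys
    # Real use: cosign verify-attestation ... registry/repo@sha256:... | python3 gate.py registry/repo@sha256:...
    use_stdin = len(sys.argv) > 1
    digest = sys.argv[1].split("@", 1)[1] if use_stdin else IMAGE_DIGEST
    lines = sys.stdin.read().splitlines() if use_stdin else [SAMPLE_ENVELOPE]
    problems = []
    for line in lines:
        if line.strip():
            problems += gate(line, digest, DENIED_LICENSES, DENIED_COMPONENTS)
    for p in problems:
        print("DENY", p)
    sys.exit(1 if problems else 0)
```

Run stand-alone it evaluates the embedded sample and exits non-zero because of the GPL-licensed, deny-listed component; fed real cosign output it checks every envelope cosign emits, so a stray attestation of the wrong type or for a different digest fails the gate rather than being silently ignored. Because cosign has already enforced the certificate identity and issuer, this script deliberately does not re-verify the DSSE signature.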