slsactl is a Command Line Interface (CLI) tool that provides a consolidated
experience for handling supply chain aspects of projects across the Rancher
ecosystem.
go install github.com/rancherlabs/slsactl@latest
The provenance data can be extracted from an image with the commands below. Note that the image must have been built with a provenance layer baked into it.
slsactl download provenance rancher/cis-operator:v1.0.15
slsactl download provenance --format=slsav1 rancher/cis-operator:v1.0.15
By default, the returned provenance will be for linux/amd64, if one exists.
To select a different platform use --platform.
The latest container images have baked into them a layer containing their SPDX SBOM, which can be extracted with:
slsactl download sbom rancher/cis-operator:v1.0.15
If CycloneDX is required instead:
slsactl download sbom -format cyclonedxjson rancher/cis-operator:v1.0.15
By default, the returned SBOM will be for linux/amd64, if one exists.
To select a different platform use --platform.
Note that for images that do not have an SBOM layer attached to them, the same command will generate an SBOM manifest on demand, which will take longer. For example:
slsactl download sbom rancher/rancher:v2.8.1
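As an added example (not part of slsactl or its documentation), the Python code below reads either SBOM format mentioned above, SPDX JSON or CycloneDX JSON, and normalises it into (name, version, purl) rows so a specific dependency can be looked up. The sample documents are constructed, the names components and find are hypothetical, and it assumes the SBOM has been saved to a file as JSON.

```python
import json
import sys

# Constructed sample documents, trimmed to the fields read below.
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "golang.org/x/crypto", "versionInfo": "v0.17.0", "externalRefs": [
        {"referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:golang:crypto:v0.17.0:*:*:*:*:*:*:*"},
        {"referenceType": "purl",
         "referenceLocator": "pkg:golang/golang.org/x/crypto@v0.17.0"}]},
    {"name": "busybox"},  # no version and no purl: still reported
]})
CDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "golang.org/x/crypto", "version": "v0.17.0",
     "purl": "pkg:golang/golang.org/x/crypto@v0.17.0"},
]})


def components(sbom_text):
    """Return sorted (name, version, purl) tuples from SPDX or CycloneDX JSON."""
    doc = json.loads(sbom_text)
    rows = set()
    if "spdxVersion" in doc:
        for pkg in doc.get("packages", []):
            # SPDX keeps the package URL in an externalRefs entry of type "purl".
            purl = next((ref.get("referenceLocator") or ""
                         for ref in pkg.get("externalRefs") or []
                         if ref.get("referenceType") == "purl"), "")
            rows.add((pkg.get("name") or "", pkg.get("versionInfo") or "", purl))
    elif doc.get("bomFormat") == "CycloneDX":
        # Only top-level components are read; nested components are not walked.
        for comp in doc.get("components", []):
            rows.add((comp.get("name") or "", comp.get("version") or "",
                      comp.get("purl") or ""))
    else:
        raise ValueError("not an SPDX or CycloneDX JSON document")
    return sorted(rows)


def find(sbom_text, name):
    """Versions of the exactly named package that appear in the SBOM."""
    return [version for n, version, _ in components(sbom_text) if n == name]


if __name__ == "__main__":
    # Pass the path of a saved SBOM, or run with no argument to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SPDX_SAMPLE
    for row in components(text):
        print("\t".join(row))
```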
The cosign verification of Rancher Prime images can be done with:
slsactl verify <prime_image>:<tag>
Copyright (c) 2014-2024 Rancher Labs, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.