For those unfamiliar with ko, it “is a simple, fast container image builder for Go applications;” its objective is to enable developers to stop worrying about containers, and focus on their application. The philosophy of ko aligns with our mission at Chainguard: to make the software supply chain secure by default. We aim to achieve this shared mission by making adoption of best practices the easy default way.
One of the emerging best practices in software supply chain security right now is the Software Bill of Materials (aka SBOM), which captures the set of materials (e.g. dependencies) that were used to produce a particular piece of software (e.g. a container image). The latest release of ko embraces this best practice and automatically produces an SBOM for your Go application:
You can also use the Kubernetes project’s bom tool to explore the downloaded SBOM:
If you are using ko’s multi-arch functionality, you will get an SBOM for each architecture:
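A small consumer-side check, added here as an example and not code from this post or the ko project: it assumes the image's SBOM has already been saved to a file as SPDX tag-value text (for instance via `cosign download sbom IMAGE > sbom.spdx`, since ko attaches the SBOM to the image) and runs offline against a constructed sample; the module names and versions in the sample are made up.

```shell
#!/bin/sh
# Added example: verify that an SBOM produced for a ko-built image actually
# lists the Go modules you expect before trusting or shipping the image.
# For a multi-arch build, run the same check once per per-architecture SBOM.

# Constructed SPDX tag-value sample (not real ko output); names and
# versions are placeholders.
SAMPLE_SBOM='SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: github.com/example/app
Creator: Tool: ko
##### Package representing the main Go module
PackageName: github.com/example/app
SPDXID: SPDXRef-Package-github.com-example-app
PackageVersion: v1.2.0
##### Dependencies pulled in from go.mod
PackageName: golang.org/x/crypto
PackageVersion: v0.0.0-20210101000000-000000000000
PackageName: github.com/spf13/cobra
PackageVersion: v1.2.1
'

# Print "<module> <version>" for every package in an SPDX tag-value SBOM
# read from stdin. PackageVersion always follows its PackageName in SPDX.
sbom_packages() {
  awk '
    /^PackageName:/    { name = $2 }
    /^PackageVersion:/ { print name, $2 }
  '
}

# Count the packages recorded in the SBOM on stdin.
sbom_package_count() {
  sbom_packages | awk 'END { print NR }'
}

# Exit 0 if the SBOM on stdin lists the given module, non-zero otherwise.
# Useful as a CI gate: fail the pipeline when an expected module is missing.
sbom_has_module() {
  sbom_packages | awk -v mod="$1" '$1 == mod { found = 1 } END { exit !found }'
}

# Stand-alone usage on the constructed sample:
printf '%s' "$SAMPLE_SBOM" | sbom_packages
printf '%s' "$SAMPLE_SBOM" | sbom_has_module github.com/example/app \
  && echo "main module present in SBOM"
```

Replace `SAMPLE_SBOM` with the file fetched from the registry to run this against a real image.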
Finally, this blog post would not be complete without a shout-out to the folks that help make ko possible: Jon Johnson, Jason Hall, and the many folks that have contributed to ko over the years. THANK YOU.