
Attestations

SecureBuild produces build attestations for the images it builds. Attestations are signed statements (DSSE envelopes) that bind a predicate—such as an SBOM—to the image, so you can verify what is in the image and who produced it.

What’s in an attestation

Each attestation is a DSSE (Dead Simple Signing Envelope) that contains a predicate. SecureBuild uses the SPDX SBOM as the predicate type (https://spdx.dev/Document), so the attestation carries the Software Bill of Materials for the image in a signed, verifiable form.

Storage

Attestations are stored as OCI artifacts alongside the image in your registry. They are exposed via the standard OCI referrers API, so any tool that supports OCI artifacts (including Cosign) can discover and fetch them using the image reference.

Downloading an attestation

Use Cosign to download the attestation and inspect the predicate (e.g. the SPDX SBOM):

cosign download attestation \
  --predicate-type=https://spdx.dev/Document \
  <image-ref> | jq -r .payload | base64 -d | jq .predicate

Replace <image-ref> with the full image reference (e.g. <registry-host>/<repo>:<tag>). The example above decodes the payload and runs jq .predicate to print the SBOM JSON.
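The pipeline above prints the predicate but does not check that the statement inside the envelope actually refers to the image you asked about. As an added example (not SecureBuild's or Cosign's code), the following Python script decodes a DSSE envelope of the shape cosign download attestation emits, checks that the payload is an in-toto Statement whose predicateType is https://spdx.dev/Document and whose subject digest matches the image digest you expect, and then lists the packages from the SPDX predicate. The sample envelope, image name, digest and package list are constructed for the example; the signature value is a placeholder because signature verification is left to cosign verify-attestation, which this script does not replace.

```python
import base64
import json
import sys

SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample: an in-toto Statement with a trimmed SPDX document as its
# predicate, wrapped in a DSSE envelope. The image name, digest and packages
# are made up for this example; the signature is a placeholder and is never checked here.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [
        {"name": "registry.example.com/app", "digest": {"sha256": "a" * 64}}
    ],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "registry.example.com/app",
        "packages": [
            {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.13"},
            {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.3.1"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": INTOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
})


def decode_envelope(envelope_json: str) -> dict:
    """Parse a DSSE envelope and return the decoded in-toto Statement.

    Only the envelope structure is checked; the signatures are not verified.
    """
    env = json.loads(envelope_json)
    if env.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    if not env.get("signatures"):
        raise ValueError("envelope carries no signatures")
    return json.loads(base64.b64decode(env["payload"]))


def check_statement(statement: dict, image_digest: str,
                    predicate_type: str = SPDX_PREDICATE_TYPE) -> dict:
    """Return the predicate only if the statement is about the expected image.

    image_digest may be given as 'sha256:<hex>' or as the bare hex string.
    """
    if statement.get("predicateType") != predicate_type:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    want = image_digest.removeprefix("sha256:").lower()
    subject_digests = {
        s.get("digest", {}).get("sha256", "").lower() for s in statement.get("subject", [])
    }
    if want not in subject_digests:
        raise ValueError("attestation subject does not match the expected image digest")
    return statement["predicate"]


def list_packages(sbom: dict) -> list[tuple[str, str]]:
    """Return (name, version) pairs from an SPDX document, sorted by name."""
    return sorted(
        (p.get("name", ""), p.get("versionInfo", "")) for p in sbom.get("packages", [])
    )


if __name__ == "__main__":
    # Usage: cosign download attestation --predicate-type=https://spdx.dev/Document <image-ref> \
    #          | python3 check_attestation.py sha256:<image-digest>
    digest = sys.argv[1] if len(sys.argv) > 1 else "sha256:" + "a" * 64
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENVELOPE
    predicate = check_statement(decode_envelope(raw), digest)
    for name, version in list_packages(predicate):
        print(f"{name} {version}")
```

The digest to compare against should come from the registry (for example the digest the image tag resolves to), not from the attestation itself; the value of the check is that the attestation's subject and the image you are about to run agree.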

Verifying an attestation

To verify that an attestation was produced by SecureBuild and matches the image, use cosign verify-attestation with the same predicate type. For keyless verification you must pass --certificate-oidc-issuer and --certificate-identity; for key-based verification use --key. The exact values and commands for your environment are available in the SecureBuild dashboard for each image.

cosign verify-attestation \
  --type https://spdx.dev/Document \
  --certificate-oidc-issuer=<issuer> \
  --certificate-identity=<identity> \
  <image-ref>

For image signing and verification (without attestations), see the Image Signing and Attestations sections of Supply Chain Security.
