OpenShift Request For Enhancement: RFE-8238

Mirror Red Hat image SBOMs when mirroring images for disconnected environments

    • Feature Request
    • Resolution: Unresolved
    • oc-mirror
    • Product / Portfolio Work

      We're producing SBOMs associated with all container images in registry.redhat.io.
      We want ACS to start using those when it does vulnerability reporting.
      But, if customers don't mirror those SBOMs to their registries when they mirror our images, then ACS won't be able to reach them.

      So, the RFE is to please also mirror the SBOMs.

      You can inspect SBOM content with the `cosign` command:

      # An arch-specific SBOM
      cosign download sbom --platform linux/amd64 registry.redhat.io/ubi9/ubi:latest
      # A multi-arch image-index SBOM
      cosign download sbom registry.redhat.io/ubi9/ubi:latest
      

      Technical detail: the SBOMs are discoverable using the algorithm implemented by `cosign triangulate` which takes the digest of the image in question and constructs a tag from that digest with the suffix ".sbom".

      cosign triangulate --type sbom registry.redhat.io/ubi9/ubi:latest 2> /dev/null
      registry.redhat.io/ubi9/ubi:sha256-dbc1e98d14a022542e45b5f22e0206d3f86b5bdf237b58ee7170c9ddd1b3a283.sbom
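As an added example (not cosign's or oc-mirror's own code), here is the tag derivation described above written out in Go, together with the two copies a mirror tool would have to make per image so the SBOM stays reachable in the mirror; the function names, the digest validation and the mirror host are assumptions:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`) // digest form shown above

// SBOMTag derives the tag cosign triangulate looks for: ":" becomes "-", then ".sbom".
func SBOMTag(digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", fmt.Errorf("unsupported digest %q, want sha256:<64 hex>", digest)
	}
	return strings.Replace(digest, ":", "-", 1) + ".sbom", nil
}

// repository strips any tag/digest from a reference; ":" is a tag separator only after the last "/" (so registry ports survive).
func repository(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if c := strings.LastIndex(ref, ":"); c > strings.LastIndex(ref, "/") {
		ref = ref[:c]
	}
	return ref
}

// MirrorWithSBOM lists the {source, destination} copies a mirror tool needs so ACS
// can still find the SBOM: the image by digest, then the .sbom tag from that digest.
func MirrorWithSBOM(srcRef, digest, dstRepo string) ([][2]string, error) {
	tag, err := SBOMTag(digest)
	if err != nil {
		return nil, err
	}
	src := repository(srcRef)
	return [][2]string{{src + "@" + digest, dstRepo + "@" + digest},
		{src + ":" + tag, dstRepo + ":" + tag}}, nil
}

func main() { // constructed sample: the digest shown above, hypothetical mirror host
	copies, err := MirrorWithSBOM("registry.redhat.io/ubi9/ubi:latest",
		"sha256:dbc1e98d14a022542e45b5f22e0206d3f86b5bdf237b58ee7170c9ddd1b3a283",
		"mirror.example.internal/ubi9/ubi")
	if err != nil {
		panic(err)
	}
	fmt.Println(copies)
}
```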
      

      We eventually want to start publishing these using the OCI 1.1 distribution spec's "Referrers API". Even though we don't publish SBOMs in a way that can be discovered via the API, the most future-proof way to implement this is using that API.

      NOTE: the details of this (above) will change once KONFLUX-4134 goes live.

              rhn-support-mkalinin Marina Kalinin
              ralphjbean Ralph Bean