About
Virtru publishes a Software Bill of Materials (SBOM) for the latest releases of the Customer Key Server, the Client Side Encryption Server, and the Data Protection Gateway. The SBOM is provided as SPDX JSON, generated from the container image with Syft. It is attached to the image as a signed attestation, so it can be verified against Virtru's public key and is cryptographically protected against tampering.
Install Steps
To download the SBOM for a given Virtru container image, follow the steps below:
- Install the Cosign CLI
- Save the Virtru public key to a new file:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4Ym5UdrxvXGtlV+yx208z7Ovc62b
jbSdZpLnGh2k+8Kr55UD8fC8ZwdEPzDPiJKc+Z+BQYu9Acz+ybIbYJw6Dg==
-----END PUBLIC KEY-----
- Use the Cosign CLI to verify the attestation against that key and extract the SBOM from it, for example for the latest Virtru Gateway container image
- This command pipes the verified attestation through jq, so you may need to install the jq command-line tool on your machine before running it
After execution, you should find the SPDX file sbom.json in the directory where you ran the command. The same command can be run against any Virtru container image reference, depending on which Virtru product you use.
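The page does not reproduce the command itself, so the following is an added example, not Virtru's or Sigstore's own code. It assumes the verification step is `cosign verify-attestation --key virtru.pub --type spdxjson <image>` (with `virtru.pub` being whatever file name you gave the key above); cosign prints one verified DSSE envelope per line, each carrying a base64-encoded in-toto statement whose `predicate` is the SPDX document. The page's command extracts that predicate with jq; this script does the same extraction in Python and adds the check a practitioner wants: it skips attestations of other types (for instance SLSA provenance) and refuses an SBOM whose subject digest is not the image digest you asked for. The image name, digest and SPDX content in the sample are constructed placeholders, not real Virtru data.

```python
"""Extract the SPDX SBOM from verified cosign attestation envelopes.

Added example (not Virtru's or cosign's code). Reads the output of
`cosign verify-attestation --key virtru.pub --type spdxjson IMAGE` on stdin
and writes the SPDX predicate to sbom.json.
"""
import base64
import json
import sys

# predicateType cosign attaches for `--type spdxjson`, and the in-toto
# statement types seen in practice (v0.1 from older cosign, v1 from newer)
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
INTOTO_STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1",
                          "https://in-toto.io/Statement/v1"}


def decode_envelope(line):
    """Decode one DSSE envelope line into its in-toto statement (a dict).

    Only the envelope structure is checked here: the entries in `signatures`
    were already verified by `cosign verify-attestation` against the public
    key. Never feed this the unverified output of `cosign download attestation`.
    """
    envelope = json.loads(line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") not in INTOTO_STATEMENT_TYPES:
        raise ValueError("not an in-toto statement: %r" % statement.get("_type"))
    return statement


def extract_sbom(lines, expected_digest=None):
    """Return the SPDX document from the first matching attestation.

    Envelopes with another predicateType (e.g. SLSA provenance) are skipped.
    If expected_digest (hex sha256 of the image manifest) is given, the
    statement must list it as a subject, so an SBOM that was attached to a
    different image is refused instead of silently accepted.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        statement = decode_envelope(line)
        if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
            continue
        if expected_digest is not None:
            digests = {s.get("digest", {}).get("sha256")
                       for s in statement.get("subject", [])}
            if expected_digest not in digests:
                continue
        return statement["predicate"]
    raise LookupError("no SPDX attestation found for the requested image")


def write_sbom(predicate, path="sbom.json"):
    """Write the SPDX document as pretty-printed JSON; return bytes written."""
    data = json.dumps(predicate, indent=2).encode()
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


# --- constructed sample standing in for cosign's output (hypothetical image) ---
SAMPLE_DIGEST = "a" * 64  # placeholder image digest, not a real one


def _envelope(statement):
    """Wrap a statement the way a DSSE envelope does (placeholder signature)."""
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
    })


SAMPLE_LINES = [
    # a provenance attestation on the same image, which must be skipped
    _envelope({"_type": "https://in-toto.io/Statement/v0.1",
               "predicateType": "https://slsa.dev/provenance/v0.2",
               "subject": [{"name": "example.test/gateway",
                            "digest": {"sha256": SAMPLE_DIGEST}}],
               "predicate": {}}),
    # the SPDX SBOM we want
    _envelope({"_type": "https://in-toto.io/Statement/v0.1",
               "predicateType": SPDX_PREDICATE_TYPE,
               "subject": [{"name": "example.test/gateway",
                            "digest": {"sha256": SAMPLE_DIGEST}}],
               "predicate": {"spdxVersion": "SPDX-2.3",
                             "SPDXID": "SPDXRef-DOCUMENT",
                             "name": "example.test/gateway",
                             "packages": [{"name": "openssl",
                                           "versionInfo": "3.0.2",
                                           "SPDXID": "SPDXRef-Package-openssl"}]}}),
]

if __name__ == "__main__":
    # usage: cosign verify-attestation --key virtru.pub --type spdxjson IMAGE \
    #          | python3 extract_sbom.py [EXPECTED_SHA256_DIGEST]
    wanted = sys.argv[1] if len(sys.argv) > 1 else None
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    print("wrote %d bytes to sbom.json" % write_sbom(extract_sbom(source, wanted)))
```

Pass the digest you actually pulled (for example from `docker inspect` or `crane digest`) as the optional argument; a tag such as `latest` can move between runs, and matching the subject digest is what ties the SBOM to the exact image you are running rather than to whatever the tag pointed at when the attestation was fetched.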