feat(sbom): add support for SPDX attestations #9828

@knqyf263

Description

Add support for reading SPDX 2.3 attestations in DSSE envelope format (in-toto attestation).

Motivation

Currently, Trivy supports CycloneDX attestations but lacks support for SPDX attestations. This feature would enable Trivy to scan SPDX-based SBOMs wrapped in in-toto attestation format.

Proposed Implementation

  • Add FormatAttestSPDXJSON format constant
  • Implement detection logic for DSSE-wrapped SPDX attestations
  • Support https://spdx.dev/Document predicate type
  • Reuse existing SPDX unmarshaling logic

Scope

  • Reading SPDX attestations (generation is out of scope)
  • SPDX 2.3 version support
  • DSSE envelope format following in-toto spec
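The detection and unwrapping step the proposal describes, as an added example in Go (not code from this issue or from Trivy). It assumes the DSSE payloadType `application/vnd.in-toto+json` and the in-toto Statement layout; signature verification and the SPDX unmarshaler that would consume the returned predicate are out of scope, as in the issue.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Identifiers follow the DSSE and in-toto conventions; the predicate type is the one the issue names.
const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	spdxPredicateType = "https://spdx.dev/Document"
)
// dsseEnvelope is the outer DSSE structure. Signatures are carried but NOT verified here.
type dsseEnvelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"` // standard base64 of the in-toto Statement
	Signatures  []json.RawMessage `json:"signatures"`
}
// inTotoStatement keeps the predicate raw so an existing SPDX unmarshaler can consume it unchanged.
type inTotoStatement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
// ExtractSPDXPredicate returns the raw SPDX document inside a DSSE-wrapped in-toto attestation,
// or an error naming the first check that failed (so plain SPDX JSON and other predicates are rejected).
func ExtractSPDXPredicate(raw []byte) (json.RawMessage, error) {
	var env dsseEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("not a JSON DSSE envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not valid base64: %w", err)
	}
	var st inTotoStatement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, fmt.Errorf("payload is not an in-toto statement: %w", err)
	}
	if st.PredicateType != spdxPredicateType {
		return nil, fmt.Errorf("predicateType %q is not SPDX", st.PredicateType)
	}
	// Minimal sanity check before hand-off: an SPDX document must declare spdxVersion.
	var hdr struct{ SPDXVersion string `json:"spdxVersion"` }
	if err := json.Unmarshal(st.Predicate, &hdr); err != nil || hdr.SPDXVersion == "" {
		return nil, fmt.Errorf("predicate does not look like an SPDX document")
	}
	return st.Predicate, nil
}
```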
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)