Image Annotations & Attestations #322

Merged: 8 commits merged into main from attestations-2 on Aug 11, 2025

Conversation

rkistner
Contributor

@rkistner rkistner commented Aug 11, 2025

This adds annotations and attestations to the built Docker image.

The world of attestations/SBOM/provenance is confusing. What this does:

  1. Pre-scans the built image using Syft, as part of Docker buildx.
    1. This generates and uploads a Software Bill of Materials (SBOM) file.
    2. This includes npm packages in the service, npm packages in the base image, and deb packages in the base image.
    3. This can be used to scan for vulnerabilities, for example using grype, as an alternative to scanning the image directly.
    4. This can be used to generate a list of dependencies with their licenses.
  2. This adds some basic labels and annotations.

Docker Scout does automatic vulnerability analysis after the image is pushed, but this is not visible publicly.

A separate PR fixes some dependency and metadata issues: #320, reducing the number of reported vulnerabilities.

Annotations

Annotations just contain basic data such as service version, license and other metadata.

docker buildx imagetools inspect journeyapps/powersync-service:0.0.0-dev-20250811142346 --raw

Example output:

  "annotations": {
    "org.opencontainers.image.created": "2025-08-11T14:23:48.739Z",
    "org.opencontainers.image.description": "PowerSync Service is the server-side component of the PowerSync sync engine.",
    "org.opencontainers.image.licenses": "FSL-1.1-ALv2",
    "org.opencontainers.image.revision": "86dca00cd5337134330c41d831050dc2d2c45f9c",
    "org.opencontainers.image.source": "https://github.com/powersync-ja/powersync-service",
    "org.opencontainers.image.title": "powersync-service",
    "org.opencontainers.image.url": "https://github.com/powersync-ja/powersync-service",
    "org.opencontainers.image.vendor": "Journey Mobile, Inc",
    "org.opencontainers.image.version": "0.0.0-dev-20250811142346"
  }

Note that annotations are separately added to the manifest and the index. For viewing the manifest annotations, see:
https://docs.docker.com/build/metadata/annotations/#inspect-annotations

SBOM

This gives the SBOM in SPDX format. This can be used for vulnerability scanning and viewing licenses of all dependencies.

docker buildx imagetools inspect journeyapps/powersync-service:0.0.0-dev-20250811142346 --format "{{ json .SBOM }}" | jq '.["linux/amd64"].SPDX' > spdx.json
# Analyze for vulnerabilities:
grype sbom:spdx.json

View the dependencies and licenses using: https://apps.rancher.io/sbom-viewer

Or with jq:

jq -r '
  (["package","version","license"] | @tsv),
  ((.packages // .predicate.packages // [])[]
    | [ .name,
        (.versionInfo // ""),
        # licenseDeclared first; otherwise the file-level licenses joined.
        # An empty join is dropped by select so that "NOASSERTION" applies
        # (in jq, "" is truthy and would otherwise win the // chain).
        (.licenseDeclared
          // ((.licenseInfoFromFiles // []) | join(" AND ") | select(length > 0))
          // "NOASSERTION")
      ]
    | @tsv)
' spdx.json

Provenance data

This describes how the image was built, including the repo, revision, and individual steps.

This is included by default, this PR just makes it explicit.

docker buildx imagetools inspect journeyapps/powersync-service:0.0.0-dev-20250811142346 --format "{{ json .Provenance }}" | jq '.["linux/amd64"].SLSA.builder'
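The annotation and SBOM inspection steps above are interactive. As an added example (not code from the powersync-service project), the following script performs the same two checks offline, without Docker: it validates that the OCI annotations needed to pin an image to a source revision are present and well-formed, and it extracts the package/version/license rows from an SPDX document the way the jq pipeline does, including the NOASSERTION fallback. The annotation values are copied from the PR's example output; the SPDX fragment is constructed to cover the three license cases (declared, file-level only, none). The required-annotation list and the `https://` and 40-hex-SHA rules are this example's own policy assumptions, not something the project enforces.

```python
"""Offline checks over OCI image annotations and an SPDX SBOM.

Added example, not from the powersync-service project. It assumes:
- an annotations document shaped like the `imagetools inspect --raw` output, and
- an SPDX JSON document with a `packages` list, either top-level or under
  `.predicate` (the same two locations the jq script tries).
"""
import json
import re

# Constructed sample: the annotation values quoted in the PR description.
ANNOTATIONS_JSON = """{
  "annotations": {
    "org.opencontainers.image.created": "2025-08-11T14:23:48.739Z",
    "org.opencontainers.image.description": "PowerSync Service is the server-side component of the PowerSync sync engine.",
    "org.opencontainers.image.licenses": "FSL-1.1-ALv2",
    "org.opencontainers.image.revision": "86dca00cd5337134330c41d831050dc2d2c45f9c",
    "org.opencontainers.image.source": "https://github.com/powersync-ja/powersync-service",
    "org.opencontainers.image.title": "powersync-service",
    "org.opencontainers.image.url": "https://github.com/powersync-ja/powersync-service",
    "org.opencontainers.image.vendor": "Journey Mobile, Inc",
    "org.opencontainers.image.version": "0.0.0-dev-20250811142346"
  }
}"""

# Constructed sample SPDX fragment: one package with a declared license, one with
# only file-level license info, and one with no license information at all.
SPDX_JSON = """{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"name": "express", "versionInfo": "4.19.2", "licenseDeclared": "MIT"},
    {"name": "libc6", "versionInfo": "2.36-9+deb12u4",
     "licenseInfoFromFiles": ["LGPL-2.1-only", "GPL-2.0-only"]},
    {"name": "internal-tool", "versionInfo": "1.0.0"}
  ]
}"""

# Policy assumption of this example: annotations a consumer needs to tie the
# image back to a specific source revision and to know its license.
REQUIRED_ANNOTATIONS = (
    "org.opencontainers.image.created",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.source",
    "org.opencontainers.image.version",
    "org.opencontainers.image.licenses",
)


def _as_doc(data):
    """Accept either parsed JSON or the raw text from `imagetools inspect`."""
    return json.loads(data) if isinstance(data, (str, bytes)) else data


def check_annotations(data):
    """Return a list of problems found in the annotations; empty means they pass."""
    ann = _as_doc(data).get("annotations") or {}
    problems = [f"missing {key}" for key in REQUIRED_ANNOTATIONS if not ann.get(key)]
    revision = ann.get("org.opencontainers.image.revision", "")
    # Require a full 40-hex git SHA: an abbreviated SHA or branch name cannot be pinned.
    if revision and not re.fullmatch(r"[0-9a-f]{40}", revision):
        problems.append("revision is not a full git commit SHA")
    source = ann.get("org.opencontainers.image.source", "")
    if source and not source.startswith("https://"):
        problems.append("source is not an https URL")
    return problems


def sbom_rows(data):
    """(name, version, license) per package, mirroring the jq pipeline, with
    NOASSERTION when neither licenseDeclared nor licenseInfoFromFiles is set."""
    sbom = _as_doc(data)
    packages = sbom.get("packages") or (sbom.get("predicate") or {}).get("packages") or []
    rows = []
    for pkg in packages:
        license_ = pkg.get("licenseDeclared")
        if not license_:
            license_ = " AND ".join(pkg.get("licenseInfoFromFiles") or []) or "NOASSERTION"
        rows.append((pkg.get("name", ""), pkg.get("versionInfo", ""), license_))
    return rows


def unlicensed(rows):
    """Names of packages whose license could not be determined (manual review candidates)."""
    return [name for name, _, lic in rows if lic == "NOASSERTION"]


def to_tsv(rows):
    """Render rows in the same TSV layout the jq script prints."""
    return "\n".join(["package\tversion\tlicense"] + ["\t".join(r) for r in rows])


if __name__ == "__main__":
    print(check_annotations(ANNOTATIONS_JSON) or "annotations OK")
    rows = sbom_rows(SPDX_JSON)
    print(to_tsv(rows))
    print("no license info:", unlicensed(rows))
```

To run this against a real image, replace the two constants with the output of the `--raw` and `--format "{{ json .SBOM }}"` commands above; the functions accept the raw JSON text directly.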


changeset-bot bot commented Aug 11, 2025

🦋 Changeset detected

Latest commit: 86dca00

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages
Name Type
@powersync/service-image Patch
@powersync/service-core Patch
@powersync/service-schema Patch
@powersync/service-core-tests Patch
@powersync/service-module-core Patch
@powersync/service-module-mongodb-storage Patch
@powersync/service-module-mongodb Patch
@powersync/service-module-mysql Patch
@powersync/service-module-postgres-storage Patch
@powersync/service-module-postgres Patch
test-client Patch


@rkistner rkistner marked this pull request as ready for review August 11, 2025 14:38
@rkistner rkistner merged commit c44e5bb into main Aug 11, 2025
22 checks passed
@rkistner rkistner deleted the attestations-2 branch August 11, 2025 14:48