From 1d2c789231994ceb9005969a159bb23caf64fa33 Mon Sep 17 00:00:00 2001
From: Nils Hanke
Date: Tue, 21 Feb 2023 17:09:26 +0100
Subject: [PATCH] feat: set cosign attest predicate type based on Syft output type

Signed-off-by: Nils Hanke
---
 cmd/syft/cli/attest/attest.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmd/syft/cli/attest/attest.go b/cmd/syft/cli/attest/attest.go
index a4d18236ac2..075a7772582 100644
--- a/cmd/syft/cli/attest/attest.go
+++ b/cmd/syft/cli/attest/attest.go
@@ -5,6 +5,7 @@ import (
 "fmt"
 "os"
 "os/exec"
+ "strings"
 
 "github.com/wagoodman/go-partybus"
 "github.com/wagoodman/go-progress"
@@ -130,7 +131,21 @@ func execWorker(app *config.Application, si source.Input, writer sbom.Writer) <-
 return
 }
 
- args := []string{"attest", si.UserInput, "--predicate", f.Name()}
+ // Select Cosign predicate type based on defined output type
+ // As orientation, check: https://github.com/sigstore/cosign/blob/main/pkg/cosign/attestation/attestation.go
+ var predicateType string
+ switch strings.ToLower(o) {
+ case "cyclonedx-json":
+ predicateType = "cyclonedx"
+ case "spdx-tag-value":
+ predicateType = "spdx"
+ case "spdx-json":
+ predicateType = "spdxjson"
+ default:
+ predicateType = "custom"
+ }
+
+ args := []string{"attest", si.UserInput, "--predicate", f.Name(), "--type", predicateType}
 if app.Attest.Key != "" {
 args = append(args, "--key", app.Attest.Key)
 }
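Review bot: The `switch strings.ToLower(o)` in execWorker matches only three exact format names, so any other spelling of the same format silently ends up as `--type custom`. `o` is assigned outside the hunk, so I cannot tell whether it is the raw output option or an already-resolved format identifier; if it is the raw value and the SBOM writer accepts shorter aliases, an SPDX or CycloneDX JSON document would be attested under the `custom` predicate type, and a verifier that selects attestations by predicate type would not find it. I would switch on the resolved format identifier rather than the user-supplied string, and move the mapping into a small helper such as `func predicateTypeFor(format string) string` with a table-driven test over every supported output name. A comment on the fallback, for example `// formats without a dedicated cosign predicate type are attested as "custom"`, would make the default an explicit decision. The function body starts and ends outside this hunk.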