I'm trying to get a Docker image and its corresponding SBOM into my company's private Docker registry.
I'm currently using this call:
docker buildx build --sbom=true -t <myorg>/<myreg>:$BUILD_ID --push .
This successfully builds and pushes an image to the registry, but when I inspect the image via
docker buildx imagetools inspect <myorg>/<myreg>:$BUILD_ID
the only output is
Name: <myorg>/<myreg>:$BUILD_ID
MediaType: application/vnd.docker.distribution.manifest.v2+json
Digest: sha256:32c9038f4f4e9b4b252cd33e82a4d2b1bea0a4122be435f7c045279c57047f51
So it looks like the SBOM is being stripped on push.
What am I missing?
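
Added example, not part of the original post: BuildKit records an SBOM attestation as an extra manifest referenced from an image index and marked with the `vnd.docker.reference.type: attestation-manifest` annotation. The Python check below, run on constructed manifests with placeholder digests, reports whether a root object (the JSON printed by `docker buildx imagetools inspect --raw`) references any attestation and whether an attestation manifest carries an SPDX SBOM; the function names are illustrative.

```python
# Media types under which a registry can return a multi-manifest root object.
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}
SPDX_PREDICATE = "https://spdx.dev/Document"


def attestation_refs(root: dict) -> dict:
    """Map image-manifest digest -> attestation-manifest digest for one root object."""
    if root.get("mediaType") not in INDEX_TYPES:
        # A single image manifest (the media type shown in the question's output)
        # has no manifests[] list, so it cannot reference an attestation.
        return {}
    refs = {}
    for desc in root.get("manifests", []):
        ann = desc.get("annotations") or {}
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            refs[ann.get("vnd.docker.reference.digest")] = desc["digest"]
    return refs


def has_spdx_sbom(attestation_manifest: dict) -> bool:
    """True if any in-toto layer of an attestation manifest is an SPDX SBOM."""
    return any(
        layer.get("mediaType") == "application/vnd.in-toto+json"
        and (layer.get("annotations") or {}).get("in-toto.io/predicate-type") == SPDX_PREDICATE
        for layer in attestation_manifest.get("layers", [])
    )


# Constructed samples (digests are placeholders, not real images).
IMG, ATT = "sha256:" + "a" * 64, "sha256:" + "b" * 64
SINGLE = {"schemaVersion": 2, "layers": [],
          "mediaType": "application/vnd.docker.distribution.manifest.v2+json"}
INDEX = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
         "manifests": [
             {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": IMG,
              "platform": {"architecture": "amd64", "os": "linux"}},
             {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": ATT,
              "platform": {"architecture": "unknown", "os": "unknown"},
              "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                              "vnd.docker.reference.digest": IMG}}]}
ATTESTATION = {"layers": [{"mediaType": "application/vnd.in-toto+json",
                           "annotations": {"in-toto.io/predicate-type": SPDX_PREDICATE}}]}

if __name__ == "__main__":
    print(attestation_refs(SINGLE), attestation_refs(INDEX), has_spdx_sbom(ATTESTATION))
```

An empty result for the root object means the tag resolves to something with no attestation descriptors, which is what a lone `manifest.v2+json` response looks like.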