Merge pull request #20308 from dvdksn/exceptions-additions

scout: exceptions follow-ups
This commit is contained in:
David Karlsson 2024-07-03 05:49:47 +02:00 committed by GitHub
commit 51e2bd4667
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 17 additions and 0 deletions

View File

@ -76,6 +76,9 @@ Here's a description of the options in this example:
specify the `--subcomponents` flag multiple times for a single `create`
command.
You can also omit `--subcomponents`, in which case the VEX statement applies
to the entire image.
`--vuln`
: ID of the CVE that the VEX statement addresses.
@ -254,6 +257,20 @@ exception later. Image layers are immutable, so anything you put in the image's
filesystem is there forever. Attaching the document as an
[attestation](#attestation) provides better flexibility.
> **Note**
>
> VEX documents embedded in the image filesystem are not considered for images
> that have attestations. If your image has **any** attestations, Docker Scout
> will only look for exceptions in the attestations, and not in the image
> filesystem.
>
> If you want to use the VEX document embedded in the image filesystem, you
> must remove the attestation from the image. Note that provenance attestations
> may be added automatically for images. To ensure that no attestations are
> added to the image, you can explicitly disable both SBOM and provenance
> attestations using the `--provenance=false` and `--sbom=false` flags when
> building the image.
To embed a VEX document on the image filesystem, `COPY` the file into the image
as part of the image build. The following example shows how to copy all VEX
documents under `.vex/` in the build context, to `/var/lib/db` in the image.