Merge pull request #20308 from dvdksn/exceptions-additions

scout: exceptions follow-ups
2024-07-03 05:49:47 +02:00 · 2024-07-03 05:49:47 +02:00 · 51e2bd4667
parent e8a420f302 416f5aa375
commit 51e2bd4667
1 changed files with 17 additions and 0 deletions
--- a/content/scout/explore/exceptions.md
+++ b/content/scout/explore/exceptions.md
@ -76,6 +76,9 @@ Here's a description of the options in this example:
  specify the `--subcomponents` flag multiple times for a single `create`
  command.

+  You can also omit `--subcomponents`, in which case the VEX statement applies
+  to the entire image.
+
 `--vuln`
 : ID of the CVE that the VEX statement addresses.

@ -254,6 +257,20 @@ exception later. Image layers are immutable, so anything you put in the image's
 filesystem is there forever. Attaching the document as an
 [attestation](#attestation) provides better flexibility.

+> **Note**
+>
+> VEX documents embedded in the image filesystem are not considered for images
+> that have attestations. If your image has **any** attestations, Docker Scout
+> will only look for exceptions in the attestations, and not in the image
+> filesystem.
+>
+> If you want to use the VEX document embedded in the image filesystem, you
+> must remove the attestation from the image. Note that provenance attestations
+> may be added automatically for images. To ensure that no attestations are
+> added to the image, you can explicitly disable both SBOM and provenance
+> attestations using the `--provenance=false` and `--sbom=false` flags when
+> building the image.
+
 To embed a VEX document on the image filesystem, `COPY` the file into the image
 as part of the image build. The following example shows how to copy all VEX
 documents under `.vex/` in the build context, to `/var/lib/db` in the image.