mirror of https://github.com/docker/docs.git
Merge pull request #20308 from dvdksn/exceptions-additions
scout: exceptions follow-ups
This commit is contained in:
commit
51e2bd4667
|
@ -76,6 +76,9 @@ Here's a description of the options in this example:
|
|||
specify the `--subcomponents` flag multiple times for a single `create`
|
||||
command.
|
||||
|
||||
You can also omit `--subcomponents`, in which case the VEX statement applies
|
||||
to the entire image.
|
||||
|
||||
`--vuln`
|
||||
: ID of the CVE that the VEX statement addresses.
|
||||
|
||||
|
@ -254,6 +257,20 @@ exception later. Image layers are immutable, so anything you put in the image's
|
|||
filesystem is there forever. Attaching the document as an
|
||||
[attestation](#attestation) provides better flexibility.
|
||||
|
||||
> **Note**
|
||||
>
|
||||
> VEX documents embedded in the image filesystem are not considered for images
|
||||
> that have attestations. If your image has **any** attestations, Docker Scout
|
||||
> will only look for exceptions in the attestations, and not in the image
|
||||
> filesystem.
|
||||
>
|
||||
> If you want to use the VEX document embedded in the image filesystem, you
|
||||
> must remove the attestation from the image. Note that provenance attestations
|
||||
> may be added automatically for images. To ensure that no attestations are
|
||||
> added to the image, you can explicitly disable both SBOM and provenance
|
||||
> attestations using the `--provenance=false` and `--sbom=false` flags when
|
||||
> building the image.
|
||||
|
||||
To embed a VEX document on the image filesystem, `COPY` the file into the image
|
||||
as part of the image build. The following example shows how to copy all VEX
|
||||
documents under `.vex/` in the build context, to `/var/lib/db` in the image.
|
||||
|
|
Loading…
Reference in New Issue