docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18606 from dvdksn/scout-attest-ootb-policy 

scout attest ootb policy
This commit is contained in:
David Karlsson 2023-11-10 16:08:40 +01:00 committed by GitHub
parent ac3e0af07d 241040e7c7
commit dadaefce3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
content/build/attestations/_index.md
View File

@ -47,6 +47,19 @@ You can opt in to add either the SBOM or provenance attestation type, or both.
$ docker buildx build --sbom=true --provenance=true .
```
> **Note**
>
> The default image store doesn't support attestations. If you're using the
> default image store and you build an image using the default `docker` driver,
> or using a different driver with the `--load` flag, the attestations are
> lost.
>
> To make sure the attestations are preserved, you can:
>
> - Use a `docker-container` driver with the `--push` flag to push the image to
> a registry directly.
> - Enable the [containerd image store](../../desktop/containerd/_index.md).
> **Note**
>
> Provenance attestations are enabled by default, with the `mode=min` option.

21
content/scout/policy/_index.md
View File

@ -59,6 +59,7 @@ Docker Scout ships the following out-of-the-box policies:
- [Copyleft licenses](#copyleft-licenses)
- [Outdated base images](#outdated-base-images)
- [High-profile vulnerabilities](#high-profile-vulnerabilities)
- [Supply chain attestations](#supply-chain-attestations)
These policies are turned on by default for Scout-enabled repositories. There's
currently no way to turn off or configure these policies.
@ -135,3 +136,23 @@ The list includes the following vulnerabilities:
- [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228)
- [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545)
- [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487)
### Supply chain attestations
The Supply chain attestations policy requires that your artifacts have
[SBOM](../../build/attestations/sbom.md) and
[provenance](../../build/attestations/slsa-provenance.md) attestations.
This policy is unfulfilled if an artifact lacks either an SBOM attestation or a
provenance attestation, or if the provenance attestation lacks information
about the Git repository and base images being used. To ensure compliance,
update your build command to attach these attestations at build-time:
```console
$ docker buildx build --provenance=true --sbom=true -t <IMAGE> --push .
```
BuildKit automatically detects the Git repository and base images when this
information is available in the build context. For more information about
building with attestations, see
[Attestations](../../build/attestations/_index.md).