diff --git a/content/build/attestations/_index.md b/content/build/attestations/_index.md index b8c4bed0ae..b2ed9e6939 100644 --- a/content/build/attestations/_index.md +++ b/content/build/attestations/_index.md @@ -47,6 +47,19 @@ You can opt in to add either the SBOM or provenance attestation type, or both. $ docker buildx build --sbom=true --provenance=true . ``` +> **Note** +> +> The default image store doesn't support attestations. If you're using the +> default image store and you build an image using the default `docker` driver, +> or using a different driver with the `--load` flag, the attestations are +> lost. +> +> To make sure the attestations are preserved, you can: +> +> - Use a `docker-container` driver with the `--push` flag to push the image to +> a registry directly. +> - Enable the [containerd image store](../../desktop/containerd/_index.md). + > **Note** > > Provenance attestations are enabled by default, with the `mode=min` option. diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 532f387ba0..7669047c5a 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -59,6 +59,7 @@ Docker Scout ships the following out-of-the-box policies: - [Copyleft licenses](#copyleft-licenses) - [Outdated base images](#outdated-base-images) - [High-profile vulnerabilities](#high-profile-vulnerabilities) +- [Supply chain attestations](#supply-chain-attestations) These policies are turned on by default for Scout-enabled repositories. There's currently no way to turn off or configure these policies. 
@@ -135,3 +136,23 @@ The list includes the following vulnerabilities: - [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228) - [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545) - [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487) + +### Supply chain attestations + +The Supply chain attestations policy requires that your artifacts have +[SBOM](../../build/attestations/sbom.md) and +[provenance](../../build/attestations/slsa-provenance.md) attestations. + +This policy is unfulfilled if an artifact lacks either an SBOM attestation or a +provenance attestation, or if the provenance attestation lacks information +about the Git repository and base images being used. To ensure compliance, +update your build command to attach these attestations at build-time: + +```console +$ docker buildx build --provenance=true --sbom=true -t --push . +``` + +BuildKit automatically detects the Git repository and base images when this +information is available in the build context. For more information about +building with attestations, see +[Attestations](../../build/attestations/_index.md).
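Review bot: In the `content/build/attestations/_index.md` hunk, the two bullets under "To make sure the attestations are preserved" are not equivalent in scope and the note should say so: the first (`docker-container` driver with `--push`) is a per-build choice that also requires a registry reference via `-t`, while the second (containerd image store) is a daemon-level setting after which the default `docker` driver and `--load` keep the attestations too. Suggest adding a sentence such as "With the containerd image store enabled, builds with the default driver or `--load` also preserve attestations." so readers do not assume they must push to a registry in every case.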
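Review bot: In the `content/scout/policy/_index.md` hunk that adds the "Supply chain attestations" section, the example command `docker buildx build --provenance=true --sbom=true -t --push .` is broken: `-t` takes a tag argument, so as written `--push` would be consumed as the image name and the build would fail. Suggest `-t <registry>/<image>:<tag> --push .` (with a placeholder, as the other examples on these pages do). The same paragraph says "update your build command to attach these attestations" but, per the note added in the attestations hunk, a build with the default `docker` driver or `--load` on the default image store silently drops the attestations and the policy would still be unfulfilled; a short cross-reference to that note (or to the containerd image store) next to the command would close that gap. Minor: "base images being used" reads better as "base images used", and "build-time" as "build time".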