From 13980d45cb5f5d74eda2a0ddce8e39caa305b5b0 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Wed, 8 Nov 2023 18:38:50 +0100 Subject: [PATCH 1/2] build: clarify default image store limitation Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/build/attestations/_index.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/content/build/attestations/_index.md b/content/build/attestations/_index.md index b8c4bed0ae..b2ed9e6939 100644 --- a/content/build/attestations/_index.md +++ b/content/build/attestations/_index.md @@ -47,6 +47,19 @@ You can opt in to add either the SBOM or provenance attestation type, or both. $ docker buildx build --sbom=true --provenance=true . ``` +> **Note** +> +> The default image store doesn't support attestations. If you're using the +> default image store and you build an image using the default `docker` driver, +> or using a different driver with the `--load` flag, the attestations are +> lost. +> +> To make sure the attestations are preserved, you can: +> +> - Use a `docker-container` driver with the `--push` flag to push the image to +> a registry directly. +> - Enable the [containerd image store](../../desktop/containerd/_index.md). + > **Note** > > Provenance attestations are enabled by default, with the `mode=min` option. From 241040e7c765c608e0bea18ed1033654cbccec9d Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Mon, 6 Nov 2023 15:56:45 +0100 Subject: [PATCH 2/2] scout: add attestation ootb policy Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- content/scout/policy/_index.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 7a4d8e351c..52d1a45cb7 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md 
@@ -59,6 +59,7 @@ Docker Scout ships the following out-of-the-box policies: - [Packages with AGPLv3, GPLv3 licenses](#packages-with-agplv3-gplv3-licenses) - [Base images not up-to-date](#base-images-not-up-to-date) - [High-profile vulnerabilities](#high-profile-vulnerabilities) +- [Supply chain attestations](#supply-chain-attestations) These policies are turned on by default for Scout-enabled repositories. There's currently no way to turn off or configure these policies. @@ -135,3 +136,23 @@ The list includes the following vulnerabilities: - [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228) - [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545) - [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487) + +### Supply chain attestations + +The Supply chain attestations policy requires that your artifacts have +[SBOM](../../build/attestations/sbom.md) and +[provenance](../../build/attestations/slsa-provenance.md) attestations. + +This policy is unfulfilled if an artifact lacks either an SBOM attestation or a +provenance attestation, or if the provenance attestation lacks information +about the Git repository and base images being used. To ensure compliance, +update your build command to attach these attestations at build-time: + +```console +$ docker buildx build --provenance=true --sbom=true -t --push . +``` + +BuildKit automatically detects the Git repository and base images when this +information is available in the build context. For more information about +building with attestations, see +[Attestations](../../build/attestations/_index.md).
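Review bot: in the first patch's hunk (`@@ -47,6 +47,19 @@` in `content/build/attestations/_index.md`) the added admonition sits directly above the existing `> **Note**` about `mode=min`, giving two consecutive Note callouts; consider merging them or giving the new one a distinct title so the image-store limitation is not skimmed past. It would also help to say what the user observes when attestations are dropped with the default `docker` driver or `--load` (whether the build warns or completes without any indication), since a user who later relies on those attestations for a policy check would otherwise only discover the gap downstream.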
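Review bot: in the hunk `@@ -135,3 +136,23 @@` the example command `$ docker buildx build --provenance=true --sbom=true -t --push .` is missing the argument to `-t`, so as written `--push` would be taken as the image name; use a placeholder such as `-t <registry>/<image>:<tag> --push .`. Since the section says the policy is unfulfilled when provenance lacks Git repository and base image information, it should also state whether `--provenance=true` (which the context lines in the first patch describe as enabling `mode=min`) records those fields or whether `--provenance=mode=max` is required. Finally, consider cross-referencing the note added in the first patch that attestations are dropped by the default image store when building with the default driver or `--load`, as that is a likely reason a build using these flags would still fail this policy.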