mirror of https://github.com/docker/docs.git
---
title: Attestations
keywords: build, attestations, sbom, provenance, metadata
description: |
  Introduction to SBOM and provenance attestations with Docker Build,
  what they are, and why they exist
weight: 50
---

{{< youtube-embed qOzcycbTs4o >}}

[Build attestations](/manuals/build/metadata/attestations/_index.md) give you
detailed information about how an image was built and what it contains. These
attestations, generated by BuildKit at build time, attach to the final image as
metadata, allowing you to inspect an image to see its origin, creator, and
contents. This information helps you make informed decisions about the security
and impact of the image on your supply chain.

Docker Scout uses these attestations to evaluate the image's security and
supply chain posture, and to provide remediation recommendations for issues. If
issues are detected, such as missing or outdated attestations, Docker Scout can
guide you on how to add or update them, ensuring compliance and improving
visibility into the image's security status.

There are two key types of attestations:

- SBOM, which lists the software artifacts within the image.
- Provenance, which details how the image was built.

You can create attestations by using `docker buildx build` with the
`--provenance` and `--sbom` flags. Attestations attach to the image index,
allowing you to inspect them without pulling the entire image. Docker Scout
uses this metadata to give you more precise recommendations and better control
over your image's security.
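The build-and-inspect flow above, as an added shell example (not part of this docs page or the Docker project): it builds and pushes an image with both attestation types enabled, then reads the provenance and SBOM back from the registry's image index. The image reference `registry.example.com/app:1.0`, the script name `attest.sh`, and the build context `.` are assumptions.

```shell
#!/bin/sh
# Added example (not from the Docker docs page): build an image with SBOM and
# provenance attestations, push it, then read the attestations back from the
# image index in the registry without pulling the image layers.
# The image reference and the build context directory are assumptions.
set -eu

# Compose the buildx attestation flags. mode=max records the full build
# definition (including build arguments and environment) in the provenance
# record; mode=min omits those details. Anything else is rejected.
attestation_flags() {
  mode="${1:-max}"
  sbom="${2:-true}"
  case "$mode" in
    min|max) ;;
    *) echo "unsupported provenance mode: $mode" >&2; return 1 ;;
  esac
  printf '%s' "--provenance=mode=$mode --sbom=$sbom"
}

# Build and push. Attestations are attached to the image index in the
# registry, so the image must be pushed (not only loaded into the local
# image store) for the inspection step below to find them.
build_with_attestations() {
  ref="$1"
  mode="${2:-max}"
  # The flags are intentionally left unquoted so they word-split into two args.
  # shellcheck disable=SC2046
  docker buildx build $(attestation_flags "$mode" true) --push -t "$ref" .
}

# Read the attestations straight from the registry index. imagetools fetches
# only manifests and the attestation blobs, not the image layers.
inspect_attestations() {
  ref="$1"
  echo "== provenance =="
  docker buildx imagetools inspect "$ref" --format '{{ json .Provenance }}'
  echo "== sbom =="
  docker buildx imagetools inspect "$ref" --format '{{ json .SBOM }}'
}

# Usage: ./attest.sh registry.example.com/app:1.0 [min|max]
if [ "$#" -gt 0 ]; then
  build_with_attestations "$1" "${2:-max}"
  inspect_attestations "$1"
fi
```

The inspection step works against any registry that stores the image index, which is why the attestations can be checked from a CI gate or a workstation without pulling the layers.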