diff --git a/content/manuals/dhi/core-concepts/attestations.md b/content/manuals/dhi/core-concepts/attestations.md index b7bc68203d..b9218efa49 100644 --- a/content/manuals/dhi/core-concepts/attestations.md +++ b/content/manuals/dhi/core-concepts/attestations.md 
@@ -62,27 +62,33 @@ While every DHI variant includes a set of attestations, the attestations may vary based on the image variant. For example, some images may include a STIG scan attestation. The following table is a comprehensive list of all attestations that may be included with a DHI. To see which attestations are -available for a specific image variant, you can [view the image variant -details](../how-to/explore.md#view-image-variant-details) in Docker Hub. +available for a specific image variant, including the specific predicate type URIs, +use Docker Scout: -| Attestation type | Description | Predicate type URI | -|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions. | `https://cyclonedx.org/bom/v1.6` | -| STIG scan | Results of a STIG scan, with output in HTML and XCCDF formats. | `https://docker.com/dhi/stig/v0.1` | -| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning. | `https://in-toto.io/attestation/vulns/v0.1` | -| VEX | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present). | `https://openvex.dev/ns/v0.2.0` | -| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image. | `https://scout.docker.com/health/v0.1` | -| Scout provenance | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details. 
| `https://scout.docker.com/provenance/v0.1` | -| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. | `https://scout.docker.com/sbom/v0.1` | -| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. | `https://scout.docker.com/secrets/v0.1` | -| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. | `https://scout.docker.com/tests/v0.1` | -| Virus scan | Results of antivirus scans performed on the image layers. | `https://scout.docker.com/virus/v0.1` | -| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. | `https://scout.docker.com/vulnerabilities/v0.1` | -| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. | `https://slsa.dev/provenance/v0.2` | -| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. | `https://slsa.dev/verification_summary/v1` | -| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems. | `https://spdx.dev/Document` | -| FIPS compliance | An attestation that verifies the image uses FIPS 140-validated cryptographic modules. | `https://docker.com/dhi/fips/v0.1` | -| DHI Image Sources | Links to a corresponding source image containing all materials used to build the image, including package source code, git repos, and local files, ensuring compliance with open source license requirements. | `https://docker.com/dhi/source/v0.1` | +```console +$ docker scout attest list dhi.io/: +``` + +For more details, see [Verify image attestations](../how-to/verify.md#verify-image-attestations). 
+ +| Attestation type | Description | +|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions. | +| STIG scan | Results of a STIG scan, with output in HTML and XCCDF formats. | +| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning. | +| VEX | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present). | +| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image. | +| Scout provenance | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details. | +| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. | +| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. | +| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. | +| Virus scan | Results of antivirus scans performed on the image layers. | +| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. | +| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. | +| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. 
| +| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems. | +| FIPS compliance | An attestation that verifies the image uses FIPS 140-validated cryptographic modules. | +| DHI Image Sources | Links to a corresponding source image containing all materials used to build the image, including package source code, Git repositories, and local files, ensuring compliance with open source license requirements. | ## Helm chart attestations 
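Review bot: the console example added in this hunk, `$ docker scout attest list dhi.io/:`, has nothing between `dhi.io/` and the colon, so the reader is given no namespace, repository, or tag to substitute; spell out an obviously labelled placeholder (for example `dhi.io/<namespace>/<repository>:<tag>`) so the command can be adapted. Since the same hunk drops the Predicate type URI column from the table and tells readers to get the URIs from Docker Scout instead, a short sentence saying that the `attest list` output is where those URIs now appear would keep that information discoverable. The removed link to view the image variant details in Docker Hub is also gone entirely rather than kept as a second way to see which attestations a variant has; consider keeping it alongside the CLI route.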
@@ -91,25 +97,28 @@ that provide transparency and verification for your Kubernetes deployments. Like DHI container images, these charts are built following SLSA Build Level 3 practices and include extensive security metadata. -DHI Helm charts include the following attestations: +DHI Helm charts include the following attestations. To view the specific predicate +type URIs for these attestations, use Docker Scout: -| Attestation type | Description | Predicate type URI | -|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart. | `https://cyclonedx.org/bom/v1.6` | -| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart. | `https://in-toto.io/attestation/vulns/v0.1` | -| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images. | `https://scout.docker.com/health/v0.1` | -| Scout provenance | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters. | `https://scout.docker.com/provenance/v0.1` | -| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. | `https://scout.docker.com/sbom/v0.1` | -| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. 
| `https://scout.docker.com/secrets/v0.1` | -| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. | `https://scout.docker.com/tests/v0.1` | -| Virus scan | Results of antivirus scans performed on the chart package. | `https://scout.docker.com/virus/v0.1` | -| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. | `https://scout.docker.com/vulnerabilities/v0.1` | -| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. | `https://slsa.dev/provenance/v0.2` | -| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. | `https://spdx.dev/Document` | +```console +$ docker scout attest list dhi.io/: +``` -For instructions on how to view and verify Helm chart attestations, see [Verify -Helm chart -attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout). +For more details, see [Verify Helm chart attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout). + +| Attestation type | Description | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart. | +| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart. 
| +| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images. | +| Scout provenance | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters. | +| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. | +| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. | +| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. | +| Virus scan | Results of antivirus scans performed on the chart package. | +| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. | +| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. | +| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. | ## View and verify attestations
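Review bot: the same empty image reference appears in this hunk's console block, `$ docker scout attest list dhi.io/:`, with no namespace, repository, or tag shown; an explicit placeholder is needed here too, and it should make clear that the reference to supply is the chart's, not a container image's, since this section is about Helm charts. Also, the intro sentence now reads "DHI Helm charts include the following attestations." but the table it introduces is pushed below the console block and the verify link; either move the table directly under that sentence or reword the link paragraph so it leads into the table. Finally, the replaced link text "For instructions on how to view and verify Helm chart attestations" told the reader what the linked section covers, whereas "For more details" does not; keep the more descriptive phrasing.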