From 04d32f1acbd83797131c23e0c9c156200230c371 Mon Sep 17 00:00:00 2001
From: Craig Osterhout
Date: Fri, 13 Feb 2026 11:26:26 -0800
Subject: [PATCH] dhi: update attestations (#24143)

## Description

SLSA v1 attestation is now available. This info is just duplicating what's in the UI. To minimize maintenance, removed the predicate URI column and pointed the user where to find it in the UI, and kept the non-versioned descriptions that don't change as often.

## Related issues or tickets

ENGDOCS-3192

## Reviews

- [ ] Editorial review

---------

Signed-off-by: Craig Osterhout
---
 .../manuals/dhi/core-concepts/attestations.md | 83 ++++++++++---------
 1 file changed, 46 insertions(+), 37 deletions(-)

diff --git a/content/manuals/dhi/core-concepts/attestations.md b/content/manuals/dhi/core-concepts/attestations.md
index b7bc68203d..b9218efa49 100644
--- a/content/manuals/dhi/core-concepts/attestations.md
+++ b/content/manuals/dhi/core-concepts/attestations.md
@@ -62,27 +62,33 @@ While every DHI variant includes a set of attestations, the attestations may vary based on the image variant. For example, some images may include a STIG scan attestation. The following table is a comprehensive list of all attestations that may be included with a DHI. To see which attestations are -available for a specific image variant, you can [view the image variant -details](../how-to/explore.md#view-image-variant-details) in Docker Hub. +available for a specific image variant, including the specific predicate type URIs, +use Docker Scout: -| Attestation type | Description | Predicate type URI | -|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions. | `https://cyclonedx.org/bom/v1.6` | -| STIG scan | Results of a STIG scan, with output in HTML and XCCDF formats. | `https://docker.com/dhi/stig/v0.1` | -| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning. | `https://in-toto.io/attestation/vulns/v0.1` | -| VEX | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present). | `https://openvex.dev/ns/v0.2.0` | -| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image. | `https://scout.docker.com/health/v0.1` | -| Scout provenance | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details. 
| `https://scout.docker.com/provenance/v0.1` | -| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. | `https://scout.docker.com/sbom/v0.1` | -| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. | `https://scout.docker.com/secrets/v0.1` | -| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. | `https://scout.docker.com/tests/v0.1` | -| Virus scan | Results of antivirus scans performed on the image layers. | `https://scout.docker.com/virus/v0.1` | -| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. | `https://scout.docker.com/vulnerabilities/v0.1` | -| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. | `https://slsa.dev/provenance/v0.2` | -| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. | `https://slsa.dev/verification_summary/v1` | -| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems. | `https://spdx.dev/Document` | -| FIPS compliance | An attestation that verifies the image uses FIPS 140-validated cryptographic modules. | `https://docker.com/dhi/fips/v0.1` | -| DHI Image Sources | Links to a corresponding source image containing all materials used to build the image, including package source code, git repos, and local files, ensuring compliance with open source license requirements. | `https://docker.com/dhi/source/v0.1` | +```console +$ docker scout attest list dhi.io/: +``` + +For more details, see [Verify image attestations](../how-to/verify.md#verify-image-attestations). 
+ +| Attestation type | Description | +|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions. | +| STIG scan | Results of a STIG scan, with output in HTML and XCCDF formats. | +| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning. | +| VEX | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present). | +| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image. | +| Scout provenance | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details. | +| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. | +| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. | +| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. | +| Virus scan | Results of antivirus scans performed on the image layers. | +| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. | +| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. | +| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. 
| +| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems. | +| FIPS compliance | An attestation that verifies the image uses FIPS 140-validated cryptographic modules. | +| DHI Image Sources | Links to a corresponding source image containing all materials used to build the image, including package source code, Git repositories, and local files, ensuring compliance with open source license requirements. | ## Helm chart attestations 
@@ -91,25 +97,28 @@ that provide transparency and verification for your Kubernetes deployments. Like DHI container images, these charts are built following SLSA Build Level 3 practices and include extensive security metadata. -DHI Helm charts include the following attestations: +DHI Helm charts include the following attestations. To view the specific predicate +type URIs for these attestations, use Docker Scout: -| Attestation type | Description | Predicate type URI | -|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------| -| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart. | `https://cyclonedx.org/bom/v1.6` | -| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart. | `https://in-toto.io/attestation/vulns/v0.1` | -| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images. | `https://scout.docker.com/health/v0.1` | -| Scout provenance | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters. | `https://scout.docker.com/provenance/v0.1` | -| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. | `https://scout.docker.com/sbom/v0.1` | -| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. 
| `https://scout.docker.com/secrets/v0.1` | -| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. | `https://scout.docker.com/tests/v0.1` | -| Virus scan | Results of antivirus scans performed on the chart package. | `https://scout.docker.com/virus/v0.1` | -| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. | `https://scout.docker.com/vulnerabilities/v0.1` | -| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. | `https://slsa.dev/provenance/v0.2` | -| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. | `https://spdx.dev/Document` | +```console +$ docker scout attest list dhi.io/: +``` -For instructions on how to view and verify Helm chart attestations, see [Verify -Helm chart -attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout). +For more details, see [Verify Helm chart attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout). + +| Attestation type | Description | +|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart. | +| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart. 
| +| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images. | +| Scout provenance | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters. | +| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. | +| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. | +| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. | +| Virus scan | Results of antivirus scans performed on the chart package. | +| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. | +| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. | +| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. | ## View and verify attestations
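Review bot: In the first hunk (`@@ -62,27 +62,33 @@`), the added console example `$ docker scout attest list dhi.io/:` carries an empty image reference: there is no namespace, repository or tag between `dhi.io/` and the colon (if the source used angle-bracket placeholders, they have been lost), so a reader who copies the command as rendered gets an invalid reference. Spell the placeholder form out, for example `dhi.io/<namespace>/<repository>:<tag>`, or show a concrete DHI reference. Separately, the PR description says the reader is "pointed where to find it in the UI", but the hunk removes the Docker Hub "view the image variant details" link and points only at the Scout CLI; either keep the Hub link next to the CLI command or align the description with what the change actually does. Since the predicate type URI column is what a verifier needs to select a specific attestation, the sentence introducing the command should say explicitly that `attest list` prints those URIs, which the current wording ("including the specific predicate type URIs") only implies.

Review bot: In the second hunk (`@@ -91,25 +97,28 @@`), the same empty reference appears in `$ docker scout attest list dhi.io/:`; because this section reuses the image command form for a Helm chart, state what goes into the reference for a chart (registry path and chart version tag) so the reader does not paste an image reference by mistake. The replaced sentence "For instructions on how to view and verify Helm chart attestations, see ..." was more informative than the new "For more details, see ..."; keep the verb phrase so the link text tells the reader it covers viewing and verifying. Minor: the new table's header separator row is one character narrower than the image table's separator in the first hunk; the tables render the same either way, but matching widths keeps the two tables easier to diff in future edits.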