Merge pull request #18606 from dvdksn/scout-attest-ootb-policy

scout attest ootb policy
docker · Nov 10, 2023 · dadaefc · dadaefc
2 parents ac3e0af + 241040e
commit dadaefc
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/content/build/attestations/_index.md b/content/build/attestations/_index.md
@@ -47,6 +47,19 @@ You can opt in to add either the SBOM or provenance attestation type, or both.
 $ docker buildx build --sbom=true --provenance=true .
 ```
 
+> **Note**
+>
+> The default image store doesn't support attestations. If you're using the
+> default image store and you build an image using the default `docker` driver,
+> or using a different driver with the `--load` flag, the attestations are
+> lost.
+>
+> To make sure the attestations are preserved, you can:
+>
+> - Use a `docker-container` driver with the `--push` flag to push the image to
+>   a registry directly.
+> - Enable the [containerd image store](../../desktop/containerd/_index.md).
+
 > **Note**
 >
 > Provenance attestations are enabled by default, with the `mode=min` option.

diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md
@@ -59,6 +59,7 @@ Docker Scout ships the following out-of-the-box policies:
 - [Copyleft licenses](#copyleft-licenses)
 - [Outdated base images](#outdated-base-images)
 - [High-profile vulnerabilities](#high-profile-vulnerabilities)
+- [Supply chain attestations](#supply-chain-attestations)
 
 These policies are turned on by default for Scout-enabled repositories. There's
 currently no way to turn off or configure these policies.
@@ -135,3 +136,23 @@ The list includes the following vulnerabilities:
 - [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228)
 - [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545)
 - [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487)
+
+### Supply chain attestations
+
+The Supply chain attestations policy requires that your artifacts have
+[SBOM](../../build/attestations/sbom.md) and
+[provenance](../../build/attestations/slsa-provenance.md) attestations.
+
+This policy is unfulfilled if an artifact lacks either an SBOM attestation or a
+provenance attestation, or if the provenance attestation lacks information
+about the Git repository and base images being used. To ensure compliance,
+update your build command to attach these attestations at build-time:
+
+```console
+$ docker buildx build --provenance=true --sbom=true -t <IMAGE> --push .
+```
+
+BuildKit automatically detects the Git repository and base images when this
+information is available in the build context. For more information about
+building with attestations, see
+[Attestations](../../build/attestations/_index.md).