Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

scout attest ootb policy #18606

Merged
merged 2 commits into from
Nov 10, 2023
Merged

scout attest ootb policy #18606

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
13980d4
build: clarify default image store limitation
dvdksn Nov 8, 2023
241040e
scout: add attestation ootb policy
dvdksn Nov 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions content/build/attestations/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,19 @@ You can opt in to add either the SBOM or provenance attestation type, or both.
$ docker buildx build --sbom=true --provenance=true .
```

> **Note**
>
> The default image store doesn't support attestations. If you're using the
> default image store and you build an image using the default `docker` driver,
> or using a different driver with the `--load` flag, the attestations are
> lost.
>
> To make sure the attestations are preserved, you can:
>
> - Use a `docker-container` driver with the `--push` flag to push the image to
> a registry directly.
> - Enable the [containerd image store](../../desktop/containerd/_index.md).

> **Note**
>
> Provenance attestations are enabled by default, with the `mode=min` option.
Expand Down
21 changes: 21 additions & 0 deletions content/scout/policy/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ Docker Scout ships the following out-of-the-box policies:
- [Packages with AGPLv3, GPLv3 licenses](#packages-with-agplv3-gplv3-licenses)
- [Base images not up-to-date](#base-images-not-up-to-date)
- [High-profile vulnerabilities](#high-profile-vulnerabilities)
- [Supply chain attestations](#supply-chain-attestations)

These policies are turned on by default for Scout-enabled repositories. There's
currently no way to turn off or configure these policies.
Expand Down Expand Up @@ -135,3 +136,23 @@ The list includes the following vulnerabilities:
- [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228)
- [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545)
- [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487)

### Supply chain attestations

The Supply chain attestations policy requires that your artifacts have
[SBOM](../../build/attestations/sbom.md) and
[provenance](../../build/attestations/slsa-provenance.md) attestations.

This policy is unfulfilled if an artifact lacks either an SBOM attestation or a
provenance attestation, or if the provenance attestation lacks information
about the Git repository and base images being used. To ensure compliance,
update your build command to attach these attestations at build-time:

```console
$ docker buildx build --provenance=true --sbom=true -t <IMAGE> --push .
```

BuildKit automatically detects the Git repository and base images when this
information is available in the build context. For more information about
building with attestations, see
[Attestations](../../build/attestations/_index.md).