Attestations
Build attestations give you detailed information about how an image was built and what it contains. These attestations, generated by BuildKit during build-time, attach to the final image as metadata, allowing you to inspect an image to see its origin, creator, and contents. This information helps you make informed decisions about the security and impact of the image on your supply chain.
Docker Scout uses these attestations to evaluate the image's security and supply chain posture, and to provide remediation recommendations for issues. If issues are detected, such as missing or outdated attestations, Docker Scout can guide you on how to add or update them, ensuring compliance and improving visibility into the image's security status.
There are two key types of attestations:
- SBOM, which lists the software artifacts within the image.
- Provenance, which details how the image was built.
You can create attestations by using `docker buildx build` with the `--provenance` and `--sbom` flags. Attestations attach to the image index, allowing you to inspect them without pulling the entire image. Docker Scout leverages this metadata to give you more precise recommendations and better control over your image's security.
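The following is an added example, not code from the Docker documentation or from Docker Scout. After building with `docker buildx build --sbom=true --provenance=true`, the attestations can be read from the image index with `docker buildx imagetools inspect <image> --format '{{ json .SBOM }}'` and `--format '{{ json .Provenance }}'`. The script checks that output for the two issues the text mentions, missing and outdated attestations, per platform. The two JSON documents are constructed samples that mirror the shape of that output (platform key, then `SPDX` or `SLSA`); the field names inside them (`packages`, `metadata.buildStartedOn`) and the 365-day freshness threshold are assumptions for this example.

```python
"""Check SBOM and provenance attestations per platform.

Input is the JSON that `docker buildx imagetools inspect ... --format
'{{ json .SBOM }}'` / `'{{ json .Provenance }}'` prints.  The samples below are
constructed for this example; the inner field names are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `{{ json .SBOM }}`: arm64 was built without --sbom.
SBOM_JSON = r'''
{
  "linux/amd64": {"SPDX": {"spdxVersion": "SPDX-2.3", "packages": [
      {"name": "openssl", "versionInfo": "3.0.13-1"},
      {"name": "zlib", "versionInfo": "1.3-1"}]}},
  "linux/arm64": {}
}
'''

# Constructed sample of `{{ json .Provenance }}`: arm64 provenance is stale.
PROVENANCE_JSON = r'''
{
  "linux/amd64": {"SLSA": {"buildType": "https://mobyproject.org/buildkit@v1",
      "metadata": {"buildStartedOn": "2024-01-10T12:00:00Z"}}},
  "linux/arm64": {"SLSA": {"buildType": "https://mobyproject.org/buildkit@v1",
      "metadata": {"buildStartedOn": "2022-06-01T08:00:00Z"}}}
}
'''

# Fixed "current time" so the example is reproducible offline (assumption).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def check_attestations(sbom_json, provenance_json, now, max_age_days=365):
    """Return {platform: [issue, ...]}; an empty list means the platform is fine.

    Flags a missing SBOM, an SBOM with no packages, a missing provenance record,
    and provenance whose build timestamp is older than max_age_days (an
    outdated attestation that a rebuild would refresh)."""
    sbom = json.loads(sbom_json)
    prov = json.loads(provenance_json)
    report = {}
    for platform in sorted(set(sbom) | set(prov)):
        issues = []
        spdx = sbom.get(platform, {}).get("SPDX")
        if not spdx:
            issues.append("missing SBOM attestation")
        elif not spdx.get("packages"):
            issues.append("SBOM lists no packages")
        slsa = prov.get(platform, {}).get("SLSA")
        if not slsa:
            issues.append("missing provenance attestation")
        else:
            started = slsa.get("metadata", {}).get("buildStartedOn")
            if started is None:
                issues.append("provenance has no build timestamp")
            else:
                built = datetime.fromisoformat(started.replace("Z", "+00:00"))
                if now - built > timedelta(days=max_age_days):
                    issues.append(f"provenance older than {max_age_days} days")
        report[platform] = issues
    return report


def package_count(sbom_json, platform):
    """Number of SPDX packages recorded for one platform (0 if no SBOM)."""
    spdx = json.loads(sbom_json).get(platform, {}).get("SPDX") or {}
    return len(spdx.get("packages", []))


def run_check():
    """Run the check over the constructed samples at the fixed NOW."""
    return check_attestations(SBOM_JSON, PROVENANCE_JSON, NOW)


if __name__ == "__main__":
    for platform, issues in run_check().items():
        print(platform, "OK" if not issues else "; ".join(issues))
```

On the sample data the amd64 platform passes and arm64 is reported with a missing SBOM and stale provenance, which is the kind of gap a rebuild with both flags set would close. With real images, pipe the two `imagetools inspect` outputs into the script in place of the constructed strings.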