Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attestations docs #3260

Merged
merged 2 commits into from
Dec 5, 2022
Merged

Attestations docs #3260

merged 2 commits into from
Dec 5, 2022

Conversation

jedevc
Copy link
Member

@jedevc jedevc commented Nov 8, 2022
edited
Loading

This PR adds two pieces of documentation:

  • A user-facing guide to how to enable and use attestations (to likely be later migrated to the buildx repository, once we implement an appropriate user-facing syntax). For now this includes SBOM documentation, but we can later expand this to also include SLSA provenance info (Support for provenance attestations #3240).
  • A developer-facing guide for how the SBOM scanning protocol works, which should be useful for anyone building custom integrations down the road.

tonistiigi
tonistiigi reviewed Nov 8, 2022
View reviewed changes
docs/attestations.md Outdated
--opt build-arg:SBOM_SCAN_CONTEXT=true \
--opt attest:sbom=generator=jedevc/buildkit-syft-scanner
```

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could show a snippet of how the SPDX content actually looks like.

How to add custom packages to SBOM using the nested SBOM technique.

How to read the layer info from the SPDX record.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Added an SPDX snippet ✔️
  2. This is scanner-specific behaviour - we should document this in the scanner itself, since a scanner may not include this information. Also, this behaviour isn't fully implemented in syft, and is partially blocked on SBOM cataloger anchore/syft#1029. ✖️
  3. Added info on the layer data ✔️

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CC @wagoodman @kzantow 🎉

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the default scanner support the nested files now that the PR looks to be merged?

I think this should be documented in the regular sbom docs like the Dockerfile ARGs. This is something that we expect the users to know and modify their Dockerfiles to get better sboms. We can mention that this works in default scanner and if user uses custom scanner then it is up to that implementation to decide if it is supported.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, so yes syft has merged it, but it's not made into a release.

I think we should aim to follow syft releases for buildkit-syft-scanner, instead of building off of master?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already vendor a syft release right? https://github.com/docker/buildkit-syft-scanner/blob/6a7324fe9deac77f3a6f22770b7a8a09b4ce1723/go.mod#L8

docs/sbom-protocol.md

> **Note**
>
> Currently, only SBOMs in the [SPDX](https://spdx.dev) JSON format are
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Follow-up: could we use some labels to track what is supported so we have a upgrade path?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume you mean in the image labels? Yup, I'll do a follow-up 😄

AkihiroSuda
AkihiroSuda reviewed Nov 9, 2022
View reviewed changes
AkihiroSuda
AkihiroSuda reviewed Nov 9, 2022
View reviewed changes
@jedevc
Copy link
Member Author

jedevc commented Nov 9, 2022
edited
Loading

Added do-not-merge label - this PR documents functionality that is added in:

Additionally, we need to move jedevc/buildkit-syft-scanner to another location 😄

@jedevc jedevc force-pushed the attestations-docs branch from 7261129 to 7ead879 Compare November 9, 2022 11:42
@jedevc jedevc force-pushed the attestations-docs branch 2 times, most recently from ed2e9c4 to ea4a476 Compare November 23, 2022 18:43
@jedevc
docs: add integration docs for the sbom generator protocol
8fbc904 
Signed-off-by: Justin Chadwell <me@jedevc.com>
@jedevc
docs: add user-facing attestation docs
db5489f 
Signed-off-by: Justin Chadwell <me@jedevc.com>
crazy-max
crazy-max approved these changes Nov 30, 2022
View reviewed changes
Copy link
Member

@crazy-max crazy-max left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jedevc jedevc merged commit 9624ab4 into moby:master Dec 5, 2022
@jedevc jedevc deleted the attestations-docs branch December 5, 2022 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi left review comments

@AkihiroSuda AkihiroSuda AkihiroSuda left review comments

@crazy-max crazy-max crazy-max approved these changes

Assignees
No one assigned
Labels
area/attestations kind/docs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jedevc @tonistiigi @crazy-max @AkihiroSuda