
Commit afc46ae

build: seo updates
1 parent a96c7a7 commit afc46ae

1 file changed

+4
-12
lines changed

content/manuals/build/metadata/attestations/sbom.md

Lines changed: 4 additions & 12 deletions
@@ -2,30 +2,22 @@
22
title: SBOM attestations
33
keywords: build, attestations, sbom, spdx, metadata, packages
44
description: |
5-
SBOM build attestations describe the contents of your image,
6-
and the packages used to build it.
5+
SBOM attestations describe what software artifacts an image contains and the artifacts used to create the image.
76
aliases:
87
- /build/attestations/sbom/
98
---
109

11-
Software Bill of Materials (SBOM) attestations describe what software artifacts
12-
an image contains, and artifacts used to create the image. Metadata included in
13-
an SBOM for describing software artifacts may include:
10+
SBOM attestations help ensure [software supply chain transparency](/guides/docker-scout/s3c.md) by verifying the software artifacts an image contains and the artifacts used to create the image. Metadata included in an [SBOM](/guides/docker-scout/sbom.md) for describing software artifacts may include:
1411

1512
- Name of the artifact
1613
- Version
1714
- License type
1815
- Authors
1916
- Unique package identifier
2017

21-
There are benefits to indexing contents of an image during the build, as opposed
22-
to scanning a final image. When scanning happens as part of the build, you're
23-
able to detect software you use to build the image, that may not show up in the
24-
final image.
18+
Indexing the contents of an image during the build has benefits over scanning a final image. When scanning happens as part of the build, you can detect software you used to build the image, which may not show up in the final image.
2519

26-
The SBOMs generated by BuildKit follow the SPDX standard. SBOMs attach to the
27-
final image as a JSON-encoded SPDX document, using the format defined by the
28-
[in-toto SPDX predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md).
20+
Docker supports SBOM generation and attestation through an SLSA-compliant build process using BuildKit and attestations. The SBOMs generated by [BuildKit](/manuals/build/buildkit/_index.md) follow the SPDX standard and attach to the final image as a JSON-encoded SPDX document, using the format defined by the [in-toto SPDX predicate](https://github.com/in-toto/attestation/blob/main/spec/predicates/spdx.md). On this page, you’ll learn how to create, manage, and verify SBOM attestations using Docker tooling.
2921

3022
## Create SBOM attestations
3123
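
Review bot: On new line 10, "by verifying the software artifacts an image contains" overstates what an SBOM attestation does: the removed text and the updated `description` in this same hunk both say the attestation describes the artifacts, and recording what an image contains is not the same as verifying it. Suggest keeping the original verb, for example "by describing the software artifacts an image contains and the artifacts used to create the image", so readers do not take the presence of an SBOM as a verification result. On new line 20, "through an SLSA-compliant build process" is a compliance claim that nothing in the visible lines substantiates; either link to the material that backs it or drop the phrase. The same line promises "create, manage, and verify" while the only heading visible here is "Create SBOM attestations", so confirm the page actually covers managing and verifying. Style: the replaced paragraphs were wrapped near 80 columns and the new ones are single long lines, which will make later diffs on this file harder to review, and "you’ll" uses a typographic apostrophe where a plain one would be safer.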
