diff --git a/content/manuals/dhi/about/test.md b/content/manuals/dhi/about/test.md index e515864b029b..8dc3aa625ef2 100644 --- a/content/manuals/dhi/about/test.md +++ b/content/manuals/dhi/about/test.md @@ -142,7 +142,7 @@ You can view and verify this attestation using the Docker Scout CLI. ``` If the attestation is valid, Docker Scout will confirm the signature and show -the matching Cosign verify-attestation command. +the matching `cosign verify` command. To view other attestations, such as SBOMs or vulnerability reports, see [Verify an image](../how-to/verify.md). diff --git a/content/manuals/dhi/core-concepts/sbom.md b/content/manuals/dhi/core-concepts/sbom.md index 2517c789e7da..18c6dd876570 100644 --- a/content/manuals/dhi/core-concepts/sbom.md +++ b/content/manuals/dhi/core-concepts/sbom.md 
@@ -67,27 +67,23 @@ $ docker scout sbom : ## Verify the SBOM of a Docker Hardened Image -Since Docker Hardened Images come with signed SBOMs, you can use Cosign to +Since Docker Hardened Images come with signed SBOMs, you can use Docker Scout to verify the authenticity and integrity of the SBOM attached to the image. This ensures that the SBOM has not been tampered with and that the image's contents are trustworthy. -To verify the SBOM of a Docker Hardened Image using Cosign, use the following command: +To verify the SBOM of a Docker Hardened Image using Docker Scout, use the following command: ```console -$ cosign verify-attestation \ - --key https://registry.scout.docker.com/keyring/dhi/latest.pub \ - --type sbom \ - +$ docker scout attest get : \ + --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform ``` -For example, to verify the SBOM attestation for the dhi/node image: +For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image: ```console -$ cosign verify-attestation \ - --key https://registry.scout.docker.com/keyring/dhi/latest.pub \ - --type sbom \ - registry.scout.docker.com/dhi/node@sha256:6de8ac9c07367652496bf926675425a22bf93e487cc2690d6778a82dd0159c4f +$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \ + --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform linux/amd64 ``` ## Resources diff --git a/content/manuals/dhi/core-concepts/slsa.md b/content/manuals/dhi/core-concepts/slsa.md index 750d9b05327d..7178a368a043 100644 --- a/content/manuals/dhi/core-concepts/slsa.md +++ b/content/manuals/dhi/core-concepts/slsa.md 
@@ -77,25 +77,27 @@ By integrating SLSA-compliant DHIs into your development and deployment processe - Streamline audits: Utilize verifiable build records and signatures to simplify security audits and assessments. -## How to verify SLSA compliance +## Get and verify SLSA provenance for Docker Hardened Images -Each DHI is cryptographically signed and complies with the SLSA framework, -ensuring verifiable build provenance and integrity. +Each Docker Hardened Image (DHI) is cryptographically signed and includes +attestations. These attestations provide verifiable build provenance and +demonstrate adherence to SLSA Build Level 3 standards. -To evaluate whether a DHI complies with SLSA standards, you can use the -[slsa-verifier tool](https://github.com/slsa-framework/slsa-verifier). This tool -verifies the SLSA provenance of an image, ensuring that it was built according -to the specified security levels. - -To use the slsa-verifier tool after installation, run the following command. -Replace `/dhi-:` with the image name and tag. +To get and verify SLSA provenance for a DHI, you can use Docker Scout. ```console -$ slsa-verifier verify-image /dhi-: +$ docker scout attest get /dhi-: \ + --predicate-type https://slsa.dev/provenance/v0.2 \ + --verify ``` -This command will verify the SLSA provenance of the image, checking that it -meets the specified security levels. +For example: + +```console +$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \ + --predicate-type https://slsa.dev/provenance/v0.2 \ + --verify +``` ## Resources diff --git a/content/manuals/dhi/how-to/verify.md b/content/manuals/dhi/how-to/verify.md index 1087e7d1e8ff..8b305afcaa81 100644 --- a/content/manuals/dhi/how-to/verify.md +++ b/content/manuals/dhi/how-to/verify.md 
@@ -57,8 +57,6 @@ offers several key advantages when working with Docker Hardened Images: In short, Docker Scout streamlines the verification process and reduces the chances of human error, while still giving you full visibility and the option to fall back to cosign when needed. - - ### List available attestations To list attestations for a mirrored DHI: @@ -105,9 +103,26 @@ $ docker scout attest get \ docs/dhi-python:3.13 --platform linux/amd64 ``` -### Validate and show the equivalent cosign command +### Validate the attestation with Docker Scout + +To validate the attestation using Docker Scout, you can use the `--verify` flag: + +```console +$ docker scout attest get : \ + --predicate-type https://scout.docker.com/sbom/v0.1 --verify +``` -You can use the `--verify` flag to validate the attestation and print the corresponding [cosign](https://docs.sigstore.dev/) command: +For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image: + +```console +$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \ + --predicate-type https://scout.docker.com/sbom/v0.1 --verify +``` + +### Show the equivalent cosign command + +When using the `--verify` flag, it also prints the corresponding +[cosign](https://docs.sigstore.dev/) command to verify the image signature: ```console $ docker scout attest get \ @@ -137,6 +152,21 @@ Example output: ... ``` +> [!IMPORTANT] +> +> When using cosign, you must first authenticate to both the Docker Hub registry +> and the Docker Scout registry. +> +> For example: +> +> ```console +> $ docker login +> $ docker login registry.scout.docker.com +> $ cosign verify \ +> registry.scout.docker.com/docker/dhi-python@sha256:b5418da893ada6272add2268573a3d5f595b5c486fb7ec58370a93217a9785ae \ +> --key https://registry.scout.docker.com/keyring/dhi/latest.pub --experimental-oci11 +> ``` + ## Available DHI attestations See [available
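Review bot: in the sbom.md hunk the generic command `$ docker scout attest get : \` and its trailing `--platform` have lost their placeholders, so the reader is shown an empty image reference and an empty platform value; restore visible placeholders (for example `<namespace>/dhi-<image>:<tag>` and `--platform <os>/<arch>`) and add one sentence saying what to substitute. The example in the same hunk is internally inconsistent: the prose says it verifies the `dhi/node:20.19-debian12-fips-20250701182639` image while the command runs against `docs/dhi-node:20.19-debian12-fips-20250701182639`; use one reference (the mirrored `docs/dhi-node` form matches the rest of the docs) so readers do not assume `dhi/node` is a pullable name. Note also that the removed Cosign example pinned the image by `@sha256:` digest while the replacement uses a mutable tag; since the section is about SBOM integrity, consider keeping a digest-pinned example alongside the tag so readers see how to verify an immutable reference.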
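Review bot: the slsa.md hunk removes the instruction `Replace `/dhi-:` with the image name and tag.` but the new generic command `$ docker scout attest get /dhi-: \` still carries that placeholder, which now reads as an empty path, so the reader is no longer told what to substitute; keep a replacement sentence and use a visible placeholder such as `<namespace>/dhi-<image>:<tag>`. The removed paragraph also explained what the check did (`verify the SLSA provenance of the image, checking that it meets the specified security levels`); the new text only states that attestations `demonstrate adherence to SLSA Build Level 3 standards` and never says what `--verify` checks or what a successful or failed verification looks like. Add one sentence saying that `--verify` checks the signature on the provenance attestation (as the test.md hunk on this same page puts it, Docker Scout `will confirm the signature`) and point to expected output or to verify.md; otherwise the heading's `Get and verify` promise is only half documented.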
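Review bot: in the second verify.md hunk, the lead sentence under `### Show the equivalent cosign command` reads `When using the `--verify` flag, it also prints the corresponding` and `it` has no antecedent; rewrite as `When you pass `--verify`, Docker Scout also prints the corresponding ... command`. In the same hunk, the example prose again names `dhi/node:20.19-debian12-fips-20250701182639` while the command verifies `docs/dhi-node:20.19-debian12-fips-20250701182639`; align them. The generic command under `### Validate the attestation with Docker Scout` (`$ docker scout attest get : \`) has an empty image placeholder and, unlike the sbom.md version in this same change, omits `--platform`, even though the surrounding examples in this file pass `--platform linux/amd64`; either include it in the generic form or state when it may be left out.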
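Review bot: the IMPORTANT callout added in the last verify.md hunk runs `cosign verify` against `registry.scout.docker.com/docker/dhi-python@sha256:b5418da893ada6272add2268573a3d5f595b5c486fb7ec58370a93217a9785ae` but nothing says where that digest comes from or why the namespace is `docker/dhi-python` when the rest of the page uses the mirrored `docs/dhi-python:3.13`; state that the reference and digest should be copied from the cosign command that `docker scout attest get ... --verify` prints (as the preceding section describes), so readers do not paste this fixed example against their own image. Two gaps in the same callout are worth closing: `--experimental-oci11` is left unexplained, and a short clause on why it is required would stop readers dropping a flag that looks optional; and the public key is fetched at verification time from `--key https://registry.scout.docker.com/keyring/dhi/latest.pub`, the same registry that serves the image, so the check is only as strong as that HTTPS fetch. Suggest telling readers they can download the key once, check it out of band, and pass the local file to `--key`, and saying what `latest` means for key rotation.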