docker · craig-osterhout · Jul 3, 2025 · Jul 3, 2025 · Jul 3, 2025
@@ -142,7 +142,7 @@ You can view and verify this attestation using the Docker Scout CLI.
     ```
 
 If the attestation is valid, Docker Scout will confirm the signature and show
-the matching Cosign verify-attestation command.
+the matching `cosign verify` command.
 
 To view other attestations, such as SBOMs or vulnerability reports, see [Verify
 an image](../how-to/verify.md).
@@ -67,27 +67,23 @@ $ docker scout sbom <image-name>:<tag>
 
 ## Verify the SBOM of a Docker Hardened Image
 
-Since Docker Hardened Images come with signed SBOMs, you can use Cosign to
+Since Docker Hardened Images come with signed SBOMs, you can use Docker Scout to
 verify the authenticity and integrity of the SBOM attached to the image. This
 ensures that the SBOM has not been tampered with and that the image's contents
 are trustworthy.
 
-To verify the SBOM of a Docker Hardened Image using Cosign, use the following command:
+To verify the SBOM of a Docker Hardened Image using Docker Scout, use the following command:
 
 ```console
-$ cosign verify-attestation \
-  --key https://registry.scout.docker.com/keyring/dhi/latest.pub \
-  --type sbom \
-  <image-reference>
+$ docker scout attest get <image-name>:<tag> \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform <platform>
 ```
 
-For example, to verify the SBOM attestation for the dhi/node image:
+For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image:
 
 ```console
-$ cosign verify-attestation \
-  --key https://registry.scout.docker.com/keyring/dhi/latest.pub \
-  --type sbom \
-  registry.scout.docker.com/dhi/node@sha256:6de8ac9c07367652496bf926675425a22bf93e487cc2690d6778a82dd0159c4f
+$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform linux/amd64
 ```
 
 ## Resources

@@ -77,25 +77,27 @@ By integrating SLSA-compliant DHIs into your development and deployment processe
 - Streamline audits: Utilize verifiable build records and signatures to simplify
   security audits and assessments.
 
-## How to verify SLSA compliance
+## Get and verify SLSA provenance for Docker Hardened Images
 
-Each DHI is cryptographically signed and complies with the SLSA framework,
-ensuring verifiable build provenance and integrity.
+Each Docker Hardened Image (DHI) is cryptographically signed and includes
+attestations. These attestations provide verifiable build provenance and
+demonstrate adherence to SLSA Build Level 3 standards.
 
-To evaluate whether a DHI complies with SLSA standards, you can use the
-[slsa-verifier tool](https://github.com/slsa-framework/slsa-verifier). This tool
-verifies the SLSA provenance of an image, ensuring that it was built according
-to the specified security levels.
-
-To use the slsa-verifier tool after installation, run the following command.
-Replace `<your-namespace>/dhi-<image>:<tag>` with the image name and tag.
+To get and verify SLSA provenance for a DHI, you can use Docker Scout.
 
 ```console
-$ slsa-verifier verify-image <your-namespace>/dhi-<image>:<tag>
+$ docker scout attest get <your-namespace>/dhi-<image>:<tag> \
+  --predicate-type https://slsa.dev/provenance/v0.2 \
+  --verify
 ```
 
-This command will verify the SLSA provenance of the image, checking that it
-meets the specified security levels.
+For example:
+
+```console
+$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
+  --predicate-type https://slsa.dev/provenance/v0.2 \
+  --verify
+```
 
 ## Resources
 

@@ -57,8 +57,6 @@ offers several key advantages when working with Docker Hardened Images:
 
 In short, Docker Scout streamlines the verification process and reduces the chances of human error, while still giving you full visibility and the option to fall back to cosign when needed.
 
-
-
 ### List available attestations
 
 To list attestations for a mirrored DHI:
@@ -105,9 +103,26 @@ $ docker scout attest get \
   docs/dhi-python:3.13 --platform linux/amd64
 ```
 
-### Validate and show the equivalent cosign command
+### Validate the attestation with Docker Scout
+
+To validate the attestation using Docker Scout, you can use the `--verify` flag:
+
+```console
+$ docker scout attest get <image-name>:<tag> \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify
+```
 
-You can use the `--verify` flag to validate the attestation and print the corresponding [cosign](https://docs.sigstore.dev/) command:
+For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image:
+
+```console
+$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify
+```
+
+### Show the equivalent cosign command
+
+When using the `--verify` flag, it also prints the corresponding
+[cosign](https://docs.sigstore.dev/) command to verify the image signature:
 
 ```console
 $ docker scout attest get \
@@ -137,6 +152,21 @@ Example output:
     ...
 ```
 
+> [!IMPORTANT]
+>
+> When using cosign, you must first authenticate to both the Docker Hub registry
+> and the Docker Scout registry.
+>
+> For example:
+>
+> ```console
+> $ docker login
+> $ docker login registry.scout.docker.com
+> $ cosign verify \
+>     registry.scout.docker.com/docker/dhi-python@sha256:b5418da893ada6272add2268573a3d5f595b5c486fb7ec58370a93217a9785ae \
+>     --key https://registry.scout.docker.com/keyring/dhi/latest.pub --experimental-oci11
+> ```
+
 ## Available DHI attestations
 
 See [available