Merged
89 changes: 49 additions & 40 deletions content/manuals/dhi/core-concepts/attestations.md
@@ -62,27 +62,33 @@ While every DHI variant includes a set of attestations, the attestations may
vary based on the image variant. For example, some images may include a STIG
scan attestation. The following table is a comprehensive list of all
attestations that may be included with a DHI. To see which attestations are
available for a specific image variant, you can [view the image variant
details](../how-to/explore.md#view-image-variant-details) in Docker Hub.

| Attestation type | Description | Predicate type URI |
|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions. | `https://cyclonedx.org/bom/v1.6` |
| STIG scan | Results of a STIG scan, with output in HTML and XCCDF formats. | `https://docker.com/dhi/stig/v0.1` |
| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning. | `https://in-toto.io/attestation/vulns/v0.1` |
| VEX | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present). | `https://openvex.dev/ns/v0.2.0` |
| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image. | `https://scout.docker.com/health/v0.1` |
| Scout provenance | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details. | `https://scout.docker.com/provenance/v0.1` |
| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. | `https://scout.docker.com/sbom/v0.1` |
| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. | `https://scout.docker.com/secrets/v0.1` |
| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. | `https://scout.docker.com/tests/v0.1` |
| Virus scan | Results of antivirus scans performed on the image layers. | `https://scout.docker.com/virus/v0.1` |
| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. | `https://scout.docker.com/vulnerabilities/v0.1` |
| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. | `https://slsa.dev/provenance/v0.2` |
| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. | `https://slsa.dev/verification_summary/v1` |
| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems. | `https://spdx.dev/Document` |
| FIPS compliance | An attestation that verifies the image uses FIPS 140-validated cryptographic modules. | `https://docker.com/dhi/fips/v0.1` |
| DHI Image Sources | Links to a corresponding source image containing all materials used to build the image, including package source code, git repos, and local files, ensuring compliance with open source license requirements. | `https://docker.com/dhi/source/v0.1` |
available for a specific image variant, including the specific predicate type URIs,
use Docker Scout:

```console
$ docker scout attest list dhi.io/<image>:<tag>
```

For more details, see [Verify image attestations](../how-to/verify.md#verify-image-attestations).

| Attestation type | Description |
|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions. |
| STIG scan | Results of a STIG scan, with output in HTML and XCCDF formats. |
| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning. |
| VEX | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present). |
| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image. |
| Scout provenance | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details. |
| Scout SBOM | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata. |
| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys. |
| Tests | A record of automated tests run against the image, such as functional checks or validation scripts. |
| Virus scan | Results of antivirus scans performed on the image layers. |
| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data. |
| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source. |
| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements. |
| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems. |
| FIPS compliance | An attestation that verifies the image uses FIPS 140-validated cryptographic modules. |
| DHI Image Sources | Links to a corresponding source image containing all materials used to build the image, including package source code, Git repositories, and local files, ensuring compliance with open source license requirements. |

## Helm chart attestations
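Review bot: dropping the Predicate type URI column leaves the two CVE rows, `CVEs (In-Toto format)` and `CVEs (Scout format)`, and likewise the three SBOM rows, with nothing on the page that distinguishes them in a form a reader could pass to the CLI; the removed column was the only place the table tied a row to a concrete predicate type. Either keep the column, or add a short note under the table saying that the attestation type names correspond to the predicate type URIs printed by `docker scout attest list`. Separately, the unchanged context sentence at the top of the hunk, "The following table is a comprehensive list of all attestations that may be included with a DHI", is now separated from the table by the console block and the "For more details" paragraph; move those two paragraphs below the table, or reword to "The table below".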

@@ -91,25 +97,28 @@ that provide transparency and verification for your Kubernetes deployments. Like
DHI container images, these charts are built following SLSA Build Level 3
practices and include extensive security metadata.

DHI Helm charts include the following attestations:

| Attestation type | Description | Predicate type URI |
|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart. | `https://cyclonedx.org/bom/v1.6` |
| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart. | `https://in-toto.io/attestation/vulns/v0.1` |
| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images. | `https://scout.docker.com/health/v0.1` |
| Scout provenance | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters. | `https://scout.docker.com/provenance/v0.1` |
| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. | `https://scout.docker.com/sbom/v0.1` |
| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. | `https://scout.docker.com/secrets/v0.1` |
| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. | `https://scout.docker.com/tests/v0.1` |
| Virus scan | Results of antivirus scans performed on the chart package. | `https://scout.docker.com/virus/v0.1` |
| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. | `https://scout.docker.com/vulnerabilities/v0.1` |
| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. | `https://slsa.dev/provenance/v0.2` |
| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. | `https://spdx.dev/Document` |

For instructions on how to view and verify Helm chart attestations, see [Verify
Helm chart
attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout).
DHI Helm charts include the following attestations. To view the specific predicate
type URIs for these attestations, use Docker Scout:

```console
$ docker scout attest list dhi.io/<chart>:<version>
```

For more details, see [Verify Helm chart attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout).

| Attestation type | Description |
|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| CycloneDX SBOM | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart. |
| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart. |
| Scout health score | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images. |
| Scout provenance | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters. |
| Scout SBOM | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata. |
| Secrets scan | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package. |
| Tests | A record of automated tests run against the chart to validate functionality and compatibility with referenced images. |
| Virus scan | Results of antivirus scans performed on the chart package. |
| CVEs (Scout format) | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images. |
| SLSA provenance | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. |
| SPDX SBOM | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references. |

## View and verify attestations
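Review bot: the intro sentence "DHI Helm charts include the following attestations." is now followed by the console block and the link paragraph rather than by the table, so "following" points at the wrong thing; move the `docker scout attest list` block and the "For more details" link after the table, as the pre-change text did, or reword the sentence. Also, the placeholder `dhi.io/<chart>:<version>` differs in shape from the image example `dhi.io/<image>:<tag>` earlier in the file; confirm it matches the chart reference form used in the linked verify.md section so a reader can copy it as written.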
