The recent introduction of Docker’s support for build-time attestations and SBOMs has allowed publishers to create images that include a sort of manifest listing all the packages and dependencies that form the image.
This helps you answer important questions like:
“What’s inside this software artifact?”
“Where did it come from?”
Here, we’ll talk about what attestations are and how they work.
Attestations
By definition:
“An official verification of something as true or authentic. The person verifying the authenticity or validity of something or someone is an attester.”
In software, it’s a record that tells us how an image was made. This helps us see where the image came from, who made it, how it was made, and what it has.
Types of attestations available:
- SBOM (Software Bill of Materials): attestation describing the content of
- Provenance: attestation about the history of an image, i.e. how the image was built.
Let’s examine it in practice and see how it works.
First, make sure you have the latest Buildx and BuildKit releases, then create a builder that uses the docker-container driver (BuildKit running in a container) and select it:
docker buildx create --use --name=buildkit-container --driver=docker-container
Building an image with attestations
We’re going to build an image from a Dockerfile, generate the SBOM and publish it alongside the image, all in one step.
FROM httpd:2.4
COPY ./public-html/ /usr/local/apache2/htdocs/
docker buildx b . -t fabiosegredo/attestations:1.0.0 --sbom=true --push
(--sbom=1 is accepted as well.) And we’re done! Simple, right?
The SBOM is generated by the scanner plugin docker/buildkit-syft-scanner:stable-1; you can watch it run in the build logs.
If you want to include the provenance in the image, just add the option --provenance=true (or --provenance=1):
docker buildx b . -t fabiosegredo/attestations:1.0.0 --sbom=true --provenance=true --push
and we have published an image with attestations.
“How can we see the content of the SBOM and Provenance?”
We can analyze the image with buildx and extract the SBOM and provenance.
# extract SBOM
docker buildx imagetools inspect fabiosegredo/attestations:1.0.1 --format "{{json .SBOM.SPDX}}"
# extract Provenance
docker buildx imagetools inspect fabiosegredo/attestations:1.0.1 --format "{{json .Provenance.SLSA}}"
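The two commands above print raw JSON, which is not much use until you pull the interesting fields out of it. The script below is an added example (not code from the original post or from Docker) that parses both documents: it lists name, version and package type from the SPDX SBOM (the same view `docker sbom` gives you later in this post), summarizes the SLSA provenance predicate, and flags any material (base image) that was recorded without a sha256 digest. Both inputs are constructed samples in the shape of the `{{json .SBOM.SPDX}}` and `{{json .Provenance.SLSA}}` output; the package names, versions, digest and the `example/helper` material are illustrative, not real scan results.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the `{{json .SBOM.SPDX}}` output: an SPDX 2.3
# document whose packages carry a purl external reference. Names and versions are
# illustrative, not a real scan of the image built above.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "name": "fabiosegredo/attestations:1.0.1",
  "packages": [
    {"name": "apr", "versionInfo": "1.7.2-3", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:deb/debian/apr@1.7.2-3?arch=amd64"}]},
    {"name": "libssl3", "versionInfo": "3.0.11-1", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:deb/debian/libssl3@3.0.11-1?arch=amd64"}]},
    {"name": "jquery", "versionInfo": "3.5.1", "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:npm/jquery@3.5.1"}]}
  ]
}
"""

# Constructed sample in the shape of the `{{json .Provenance.SLSA}}` output: a SLSA
# v0.2 predicate as BuildKit emits it. The digest is a placeholder, and the second
# material deliberately lacks one so the check below has something to report.
SAMPLE_PROVENANCE_JSON = """
{
  "buildType": "https://mobyproject.org/buildkit@v1",
  "builder": {"id": ""},
  "invocation": {"configSource": {"entryPoint": "Dockerfile"}},
  "materials": [
    {"uri": "pkg:docker/httpd@2.4?platform=linux%2Famd64",
     "digest": {"sha256": "<placeholder-digest>"}},
    {"uri": "pkg:docker/example/helper@latest?platform=linux%2Famd64",
     "digest": {}}
  ],
  "metadata": {
    "completeness": {"parameters": true, "environment": true, "materials": false},
    "reproducible": false,
    "https://mobyproject.org/buildkit@v1#hermetic": false
  }
}
"""

PURL_TYPE_RE = re.compile(r"^pkg:([^/]+)/")


def package_type(pkg: dict) -> str:
    """Derive the package ecosystem (deb, npm, ...) from the purl type component."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            match = PURL_TYPE_RE.match(ref.get("referenceLocator", ""))
            if match:
                return match.group(1)
    return "unknown"


def list_packages(spdx_json: str) -> List[Tuple[str, str, str]]:
    """(name, version, type) for every package in the SBOM, sorted by name."""
    doc = json.loads(spdx_json)
    return sorted(
        (p.get("name", ""), p.get("versionInfo", ""), package_type(p))
        for p in doc.get("packages", [])
    )


def summarize_provenance(prov_json: str) -> Dict[str, object]:
    """The fields a reviewer looks at first: what built the image, from which
    Dockerfile, from which inputs, and how complete BuildKit says the record is."""
    prov = json.loads(prov_json)
    meta = prov.get("metadata", {})
    return {
        "build_type": prov.get("buildType", ""),
        "builder_id": prov.get("builder", {}).get("id", ""),
        "entry_point": prov.get("invocation", {}).get("configSource", {}).get("entryPoint", ""),
        "materials": [m.get("uri", "") for m in prov.get("materials", [])],
        "materials_complete": bool(meta.get("completeness", {}).get("materials", False)),
        "hermetic": bool(meta.get("https://mobyproject.org/buildkit@v1#hermetic", False)),
    }


def unpinned_materials(prov_json: str) -> List[str]:
    """Materials with no sha256 digest: a base image recorded only by tag cannot be
    re-resolved later to the exact bits that went into the build."""
    prov = json.loads(prov_json)
    return [
        m.get("uri", "")
        for m in prov.get("materials", [])
        if not m.get("digest", {}).get("sha256")
    ]


if __name__ == "__main__":
    for name, version, ptype in list_packages(SAMPLE_SPDX_JSON):
        print(f"{ptype:8} {name:20} {version}")
    for key, value in summarize_provenance(SAMPLE_PROVENANCE_JSON).items():
        print(f"{key}: {value}")
    print("unpinned materials:", unpinned_materials(SAMPLE_PROVENANCE_JSON))
```

To run it against a real image, redirect the output of the two imagetools commands to files and pass the file contents to list_packages and summarize_provenance instead of the embedded samples. The materials_complete and hermetic flags are worth reading before trusting the materials list: when BuildKit reports materials as incomplete, the list of inputs is a lower bound, not an inventory.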
Finally, we have enough data about the contents and build of our images to make informed decisions about their security.
EXTRA
Verify attestations
Let’s say you don’t want to build and push an image, but only want to inspect its content and attestation files.
docker buildx build \
--sbom=true \
--output type=local,dest=out .
This writes the content that would become the image to the out folder, alongside the attestation files.
The SBOM file appears in the root of the dest folder as sbom.spdx.json, and the provenance as provenance.json.
List the SBOM (Software Bill of Materials) of an image
docker sbom <namespace>/<image>:<version> -o output.txt
It will list the package names, versions and types.
Multi-stage builds
Keep in mind that by default BuildKit only scans the final stage of an image, which means the SBOM won’t include dependencies installed in earlier stages.
FROM alpine AS build
# build the software ...
FROM RuntimeImage
COPY --from=build /path/to/bin /bin
ENTRYPOINT [ "/bin" ]
To scan more than just the final stage, set the build argument BUILDKIT_SBOM_SCAN_STAGE=true in the stage you want scanned in your Dockerfile:
FROM alpine AS build
ARG BUILDKIT_SBOM_SCAN_STAGE=true
# build the software ...
FROM RuntimeImage
COPY --from=build /path/to/bin /bin
ENTRYPOINT [ "/bin" ]
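Forgetting that ARG is an easy way to ship an SBOM that silently omits a build stage. As an added example (not code from the original post or from BuildKit), the script below reads a Dockerfile and reports which stages will end up in the SBOM under the rule just described: the final stage always, plus any earlier stage that declares ARG BUILDKIT_SBOM_SCAN_STAGE=true. The two Dockerfiles are constructed copies of the snippets above; only the per-stage ARG form shown in this post is modelled, and unnamed stages are reported by their index.

```python
import re
from typing import List, Tuple

# Constructed Dockerfiles mirroring the two multi-stage snippets above:
# one with the opt-in ARG in the build stage, one without.
DOCKERFILE_OPT_IN = """\
FROM alpine AS build
ARG BUILDKIT_SBOM_SCAN_STAGE=true
# build the software ...
FROM RuntimeImage
COPY --from=build /path/to/bin /bin
ENTRYPOINT [ "/bin" ]
"""

DOCKERFILE_DEFAULT = """\
FROM alpine AS build
# build the software ...
FROM RuntimeImage
COPY --from=build /path/to/bin /bin
ENTRYPOINT [ "/bin" ]
"""

# FROM [--platform=...] <image> [AS <name>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
# ARG BUILDKIT_SBOM_SCAN_STAGE=<value>, inside a stage
SCAN_ARG_RE = re.compile(r"^\s*ARG\s+BUILDKIT_SBOM_SCAN_STAGE=(\S+)", re.IGNORECASE)


def stages(dockerfile: str) -> List[Tuple[str, bool]]:
    """(stage name, opted in) for every stage, in order. Unnamed stages get their
    index as name. Only the per-stage ARG form is modelled, not a --build-arg."""
    found: List[List[object]] = []
    for line in dockerfile.splitlines():
        if (m := FROM_RE.match(line)):
            found.append([m.group(2) or str(len(found)), False])
        elif (m := SCAN_ARG_RE.match(line)) and found:
            found[-1][1] = m.group(1).strip('"').lower() == "true"
    return [(str(name), bool(flag)) for name, flag in found]


def scanned_stages(dockerfile: str) -> List[str]:
    """Stages whose packages land in the SBOM: every opted-in earlier stage plus
    the final stage, which BuildKit scans regardless of the ARG."""
    all_stages = stages(dockerfile)
    if not all_stages:
        return []
    names = [name for name, opted in all_stages[:-1] if opted]
    names.append(all_stages[-1][0])
    return names


if __name__ == "__main__":
    print("with ARG:   ", scanned_stages(DOCKERFILE_OPT_IN))
    print("without ARG:", scanned_stages(DOCKERFILE_DEFAULT))
```

Run it over the real Dockerfile in a pre-commit hook or CI step and fail the build when a stage you expect in the SBOM is missing from the list; that turns the "final stage only" default from a surprise into a checked decision.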
In the next article, we will talk about the new Docker Scout command and how it connects with SBOMs, now that we have a basic idea of what they are.