Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build: add imagetools examples for inspecting attestations #16490

Merged
merged 2 commits into from
Jan 13, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions build/attestations/sbom.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,42 @@ sbom-hugo.spdx.json
sbom.spdx.json
```

## Inspecting SBOMs

To explore created SBOMs exported through the `image` exporter, you can use
[`imagetools inspect`](../../engine/reference/commandline/buildx_imagetools_inspect.md).

Using the `--format` option, you can specify a template for the output. All
SBOM-related data is available under the `.SBOM` attribute. For example, to get
the raw contents of an SBOM in SPDX format:

{% raw %}
```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
--format "{{ json .SBOM.SPDX }}"
{
"SPDXID": "SPDXRef-DOCUMENT",
...
}
```
{% endraw %}

You can also construct more complex expressions using the full functionality
of Go templates. For example, you can list all the installed packages and their
version identifiers:

{% raw %}
```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
--format "{{ range .SBOM.SPDX.packages }}{{ .name }}@{{ .versionInfo }}{{ println }}{{ end }}"
[email protected]
[email protected]
[email protected]
[email protected]
...
```
{% endraw %}

## SBOM attestation example

The following JSON example shows what an SBOM attestation might look like.
Expand Down
36 changes: 35 additions & 1 deletion build/attestations/slsa-provenance.md
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,41 @@ using build arguments, consider refactoring builds to pass secret values using
[build secrets](../../engine/reference/commandline/buildx_build.md#secret), to
prevent leaking of sensitive information.

## Example
## Inspecting Provenance

To explore created Provenance exported through the `image` exporter, you can
use [`imagetools inspect`](../../engine/reference/commandline/buildx_imagetools_inspect.md).

Using the `--format` option, you can specify a template for the output. All
provenance-related data is available under the `.Provenance` attribute. For
example, to get the raw contents of the Provenance in the SLSA format:

{% raw %}
```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
--format "{{ json .Provenance.SLSA }}"
{
"buildType": "https://mobyproject.org/buildkit@v1",
...
}
```
{% endraw %}

You can also construct more complex expressions using the full functionality of
Go templates. For example, for provenance generated with `mode=max`, you can
extract the full source code of the Dockerfile used to build the image:

{% raw %}
```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
--format '{{ range (index .Provenance.SLSA.metadata "https://mobyproject.org/buildkit@v1#metadata").source.infos }}{{ if eq .filename "Dockerfile" }}{{ .data }}{{ end }}{{ end }}' | base64 -d
FROM ubuntu:20.04
RUN apt-get update
...
```
{% endraw %}

## Provenance attestation example

<!-- TODO: add a link to the definitions page, imported from moby/buildkit -->

Expand Down