2nd chunk of `content/manuals/build/metadata/attestations/slsa-provenance.md`
      "configSource": { "entryPoint": "Dockerfile" },
      "parameters": {
        "frontend": "gateway.v0",
        "args": {
          "cmdline": "docker/dockerfile:1",
          "source": "docker/dockerfile:1",
          "target": "binaries"
        },
        "locals": [{ "name": "context" }, { "name": "dockerfile" }]
      },
      "environment": { "platform": "linux/arm64" }
    },
    "metadata": {
      "buildInvocationID": "c4a87v0sxhliuewig10gnsb6v",
      "buildStartedOn": "2022-12-16T08:26:28.651359794Z",
      "buildFinishedOn": "2022-12-16T08:26:29.625483253Z",
      "reproducible": false,
      "completeness": {
        "parameters": true,
        "environment": true,
        "materials": false
      },
      "https://mobyproject.org/buildkit@v1#metadata": {
        "vcs": {
          "revision": "a9ba846486420e07d30db1107411ac3697ecab68",
          "source": "git@github.com:<org>/<repo>.git"
        }
      }
    }
  }
}
```

### Max

The `max` mode includes all of the information included in the `min` mode, as
well as:

- The LLB definition of the build, which records the exact steps taken to
  produce the image.
- Information about the Dockerfile, including a full base64-encoded version of
  the file.
- Source maps describing the relationship between build steps and image layers.

When possible, you should prefer `mode=max` as it contains significantly more
detailed information for analysis.

> [!WARNING]
>
> Note that `mode=max` exposes the values of
> [build arguments](/reference/cli/docker/buildx/build.md#build-arg).
>
> If you're misusing build arguments to pass credentials, authentication
> tokens, or other secrets, you should refactor your build to pass the secrets using
> [secret mounts](/reference/cli/docker/buildx/build.md#secret) instead.
> Secret mounts don't leak outside of the build and are never included in provenance attestations.

## Inspecting Provenance

To explore provenance exported through the `image` exporter, use
[`imagetools inspect`](/reference/cli/docker/buildx/imagetools/inspect.md).

Using the `--format` option, you can specify a template for the output. All
provenance-related data is available under the `.Provenance` attribute. For
example, to print the raw SLSA predicate:

```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
    --format "{{ json .Provenance.SLSA }}"
{
  "buildType": "https://mobyproject.org/buildkit@v1",
  ...
}
```

You can also construct more complex expressions using the full functionality of
Go templates. For example, for provenance generated with `mode=max`, you can
extract the full source code of the Dockerfile used to build the image:

```console
$ docker buildx imagetools inspect <namespace>/<image>:<version> \
    --format '{{ range (index .Provenance.SLSA.metadata "https://mobyproject.org/buildkit@v1#metadata").source.infos }}{{ if eq .filename "Dockerfile" }}{{ .data }}{{ end }}{{ end }}' | base64 -d
FROM ubuntu:24.04
RUN apt-get update
...
```
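The Go template above pulls a single field out of the attestation. The script below is an added example, not code from the Docker docs or from buildx: it reads the predicate that `docker buildx imagetools inspect <image> --format '{{ json .Provenance.SLSA }}'` prints, decodes the Dockerfile the same way the template does, and lists every build argument recorded in `invocation.parameters.args`, which is the exposure the warning in the `max` section describes. The sample statement is constructed for the example, and the `build-arg:<NAME>` key convention it relies on is an assumption that is not shown on this page; confirm it against your own attestations before depending on it.

```python
import base64
import json
import sys

# BuildKit's extension field inside the SLSA v0.2 predicate, as shown on this page.
BUILDKIT_META = "https://mobyproject.org/buildkit@v1#metadata"

# Assumption (not documented on this page): BuildKit records --build-arg values
# in invocation.parameters.args under keys of the form "build-arg:<NAME>".
BUILD_ARG_PREFIX = "build-arg:"

# Constructed sample: a trimmed mode=max statement in the shape this page
# documents. Digests, names and the token are illustrative, not from a real build.
SAMPLE_DOCKERFILE = "FROM ubuntu:24.04\nRUN apt-get update\n"
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "pkg:docker/example/app@1.0", "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "buildType": "https://mobyproject.org/buildkit@v1",
        "invocation": {
            "configSource": {"entryPoint": "Dockerfile"},
            "parameters": {
                "frontend": "gateway.v0",
                "args": {
                    "cmdline": "docker/dockerfile:1",
                    "source": "docker/dockerfile:1",
                    "target": "binaries",
                    "build-arg:NPM_TOKEN": "npm_exampletoken",  # the leak the warning describes
                },
            },
        },
        "metadata": {
            "completeness": {"parameters": True, "environment": True, "materials": False},
            BUILDKIT_META: {
                "source": {
                    "infos": [
                        {
                            "filename": "Dockerfile",
                            "data": base64.b64encode(SAMPLE_DOCKERFILE.encode()).decode(),
                        }
                    ]
                }
            },
        },
    },
}


def predicate_of(doc):
    """Accept a full in-toto statement ({"predicate": ...}), the {"SLSA": ...}
    object behind `.Provenance`, or a bare predicate, and return the predicate."""
    if "predicate" in doc:
        return doc["predicate"]
    if "SLSA" in doc:
        return doc["SLSA"]
    return doc


def extract_dockerfile(doc, filename="Dockerfile"):
    """Return the decoded Dockerfile from mode=max provenance, or None when the
    source info is absent (mode=min, or a different file name). Same walk as
    the Go template on this page, written in Python."""
    infos = (
        predicate_of(doc)
        .get("metadata", {})
        .get(BUILDKIT_META, {})
        .get("source", {})
        .get("infos", [])
    )
    for info in infos:
        if info.get("filename") == filename and "data" in info:
            return base64.b64decode(info["data"]).decode("utf-8", errors="replace")
    return None


def find_build_args(doc):
    """Return {NAME: value} for every build argument recorded in the invocation
    parameters. Anyone who can pull the image can read these, so a credential
    here is already leaked; move it to a secret mount."""
    args = predicate_of(doc).get("invocation", {}).get("parameters", {}).get("args", {})
    return {
        key[len(BUILD_ARG_PREFIX):]: value
        for key, value in args.items()
        if key.startswith(BUILD_ARG_PREFIX)
    }


if __name__ == "__main__":
    # Pipe in the output of the imagetools inspect command above; with no
    # stdin the constructed sample is used so the script runs offline.
    doc = SAMPLE_STATEMENT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, value in sorted(find_build_args(doc).items()):
        print(f"build-arg recorded in provenance: {name}={value!r}")
    dockerfile = extract_dockerfile(doc)
    print(dockerfile if dockerfile is not None else "no Dockerfile source in provenance (mode=min?)")
```

Run it against a real image with `docker buildx imagetools inspect <namespace>/<image>:<version> --format '{{ json .Provenance.SLSA }}' | python3 inspect_provenance.py`; a non-empty build-arg list is the signal to refactor the build to secret mounts before the image is published.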

## Provenance attestation example

<!-- TODO: add a link to the definitions page, imported from moby/buildkit -->

The following example shows what a JSON representation of a provenance
attestation with `mode=max` looks like:

```json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "pkg:docker/<registry>/<image>@<tag/digest>?platform=<platform>",
      "digest": {
        "sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862"
      }
    }
  ],
  "predicate": {
    "builder": { "id": "" },
    "buildType": "https://mobyproject.org/buildkit@v1",
    "materials": [
      {
        "uri": "pkg:docker/docker/dockerfile@1",
        "digest": {
          "sha256": "9ba7531bd80fb0a858632727cf7a112fbfd19b17e94c4e84ced81e24ef1a0dbc"
        }
      },
      {
        "uri": "pkg:docker/golang@1.19.4-alpine?platform=linux%2Farm64",
        "digest": {
