---
title: Provenance attestations
keywords: build, attestations, provenance, slsa, git, metadata
description: >
  Provenance build attestations describe how and where your image was built.
aliases:
  - /build/attestations/slsa-provenance/
---

Provenance attestations record facts about the build process, such as:

- Build timestamps
- Build parameters and environment
- Version control metadata
- Source code details
- Materials (files, scripts) consumed during the build

Provenance attestations follow the
[SLSA provenance schema, version 0.2](https://slsa.dev/provenance/v0.2#schema).

For more information about how BuildKit populates these provenance properties, refer to
[SLSA definitions](slsa-definitions.md).

## Create provenance attestations

To create a provenance attestation, pass the `--attest type=provenance` option
to the `docker buildx build` command:

```console
$ docker buildx build --tag <namespace>/<image>:<version> \
    --attest type=provenance,mode=[min,max] .
```

Alternatively, you can use the shorthand `--provenance=true` option instead of `--attest type=provenance`.
To specify the `mode` parameter using the shorthand option, use: `--provenance=mode=max`.

For an example on how to add provenance attestations with GitHub Actions, see
[Add attestations with GitHub Actions](/manuals/build/ci/github-actions/attestations.md).

## Mode

You can use the `mode` parameter to define the level of detail to be included in
the provenance attestation. Supported values are `mode=min` (default) and
`mode=max`.

### Min

In `min` mode, the provenance attestations include a minimal set of information,
such as:

- Build timestamps
- The frontend used
- Build materials
- Source repository and revision
- Build platform
- Reproducibility

The values of build arguments, the identities of secrets, and rich layer
metadata are not included in `mode=min`. The `min`-level provenance is safe to
use for all builds, because it doesn't leak information from any part of the
build environment.

The following JSON example shows the information included in a provenance
attestation created using the `min` mode:

```json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "pkg:docker/<registry>/<image>@<tag/digest>?platform=<platform>",
      "digest": {
        "sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862"
      }
    }
  ],
  "predicate": {
    "builder": { "id": "" },
    "buildType": "https://mobyproject.org/buildkit@v1",
    "materials": [
      {
        "uri": "pkg:docker/docker/dockerfile@1",
        "digest": {
          "sha256": "9ba7531bd80fb0a858632727cf7a112fbfd19b17e94c4e84ced81e24ef1a0dbc"
        }
      },
      {
        "uri": "pkg:docker/golang@1.19.4-alpine?platform=linux%2Farm64",
        "digest": {
          "sha256": "a9b24b67dc83b3383d22a14941c2b2b2ca6a103d805cac6820fd1355943beaf1"
        }
      }
    ],
    "invocation": {
      "configSource": { "entryPoint": "Dockerfile" },
      "parameters": {
        "frontend": "gateway.v0",
        "args": {
          "cmdline": "docker/dockerfile:1",
          "source": "docker/dockerfile:1",
          "target": "binaries"
        },
        "locals": [{ "name": "context" }, { "name": "dockerfile" }]
      },
      "environment": { "platform": "linux/arm64" }
    },
    "metadata": {
      "buildInvocationID": "c4a87v0sxhliuewig10gnsb6v",
      "buildStartedOn": "2022-12-16T08:26:28.651359794Z",
      "buildFinishedOn": "2022-12-16T08:26:29.625483253Z",
      "reproducible": false,
      "completeness": {
        "parameters": true,
        "environment": true,
        "materials": false
      },
      "https://mobyproject.org/buildkit@v1#metadata": {
        "vcs": {
          "revision": "a9ba846486420e07d30db1107411ac3697ecab68",
          "source": "git@github.com:<org>/<repo>.git"
        }
      }
    }
  }
}
```
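Creating the attestation is only half of the story; the consumer has to pull the statement back out and decide whether it meets policy before trusting the image. The following script is an added example, not code from the Docker docs or from BuildKit, that audits a single in-toto statement like the one above. It checks the statement and predicate types, that every subject and material is pinned by a sha256 digest, that `builder.id` is set, that `completeness.materials` is true and a full git revision is recorded, and it lists any `build-arg:`-prefixed keys under `invocation.parameters.args`, which is where BuildKit records build-argument values in `max` mode and therefore the check to run before publishing a `max` attestation. The two sample statements are constructed inline: the first is the min-mode JSON above trimmed to the fields the audit reads, the second is a hypothetical max-mode variant with two build args added. Against a real image, feed it the `SLSA` statement from `docker buildx imagetools inspect <image> --format '{{json .Provenance}}'`.

```python
"""Audit a BuildKit SLSA v0.2 provenance statement before trusting an image.

Added example for the Docker provenance docs; not part of Docker or BuildKit.
"""
import copy
import re
from typing import Any, Dict, List

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"
BUILDKIT_META = "https://mobyproject.org/buildkit@v1#metadata"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _digest_ok(obj: Dict[str, Any]) -> bool:
    """True when the subject or material carries a well-formed sha256 digest."""
    return bool(SHA256_RE.match(obj.get("digest", {}).get("sha256", "")))


def audit_provenance(stmt: Dict[str, Any]) -> List[str]:
    """Return a list of policy findings; an empty list means the statement passed."""
    findings: List[str] = []
    if stmt.get("_type") != STATEMENT_TYPE:
        findings.append("unexpected statement type")
    if stmt.get("predicateType") != PREDICATE_TYPE:
        findings.append("unexpected predicate type")
    subjects = stmt.get("subject") or []
    if not subjects or not all(_digest_ok(s) for s in subjects):
        findings.append("subject missing sha256 digest")
    pred = stmt.get("predicate", {})
    if not pred.get("builder", {}).get("id"):
        findings.append("builder.id is empty: build not attributed to a known builder")
    # Every material should be pinned by digest, otherwise the build is not reproducible
    # from the attestation alone and a tag could have been re-pointed since.
    for mat in pred.get("materials", []):
        if not _digest_ok(mat):
            findings.append(f"material not pinned by digest: {mat.get('uri', '?')}")
    meta = pred.get("metadata", {})
    if not meta.get("completeness", {}).get("materials", False):
        findings.append("completeness.materials is false: material list may be incomplete")
    vcs = meta.get(BUILDKIT_META, {}).get("vcs", {})
    if not GIT_SHA_RE.match(vcs.get("revision", "")):
        findings.append("no full git revision recorded")
    # BuildKit stores build-argument values under "build-arg:<NAME>" keys (max mode only).
    # Their presence means the attestation reveals whatever was passed with --build-arg.
    args = pred.get("invocation", {}).get("parameters", {}).get("args", {})
    build_args = sorted(k.split(":", 1)[1] for k in args if k.startswith("build-arg:"))
    if build_args:
        findings.append("build-arg values recorded: " + ", ".join(build_args))
    return findings


# Constructed sample: the min-mode statement from the docs, trimmed to the audited fields.
MIN_SAMPLE: Dict[str, Any] = {
    "_type": STATEMENT_TYPE,
    "predicateType": PREDICATE_TYPE,
    "subject": [{
        "name": "pkg:docker/<registry>/<image>@<tag>?platform=linux%2Farm64",
        "digest": {"sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862"},
    }],
    "predicate": {
        "builder": {"id": ""},
        "buildType": "https://mobyproject.org/buildkit@v1",
        "materials": [
            {"uri": "pkg:docker/docker/dockerfile@1",
             "digest": {"sha256": "9ba7531bd80fb0a858632727cf7a112fbfd19b17e94c4e84ced81e24ef1a0dbc"}},
            {"uri": "pkg:docker/golang@1.19.4-alpine?platform=linux%2Farm64",
             "digest": {"sha256": "a9b24b67dc83b3383d22a14941c2b2b2ca6a103d805cac6820fd1355943beaf1"}},
        ],
        "invocation": {"parameters": {
            "frontend": "gateway.v0",
            "args": {"cmdline": "docker/dockerfile:1", "target": "binaries"},
        }},
        "metadata": {
            "completeness": {"parameters": True, "environment": True, "materials": False},
            BUILDKIT_META: {"vcs": {"revision": "a9ba846486420e07d30db1107411ac3697ecab68",
                                    "source": "git@github.com:<org>/<repo>.git"}},
        },
    },
}

# Constructed hypothetical max-mode variant: same build, but build-arg values were recorded.
MAX_SAMPLE: Dict[str, Any] = copy.deepcopy(MIN_SAMPLE)
MAX_SAMPLE["predicate"]["invocation"]["parameters"]["args"].update({
    "build-arg:VERSION": "1.2.3",
    "build-arg:API_TOKEN": "hunter2",  # a secret passed via --build-arg is now in the attestation
})

if __name__ == "__main__":
    for label, stmt in (("min", MIN_SAMPLE), ("max", MAX_SAMPLE)):
        print(f"[{label}]")
        for finding in audit_provenance(stmt):
            print("  -", finding)
```

Two of the findings on the min-mode sample are expected rather than alarming: `completeness.materials` is false for ordinary BuildKit builds, and `builder.id` stays empty unless the build passed the `builder-id` attestation parameter, so that finding is normal for an ad-hoc local build and worth enforcing only for images that claim to come from CI. The `build-arg` finding is the one to act on: anything that shows up there is readable by whoever can pull the image.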

### Max

The `max` mode includes all of the information included in the `min` mode, as
