---
title: Attestations
keywords: build, attestations, sbom, provenance, metadata
description: |
  Introduction to SBOM and provenance attestations with Docker Build,
  what they are, and why they exist
weight: 50
---

{{< youtube-embed qOzcycbTs4o >}}

[Build attestations](/manuals/build/metadata/attestations/_index.md) give you
detailed information about how an image was built and what it contains. These
attestations, generated by BuildKit at build time, are attached to the final
image as metadata, so you can inspect an image to see its origin, who built it,
and its contents. This information helps you make informed decisions about the
security of the image and its impact on your supply chain.

Docker Scout uses these attestations to evaluate the image's security and
supply chain posture, and to provide remediation recommendations for issues. If
issues are detected, such as missing or outdated attestations, Docker Scout can
guide you on how to add or update them, ensuring compliance and improving
visibility into the image's security status.

There are two key types of attestations:

- SBOM, which lists the software artifacts within the image.
- Provenance, which details how the image was built.

You can create attestations by using `docker buildx build` with the
`--provenance` and `--sbom` flags. Attestations attach to the image index,
allowing you to inspect them without pulling the entire image. Docker Scout
leverages this metadata to give you more precise recommendations and better
control over your image's security.
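As an added example that is not part of the Docker documentation, the following Python check consumes the JSON that `docker buildx imagetools inspect IMAGE --format '{{ json .Provenance }}'` and `--format '{{ json .SBOM }}'` print (constructed samples in that shape are embedded below) and flags an image whose attestations are missing, whose provenance lists no materials or materials not pinned by digest, or whose SBOM is empty. The buildType value and the policy thresholds are assumptions of this example.

```python
import json

# Constructed sample (not captured from a real image) in the shape printed by
#   docker buildx imagetools inspect IMAGE --format '{{ json .Provenance }}'
# i.e. a SLSA v0.2 predicate under the "SLSA" key.
PROVENANCE_JSON = json.dumps({"SLSA": {
    "buildType": "https://mobyproject.org/buildkit@v1",
    "materials": [
        {"uri": "pkg:docker/alpine@3.19?platform=linux%2Famd64",
         "digest": {"sha256": "00" * 32}},  # constructed placeholder digest
    ],
}})

# Constructed sample in the shape printed by '{{ json .SBOM }}' (SPDX under "SPDX").
SBOM_JSON = json.dumps({"SPDX": {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "musl", "versionInfo": "1.2.4-r2"},
        {"name": "busybox", "versionInfo": "1.36.1-r15"},
    ],
}})


def check_provenance(raw):
    """Return findings for the provenance attestation; an empty list means OK."""
    doc = json.loads(raw) if raw.strip() else None
    pred = (doc or {}).get("SLSA")
    if not pred:
        return ["no provenance attestation attached to the image"]
    findings = []
    if not str(pred.get("buildType", "")).startswith("https://mobyproject.org/buildkit"):
        findings.append("unexpected buildType: %r" % pred.get("buildType"))
    materials = pred.get("materials", [])
    if not materials:
        findings.append("provenance lists no materials (base images, build contexts)")
    for m in materials:
        # Every material should be pinned by digest, not only referenced by tag.
        if not m.get("digest", {}).get("sha256"):
            findings.append("material without sha256 digest: %s" % m.get("uri"))
    return findings


def check_sbom(raw, min_packages=1):
    """Return findings for the SBOM attestation; an empty list means OK."""
    doc = json.loads(raw) if raw.strip() else None
    spdx = (doc or {}).get("SPDX")
    if not spdx:
        return ["no SBOM attestation attached to the image"]
    pkgs = spdx.get("packages", [])
    if len(pkgs) < min_packages:
        return ["SBOM lists %d packages (expected at least %d)" % (len(pkgs), min_packages)]
    return []
```

Pipe the real `imagetools inspect` output into these functions in CI to fail a pipeline before an image without attestations is promoted.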

