docs: add slsa provenance documentation #3375
docs/slsa.md
| -------------- | -------------- | ---------------- | ----------------------------------------------------------------------------------------------------------- | | ||
| `mode` | `min`,`max` | `max` | Configures the amount of provenance to be generated. See [mode](#mode) | | ||
| `builder-id` | String | | Explicitly set SLSA [`builder.id`](https://slsa.dev/provenance/v0.2#builder.id) field | | ||
| `reproducible` | `true`,`false` | `false` | Explicitly set SLSA [`metadata.reproducible`](https://slsa.dev/provenance/v0.2#metadata.reproducible) field | |
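Review bot: The `builder-id` row leaves the Default column empty, so a reader cannot tell what ends up in `builder.id` when the parameter is omitted; state the default in that cell, or say explicitly that there is none. In the `reproducible` row, "Explicitly set" does not say whether the builder checks the claim in any way, so if the value is simply recorded as the caller passed it, the description should say so, since consumers of the provenance may otherwise read `metadata.reproducible: true` as something that was verified.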
Setting `SOURCE_DATE_EPOCH` might influence this field as well as build timestamps?
Added another commit with updates. PTAL @dvdksn (feel free to update directly)
Couldn't push directly to this branch so I opened a PR: jedevc#3
Signed-off-by: Justin Chadwell <me@jedevc.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: David Karlsson <david.karlsson@docker.com>
Merged @dvdksn's fixes, this should be ready to merge now.
as discussed yesterday on sync, we might want to make the cross-links between the not sure if there is any issue with relative cross-linking when the page gets pulled in the docs repo, if the cross-linked page is not included but another one exists in its place. Hopefully it's fine, I guess we'll find out :-)
docs/slsa.md
@@ -0,0 +1,99 @@ | |||
# SLSA provenance |
Should the file be named `slsa-provenance.md` instead?
Also as discussed, we could replace this section https://github.com/moby/buildkit/blob/master/docs/build-repro.md#build-dependencies and link to this file?
I think we can do the build dependencies update as a follow-up? I think the whole page probably needs reworking with the introduction of provenance, since we're reworking how buildinfo works entirely.
Agreed on the `slsa-provenance.md` rename 🎉
Fine to me as follow-up
🛠️ Fixes #3335.
⬆️ Follow up to #3240 (comment).
We should revisit both this and the sbom docs once docker/buildx#1444 is merged, so we can give more detailed commands about how to view the example outputs.