discover-baseimage-attestations

Download attestations (SBOM, VEX, …) for the base image used in a Dockerfile

Synopsis

Read a Dockerfile or Containerfile, extract the FROM line (the base image), and download any attestations attached to that base image.

This is the same operation as 'devguard-scanner attestations ' but instead of providing the image reference manually, the command reads it from the FROM line of your Containerfile.

Use this when you want to inherit upstream security metadata from your base image as part of your own build pipeline. For example, if your base image ships a VEX document that suppresses a CVE, you can re-use it via 'devguard-scanner attest' instead of triaging the vulnerability yourself. Each discovered attestation is saved as a separate JSON file in the output directory.
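The FROM-line extraction described above, as an added Go example that is not devguard-scanner's own code. It assumes that in a multi-stage build the last stage's external base is the image of interest, and it returns an error rather than guessing when the reference depends on a build argument. The function name finalBaseImage and the registry.example.com references are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: a multi-stage Containerfile whose last stage is an alias.
const sample = `# build stage
FROM --platform=linux/amd64 registry.example.com/toolchain/go:1.0 AS build
FROM registry.example.com/base/runtime:1.0 AS runtime
COPY --from=build /app /app
FROM runtime
`

// finalBaseImage returns the external image under the last build stage.
// Assumption of this example: the last stage is what ships, so its base is the
// image whose attestations matter; the real command may choose differently.
func finalBaseImage(containerfile string) (string, error) {
	stages, last := map[string]string{}, "" // stage alias -> external image
	sc := bufio.NewScanner(strings.NewReader(containerfile))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || !strings.EqualFold(f[0], "FROM") {
			continue // comments, blank lines, other instructions
		}
		args := f[1:]
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:] // skip flags such as --platform=...
		}
		if len(args) == 0 || strings.Contains(args[0], "$") {
			return "", fmt.Errorf("cannot resolve image in %q", sc.Text()) // do not guess
		}
		ref := args[0]
		if resolved, ok := stages[strings.ToLower(ref)]; ok {
			ref = resolved // FROM <earlier stage>: follow the alias
		}
		if len(args) == 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = ref
		}
		last = ref
	}
	if last == "" || last == "scratch" {
		return "", fmt.Errorf("no external base image in final stage")
	}
	return last, nil
}
func main() { fmt.Println(finalBaseImage(sample)) }
```

Checking which reference was resolved before trusting a downloaded VEX document matters most in multi-stage files, where the first FROM line is often a build toolchain rather than the image that ships.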

Examples

Options

Options inherited from parent commands
