Discovering Base Image Attestations

DevGuard can automatically discover and extract attestations from container base images referenced in your Dockerfile. This enables you to ingest upstream vulnerability information from your container supply chain.

This feature is related to the Ingesting Upstream Information guide, which explains how DevGuard processes VEX documents and SBOMs.

Usage

Use the DevGuard scanner to discover attestations from a Dockerfile:

How It Works

The scanner analyzes your Dockerfile to identify base images and attempts to retrieve any associated attestations from the container registry. Attestations are saved to your local filesystem, with filenames derived from the predicate type.

Extracting and Uploading VEX Data

To use the discovered attestations with DevGuard:

  1. Extract the predicate: The VEX document is nested within the predicate field of the in-toto statement
  2. Save the predicate content: Extract the JSON from the predicate field to a separate file
  3. Upload to DevGuard: Use the standard VEX upload process (UI or CLI) with the extracted predicate content

Example Dockerfile

Handling In-Toto Attestations

Important: The discovered attestations are not raw VEX documents, but rather in-toto statements that contain VEX documents as predicates.

Structure:

Example extraction workflow:
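As an added illustration of steps 1 to 3 above (this is example code written for this page, not DevGuard's own scanner or CLI), the script below takes an in-toto statement, checks that it really is one, pulls out the `predicate` object, and writes it to a file named after the predicate type, ready for the standard VEX upload. The sample statement and its OpenVEX predicate are constructed here for the demonstration.

```python
import json
import re
from pathlib import Path

# Constructed sample: an in-toto statement wrapping an OpenVEX document as its predicate
# (illustrative data, not an attestation taken from a real image; the CVE id is a placeholder).
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example.invalid/base:1.0", "digest": {"sha256": "0" * 64}}],
    "predicateType": "https://openvex.dev/ns/v0.2.0",
    "predicate": {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/constructed-001",
        "statements": [
            {"vulnerability": {"name": "CVE-0000-00000"},
             "products": [{"@id": "pkg:oci/base@sha256%3A" + "0" * 64}],
             "status": "not_affected",
             "justification": "vulnerable_code_not_in_execute_path"},
        ],
    },
}
IN_TOTO_STATEMENT_TYPES = {"https://in-toto.io/Statement/v1", "https://in-toto.io/Statement/v0.1"}

def extract_predicate(statement: dict) -> tuple[str, dict]:
    """Return (predicateType, predicate) from an in-toto statement, refusing anything else."""
    if statement.get("_type") not in IN_TOTO_STATEMENT_TYPES:
        raise ValueError(f"not an in-toto statement: _type={statement.get('_type')!r}")
    ptype = statement.get("predicateType")
    predicate = statement.get("predicate")
    if not isinstance(ptype, str) or not isinstance(predicate, dict):
        raise ValueError("statement lacks a string predicateType or an object predicate")
    return ptype, predicate

def filename_for_predicate_type(ptype: str) -> str:
    """Derive a safe filename from the predicate type URI, e.g. openvex.dev_ns_v0.2.0.json."""
    stem = re.sub(r"^https?://", "", ptype)
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", stem).strip("_")
    return f"{stem}.json"

def save_predicate(statement: dict, out_dir: Path) -> Path:
    """Write the bare predicate (the VEX document itself) into out_dir and return its path."""
    ptype, predicate = extract_predicate(statement)
    path = Path(out_dir) / filename_for_predicate_type(ptype)
    path.write_text(json.dumps(predicate, indent=2))
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(save_predicate(SAMPLE_STATEMENT, Path(tmp)).read_text())
```

The file written by `save_predicate` contains only the VEX document, without the in-toto `subject` and `predicateType` wrapper, which is the content the VEX upload expects.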
