docs: add provenance flags to CI/CD workflow example in DHI scan page #24326
ajeetraina wants to merge 12 commits into docker:main
Conversation
Updated the "Build Docker image" step in the GitHub Actions workflow example under "Automate DHI scanning in CI/CD with Docker Scout" to include `--provenance=mode=max`, `--sbom=true`, and `--push` flags.
content/manuals/dhi/how-to/scan.md (outdated)
> The `--provenance=mode=max` and `--sbom=true` flags are required so that
> Docker Scout can trace the DHI base image lineage and correctly apply its
> VEX statements. The `--push` flag is also required, as attestations can
If the `--push` option is mandatory, I would prefer to have the same reasoning mentioned here to be consistent.
However, if there is a way we could avoid `--push`, I would prefer that approach, as the usual flow in CI would be to push the image to the registry only if the CVE scan passes their requirements. Having to push the image and attestations before the CVE scan might be a problem in most workflows.
@fazlan-nazeem Great point. I investigated this and tested two approaches on GHA. https://github.com/ajeetraina/dhi-containerd-test/actions/runs/22900957211
The `--push` flag can be avoided by enabling the containerd image store, which allows attestations to be stored locally without pushing to a registry first. This enables the correct CI order: build → scan → push only if clean.
Without the containerd image store, Docker Engine rejects the build entirely with:
```
Attestation is not supported for the docker driver.
Switch to a different driver, or turn on the containerd image store, and try again.
```
I've validated this with a two-job GitHub Actions workflow (test run here):
- test-with-containerd - build → scan → push succeeded
- test-without-containerd - build failed immediately with the above error
I'll update the PR to use `docker/setup-docker-action` with the containerd image store enabled, remove `--push` from the build step, and gate the push behind `if: success()` after the scan. This gives users the security-correct workflow they'd expect.
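One concrete shape for the build → scan → push ordering described in the comment above (containerd image store enabled, attestations built without `--push`, push gated on the scan result), written here as an added illustration that is neither the PR's diff nor Docker's published documentation. The action versions, the image name and registry, the secret names and the severity threshold are all assumptions; adjust them to your environment.

```yaml
name: dhi-scan-then-push

on:
  push:
    branches: [main]

env:
  # Hypothetical image reference; replace with your own repository.
  IMAGE: ghcr.io/example-org/example-app:${{ github.sha }}

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      # Turn on the containerd image store so the docker driver can keep
      # the provenance and SBOM attestations locally instead of requiring --push.
      - name: Set up Docker with containerd image store
        uses: docker/setup-docker-action@v4
        with:
          daemon-config: |
            {
              "features": {
                "containerd-snapshotter": true
              }
            }

      # Build with both attestations but do NOT push yet.
      - name: Build image with provenance and SBOM
        uses: docker/build-push-action@v6
        with:
          context: .
          tags: ${{ env.IMAGE }}
          provenance: mode=max
          sbom: true
          push: false

      # Scan the locally stored image; exit-code: true fails the job
      # when CVEs at the listed severities are found (threshold is an assumption).
      - name: Scan with Docker Scout
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.IMAGE }}
          only-severities: critical,high
          exit-code: true
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
          dockerhub-password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Registry login and push run only if every earlier step,
      # including the scan, succeeded.
      - name: Log in to registry
        if: success()
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push image and attestations
        if: success()
        run: docker push "$IMAGE"
```

Because the image sits in the containerd store, the final `docker push` sends the full image index, attestations included, so the registry copy carries the same provenance and SBOM the scan ran against.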
@craig-osterhout would you be able to review and merge this, please?