Add provenance to Docker image (#568)

nginxinc · Dec 5, 2023 · 82961d6 · 82961d6
1 parent 512f1af
commit 82961d6
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -190,7 +190,7 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          provenance: false
+          provenance: ${{ github.event_name != 'pull_request' && 'mode=max' || 'false' }}
           sbom: ${{ github.event_name != 'pull_request' }}
 
       - name: Scan image

diff --git a/README.md b/README.md
@@ -465,7 +465,8 @@ The SBOMs for the binaries are available in the releases page. The SBOMs are gen
 
 ### Docker Image
 
-The SBOM for the Docker image is available in the [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter),
+The SBOM for the Docker image is available in the
+[DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter),
 [GitHub Container registry](https://github.com/nginxinc/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter),
 [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) and
 [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter) repositories. The SBOMs are generated using
@@ -478,6 +479,21 @@ For example to retrieve the SBOM for `linux/amd64` from Docker Hub and analyze i
 docker buildx imagetools inspect nginx/nginx-prometheus-exporter:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype
 ```
 
+## Provenance
+
+We generate provenance for the Docker image and it's available in the
+[DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter),
+[GitHub Container registry](https://github.com/nginxinc/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter),
+[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) and
+[Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter) repositories, stored as an attestation in the
+image manifest.
+
+For example to retrieve the provenance for `linux/amd64` from Docker Hub you can run the following command:
+
+```console
+docker buildx imagetools inspect nginx/nginx-prometheus-exporter:edge --format '{{ json (index .Provenance "linux/amd64").SLSA }}'
+```
+
 ## Contacts
 
 We’d like to hear your feedback! If you have any suggestions or experience issues with the NGINX Prometheus Exporter,