Merge pull request #21108 from sbenhoff007/sssc-docker-concepts

guides: add videos to scout learning path

Author: dvdksn

content/guides/docker-scout/_index.md

@@ -14,16 +14,14 @@ aliases:
 params:
   featured: true
   image: images/learning-paths/scout.png
-  time: 10 minutes
+  time: 20 minutes
   resource_links:
     - title: Docker Scout overview
       url: /scout/
     - title: Docker Scout quickstart
       url: /scout/quickstart/
     - title: Install Docker Scout
       url: /scout/install/
-    - title: Software Bill of Materials
-      url: /scout/concepts/sbom/
 ---
 
 When container images are insecure, significant risks can arise. Around 60% of

content/guides/docker-scout/attestations.md

@@ -0,0 +1,36 @@
+---
+title: Attestations
+keywords: build, attestations, sbom, provenance, metadata
+description: |
+  Introduction to SBOM and provenance attestations with Docker Build,
+  what they are, and why they exist
+weight: 50
+---
+
+{{< youtube-embed qOzcycbTs4o >}}
+
+[Build attestations](/manuals/build/metadata/attestations/_index.md) give you
+detailed information about how an image was built and what it contains. These
+attestations, generated by BuildKit during build-time, attach to the final
+image as metadata, allowing you to inspect an image to see its origin, creator,
+and contents. This information helps you make informed decisions about the
+security and impact of the image on your supply chain.
+
+Docker Scout uses these attestations to evaluate the image's security and
+supply chain posture, and to provide remediation recommendations for issues. If
+issues are detected, such as missing or outdated attestations, Docker Scout can
+guide you on how to add or update them, ensuring compliance and improving
+visibility into the image's security status.
+
+There are two key types of attestations:
+
+- SBOM, which lists the software artifacts within the image.
+- Provenance, which details how the image was built.
+
+You can create attestations by using `docker buildx build` with the
+`--provenance` and `--sbom` flags. Attestations attach to the image index,
+allowing you to inspect them without pulling the entire image. Docker Scout
+leverages this metadata to give you more precise recommendations and better
+control over your image's security.
+
+<div id="scout-lp-survey-anchor"></div>

content/guides/docker-scout/common-questions.md

@@ -1,7 +1,6 @@
 ---
 title: Common challenges and questions
 description: Explore common challenges and questions related to Docker Scout.
-weight: 30
 ---
 
 <!-- vale Docker.HeadingLength = NO -->

content/guides/docker-scout/demo.md

@@ -1,9 +1,12 @@
 ---
 title: Docker Scout demo
+linkTitle: Demo
 description: Learn about Docker Scout's powerful features for enhanced supply chain security.
 weight: 20
 ---
 
+{{< youtube-embed "TkLwJ0p46W8" >}}
+
 Docker Scout has powerful features for enhancing containerized application
 security and ensuring a robust software supply chain.
 
@@ -15,6 +18,4 @@ security and ensuring a robust software supply chain.
   removing unnecessary packages
 - Verify and validate remediation efforts using Docker Scout
 
-{{< youtube-embed "TkLwJ0p46W8" >}}
-
 <div id="scout-lp-survey-anchor"></div>

content/guides/docker-scout/remediation.md

@@ -0,0 +1,27 @@
+---
+title: Remediation
+description: Learn how Docker Scout can help you improve your software quality automatically, using remediation
+keywords: scout, supply chain, security, remediation, automation
+weight: 60
+---
+
+{{< youtube-embed jM9zLBf8M-8 >}}
+
+Docker Scout's [remediation feature](/manuals/scout/policy/remediation.md)
+helps you address supply chain and security issues by offering tailored
+recommendations based on policy evaluations. These recommendations guide you in
+improving policy compliance or enhancing image metadata, allowing Docker Scout
+to perform more accurate evaluations in the future.
+
+You can use this feature to ensure that your base images are up-to-date and
+that your supply chain attestations are complete. When a violation occurs,
+Docker Scout provides recommended fixes, such as updating your base image or
+adding missing attestations. If there isn’t enough information to determine
+compliance, Docker Scout suggests actions to help resolve the issue.
+
+In the Docker Scout Dashboard, you can view and act on these recommendations by
+reviewing violations or compliance uncertainties. With integrations like
+GitHub, you can even automate updates, directly fixing issues from the
+dashboard.
+
+<div id="scout-lp-survey-anchor"></div>

content/manuals/scout/concepts/s3c.md renamed to content/guides/docker-scout/s3c.md

@@ -2,8 +2,13 @@
 title: Software supply chain security
 description: Learn about software supply chain security (S3C), what it means, and why it is important.
 keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c
+aliases:
+  - /scout/concepts/s3c/
+weight: 30
 ---
 
+{{< youtube-embed YzNK6E7APv0 >}}
+
 The term "software supply chain" refers to the end-to-end process of developing
 and delivering software, from the development to deployment and maintenance.
 Software supply chain security, or "S3C" for short, is the practice for
@@ -39,7 +44,7 @@ day where software is built using multiple components from different sources.
 Organizations need to have a clear understanding of the software components
 they use, and the security risks associated with them.
 
-## Docker Scout
+## How Docker Scout is different
 
 Docker Scout is a platform designed to help organizations secure their software
 supply chain. It provides tools and services for identifying and managing
@@ -53,9 +58,11 @@ updated risk assessment is available within seconds, and earlier in the
 development process.
 
 Docker Scout works by analyzing the composition of your images to create a
-[Software Bill of Materials (SBOM)](/manuals/scout/concepts/sbom.md). The SBOM is
-cross-referenced against the security advisories to identify CVEs that affect
-your images. Docker Scout integrates with [over 20 different security
+Software Bill of Materials (SBOM). The SBOM is cross-referenced against the
+security advisories to identify CVEs that affect your images. Docker Scout
+integrates with [over 20 different security
 advisories](/manuals/scout/deep-dive/advisory-db-sources.md), and updates its
 vulnerability database in real-time. This ensures that your security posture is
 represented using the latest available information.
+
+<div id="scout-lp-survey-anchor"></div>

content/manuals/scout/concepts/sbom.md renamed to content/guides/docker-scout/sbom.md

@@ -2,8 +2,13 @@
 title: Software Bill of Materials
 description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it.
 keywords: scout, sbom, software bill of materials, analysis, composition
+aliases:
+  - /scout/concepts/sbom/
+weight: 40
 ---
 
+{{< youtube-embed PbS4y7C7h4A >}}
+
 A Bill of Materials (BOM) is a list of materials, parts, and the quantities of
 each needed to manufacture a product. For example, a BOM for a computer might
 list the motherboard, CPU, RAM, power supply, storage devices, case, and other
@@ -35,16 +40,10 @@ An SBOM typically includes the following information:
 
 Docker Scout uses SBOMs to determine the components that are used in a Docker
 image. When you analyze an image, Docker Scout will either use the SBOM that is
-attached to the image (using [attestations](/manuals/build/metadata/attestations/_index.md)), or
-it will generate an SBOM on the fly by analyzing the contents of the image.
+attached to the image as an attestation, or it will generate an SBOM on the fly
+by analyzing the contents of the image.
 
 The SBOM is cross-referenced with the [advisory database](/manuals/scout/deep-dive/advisory-db-sources.md)
 to determine if any of the components in the image have known vulnerabilities.
 
-## Additional resources
-
-To learn more about generating SBOMs and how SBOMs are used in Docker Scout,
-see:
-
-- [Image analysis in Docker Scout](/manuals/scout/explore/analysis.md)
-- [View and create SBOMs](/manuals/scout/how-tos/view-create-sboms.md)
+<div id="scout-lp-survey-anchor"></div>

content/guides/docker-scout/why.md

@@ -4,6 +4,8 @@ description: Learn how Docker Scout can help you secure your supply chain.
 weight: 10
 ---
 
+{{< youtube-embed "-omsQ7Uqyc4" >}}
+
 Organizations face significant challenges from data breaches,
 including financial losses, operational disruptions, and long-term damage to
 brand reputation and customer trust. Docker Scout addresses critical problems
@@ -22,6 +24,4 @@ development process. It also integrates with popular development tools like
 Docker Desktop and GitHub Actions, providing seamless security management and
 compliance checks within existing workflows.
 
-{{< youtube-embed "-omsQ7Uqyc4" >}}
-
 <div id="scout-lp-survey-anchor"></div>

content/manuals/build/metadata/attestations/_index.md

@@ -8,6 +8,8 @@ aliases:
   - /build/attestations/
 ---
 
+{{< youtube-embed qOzcycbTs4o >}}
+
 Build attestations describe how an image was built, and what it contains. The
 attestations are created at build-time by BuildKit, and become attached to the
 final image as metadata.