@@ -77,25 +77,27 @@ By integrating SLSA-compliant DHIs into your development and deployment processe
7777- Streamline audits: Utilize verifiable build records and signatures to simplify
7878 security audits and assessments.
7979
80- ## How to verify SLSA compliance
80+ ## Get and verify SLSA provenance for Docker Hardened Images
8181
82- Each DHI is cryptographically signed and complies with the SLSA framework,
83- ensuring verifiable build provenance and integrity.
82+ Each Docker Hardened Image (DHI) is cryptographically signed and includes
83+ attestations. These attestations provide verifiable build provenance and
84+ demonstrate adherence to SLSA Build Level 3 standards.
8485
85- To evaluate whether a DHI complies with SLSA standards, you can use the
86- [ slsa-verifier tool] ( https://github.com/slsa-framework/slsa-verifier ) . This tool
87- verifies the SLSA provenance of an image, ensuring that it was built according
88- to the specified security levels.
89-
90- To use the slsa-verifier tool after installation, run the following command.
91- Replace ` <your-namespace>/dhi-<image>:<tag> ` with the image name and tag.
86+ To get and verify SLSA provenance for a DHI, you can use Docker Scout.
9287
9388``` console
94- $ slsa-verifier verify-image < your-namespace> /dhi-< image> :< tag>
89+ $ docker scout attest get < your-namespace> /dhi-< image> :< tag> \
90+ --predicate-type https://slsa.dev/provenance/v0.2 \
91+ --verify
9592```
9693
97- This command will verify the SLSA provenance of the image, checking that it
98- meets the specified security levels.
94+ For example:
95+
96+ ``` console
97+ $ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
98+ --predicate-type https://slsa.dev/provenance/v0.2 \
99+ --verify
100+ ```
99101
100102## Resources
101103
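Review bot: the placeholder instruction was dropped together with the old slsa-verifier text (removed line 91, "Replace `<your-namespace>/dhi-<image>:<tag>` with the image name and tag"), yet the new `docker scout attest get <your-namespace>/dhi-<image>:<tag>` command still uses that placeholder, so the reader is no longer told what to substitute; carry that sentence over before the first console block. The new text also no longer says what a successful `--verify` run looks like or what to inspect in the returned provenance (the removed lines 97-98 at least said the command checks that the image "meets the specified security levels"), so add a sentence after the example stating what output indicates verified SLSA Build Level 3 provenance. Minor: the added paragraph assumes Docker Scout is already installed without saying so, whereas the removed text qualified its command with "after installation".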