docker · aevesdocker · Jul 24, 2025 · Jul 24, 2025 · Jul 24, 2025
@@ -23,7 +23,7 @@ For more detailed information, see the [release notes in the Compose repo](https
 
 - Added `--models` flag to `config` command to list models
 - Added `--since` and `--until` flags to `events`
-- Introduced `provenance` and `sbom` attributes to `develop` section
+- Introduced `provenance` and `sbom` attributes to `build` section
 - Fixed `bridge convert` issue on Windows 
 - Fixed multiple issues with `bake` builds
 

diff --git a/content/reference/compose-file/build.md b/content/reference/compose-file/build.md
@@ -424,11 +424,52 @@ build:
   privileged: true
 ```
 
+### `provenance`
+
+{{< summary-bar feature_name="Compose provenance" >}} 
+
+`provenance` configures the builder to add a [provenance attestation](https://slsa.dev/provenance/v0.2#schema) to the published image. 
+
+The value can be either a boolean to enable/disable provenance attestation, or a key=value string to set provenance configuration. You can
+use this to select the level of detail to be included in the provenance attestation by setting the `mode` parameter.
+
+```yaml
+build:
+  context: .
+  provenance: true
+```
+
+```yaml
+build:
+  context: .
+  provenance: mode=max
+```
+
 ### `pull`
 
 `pull` requires the image builder to pull referenced images (`FROM` Dockerfile directive), even if those are already
 available in the local image store.
 
+### `sbom`
+
+{{< summary-bar feature_name="Compose sbom" >}}
+
+`sbom` configures the builder to add a [provenance attestation](https://slsa.dev/provenance/v0.2#schema) to the published image. 
+The value can be either a boolean to enable/disable sbom attestation, or a key=value string to set SBOM generator configuration. This let you
+select an alternative SBOM generator image (see https://github.com/moby/buildkit/blob/master/docs/attestations/sbom-protocol.md)
+
+```yaml
+build:
+  context: .
+  sbom: true
+```
+
+```yaml
+build:
+  context: .
+  sbom: generator=docker/scout-sbom-indexer:latest # Use an alternative SBOM generator
+```
+
 ### `secrets`
 
 `secrets` grants access to sensitive data defined by [secrets](services.md#secrets) on a per-service build basis. Two

diff --git a/data/summary.yaml b/data/summary.yaml
@@ -125,10 +125,14 @@ Compose post start:
   requires: Docker Compose [2.30.0](/manuals/compose/releases/release-notes.md#2300) and later
 Compose pre stop:
   requires: Docker Compose [2.30.0](/manuals/compose/releases/release-notes.md#2300) and later
+Compose provenance:
+  requires: Docker Compose [2.39.0](/manuals/compose/releases/release-notes.md#2390) and later
 Compose uts:
   requires: Docker Compose [2.15.1](/manuals/compose/releases/release-notes.md#2151) and later
 Composefile include:
   requires: Docker Compose [2.20.0](/manuals/compose/releases/release-notes.md#2200) and later
+Compose sbom:
+  requires: Docker Compose [2.39.0](/manuals/compose/releases/release-notes.md#2390) and later
 containerd:
   availability: Experimental
 Dev Environments: