Skip to content

PoC: add docker provenance & SBOM #802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fmigneault merged 5 commits into from
May 2, 2025
Merged

PoC: add docker provenance & SBOM #802

fmigneault merged 5 commits into from
May 2, 2025

Conversation

@fmigneault
Copy link
Collaborator

@fmigneault fmigneault commented Mar 8, 2025

Summary

In order to offer better traceability of the code and runtime environment (not just the underlying execution artifacts annotated by CWLProv / W3C PROV when running processing), annotate the provided docker image with best practice provenance details.

Detail

Employ docker traceability attestations:

Requires an intermediate step to setup the docker-container driver as builder:
https://docs.docker.com/build/builders/drivers/docker-container/

Allows a better Docker Scout health score (other items remaining to iron out the score to be addressed in separate PRs).

Before

https://hub.docker.com/layers/pavics/weaver/6.4.0/images/sha256-17ed69160f769eb88f019b77a46223ed20e5ef98319e2d0392f8009aa7378294

image

After

https://hub.docker.com/layers/pavics/weaver/6.5.0-rc/images/sha256-85cc04f422d81ec0e637e77d918684c6c702ca4b6a55c1c28e069cbd1900cc98

image

Usage / Validation

docker buildx imagetools inspect pavics/weaver:6.5.0-rc --format "{{ json .Provenance.SLSA }}"
{
  "buildConfig": {
    "digestMapping": {
      "sha256:00179c39b0f4e127ac749504e6305f3e9c8e51aec06a49f076d0e4081a4fd928": "step0",
      "sha256:16b20880cb9e9c3270a91df3581ac597ccaa1bf558381f4bfd4e125d0dc08a4f": "step1",
      "sha256:6ce196c295f360bb6906c6eadb12439f6c74422c6d0fcf38b52c99564bfe42a2": "step2",
      "sha256:7164064266a98617a1fced0e7b0d5e3cab5753cfc06a9b5f7a73016750fec212": "step6",
      "sha256:7e20492911c4fa3374b646b92627379e0bf58278c082f387a4a1262fe93373a4": "step8",
      "sha256:af60562792c43f60230073a4389ab8296db13062cabd68007c0f7fa122e9acf8": "step5",
      "sha256:be6cc100c75d5c9a26433a92f29455f4c5e43caf27b06b3157776bfa3d13326a": "step3",
      "sha256:c2f4f4abe1c0cef6281960651916225f2cf93d8f1c16cbe3241fb05f8a2174f1": "step4",
      "sha256:e0d1f64b8ff5f43bdfe08090679323b3f4010205eaab3313375bf5a49961f3f2": "step7"
    },
    "llbDefinition": [
      {
        "id": "step0",
        "op": {
          "Op": {
            "source": {
              "identifier": "docker-image://docker.io/library/python:3.11-slim@sha256:614c8691ab74150465ec9123378cd4dde7a6e57be9e558c3108df40664667a4c"
            }
          },
          "constraints": {},
          "platform": {
            "Architecture": "amd64",
            "OS": "linux"
          }
        }
      },
      {
        "id": "step1",
        "inputs": [
          "step0:0"
        ],
        "op": {
          "Op": {
            "file": {
              "actions": [
                {
                  "Action": {
                    "mkdir": {
                      "makeParents": true,
                      "mode": 493,
                      "path": "/opt/local/src/weaver",
                      "timestamp": -1
                    }
                  },
                  "input": 0,
                  "output": 0,
                  "secondaryInput": -1
                }
              ]
            }
          },
          "constraints": {}
        }
      },
      {
        "id": "step2",
        "op": {
          "Op": {
            "source": {
              "attrs": {
                "local.excludepatterns": "[\"docker\",\".dockerignore\",\".git\",\".github\",\".gitignore\",\"[Mm]akefile.config\",\"downloads\",\"env\",\"package.json\",\"package-lock.json\",\"node_modules\",\"celeryconfig*\",\"celery-config*\",\"celerybeat-schedule.*\",\"*~\",\"*.mo\",\"*.so\",\"*.py[cod]\",\"*.bak\",\"*.sqlite\",\"*.egg[s]\",\"*.egg-info\",\"*egg[s]__pycache__\",\".python_history\",\".cache\",\".coverage\",\"coverage\",\".pylint.d\",\".pytest_cache\",\".tox\",\"nosetests.xml\",\"unit_tests/testdata.json\",\"tests\",\"**/*.log\",\"**/*.lock\",\"testdata.json\",\"reports\",\"*.Rhistory\",\".project\",\".pydevproject\",\".settings\",\"*.idea\",\"*.run\",\"*.iml\",\"*.kate-swp\",\"*.sublime*\",\"docs\",\"[Bb]uild\",\"src\",\".ipynb_checkpoints\",\"**/*.o\",\"**/*.a\",\"**/*.mod\",\"**/*.out\",\"workflows\",\"**/*.tif\",\"archive\",\"*.zip\",\"*.tar.gz\",\"**/*.zip\",\"**/*.tag.gz\",\"!config/*.example\",\"config/*\",\"[Bb]in\"]",
                "local.sharedkeyhint": "context"
              },
              "identifier": "local://context"
            }
          },
          "constraints": {}
        }
      },
      {
        "id": "step3",
        "inputs": [
          "step1:0",
          "step2:0"
        ],
        "op": {
          "Op": {
            "file": {
              "actions": [
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver/weaver/",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/weaver/__init__.py",
                      "timestamp": -1
                    }
                  },
                  "input": 0,
                  "output": -1,
                  "secondaryInput": 1
                },
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver/weaver/",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/weaver/__meta__.py",
                      "timestamp": -1
                    }
                  },
                  "input": 2,
                  "output": 0,
                  "secondaryInput": 1
                }
              ]
            }
          },
          "constraints": {}
        }
      },
      {
        "id": "step4",
        "inputs": [
          "step3:0",
          "step2:0"
        ],
        "op": {
          "Op": {
            "file": {
              "actions": [
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver/",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/requirements*",
                      "timestamp": -1
                    }
                  },
                  "input": 0,
                  "output": -1,
                  "secondaryInput": 1
                },
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver/",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/setup.py",
                      "timestamp": -1
                    }
                  },
                  "input": 2,
                  "output": -1,
                  "secondaryInput": 1
                },
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver/",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/README.rst",
                      "timestamp": -1
                    }
                  },
                  "input": 3,
                  "output": -1,
                  "secondaryInput": 1
                },
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver/",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/CHANGES.rst",
                      "timestamp": -1
                    }
                  },
                  "input": 4,
                  "output": 0,
                  "secondaryInput": 1
                }
              ]
            }
          },
          "constraints": {}
        }
      },
      {
        "id": "step5",
        "inputs": [
          "step4:0"
        ],
        "op": {
          "Op": {
            "exec": {
              "meta": {
                "args": [
                  "/bin/sh",
                  "-c",
                  "apt-get update \u0026\u0026 apt-get install -y --no-install-recommends         ca-certificates         netbase         gcc         g++         git         nodejs     \u0026\u0026 pip install --no-cache-dir --upgrade -r requirements-sys.txt     \u0026\u0026 pip install --no-cache-dir -r requirements.txt     \u0026\u0026 pip install --no-cache-dir -e ${APP_DIR}     \u0026\u0026 apt-get remove -y         gcc         g++         git     \u0026\u0026 rm -rf /var/lib/apt/lists/*"
                ],
                "cwd": "/opt/local/src/weaver",
                "env": [
                  "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                  "LANG=C.UTF-8",
                  "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
                  "PYTHON_VERSION=3.11.11",
                  "PYTHON_SHA256=2a9920c7a0cd236de33644ed980a13cbbc21058bfdc528febb6081575ed73be3",
                  "APP_DIR=/opt/local/src/weaver",
                  "APP_CONFIG_DIR=/opt/local/src/weaver/config",
                  "APP_ENV_DIR=/opt/local/src/weaver/env"
                ],
                "removeMountStubsRecursive": true
              },
              "mounts": [
                {
                  "dest": "/"
                }
              ]
            }
          },
          "constraints": {},
          "platform": {
            "Architecture": "amd64",
            "OS": "linux"
          }
        }
      },
      {
        "id": "step6",
        "inputs": [
          "step5:0",
          "step2:0"
        ],
        "op": {
          "Op": {
            "file": {
              "actions": [
                {
                  "Action": {
                    "copy": {
                      "allowEmptyWildcard": true,
                      "allowWildcard": true,
                      "createDestPath": true,
                      "dest": "/opt/local/src/weaver",
                      "dirCopyContents": true,
                      "followSymlink": true,
                      "mode": -1,
                      "src": "/",
                      "timestamp": -1
                    }
                  },
                  "input": 0,
                  "output": 0,
                  "secondaryInput": 1
                }
              ]
            }
          },
          "constraints": {}
        }
      },
      {
        "id": "step7",
        "inputs": [
          "step6:0"
        ],
        "op": {
          "Op": {
            "exec": {
              "meta": {
                "args": [
                  "/bin/sh",
                  "-c",
                  "pip install --no-dependencies -e ${APP_DIR}"
                ],
                "cwd": "/opt/local/src/weaver",
                "env": [
                  "PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                  "LANG=C.UTF-8",
                  "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
                  "PYTHON_VERSION=3.11.11",
                  "PYTHON_SHA256=2a9920c7a0cd236de33644ed980a13cbbc21058bfdc528febb6081575ed73be3",
                  "APP_DIR=/opt/local/src/weaver",
                  "APP_CONFIG_DIR=/opt/local/src/weaver/config",
                  "APP_ENV_DIR=/opt/local/src/weaver/env"
                ],
                "removeMountStubsRecursive": true
              },
              "mounts": [
                {
                  "dest": "/"
                }
              ]
            }
          },
          "constraints": {},
          "platform": {
            "Architecture": "amd64",
            "OS": "linux"
          }
        }
      },
      {
        "id": "step8",
        "inputs": [
          "step7:0"
        ],
        "op": {
          "Op": {}
        }
      }
    ]
  },
  "buildType": "https://mobyproject.org/buildkit@v1",
  "builder": {
    "id": ""
  },
  "invocation": {
    "configSource": {
      "entryPoint": "Dockerfile-base"
    },
    "environment": {
      "platform": "linux/amd64"
    },
    "parameters": {
      "args": {
        "build-arg:DOCKER_BASE": "pavics/weaver:6.5.0-rc"
      },
      "frontend": "dockerfile.v0",
      "locals": [
        {
          "name": "context"
        },
        {
          "name": "dockerfile"
        }
      ]
    }
  },
  "materials": [
    {
      "digest": {
        "sha256": "434b49272c090c4788e38c8d8d6008c3741c4a8d4638e62dff5cdc6409d7927a"
      },
      "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1"
    },
    {
      "digest": {
        "sha256": "614c8691ab74150465ec9123378cd4dde7a6e57be9e558c3108df40664667a4c"
      },
      "uri": "pkg:docker/[email protected]?platform=linux%2Famd64"
    }
  ],
  "metadata": {
    "buildFinishedOn": "2025-03-08T04:10:20.400776296Z",
    "buildInvocationID": "tqbbjiwx96085ey7dqx8bp9vb",
    "buildStartedOn": "2025-03-08T04:10:11.51635378Z",
    "completeness": {
      "environment": true,
      "materials": false,
      "parameters": true
    },
    "https://mobyproject.org/buildkit@v1#metadata": {
      "layers": {
        "step0:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            }
          ]
        ],
        "step1:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            },
            {
              "digest": "sha256:5388b38f6f9655a573989452ab8d3d76ea11212e54b5a9f1267a5a4fa1564260",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 150
            }
          ]
        ],
        "step3:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            },
            {
              "digest": "sha256:5388b38f6f9655a573989452ab8d3d76ea11212e54b5a9f1267a5a4fa1564260",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 150
            },
            {
              "digest": "sha256:bba822e7648ca37d5bf3dfc2343a8fcf953598dd53121335e73b12a127dc94f0",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1575
            }
          ]
        ],
        "step4:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            },
            {
              "digest": "sha256:5388b38f6f9655a573989452ab8d3d76ea11212e54b5a9f1267a5a4fa1564260",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 150
            },
            {
              "digest": "sha256:bba822e7648ca37d5bf3dfc2343a8fcf953598dd53121335e73b12a127dc94f0",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1575
            },
            {
              "digest": "sha256:08a5daca288a27a74a6db045d454d864218248e5e712fa636b424cd48f2ae4e2",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 65212
            }
          ]
        ],
        "step5:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            },
            {
              "digest": "sha256:5388b38f6f9655a573989452ab8d3d76ea11212e54b5a9f1267a5a4fa1564260",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 150
            },
            {
              "digest": "sha256:bba822e7648ca37d5bf3dfc2343a8fcf953598dd53121335e73b12a127dc94f0",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1575
            },
            {
              "digest": "sha256:08a5daca288a27a74a6db045d454d864218248e5e712fa636b424cd48f2ae4e2",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 65212
            },
            {
              "digest": "sha256:b8a973fc54b8c29177560617beb7d6253b70be506bad8492560e0f0f0e36f5fa",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 286841141
            }
          ]
        ],
        "step6:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            },
            {
              "digest": "sha256:5388b38f6f9655a573989452ab8d3d76ea11212e54b5a9f1267a5a4fa1564260",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 150
            },
            {
              "digest": "sha256:bba822e7648ca37d5bf3dfc2343a8fcf953598dd53121335e73b12a127dc94f0",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1575
            },
            {
              "digest": "sha256:08a5daca288a27a74a6db045d454d864218248e5e712fa636b424cd48f2ae4e2",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 65212
            },
            {
              "digest": "sha256:b8a973fc54b8c29177560617beb7d6253b70be506bad8492560e0f0f0e36f5fa",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 286841141
            },
            {
              "digest": "sha256:750115c113447421deb66709f9fb12ea7c770a5cfc9a2aa64af5e5b564d7177f",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1258463
            }
          ]
        ],
        "step7:0": [
          [
            {
              "digest": "sha256:7cf63256a31a4cc44f6defe8e1af95363aee5fa75f30a248d95cae684f87c53c",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 28219301
            },
            {
              "digest": "sha256:183f0922284a8cedfbb884126f80363579bb8dbca1911951bfd7f0ee1d710f11",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 3511492
            },
            {
              "digest": "sha256:5dbb3b698b727bb06ce21e20ef60f7929e05ea0746047bb970d01e34ee6129ad",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 16204764
            },
            {
              "digest": "sha256:0c5ce2cb4ecc4aadbe1ed2f03df63b0a280a041c1b61fe1cde8d9af1ee5de163",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 250
            },
            {
              "digest": "sha256:5388b38f6f9655a573989452ab8d3d76ea11212e54b5a9f1267a5a4fa1564260",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 150
            },
            {
              "digest": "sha256:bba822e7648ca37d5bf3dfc2343a8fcf953598dd53121335e73b12a127dc94f0",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1575
            },
            {
              "digest": "sha256:08a5daca288a27a74a6db045d454d864218248e5e712fa636b424cd48f2ae4e2",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 65212
            },
            {
              "digest": "sha256:b8a973fc54b8c29177560617beb7d6253b70be506bad8492560e0f0f0e36f5fa",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 286841141
            },
            {
              "digest": "sha256:750115c113447421deb66709f9fb12ea7c770a5cfc9a2aa64af5e5b564d7177f",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 1258463
            },
            {
              "digest": "sha256:e9b3c256973171dc89120c68dda0f99fc07a606d31e8d0e5818da0261802e599",
              "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
              "size": 103951
            }
          ]
        ]
      },
      "source": {
        "infos": [
          {
            "data": "RlJPTSBweXRob246My4xMS1zbGltCkxBQkVMIGRlc2NyaXB0aW9uLnNob3J0PSJXZWF2ZXIgQmFzZSIKTEFCRUwgZGVzY3JpcHRpb24ubG9uZz0iV29ya2Zsb3cgRXhlY3V0aW9uIE1hbmFnZW1lbnQgU2VydmljZSAoRU1TKTsgQXBwbGljYXRpb24sIERlcGxveW1lbnQgYW5kIEV4ZWN1dGlvbiBTZXJ2aWNlIChBREVTKSIKTEFCRUwgbWFpbnRhaW5lcj0iRnJhbmNpcyBDaGFyZXR0ZS1NaWduZWF1bHQgPGZyYW5jaXMuY2hhcmV0dGUtbWlnbmVhdWx0QGNyaW0uY2E+IgpMQUJFTCB2ZW5kb3I9IkNSSU0iCkxBQkVMIHZlcnNpb249IjYuNC4wIgoKIyBzZXR1cCBwYXRocwpFTlYgQVBQX0RJUj0vb3B0L2xvY2FsL3NyYy93ZWF2ZXIKRU5WIEFQUF9DT05GSUdfRElSPSR7QVBQX0RJUn0vY29uZmlnCkVOViBBUFBfRU5WX0RJUj0ke0FQUF9ESVJ9L2VudgpXT1JLRElSICR7QVBQX0RJUn0KCiMgb2J0YWluIHNvdXJjZSBmaWxlcwpDT1BZIHdlYXZlci9fX2luaXRfXy5weSB3ZWF2ZXIvX19tZXRhX18ucHkgJHtBUFBfRElSfS93ZWF2ZXIvCkNPUFkgcmVxdWlyZW1lbnRzKiBzZXR1cC5weSBSRUFETUUucnN0IENIQU5HRVMucnN0ICR7QVBQX0RJUn0vCgojIGluc3RhbGwgcnVudGltZS9wYWNrYWdlIGRlcGVuZGVuY2llcwpSVU4gYXB0LWdldCB1cGRhdGUgJiYgYXB0LWdldCBpbnN0YWxsIC15IC0tbm8taW5zdGFsbC1yZWNvbW1lbmRzIFwKICAgICAgICBjYS1jZXJ0aWZpY2F0ZXMgXAogICAgICAgIG5ldGJhc2UgXAogICAgICAgIGdjYyBcCiAgICAgICAgZysrIFwKICAgICAgICBnaXQgXAogICAgICAgIG5vZGVqcyBcCiAgICAmJiBwaXAgaW5zdGFsbCAtLW5vLWNhY2hlLWRpciAtLXVwZ3JhZGUgLXIgcmVxdWlyZW1lbnRzLXN5cy50eHQgXAogICAgJiYgcGlwIGluc3RhbGwgLS1uby1jYWNoZS1kaXIgLXIgcmVxdWlyZW1lbnRzLnR4dCBcCiAgICAmJiBwaXAgaW5zdGFsbCAtLW5vLWNhY2hlLWRpciAtZSAke0FQUF9ESVJ9IFwKICAgICYmIGFwdC1nZXQgcmVtb3ZlIC15IFwKICAgICAgICBnY2MgXAogICAgICAgIGcrKyBcCiAgICAgICAgZ2l0IFwKICAgICYmIHJtIC1yZiAvdmFyL2xpYi9hcHQvbGlzdHMvKgoKIyBpbnN0YWxsIHBhY2thZ2UKQ09QWSAuLyAke0FQUF9ESVJ9CiMgZXF1aXZhbGVudCBvZiBgbWFrZSBpbnN0YWxsYCB3aXRob3V0IGNvbmRhIGVudiBhbmQgcHJlLWluc3RhbGxlZCBwYWNrYWdlcwpSVU4gcGlwIGluc3RhbGwgLS1uby1kZXBlbmRlbmNpZXMgLWUgJHtBUFBfRElSfQoKQ01EIFsiYmFzaCJdCg==",
            "digestMapping": {
              "sha256:2cda967b8064767f2d3b6d14fd2f7eab82d9c4cb758e5718de6381047da36a8e": "step1",
              "sha256:3ab9882ac673e61226109b3573d14b2e933f69cd8d35529eb87892f27549d625": "step0"
            },
            "filename": "Dockerfile-base",
            "language": "Dockerfile",
            "llbDefinition": [
              {
                "id": "step0",
                "op": {
                  "Op": {
                    "source": {
                      "attrs": {
                        "local.differ": "none",
                        "local.followpaths": "[\"Dockerfile-base\",\"Dockerfile-base.dockerignore\"]",
                        "local.sharedkeyhint": "dockerfile"
                      },
                      "identifier": "local://dockerfile"
                    }
                  },
                  "constraints": {}
                }
              },
              {
                "id": "step1",
                "inputs": [
                  "step0:0"
                ],
                "op": {
                  "Op": {}
                }
              }
            ]
          }
        ],
        "locations": {
          "step0": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 1
                    },
                    "start": {
                      "line": 1
                    }
                  }
                ]
              }
            ]
          },
          "step1": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 12
                    },
                    "start": {
                      "line": 12
                    }
                  }
                ]
              }
            ]
          },
          "step2": {},
          "step3": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 15
                    },
                    "start": {
                      "line": 15
                    }
                  }
                ]
              }
            ]
          },
          "step4": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 16
                    },
                    "start": {
                      "line": 16
                    }
                  }
                ]
              }
            ]
          },
          "step5": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 19
                    },
                    "start": {
                      "line": 19
                    }
                  },
                  {
                    "end": {
                      "line": 20
                    },
                    "start": {
                      "line": 20
                    }
                  },
                  {
                    "end": {
                      "line": 21
                    },
                    "start": {
                      "line": 21
                    }
                  },
                  {
                    "end": {
                      "line": 22
                    },
                    "start": {
                      "line": 22
                    }
                  },
                  {
                    "end": {
                      "line": 23
                    },
                    "start": {
                      "line": 23
                    }
                  },
                  {
                    "end": {
                      "line": 24
                    },
                    "start": {
                      "line": 24
                    }
                  },
                  {
                    "end": {
                      "line": 25
                    },
                    "start": {
                      "line": 25
                    }
                  },
                  {
                    "end": {
                      "line": 26
                    },
                    "start": {
                      "line": 26
                    }
                  },
                  {
                    "end": {
                      "line": 27
                    },
                    "start": {
                      "line": 27
                    }
                  },
                  {
                    "end": {
                      "line": 28
                    },
                    "start": {
                      "line": 28
                    }
                  },
                  {
                    "end": {
                      "line": 29
                    },
                    "start": {
                      "line": 29
                    }
                  },
                  {
                    "end": {
                      "line": 30
                    },
                    "start": {
                      "line": 30
                    }
                  },
                  {
                    "end": {
                      "line": 31
                    },
                    "start": {
                      "line": 31
                    }
                  },
                  {
                    "end": {
                      "line": 32
                    },
                    "start": {
                      "line": 32
                    }
                  },
                  {
                    "end": {
                      "line": 33
                    },
                    "start": {
                      "line": 33
                    }
                  }
                ]
              }
            ]
          },
          "step6": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 36
                    },
                    "start": {
                      "line": 36
                    }
                  }
                ]
              }
            ]
          },
          "step7": {
            "locations": [
              {
                "ranges": [
                  {
                    "end": {
                      "line": 38
                    },
                    "start": {
                      "line": 38
                    }
                  }
                ]
              }
            ]
          }
        }
      },
      "vcs": {
        "localdir:context": ".",
        "localdir:dockerfile": "docker",
        "revision": "d97a03ac5304a581add4d404c8262e1426ebf016",
        "source": "git@github-perso:crim-ca/weaver"
      }
    },
    "reproducible": false
  }
}

Example parts extracts that can be tracked with guaranteed using provenance:

[...]
      "vcs": {
        "localdir:context": ".",
        "localdir:dockerfile": "docker",
        "revision": "d97a03ac5304a581add4d404c8262e1426ebf016",
        "source": "git@github-perso:crim-ca/weaver"
      }
[...]
[...]
  "materials": [
    {
      "digest": {
        "sha256": "434b49272c090c4788e38c8d8d6008c3741c4a8d4638e62dff5cdc6409d7927a"
      },
      "uri": "pkg:docker/docker/buildkit-syft-scanner@stable-1"
    },
    {
      "digest": {
        "sha256": "614c8691ab74150465ec9123378cd4dde7a6e57be9e558c3108df40664667a4c"
      },
      "uri": "pkg:docker/[email protected]?platform=linux%2Famd64"
    }
  ],
[...]

... and many other references that are usually "assumed" but not actually guaranteed (eg: manual push of a tag or any other atypical environment build configuration).

Comparison with other PAVICS-related images

image

@fmigneault fmigneault added the ci/operations Related to CI operations (actions, execution, install, builds, etc.) label Mar 8, 2025
@fmigneault fmigneault self-assigned this Mar 8, 2025
@github-actions github-actions bot added the ci/doc Issue related to documentation of the package label Mar 8, 2025
@fmigneault
Copy link
Collaborator Author

fmigneault commented Mar 8, 2025

@mishaschwartz @huard

FYI
Docker Provenance/SBOM as discussed during the DACCS meeting (DACCS-Climate/DACCS-executive-committee#40)

@codecov
Copy link

codecov bot commented Mar 8, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.76%. Comparing base (d97a03a) to head (a894cd9).

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #802   +/-   ##
=======================================
  Coverage   87.76%   87.76%           
=======================================
  Files          82       82           
  Lines       21346    21346           
  Branches     2893     2893           
=======================================
  Hits        18734    18734           
  Misses       1851     1851           
  Partials      761      761

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Nazim-crim
Nazim-crim previously approved these changes Mar 13, 2025
View reviewed changes
@fmigneault fmigneault merged commit 7b35b79 into master May 2, 2025
14 of 40 checks passed
@fmigneault fmigneault deleted the docker-prov branch May 2, 2025 15:33
@fmigneault fmigneault added the feature/provenance Issue related to any provenance metadata functionality. label May 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Nazim-crim Nazim-crim Nazim-crim left review comments

@languith languith Awaiting requested review from languith

Assignees

@fmigneault fmigneault

Labels

ci/doc Issue related to documentation of the package ci/operations Related to CI operations (actions, execution, install, builds, etc.) feature/provenance Issue related to any provenance metadata functionality.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fmigneault @Nazim-crim