14 changes: 11 additions & 3 deletions content/manuals/scout/how-tos/create-exceptions-vex.md
Expand Up @@ -24,8 +24,13 @@ To create exceptions using OpenVEX documents, you need:

- The latest version of Docker Desktop or the Docker Scout CLI plugin
- The [`vexctl`](https://github.com/openvex/vexctl) command line tool.
- The [containerd image store](/manuals/desktop/features/containerd.md) must be enabled

Additional requirements depend on how you attach the VEX document:

- The [containerd image store](/manuals/desktop/features/containerd.md)
must be enabled to attach the document as an attestation.
- Write permissions to the registry repository where the image is stored
are required to attach the document as an attestation.

## Introduction to VEX

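Review bot: Both new bullets end with the same clause, "to attach the document as an attestation", so the second list reads as two copies of one condition; make the condition the lead-in instead, e.g. `To attach the VEX document as an attestation, you also need:` followed by `- The [containerd image store](/manuals/desktop/features/containerd.md) enabled` and `- Write permissions to the registry repository where the image is stored`. Moving the containerd bullet out of the general list is the right call, since the embedding method does not need it, but while this list is being edited the remaining `vexctl` bullet still ends with a period and the Docker Desktop bullet does not; pick one style for the whole list.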
Expand Down Expand Up @@ -246,7 +251,9 @@ change the VEX document.

To attach VEX documents as an attestation, you can use the `docker scout
attestation add` CLI command. Using attestations is the recommended option for
attaching exceptions to images when using VEX.
attaching exceptions to images when using VEX. This method requires the
[containerd image store](/manuals/desktop/features/containerd.md) and write
access to the registry repository where the image is stored.

You can attach attestations to images that have already been pushed to a
registry. You don't need to build or push the image again. Additionally, having
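Review bot: The added sentence says "write access to the registry repository" while the new requirements bullet at the top of the page says "Write permissions to the registry repository"; use one term in both places so readers searching the page find a single phrasing. Since this sentence otherwise restates the requirements list, consider shortening it to a pointer to that list rather than duplicating it, so the two do not drift apart on the next edit.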
Expand Down Expand Up @@ -280,6 +287,8 @@ To attach an attestation to an image:
Embedding VEX documents directly on the image filesystem is a good option if
you know the exceptions ahead of time, before you build the image. And it's
relatively easy; just `COPY` the VEX document to the image in your Dockerfile.
Unlike attestations, this method doesn't require the containerd image store or
write access to a registry before the image is pushed.

The downside with this approach is that you can't change or update the
exception later. Image layers are immutable, so anything you put in the image's
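Review bot: "write access to a registry before the image is pushed" is confusing as written, because pushing the image itself already requires write access to the repository; the real contrast with attestations is that nothing extra has to be pushed afterwards. Suggest: `Unlike attestations, this method doesn't require the containerd image store, and no registry access is needed beyond pushing the image itself.`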
Expand Down Expand Up @@ -315,4 +324,3 @@ It doesn't matter where on the image's filesystem you store the file.

Note that the copied files must be part of the filesystem of the final image,
For multi-stage builds, the documents must persist in the final stage.
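Review bot: The trailing context line "Note that the copied files must be part of the filesystem of the final image, For multi-stage builds, the documents must persist in the final stage." has a comma splice ("final image, For"); since this hunk already touches the end of the file, replace the comma with a period (or join the two as one sentence: "..., and for multi-stage builds the documents must persist in the final stage.").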