DHI Policy fails to validate base image verification summary attestation
Description
The "Valid Docker Hardened Image (DHI) or DHI base image" policy fails with "1 deviation" even when the base image has a valid SLSA verification summary attestation. According to the policy documentation, it should pass if "the base image used in the build (identified from SLSA provenance attestations) has a valid Docker signed verification summary attestation."
Environment
- Docker Scout CLI version: v1.19.0
- Platform: darwin/arm64
- Base image: `dhi.io/static:20230311`
- Built image: `zx8086/authentication-v2:latest`
Steps to Reproduce
- Build an image using `dhi.io/static:20230311` as the base image with `provenance: mode=max` and `sbom: true`
- Push the image to Docker Hub
- Enable the DHI policy in Docker Scout
- Run policy evaluation: `docker scout policy --org <ORG> <IMAGE>:latest`
Expected Behavior
The DHI policy should PASS because:
- The base image `dhi.io/static:20230311` has a valid verification summary attestation:

```
$ docker scout attestation get dhi.io/static:20230311 --predicate-type https://slsa.dev/verification_summary/v1
```

Output shows:

```json
{
  "predicateType": "https://slsa.dev/verification_summary/v1",
  "predicate": {
    "verifier": {
      "id": "https://github.com/docker-hardened-images/definitions/actions/runs/17140723538/attempts/2"
    },
    "verificationResult": "PASSED",
    "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
    "slsaVersion": "1.0"
  }
}
```

- The built image has SLSA provenance that correctly identifies the base image:

```
$ docker scout attestation list <IMAGE>:latest
```

Output shows:

```
Base image │ dhi.io/static:20230311
...
https://slsa.dev/provenance/v0.2 SLSA provenance
```
Actual Behavior
The DHI policy FAILS with "1 deviation":
```
Policy status FAILED (7/8 policies met)
Status │ Policy │ Results
────────┼──────────────────────────────────────────────────────────────────┼─────────────────────────────
! │ Invalid or Missing Docker Hardened Image (DHI) or DHI base image │ 1 deviation
## "Valid Docker Hardened Image (DHI) or DHI base image" policy evaluation results
The image must be a Docker Hardened Image (DHI) or be built with a DHI as the base image. This is validated by checking the image for a valid Docker signed verification summary attestation or by checking the base image from SLSA provenance attestations has a valid Docker signed verification summary attestation.
Message │ Detail
─────────┼────────
│
```
Note: The "Message" and "Detail" columns are empty, providing no information about why validation failed.
Additional Context
- When checking a DHI image directly in a different org, the policy shows "No data" instead of evaluating:

```
? │ Valid Docker Hardened Image (DHI) or DHI base image │ No data
```

- The web UI (scout.docker.com) also shows "No data" for all policies, suggesting a backend sync issue
- All 7 default policies pass correctly; only the DHI policy fails
Possible Root Causes
- The policy may require a "Docker signed" attestation specifically, not just any valid verification summary
- The policy evaluation may not be properly traversing from the built image's provenance to the base image's attestations
- There may be a backend/server-side component required for DHI policy evaluation that isn't being triggered
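To make the two PASS paths in the policy text ("the image itself has a verification summary attestation" or "the base image named in the SLSA provenance has one") concrete, and to show what a useful Message/Detail would look like for each outcome, here is an added Python model of that logic. It is example code written for this issue, not Docker Scout's implementation. It assumes the base image is recorded as a `pkg:docker/<name>@<tag>` material in the provenance v0.2 predicate and approximates "Docker signed" with an allow-list of verifier-id prefixes; both are assumptions, and real signature verification is out of scope. The verification summary is shaped like the one quoted above; digests and the provenance statement are constructed.

```python
"""Model of the DHI policy check as the policy text describes it.

Added example for this issue, not Docker Scout code. Two paths lead to PASSED:
  1. the image itself carries a PASSED verification summary attestation (VSA), or
  2. the image's SLSA provenance names a base image that carries a PASSED VSA.
"Docker signed" is approximated by a verifier-id allow-list (assumption); no
cryptographic signature check is performed here.
"""
import json

VSA_TYPE = "https://slsa.dev/verification_summary/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"
# Assumption: a "Docker signed" VSA is one whose verifier id lives under this org.
TRUSTED_VERIFIER_PREFIX = "https://github.com/docker-hardened-images/"

# Constructed sample VSA on the base image, shaped like the one quoted in the issue
# (subject digest is a placeholder).
BASE_VSA = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": VSA_TYPE,
    "subject": [{"name": "dhi.io/static:20230311", "digest": {"sha256": "0" * 64}}],
    "predicate": {
        "verifier": {"id": "https://github.com/docker-hardened-images/definitions/actions/runs/17140723538/attempts/2"},
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
        "slsaVersion": "1.0",
    },
}

# Constructed sample provenance v0.2 for the built image. The pkg:docker material
# shape for the base image (and the Dockerfile frontend entry) is an assumption.
BUILT_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": PROVENANCE_TYPE,
    "subject": [{"name": "pkg:docker/zx8086/authentication-v2@latest", "digest": {"sha256": "1" * 64}}],
    "predicate": {
        "materials": [
            {"uri": "pkg:docker/docker/dockerfile@1", "digest": {"sha256": "2" * 64}},
            {"uri": "pkg:docker/dhi.io/static@20230311?platform=linux%2Farm64", "digest": {"sha256": "0" * 64}},
        ],
    },
}

# Constructed index: image reference -> attestation statements known for it.
ATTESTATIONS = {
    "zx8086/authentication-v2:latest": [BUILT_PROVENANCE],
    "dhi.io/static:20230311": [BASE_VSA],
}


def find(statements, predicate_type):
    """Select statements of one predicate type."""
    return [s for s in statements if s.get("predicateType") == predicate_type]


def vsa_passes(statement):
    """True if the VSA reports PASSED at some SLSA level from a trusted verifier."""
    if statement.get("predicateType") != VSA_TYPE:
        return False
    pred = statement.get("predicate", {})
    verifier_id = pred.get("verifier", {}).get("id", "")
    return (pred.get("verificationResult") == "PASSED"
            and bool(pred.get("verifiedLevels"))
            and verifier_id.startswith(TRUSTED_VERIFIER_PREFIX))


def base_images_from_provenance(statement):
    """Return base images named in provenance materials as 'name:tag'."""
    refs = []
    for material in statement.get("predicate", {}).get("materials", []):
        uri = material.get("uri", "")
        if not uri.startswith("pkg:docker/"):
            continue
        path = uri[len("pkg:docker/"):].split("?", 1)[0]  # drop ?platform=... qualifiers
        if "@" not in path:
            continue
        name, tag = path.rsplit("@", 1)
        if name == "docker/dockerfile":  # assumption: frontend image is a material, not a base
            continue
        refs.append(f"{name}:{tag}")
    return refs


def evaluate_dhi_policy(image, attestations_by_image):
    """Return (status, detail); detail is never empty so a failure can be explained."""
    own = attestations_by_image.get(image)
    if own is None:
        return "NO_DATA", f"no attestations indexed for {image}"
    if any(vsa_passes(s) for s in find(own, VSA_TYPE)):
        return "PASSED", f"{image} carries a PASSED verification summary"
    provenance = find(own, PROVENANCE_TYPE)
    if not provenance:
        return "FAILED", f"{image} has neither a verification summary nor SLSA provenance"
    bases = [b for p in provenance for b in base_images_from_provenance(p)]
    if not bases:
        return "FAILED", f"provenance of {image} names no base image"
    for base in bases:
        if any(vsa_passes(s) for s in find(attestations_by_image.get(base, []), VSA_TYPE)):
            return "PASSED", f"base image {base} carries a PASSED verification summary"
    return "FAILED", f"base image(s) {', '.join(bases)} have no PASSED verification summary"


if __name__ == "__main__":
    for ref in ATTESTATIONS:
        status, detail = evaluate_dhi_policy(ref, ATTESTATIONS)
        print(json.dumps({"image": ref, "status": status, "detail": detail}))
```

With the constructed data, both the base image (path 1) and the built image (path 2) evaluate to PASSED, and every non-PASSED outcome carries a detail string, which is the kind of information the empty "Message" and "Detail" columns above currently withhold.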
Workaround
None identified. Disabling the DHI policy is the only option currently.
Request
- Please clarify what "valid Docker signed verification summary attestation" means - does it require a specific signing key?
- Please provide more detailed error messages in the "Message" and "Detail" columns when the policy fails
- Please fix the policy to properly validate base image attestations when the built image's provenance references a DHI base image