From b481d15b48a8b23f40b137f91fd4ad57db963fe2 Mon Sep 17 00:00:00 2001 From: Justin Chadwell Date: Tue, 10 Jan 2023 16:53:47 +0000 Subject: [PATCH 1/2] build: add imagetools examples for inspecting attestations Signed-off-by: Justin Chadwell --- build/attestations/sbom.md | 36 +++++++++++++++++++++++++++ build/attestations/slsa-provenance.md | 36 ++++++++++++++++++++++++++- 2 files changed, 71 insertions(+), 1 deletion(-) diff --git a/build/attestations/sbom.md b/build/attestations/sbom.md index af4f5f8bbd5..a6fc9e95a6c 100644 --- a/build/attestations/sbom.md +++ b/build/attestations/sbom.md @@ -168,6 +168,42 @@ sbom-hugo.spdx.json sbom.spdx.json ``` +## Inspecting SBOMs + +To explore created SBOMs exported through the `image` exporter, you can use +[`imagetools inspect`](../../engine/reference/commandline/buildx_imagetools_inspect.md). + +Using the `--format` option, you can specify a template for the output. All +SBOM-related data is available under the `.SBOM` attribute. For example, to get +the raw contents of an SBOM in SPDX format: + +{% raw %} +```console +$ docker buildx imagetools inspect /: \ + --format "{{ json .SBOM.SPDX }}" +{ + "SPDXID": "SPDXRef-DOCUMENT", + ... +} +``` +{% endraw %} + +You can also construct more complex expressions using the full functionality +of go templates. For example, you can list all the installed packages and their +version identifiers: + +{% raw %} +```console +$ docker buildx imagetools inspect /: \ + --format "{{ range .SBOM.SPDX.packages }}{{ .name }}@{{ .versionInfo }}{{ println }}{{ end }}" +adduser@3.118ubuntu2 +apt@2.0.9 +base-files@11ubuntu5.6 +base-passwd@3.5.47 +... +``` +{% endraw %} + ## SBOM attestation example The following JSON example shows what an SBOM attestation might look like. diff --git a/build/attestations/slsa-provenance.md b/build/attestations/slsa-provenance.md index e28064dbcc6..500a9328611 100644 --- a/build/attestations/slsa-provenance.md +++ b/build/attestations/slsa-provenance.md 
@@ -142,7 +142,41 @@ using build arguments, consider refactoring builds to pass secret values using [build secrets](../../engine/reference/commandline/buildx_build.md#secret), to prevent leaking of sensitive information. -## Example +## Inspecting Provenance + +To explore created Provenance exported through the `image` exporter, you can +use [`imagetools inspect`](../../engine/reference/commandline/buildx_imagetools_inspect.md). + +Using the `--format` option, you can specify a template for the output. All +provenance-related data is available under the `.Provenance` attribute. For +example, to get the raw contents of the Provenance in the SLSA format: + +{% raw %} +```console +$ docker buildx imagetools inspect /: \ + --format "{{ json .Provenance.SLSA }}" +{ + "buildType": "https://mobyproject.org/buildkit@v1", + ... +} +``` +{% endraw %} + +You can also construct more complex expressions using the full functionality of +go templates. For example, for provenance generated with `mode=max`, you can +extract the full source code of the Dockerfile used to build the image: + +{% raw %} +```console +$ docker buildx imagetools inspect /: \ + --format '{{ range (index .Provenance.SLSA.metadata "https://mobyproject.org/buildkit@v1#metadata").source.infos }}{{ if eq .filename "Dockerfile" }}{{ .data }}{{ end }}{{ end }}' | base64 -d +FROM ubuntu:20.04 +RUN apt-get update +... +``` +{% endraw %} + +## Provenance attestation example From 97514cca00c7cbb11947e325ae8b91d4a9e6a56a Mon Sep 17 00:00:00 2001 From: Justin Chadwell Date: Wed, 11 Jan 2023 11:10:15 +0000 Subject: [PATCH 2/2] docs: typo for go templates in attestations Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- build/attestations/sbom.md | 2 +- build/attestations/slsa-provenance.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/attestations/sbom.md b/build/attestations/sbom.md index a6fc9e95a6c..c85ecee3c09 100644 --- a/build/attestations/sbom.md 
+++ b/build/attestations/sbom.md @@ -189,7 +189,7 @@ $ docker buildx imagetools inspect /: \ {% endraw %} You can also construct more complex expressions using the full functionality -of go templates. For example, you can list all the installed packages and their +of Go templates. For example, you can list all the installed packages and their version identifiers: {% raw %} diff --git a/build/attestations/slsa-provenance.md b/build/attestations/slsa-provenance.md index 500a9328611..ea76c2f4feb 100644 --- a/build/attestations/slsa-provenance.md +++ b/build/attestations/slsa-provenance.md @@ -163,7 +163,7 @@ $ docker buildx imagetools inspect /: \ {% endraw %} You can also construct more complex expressions using the full functionality of -go templates. For example, for provenance generated with `mode=max`, you can +Go templates. For example, for provenance generated with `mode=max`, you can extract the full source code of the Dockerfile used to build the image: {% raw %}
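Review bot: in the new `Inspecting SBOMs` section of `sbom.md`, the image reference in both `imagetools inspect` commands renders as `/:` with no visible placeholder names, so a reader cannot tell which parts to substitute; spell it out (for example `<namespace>/<image>:<tag>`, in whatever placeholder style the rest of the page uses) so the command does not fail on first copy-paste. The section also says nothing about what `imagetools inspect` does with the attestation beyond rendering it: one sentence stating that the output is whatever the image index carries, and that establishing who produced it is a separate step, would stop readers treating the printed package list as a verified inventory. Lastly, `.SBOM.SPDX` assumes a single SBOM object; the text should say whether that still holds when the image was built for several platforms or whether `.SBOM` then has a different shape.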
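Review bot: the `mode=max` example in the new `Inspecting Provenance` section of `slsa-provenance.md` selects the source file with `{{ if eq .filename "Dockerfile" }}`, so a build that passed another name via `--file` prints nothing, and `base64 -d` then decodes empty input without complaint; either state this assumption beside the example or drop the filter and emit each `.filename` with its `.data`. Two smaller points on the same hunk: renaming `## Example` to `## Provenance attestation example` changes the page anchor, so any existing links to `slsa-provenance.md#example` need updating; and since the context lines just above warn about leaking sensitive information through build arguments, it is worth a sentence noting that this example works precisely because `mode=max` embeds the full Dockerfile source in the provenance, so anyone able to inspect the pushed image can read it too.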
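Review bot: the `sbom.md` hunk of `PATCH 2/2` only corrects the `go templates` capitalization that `PATCH 1/2` introduces in the same series (the `slsa-provenance.md` hunk does the same for its twin line); since the series is not yet merged, squash the fix into the first patch so the history does not carry a commit whose sole purpose is to repair the previous one, and move the `Co-authored-by` trailer onto the commit that actually adds the text.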