Provenance issue with public repository

[nsphung]

Contributing guidelines

• I've read the contributing guidelines and wholeheartedly agree

I've found a bug, and:

• The documentation does not mention anything about my problem
• There are no open or closed issues that are related to my problem

Description

Hello,

My repository is public (https://github.com/nsphung/mcp-snowflake-server/blob/main/Dockerfile). And from my understanding, using docker/github-builder (7d2a024 # v1.6.0), it should use docker/buildx provenance = mode=max,version=v1. But I don't have the expected results.

Expected behaviour

This is what I have without using docker/github-builder:

docker buildx imagetools inspect nsphung/mcp-snowflake-server-nsp:0.8.0 --format "{{ json .Provenance.SLSA }}"
# This one is working

This was build with:

docker buildx build \                                                     
    --tag nsphung/mcp-snowflake-server-nsp:0.8.0 \      
    --sbom=true \                 
    --attest type=provenance,mode=max,version=v1 \
    .

Is there any way to have the same feature in docker/github-builder ? Or maybe I'm missing a configuration.

Actual behaviour

docker buildx imagetools inspect nsphung/mcp-snowflake-server-nsp:0.11.2 --format "{{ json .Provenance.SLSA }}"
null%                                                          

Here we can see null when inspecting for provenance.

Repository URL

https://github.com/nsphung/mcp-snowflake-server/tree/main

Workflow run URL

https://github.com/nsphung/mcp-snowflake-server/actions/runs/25457043001

YAML workflow

You can checkout the yaml at:

https://github.com/nsphung/mcp-snowflake-server/blob/main/.github/workflows/publish.yml#L176

Workflow logs

No response

BuildKit logs

Additional info

No response

[mathieu-benoit]

Hi @nsphung, I'm not a maintainer of this repo, but just for your information, this docker buildx imagetools inspect nsphung/mcp-snowflake-server-nsp:0.11.2 --format "{{ json .Provenance }}" will show you that there are two .Provenance, one per platform.

So to get it properly for one platform, you'll need to do that instead:

docker buildx imagetools inspect nsphung/mcp-snowflake-server-nsp:0.11.2 --format '{{ json (index .Provenance "linux/amd64").SLSA }}'

[nsphung]

Hi @mathieu-benoit I didn't know about this! Thank you.

I was thinking about this because I have this in Docker Scout:

But the provenance looks fine with the command you provide. I don't understand how to work with base images policies from Docker Scout.