scout.docker.com does not display sbom/provenance in large images
Hey!
I hope I created an issue in the right repository.
I discovered that Docker Scout doesn't display sbom/provenance when uploading a large image, and it downgrades the rank from A to D. If you view the manifest using Docker BuildX ImageTools, all this is visible.
Apparently, something has changed in the scanner's behavior, since I didn't change the build, but for previous builds, sbom and provenance were noted on the report page.
Also, for some reason, it stops displaying the outdated base image, etc.
Just a build
After I added a lot of packages
@danilapog Can you share the image name so the scout team can take a look at this?
@crazy-max Sure!
A smaller image where sbom/prov are displayed
danilaworker/prov-docs:9.2.0.125
The same image after installing a large number of packages through apt
danilaworker/prov-docs:9.2.0.126
I discovered the image size dependency through my test builds.
The initial problem arose in our project. As you can see from the screenshot, we were simply building images, and at some point the rating dropped, even though we hadn't changed the build commands.
Our build command:
docker buildx bake --sbom=true --provenance=mode=max -f docker-bake.hcl "${IMAGE}" --push
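The thread never shows how to confirm what a --sbom/--provenance build actually attached to the pushed index, so here is an added example (my code, not from BuildKit, Docker Scout or the issue author). It walks an image index in the shape `docker buildx imagetools inspect --raw` returns, follows the BuildKit attestation annotations back to each platform manifest, and reports which of SBOM or provenance is missing per platform. The index and attestation manifests are constructed inline so it runs offline; fetch_manifest is an assumed helper standing in for a registry manifest fetch.

```python
import json

REF_TYPE = "vnd.docker.reference.type"      # BuildKit annotation marking an attestation manifest
REF_DIGEST = "vnd.docker.reference.digest"  # digest of the image manifest it attests
PREDICATE = "in-toto.io/predicate-type"     # annotation on each in-toto layer
WANTED = {"https://spdx.dev/Document": "sbom",
          "https://slsa.dev/provenance/v0.2": "provenance"}

def attestations_by_image(index, fetch_manifest):
    """Map each platform image digest in the index to the predicate types attached to it.
    fetch_manifest(digest) returns a parsed manifest (assumed helper; a registry GET by digest)."""
    images = {m["digest"]: set() for m in index["manifests"]
              if m.get("annotations", {}).get(REF_TYPE) != "attestation-manifest"}
    for m in index["manifests"]:
        ann = m.get("annotations", {})
        if ann.get(REF_TYPE) != "attestation-manifest":
            continue
        if ann.get(REF_DIGEST) not in images:
            continue  # dangling attestation: points at no image manifest in this index
        for layer in fetch_manifest(m["digest"]).get("layers", []):
            if layer.get("mediaType") == "application/vnd.in-toto+json":
                images[ann[REF_DIGEST]].add(layer.get("annotations", {}).get(PREDICATE))
    return images

def missing_attestations(index, fetch_manifest):
    """Return {image digest: [missing attestation names]}; an empty dict means all present."""
    out = {}
    for digest, preds in attestations_by_image(index, fetch_manifest).items():
        gaps = [name for pred, name in WANTED.items() if pred not in preds]
        if gaps:
            out[digest] = gaps
    return out

# Constructed sample index (digests are placeholders, not real hashes), laid out the way BuildKit
# does it: attestation manifests carry platform unknown/unknown. amd64 has SBOM + provenance, arm64 only provenance.
SAMPLE_INDEX = json.loads("""{"schemaVersion": 2, "manifests": [
 {"digest": "sha256:img-amd64", "platform": {"os": "linux", "architecture": "amd64"}},
 {"digest": "sha256:img-arm64", "platform": {"os": "linux", "architecture": "arm64"}},
 {"digest": "sha256:att-amd64", "platform": {"os": "unknown", "architecture": "unknown"},
  "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                  "vnd.docker.reference.digest": "sha256:img-amd64"}},
 {"digest": "sha256:att-arm64", "platform": {"os": "unknown", "architecture": "unknown"},
  "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                  "vnd.docker.reference.digest": "sha256:img-arm64"}}]}""")

def _att(*preds):  # constructed attestation manifest: one in-toto layer per predicate type
    return {"layers": [{"mediaType": "application/vnd.in-toto+json",
                        "annotations": {PREDICATE: p}} for p in preds]}
SAMPLE_MANIFESTS = {"sha256:att-amd64": _att(*WANTED),
                    "sha256:att-arm64": _att("https://slsa.dev/provenance/v0.2")}

def check_sample():
    return missing_attestations(SAMPLE_INDEX, SAMPLE_MANIFESTS.__getitem__)
```

Running check_sample() on the constructed index reports only the arm64 manifest, with "sbom" missing; an empty result for a real index means both attestations were attached, whatever a scanner later chooses to display.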
Sorry for the delay, the scout team is looking at it.
Closing since this is not directly related to BuildKit but you can open a new issue on https://github.com/docker/scout-cli for better tracking :pray: