Simplify vuln docs

nais · Nov 14, 2024 · 5b69a9d · 5b69a9d
1 parent ea07dad
commit 5b69a9d
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 99 deletions.
diff --git a/docs/services/vulnerabilities/README.md b/docs/services/vulnerabilities/README.md
@@ -1,38 +1,14 @@
 ---
 tags: [salsa, slsa, supply-chain, vulnerabilities, explanation]
-description: Nais provides a set of services to help you secure your software supply chain and manage vulnerabilities in your workloads.
 ---
 
 # Vulnerability insights and management
 
-Nais provides a set of tools and services to help you secure your software supply chain and manage vulnerabilities in your workloads:
+Nais provides what you need to secure your software supply chain and manage vulnerabilities in your workloads.
 
-<div class="grid cards" markdown>
+Get started by using our [GitHub Actions](how-to/sbom.md) to generate SBOMs and attestations for your workloads.
 
-- [**Attestation**][Attestation] (nais/docker-build-push)
+Once this is in place, you can use the [Console](../../operate/console.md) to view and manage vulnerabilities in your workloads. 
 
-    GitHub action that helps to secure a supply chain for software artifacts.
 
-- [**Vulnerability Insights**][Insights]
 
-    Tools to manage vulnerabilities in your workloads.
-
-</div>
-
-## Getting started with vulnerability insights
-
-The setup of vulnerability insights for an workload is straightforward and only requires you to add the [nais/docker-build-push][Attestation] action to your GitHub workflow.
-Once added, the action will automatically generate a signed attestation, including a SBOM
-(Software Bill of Materials) for your container image and its dependencies.
-This is bundled as an attestation and pushed to your container registry along with your image and plays a key role in providing proof that the software supply chain follows secure processes.
-
-## Acknowledge vulnerabilities
-
-Nais continuously monitors deployed container images in the cluster. 
-When a new image is detected, Nais automatically uploads its SBOM to [Dependency-track][Insights] for vulnerability analysis.
-
-The results of the Dependency-track analysis, including vulnerability insights, can then be viewed in the Nais Console.
-The [Nais Console][Insights] provides a platform for viewing and managing vulnerabilities at the team level.
-
-[Attestation]: how-to/attestation.md
-[Insights]: how-to/insight.md
diff --git a/docs/services/vulnerabilities/how-to/.pages b/docs/services/vulnerabilities/how-to/.pages
diff --git a/docs/services/vulnerabilities/how-to/console.md b/docs/services/vulnerabilities/how-to/console.md
diff --git a/docs/services/vulnerabilities/how-to/dependencytrack.md b/docs/services/vulnerabilities/how-to/dependencytrack.md
diff --git a/docs/services/vulnerabilities/how-to/insight.md b/docs/services/vulnerabilities/how-to/insight.md
diff --git a/...ces/vulnerabilities/how-to/attestation.md → docs/services/vulnerabilities/how-to/sbom.md b/...ces/vulnerabilities/how-to/attestation.md → docs/services/vulnerabilities/how-to/sbom.md
@@ -39,10 +39,3 @@ If you want to push to another registry, you can use the [nais/attest-sign](http
      sbom: my-image.json # optional
      # ... other options removed for readability
 ```
-
-### Attestation
-
-The action automatically generates a signed attestation with the help of [Trivy](https://github.com/aquasecurity/trivy-action) and [cosign](https://github.com/sigstore/cosign).  
-The attestation envelope includes a SBOM (Software Bill of Materials) for your container image and its dependencies.
-
-The SBOM is uploaded to the same registry alongside your image.