From 5b69a9d65227d55f4e4b27e814e283c821bac7a7 Mon Sep 17 00:00:00 2001 From: Johnny Fredheim Horvi Date: Thu, 14 Nov 2024 15:39:10 +0100 Subject: [PATCH] Simplify vuln docs --- docs/services/vulnerabilities/README.md | 30 ++----------------- docs/services/vulnerabilities/how-to/.pages | 4 --- .../vulnerabilities/how-to/console.md | 16 ---------- .../vulnerabilities/how-to/dependencytrack.md | 18 ----------- .../vulnerabilities/how-to/insight.md | 27 ----------------- .../how-to/{attestation.md => sbom.md} | 7 ----- 6 files changed, 3 insertions(+), 99 deletions(-) delete mode 100644 docs/services/vulnerabilities/how-to/.pages delete mode 100644 docs/services/vulnerabilities/how-to/console.md delete mode 100644 docs/services/vulnerabilities/how-to/dependencytrack.md delete mode 100644 docs/services/vulnerabilities/how-to/insight.md rename docs/services/vulnerabilities/how-to/{attestation.md => sbom.md} (76%) diff --git a/docs/services/vulnerabilities/README.md b/docs/services/vulnerabilities/README.md index f15808d86..2e4eef8cd 100644 --- a/docs/services/vulnerabilities/README.md +++ b/docs/services/vulnerabilities/README.md @@ -1,38 +1,14 @@ --- tags: [salsa, slsa, supply-chain, vulnerabilities, explanation] -description: Nais provides a set of services to help you secure your software supply chain and manage vulnerabilities in your workloads. --- # Vulnerability insights and management -Nais provides a set of tools and services to help you secure your software supply chain and manage vulnerabilities in your workloads: +Nais provides what you need to secure your software supply chain and manage vulnerabilities in your workloads. -
+Get started by using our [GitHub Actions](how-to/sbom.md) to generate SBOMs and attestations for your workloads. -- [**Attestation**][Attestation] (nais/docker-build-push) +Once this is in place, you can use the [Console](../../operate/console.md) to view and manage vulnerabilities in your workloads. - GitHub action that helps to secure a supply chain for software artifacts. -- [**Vulnerability Insights**][Insights] - Tools to manage vulnerabilities in your workloads. - -
- -## Getting started with vulnerability insights - -The setup of vulnerability insights for an workload is straightforward and only requires you to add the [nais/docker-build-push][Attestation] action to your GitHub workflow. -Once added, the action will automatically generate a signed attestation, including a SBOM -(Software Bill of Materials) for your container image and its dependencies. -This is bundled as an attestation and pushed to your container registry along with your image and plays a key role in providing proof that the software supply chain follows secure processes. - -## Acknowledge vulnerabilities - -Nais continuously monitors deployed container images in the cluster. -When a new image is detected, Nais automatically uploads its SBOM to [Dependency-track][Insights] for vulnerability analysis. - -The results of the Dependency-track analysis, including vulnerability insights, can then be viewed in the Nais Console. -The [Nais Console][Insights] provides a platform for viewing and managing vulnerabilities at the team level. - -[Attestation]: how-to/attestation.md -[Insights]: how-to/insight.md diff --git a/docs/services/vulnerabilities/how-to/.pages b/docs/services/vulnerabilities/how-to/.pages deleted file mode 100644 index 62961bffa..000000000 --- a/docs/services/vulnerabilities/how-to/.pages +++ /dev/null @@ -1,4 +0,0 @@ -nav: -- attestation.md -- insight.md -- ... diff --git a/docs/services/vulnerabilities/how-to/console.md b/docs/services/vulnerabilities/how-to/console.md deleted file mode 100644 index 921c3f9d3..000000000 --- a/docs/services/vulnerabilities/how-to/console.md +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -tags: [ console, vulnerabilities, how-to ] ---- - -# Nais Console - -Teams can visit the Console to view their workload vulnerabilities, for example: - -https://console.[tenant].cloud.nais.io/team/[team]/vulnerabilities - -In the Console vulnerability overview, you can sort vulnerabilities by severity and cluster to get a better overview of the vulnerabilities in your workloads. - -You will get the status of the teams' total, like coverage, total critical or risk score ranking. - - - diff --git a/docs/services/vulnerabilities/how-to/dependencytrack.md b/docs/services/vulnerabilities/how-to/dependencytrack.md deleted file mode 100644 index 09fa2e7e5..000000000 --- a/docs/services/vulnerabilities/how-to/dependencytrack.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -tags: [ dependencytrack, how-to ] ---- - -# Dependencytrack - -You can access the Dependency-track user interface through the following URL: - -https://salsa.[tenant].cloud.nais.io - -In Dependency-track, each image in a deployment or job is linked to its own project. -A project can be associated with multiple workloads, teams, and clusters. -The project name is based on the image name. For Google Artifact Registry (GAR), -the project name follows this format: `europe-north1-docker.pkg.dev/nais-management-233d/[team]/[application]`, -with the image version set as the project version. - -[Dependency-track](https://dependencytrack.org/) has a ton of features so check out -the [documentation](https://docs.dependencytrack.org/) for more information. \ No newline at end of file diff --git a/docs/services/vulnerabilities/how-to/insight.md b/docs/services/vulnerabilities/how-to/insight.md deleted file mode 100644 index 0156c5e24..000000000 --- a/docs/services/vulnerabilities/how-to/insight.md +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -tags: [slsa, salsa, console, vulnerabilities, how-to] ---- - -# Vulnerability insights - -NAIS provides a set of tools and services to help you secure your software supply chain and manage vulnerabilities in your applications. - -## Dependency-track - -Dependency-track is a Component Analysis platform that allows you to identify and reduce risk in the software supply chain. -[Dependency-Track](https://dependencytrack.org/) operates as a single instance that manages all clusters and stores both -attestations and vulnerabilities for all signed attestations successfully deployed. - -:dart: [**Explore Dependency-track**](dependencytrack.md) - -## NAIS Console - -The NAIS Console is a web-based interface that provides developers and teams with tools to manage, monitor, and -interact with their worloads and resources deployed on the NAIS (NAV Application Infrastructure Services) platform. -It offers a centralized way to view and handle various aspects of workloads, such as: - -**Vulnerability insights 🛡️:** Access detailed reports about security vulnerabilities in deployed container images. -**Vulnerability analysis 📊:** Get an overview of the vulnerabilities in your workloads and clusters. -**Vulnerability management 🛠️:** Manage vulnerabilities and take action to mitigate risks. - -:dart: [**Explore Console**](console.md) \ No newline at end of file diff --git a/docs/services/vulnerabilities/how-to/attestation.md b/docs/services/vulnerabilities/how-to/sbom.md similarity index 76% rename from docs/services/vulnerabilities/how-to/attestation.md rename to docs/services/vulnerabilities/how-to/sbom.md index 33f1fa3fa..38b30cfd1 100644 --- a/docs/services/vulnerabilities/how-to/attestation.md +++ b/docs/services/vulnerabilities/how-to/sbom.md 
@@ -39,10 +39,3 @@ If you want to push to another registry, you can use the [nais/attest-sign](http sbom: my-image.json # optional # ... other options removed for readability ``` - -### Attestation - -The action automatically generates a signed attestation with the help of [Trivy](https://github.com/aquasecurity/trivy-action) and [cosign](https://github.com/sigstore/cosign). -The attestation envelope includes a SBOM (Software Bill of Materials) for your container image and its dependencies. - -The SBOM is uploaded to the same registry alongside your image. \ No newline at end of file
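Review bot: In the README.md hunk, the `description:` front-matter key is dropped along with the "Acknowledge vulnerabilities" section, so the page no longer states that Nais monitors deployed images and automatically uploads each image's SBOM to Dependency-track for analysis, nor that the attestation is signed and pushed to the registry alongside the image. The three remaining sentences describe how to start but not what the platform does with the SBOM afterwards; consider keeping one sentence such as "When a new image is detected in the cluster, its SBOM is automatically uploaded to Dependency-track for vulnerability analysis" and restoring the `description:` line, since site generators typically use it for the page summary.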
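Review bot: The deletion of `how-to/.pages`, `how-to/insight.md` and the rename of `how-to/attestation.md` to `how-to/sbom.md` remove three page paths, but the diff contains no redirects, and the new README links to `../../operate/console.md`, which is outside this change. Any other doc or external bookmark pointing at `how-to/attestation.md` or `how-to/insight.md` will now 404; suggest adding redirect entries for the old paths and confirming the `operate/console.md` target exists and covers the vulnerability view.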
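Review bot: Deleting `how-to/console.md` and `how-to/dependencytrack.md` removes the only documented entry points for the two tools, namely `https://console.[tenant].cloud.nais.io/team/[team]/vulnerabilities` and `https://salsa.[tenant].cloud.nais.io`, together with the Dependency-track project naming convention (`europe-north1-docker.pkg.dev/nais-management-233d/[team]/[application]` with the image version as project version). If teams are still expected to reach Dependency-track directly, that URL and naming scheme should move to a surviving page rather than disappear; if the intent is that the Console is now the only supported interface, say so explicitly in the README.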
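Review bot: In the `sbom.md` hunk the "### Attestation" section is removed, so the page the README now links to as the place to "generate SBOMs and attestations" no longer explains that the action uses Trivy and cosign to produce a signed attestation containing the SBOM, nor that it is uploaded to the same registry as the image. Keep at least a short note of the signing tooling and where the attestation lands, since a reader verifying an image needs to know both; also check that the file keeps a trailing newline now that it ends on the closing code fence, as the old version reported "No newline at end of file".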