docs: update docker-based docs about the resolved dependencies (#1903)

asraa · laurentsimon · web-flow · commit 31e83d73ff15 · 2023-03-31T14:28:15.000-05:00
Fixes #1766 Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
diff --git a/internal/builders/docker/README.md b/internal/builders/docker/README.md
@@ -237,6 +237,8 @@ The `buildDefinition` contains the following fields:
 | `externalParameters.buildConfig.Command` | `"["npm", "run", "all"]"`                                               | The build command invoked in the container image to produce the output artifacts. |
 | `externalParameters.resolvedDependencies` | `slsa.ArtifactReference`                                               | An artifact reference specifying the binary used by the reusable workflow to build the artifact and generate the build definition. See the [CLI tool](#command-line-tool) below. |
 
+The [CLI tool](#command-line-tool) described in `externalParameters.resolvedDependencies` contains the `uri` of the source that was used to build the artifact (from this GitHub repository). The `digest` referes to the cryptographic digest of the built binary. Using this information, a verifier may download the source artifact from the GitHub releases inferred by the URI and verify its digest.
+
 ### Provenance Example
 
 The following is an example of the generated provenance. Provenance is generated
