docs: lead with concept on DHI attestations page

Rewrite the opening paragraph to define attestations in general terms
before framing them in a DHI-specific context, consistent with other
pages under core-concepts/.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: dvdksn

content/manuals/dhi/core-concepts/attestations.md

@@ -4,10 +4,10 @@ description: Review the full set of signed attestations included with each Docke
 keywords: container image attestations, signed sbom, build provenance, slsa compliance, vex document
 ---
 
-Docker Hardened Images (DHIs) and charts include comprehensive, signed security
-attestations that verify the image's build process, contents, and security
-posture. These attestations are a core part of secure software supply chain
-practices and help users validate that an image is trustworthy and
+Attestations are signed statements about an image or chart — verifiable
+metadata that describes how it was built, what it contains, and what security
+checks it has passed. Attestations are a core part of secure software supply
+chain practices, and help you validate that an image is trustworthy and
 policy-compliant.
 
 ## What is an attestation?
@@ -27,9 +27,9 @@ scan results, or custom provenance.
 
 Attestations provide critical visibility into the software supply chain by:
 
-- Documenting *what* went into an image (e.g., SBOMs)
-- Verifying *how* it was built (e.g., build provenance)
-- Capturing *what security scans* it has passed or failed (e.g., CVE reports,
+- Documenting _what_ went into an image (e.g., SBOMs)
+- Verifying _how_ it was built (e.g., build provenance)
+- Capturing _what security scans_ it has passed or failed (e.g., CVE reports,
   secrets scans, test results)
 - Helping organizations enforce compliance and security policies
 - Supporting runtime trust decisions and CI/CD policy gates
@@ -50,7 +50,7 @@ to:
 - Review scan results to check for vulnerabilities or embedded secrets
 - Confirm the build and deployment history of each image
 
-Attestations are automatically published and associated with each  DHI
+Attestations are automatically published and associated with each DHI
 and chart. They can be inspected using tools like [Docker
 Scout](../how-to/verify.md) or
 [Cosign](https://docs.sigstore.dev/cosign/overview), and are consumable by CI/CD
@@ -71,24 +71,24 @@ $ docker scout attest list dhi.io/<image>:<tag>
 
 For more details, see [Verify image attestations](../how-to/verify.md#verify-image-attestations).
 
-| Attestation type           | Description                                                                                                                                                                                                                     |
-|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CycloneDX SBOM             | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions.                                                                                                      |
-| STIG scan                  | Results of a STIG scan, with output in HTML and XCCDF formats.                                                                                                                           |
-| CVEs (In-Toto format)      | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning.                                                                           |
-| VEX                        | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present).                         |
-| Scout health score         | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image.                                                                           |
-| Scout provenance           | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details.                                                               |
-| Scout SBOM                 | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata.                                                                                             |
-| Secrets scan               | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys.                                                                                       |
-| Tests                      | A record of automated tests run against the image, such as functional checks or validation scripts.                                                                                      |
-| Virus scan                 | Results of antivirus scans performed on the image layers. For details, see [Malware scanning](../explore/malware-scanning.md).                                                            |
-| CVEs (Scout format)        | A vulnerability report generated by Docker Scout, listing known CVEs and severity data.                                                                                                  |
-| SLSA provenance            | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source.                                               |
-| SLSA verification summary  | A summary attestation indicating the image's compliance with SLSA requirements.                                                                                                          |
-| SPDX SBOM                  | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems.                                                                                                   |
-| FIPS compliance            | An attestation that verifies the image uses FIPS 140-validated cryptographic modules.                              |
-| DHI Image Sources          | Links to a corresponding source image containing all materials used to build the image, including package source code, Git repositories, and local files, ensuring compliance with open source license requirements. |
+| Attestation type          | Description                                                                                                                                                                                                          |
+| ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| CycloneDX SBOM            | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing components, libraries, and versions.                                                                                             |
+| STIG scan                 | Results of a STIG scan, with output in HTML and XCCDF formats.                                                                                                                                                       |
+| CVEs (In-Toto format)     | A list of known vulnerabilities (CVEs) affecting the image's components, based on package and distribution scanning.                                                                                                 |
+| VEX                       | A [Vulnerability Exploitability eXchange (VEX)](https://openvex.dev/) document that identifies vulnerabilities that do not apply to the image and explains why (e.g., not reachable or not present).                 |
+| Scout health score        | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the image.                                                                                                        |
+| Scout provenance          | Provenance metadata generated by Docker Scout, including the source Git commit, build parameters, and environment details.                                                                                           |
+| Scout SBOM                | An SBOM generated and signed by Docker Scout, including additional Docker-specific metadata.                                                                                                                         |
+| Secrets scan              | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys.                                                                                                                   |
+| Tests                     | A record of automated tests run against the image, such as functional checks or validation scripts.                                                                                                                  |
+| Virus scan                | Results of antivirus scans performed on the image layers. For details, see [Malware scanning](../explore/malware-scanning.md).                                                                                       |
+| CVEs (Scout format)       | A vulnerability report generated by Docker Scout, listing known CVEs and severity data.                                                                                                                              |
+| SLSA provenance           | A standard [SLSA](https://slsa.dev/) provenance statement describing how the image was built, including build tool, parameters, and source.                                                                          |
+| SLSA verification summary | A summary attestation indicating the image's compliance with SLSA requirements.                                                                                                                                      |
+| SPDX SBOM                 | An SBOM in [SPDX](https://spdx.dev/) format, widely adopted in open-source ecosystems.                                                                                                                               |
+| FIPS compliance           | An attestation that verifies the image uses FIPS 140-validated cryptographic modules.                                                                                                                                |
+| DHI Image Sources         | Links to a corresponding source image containing all materials used to build the image, including package source code, Git repositories, and local files, ensuring compliance with open source license requirements. |
 
 ## Package attestations
 
@@ -121,19 +121,19 @@ $ docker scout attest list dhi.io/<chart>:<version>
 
 For more details, see [Verify Helm chart attestations](../how-to/verify.md#verify-helm-chart-attestations-with-docker-scout).
 
-| Attestation type           | Description                                                                                                                                                                                                                     |
-|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CycloneDX SBOM             | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart.                                                              |
-| CVEs (In-Toto format)      | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart.                                                                                                                   |
-| Scout health score         | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images.                                                                                        |
-| Scout provenance           | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters.                                                                                                  |
-| Scout SBOM                 | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata.                                                                                |
-| Secrets scan               | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package.                                                                                                       |
-| Tests                      | A record of automated tests run against the chart to validate functionality and compatibility with referenced images.                                                                                                          |
-| Virus scan                 | Results of antivirus scans performed on the chart package. For details, see [Malware scanning](../explore/malware-scanning.md).                                                                                                |
-| CVEs (Scout format)        | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images.                                                                                                      |
-| SLSA provenance            | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials.                                                 |
-| SPDX SBOM                  | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references.                                                                                                              |
+| Attestation type      | Description                                                                                                                                                                    |
+| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| CycloneDX SBOM        | A software bill of materials in [CycloneDX](https://cyclonedx.org/) format, listing the chart itself and all container images and tools referenced by the chart.               |
+| CVEs (In-Toto format) | A list of known vulnerabilities (CVEs) affecting the container images and components referenced by the chart.                                                                  |
+| Scout health score    | A signed attestation from Docker Scout that summarizes the overall security and quality posture of the chart and its referenced images.                                        |
+| Scout provenance      | Provenance metadata generated by Docker Scout, including the chart source repository, build images used, and build parameters.                                                 |
+| Scout SBOM            | An SBOM generated and signed by Docker Scout, including the chart and container images it references, with additional Docker-specific metadata.                                |
+| Secrets scan          | Results of a scan for accidentally included secrets, such as credentials, tokens, or private keys, in the chart package.                                                       |
+| Tests                 | A record of automated tests run against the chart to validate functionality and compatibility with referenced images.                                                          |
+| Virus scan            | Results of antivirus scans performed on the chart package. For details, see [Malware scanning](../explore/malware-scanning.md).                                                |
+| CVEs (Scout format)   | A vulnerability report generated by Docker Scout, listing known CVEs and severity data for the chart's referenced images.                                                      |
+| SLSA provenance       | A standard [SLSA](https://slsa.dev/) provenance statement describing how the chart was built, including build tool, source repository, referenced images, and build materials. |
+| SPDX SBOM             | An SBOM in [SPDX](https://spdx.dev/) format, listing the chart and all container images and tools it references.                                                               |
 
 ## View and verify attestations
 
@@ -156,4 +156,4 @@ These attestations can then be verified downstream using tools
 like Cosign or Docker Scout.
 
 To learn how to attach custom attestations during the build process, see [Build
-attestations](/manuals/build/metadata/attestations.md).
+metadata](/manuals/build/metadata/_index.md).