docs: improve documentation

docs/README.md

@@ -2,13 +2,14 @@
 
 All workflows, security best practices, and artifact verification are documented in the following files:
 
-| Topic                  | Documentation                                                               | Summary                                                                                                                                                                                               |
-| :--------------------- | :-------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **GitHub Actions**     | [GitHub Actions Best Practices](./gh-actions/)                              | Best practices for using GitHub Actions in your repository, including managing secrets, updating dependencies, and using the OpenSSF Scorecard, Allstar, Best Practices Badge, and Security Insights. |
-|                        | [PodSalsa GitHub Workflows](../.github/workflows/README.md)                 | Description of all the workflows used in this repository.                                                                                                                                             |
-| **SLSA**               | [Verifying the release artifacts](../SECURITY.md#release-verification)      | How to verify all artifacts with `cosign` or `slsa-verifier`.                                                                                                                                         |
-|                        | [Enforcing SLSA verification on Kubernetes](./slsa/enforcement-kubernetes/) | Enforcing SLSA verification with Kyverno on a Kubernetes cluster.                                                                                                                                     |
-|                        | [Sigstore](./slsa/sigstore/)                                                | How the keyless signing works with the Sigstore project.                                                                                                                                              |
-| **Component analysis** | [Overview](./component-analysis/)                                           | Overview of component analysis tools.                                                                                                                                                                 |
-|                        | [Dependency-Track](./component-analysis/dependency-track/)                  | Use OWASP's Dependency Track for continuous component analysis.                                                                                                                                       |
-|                        | [GUAC](./component-analysis/guac/)                                          | Use the OpenSSF GUAC software for component analysis.                                                                                                                                                 |
+| Topic                  | Documentation                                                                               | Summary                                                                                                                                                                                               |
+| :--------------------- | :------------------------------------------------------------------------------------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **GitHub Actions**     | [GitHub Actions Best Practices](./gh-actions/)                                              | Best practices for using GitHub Actions in your repository, including managing secrets, updating dependencies, and using the OpenSSF Scorecard, Allstar, Best Practices Badge, and Security Insights. |
+|                        | [PodSalsa GitHub Workflows](../.github/workflows/README.md)                                 | Description of all the workflows used in this repository.                                                                                                                                             |
+| **SLSA**               | [Verifying the release artifacts](../SECURITY.md#release-verification)                      | How to verify all artifacts with `cosign` or `slsa-verifier`.                                                                                                                                         |
+|                        | [Enforcing SLSA verification on Kubernetes](./slsa/enforcement-kubernetes/)                 | Enforcing SLSA verification with Kyverno on a local Kubernetes cluster with Kind.                                                                                                                     |
+|                        | [Sigstore](./slsa/sigstore/)                                                                | How the keyless signing works with the Sigstore project.                                                                                                                                              |
+| **Component analysis** | [Overview](./component-analysis/)                                                           | Overview of component analysis tools.                                                                                                                                                                 |
+|                        | [Dependency-Track](./component-analysis/dependency-track/)                                  | Use OWASP's Dependency Track for continuous component analysis.                                                                                                                                       |
+|                        | [GUAC](./component-analysis/guac/)                                                          | Use the OpenSSF GUAC software for component analysis.                                                                                                                                                 |
+|                        | [Deployment in local Kubernetes cluster](./component-analysis/dependency-track/deployment/) | Deployment of Dependency-Track, sbom-operator on a local Kubernetes cluster with Kind.                                                                                                                |

docs/component-analysis/dependency-track/README.md

@@ -61,3 +61,11 @@ For example you can create a policy that checks if the component has a vulnerabi
 After importing some SBOMs in Dependency-Track, you can see the vulnerability count and a risk score in the Dashboard.
 
 There are many more features in Dependency-Track which you can explore. Some ideas for further steps are to add the GitHub Advisory vulnerability source, create notifications for new vulnerabilities and implement Dependency-Track in your CI/CD pipeline.
+
+## Cleanup
+
+To stop the containers, run:
+
+```bash
+docker-compose down
+```

docs/component-analysis/dependency-track/deployment/README.md

@@ -39,7 +39,8 @@ Install Dependency-Track with the following commands:
 helm repo add dependencytrack https://dependencytrack.github.io/helm-charts
 helm repo update
 
-helm install dependencytrack dependencytrack/dependency-track -n dependencytrack --create-namespace -f values-dtrack.yaml
+helm install dependencytrack dependencytrack/dependency-track \
+    -n dependencytrack --create-namespace -f values-dtrack.yaml
 
 # check if the deployment is ready
 kubectl get pods -n dependencytrack 
@@ -75,10 +76,14 @@ helm repo update
 
 # create namespace and secret
 kubectl create ns sbom-operator
-kubectl create secret generic --from-literal=accessToken=$API_TOKEN sbom-operator -n sbom-operator
+kubectl create secret generic \
+    --from-literal=accessToken=$API_TOKEN \
+    sbom-operator -n sbom-operator
 
 # install sbom-operator
-helm install sbom-operator ckotzbauer/sbom-operator -n sbom-operator --create-namespace -f values-sbom-operator.yaml
+helm install sbom-operator ckotzbauer/sbom-operator \
+    -n sbom-operator --create-namespace \
+    -f values-sbom-operator.yaml
 
 # check if the deployment is ready
 kubectl get pods -n sbom-operator
@@ -101,3 +106,11 @@ Verify that the SBOMs are uploaded to Dependency-Track and the vulnerabilities a
 ![Dependency-Track](../../../assets/sbom-operator/dtrack.png)
 
 You could also upload SBOMs manually to the api [http://0.0.0.0:30080](http://0.0.0.0:30080) (see [manual sbom import](../manual-sbom-import.md))
+
+## Cleanup
+
+Delete the local kind cluster:
+
+```bash
+kind delete cluster
+```

docs/component-analysis/guac/install-guac-locally.md

@@ -74,3 +74,11 @@ yarn dev
 ```
 
 Now the `guac-visualizer` is running on [http://localhost:3000](http://localhost:3000).
+
+## Cleanup
+
+To stop and remove the containers, run:
+
+```bash
+docker compose -f guac-demo-compose.yaml down
+```

docs/slsa/enforcement-kubernetes/README.md

@@ -58,3 +58,11 @@ verify-slsa-provenance-keyless:
   autogen-check-slsa-keyless: 'image attestations verification failed, verifiedCount:
     0, requiredCount: 1, error: no matching attestations: '
 ```
+
+## Cleanup
+
+Delete the local kind cluster:
+
+```bash
+kind delete cluster
+```