fix(salsa): simply salsa doc

* remove old doc
* move to other services
* only use how-to and ref
* remove information not needed, details.

docs/operate/cli/reference/debug.md

@@ -21,8 +21,6 @@ If you exit this command with `exit`, you can reconnect or attach again by
 running `nais debug app --copy app` again. See [tidy](#tidy) to clean up the pod you just debugged.
 
 ```bash
-to clean up the pod you just debugged.
-
 ```bash
 nais debug app
 ```

docs/vulnerabilities/attestation/.pages → docs/services/vulnerabilities/.pages

@@ -1,4 +1,3 @@
-title: Attestation
 nav:
 - README.md
 - 🎯 How-To: how-to

docs/vulnerabilities/README.md → docs/services/vulnerabilities/README.md

@@ -19,24 +19,20 @@ Nais provides a set of tools and services to help you secure your software suppl
 
 </div>
 
-The Nais [SLSA](explanations/README.md#slsa) is built on a security framework designed to prevent tampering, enhance integrity, and secure both packages and infrastructure within software projects.
-Se the different tools below and follow the links to the respective tool for more details.
-
 ## Getting started with vulnerability insights
 
 The setup of vulnerability insights for an workload is straightforward and only requires you to add the [nais/docker-build-push][Attestation] action to your GitHub workflow.
-Once added, the action will automatically generate a signed attestation, including a [SBOM][SBOM]
+Once added, the action will automatically generate a signed attestation, including a SBOM
 (Software Bill of Materials) for your container image and its dependencies.
-This is bundled as an [attestation](explanations/README.md#attestation) and pushed to your container registry along with your image and plays a key role in providing proof that the software supply chain follows secure processes.
+This is bundled as an attestation and pushed to your container registry along with your image and plays a key role in providing proof that the software supply chain follows secure processes.
 
 ## Acknowledge vulnerabilities
 
 Nais continuously monitors deployed container images in the cluster. 
-When a new image is detected, Nais automatically uploads its [SBOM][SBOM] to [Dependency-track][Insights] for vulnerability analysis.
+When a new image is detected, Nais automatically uploads its SBOM to [Dependency-track][Insights] for vulnerability analysis.
 
 The results of the Dependency-track analysis, including vulnerability insights, can then be viewed in the Nais Console.
 The [Nais Console][Insights] provides a platform for viewing and managing vulnerabilities at the team level.
 
-[Attestation]: attestation/README.md
-[Insights]: insights/README.md
-[SBOM]: explanations/README.md#software-bill-of-materials
+[Attestation]: how-to/attestation.md
+[Insights]: how-to/insight.md

docs/services/vulnerabilities/how-to/.pages

@@ -0,0 +1,4 @@
+nav:
+- attestation.md
+- insight.md
+- ...

docs/vulnerabilities/attestation/how-to/attestation.md → docs/services/vulnerabilities/how-to/attestation.md

@@ -1,8 +1,8 @@
 ---
-tags: [attestation, docker-build-push, how-to]
+tags: [attestation, sbom, how-to]
 ---
 
-# Docker Build Push
+# Generate SBOM
 
 Simply add [nais/docker-build-push](https://github.com/nais/docker-build-push) to your workflow.
 
@@ -40,17 +40,9 @@ If you want to push to another registry, you can use the [nais/attest-sign](http
      # ... other options removed for readability
 ```
 
-## Known limitations and alternatives
+### Attestation
 
-Due to [Trivy](https://github.com/aquasecurity/trivy-action), you'll receive a simplified dependency graph, as Trivy 
-doesn't support Gradle or Maven's dependency resolution. 
+The action automatically generates a signed attestation with the help of [Trivy](https://github.com/aquasecurity/trivy-action) and [cosign](https://github.com/sigstore/cosign).  
+The attestation envelope includes a SBOM (Software Bill of Materials) for your container image and its dependencies.
 
-Dependency-track integrates with Trivy at runtime, ensuring that vulnerabilities from the Docker container are still detected.
-
-Trivy directly parses the .jar files without access to full dependency resolution details.
-
-Gradle and Maven plugins provide a deeper graph of nested transitive dependencies.
-However, if you're using [Distroless](../../explanations/README.md#distroless-google) images or
-[Chainguard images](../../explanations/README.md#chainguard), updates are managed and kept to a minimum.
-
-See [limitations and alternatives](../reference/README.md#known-limitations-and-alternatives) for more information.
+The SBOM is uploaded to the same registry alongside your image.

docs/vulnerabilities/insights/how-to/console.md → docs/services/vulnerabilities/how-to/console.md

@@ -2,7 +2,7 @@
 tags: [ console, vulnerabilities, how-to ]
 ---
 
-# Vulnerability insights in Nais Console 
+# Nais Console 
 
 Teams can visit the Console to view their workload vulnerabilities, for example:
 
@@ -12,7 +12,5 @@ In the Console vulnerability overview, you can sort vulnerabilities by severity
 
 You will get the status of the teams' total, like coverage, total critical or risk score ranking. 
 
-![NAIS Console](../../../assets/salsa-team.png)
-
 
 

docs/vulnerabilities/insights/how-to/dependencytrack.md → docs/services/vulnerabilities/how-to/dependencytrack.md

@@ -2,36 +2,17 @@
 tags: [ dependencytrack, how-to ]
 ---
 
-# Explore Dependency-track
+# Dependencytrack
 
 You can access the Dependency-track user interface through the following URL:
 
 https://salsa.[tenant].cloud.nais.io
 
-To sign in, click the OpenID button, which will redirect you to your organization's identity provider.
-
-![Dependency Login](../../../assets/salsa-login.png)
-
 In Dependency-track, each image in a deployment or job is linked to its own project.
 A project can be associated with multiple workloads, teams, and clusters.
 The project name is based on the image name. For Google Artifact Registry (GAR),
 the project name follows this format: `europe-north1-docker.pkg.dev/nais-management-233d/[team]/[application]`,
 with the image version set as the project version.
 
-You can list projects your interested in using the following tag prefixes:
-
-* `team:`
-* `workload:`
-* `image:`
-
-Below is a screenshot of a project using the dependency graph within Dependency-track:
-
-![Dependency Graph](../../../assets/salsa-graph.png)
-
 [Dependency-track](https://dependencytrack.org/) has a ton of features so check out
-the [documentation](https://docs.dependencytrack.org/) for more information.
-
-## Language support
-
-SBOM generation for
-different [languages/build tools dictated by Trivy](https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability/#supported-languages).
+the [documentation](https://docs.dependencytrack.org/) for more information.

docs/vulnerabilities/insights/README.md → docs/services/vulnerabilities/how-to/insight.md

@@ -12,7 +12,7 @@ Dependency-track is a Component Analysis platform that allows you to identify an
 [Dependency-Track](https://dependencytrack.org/) operates as a single instance that manages all clusters and stores both
 attestations and vulnerabilities for all signed attestations successfully deployed.
 
-:dart: [**Explore Dependency-track**](how-to/dependencytrack.md)
+:dart: [**Explore Dependency-track**](dependencytrack.md)
 
 ## NAIS Console
 
@@ -24,4 +24,4 @@ It offers a centralized way to view and handle various aspects of workloads, suc
 **Vulnerability analysis 📊:** Get an overview of the vulnerabilities in your workloads and clusters.  
 **Vulnerability management 🛠️:** Manage vulnerabilities and take action to mitigate risks.  
 
-:dart: [**Explore Console**](how-to/console.md)
+:dart: [**Explore Console**](console.md)

docs/vulnerabilities/attestation/reference/README.md → docs/services/vulnerabilities/reference/README.md

@@ -1,11 +1,36 @@
 ---
-tags: [attestation, reference]
+tags: [ vulnerabilities, reference ]
 ---
 
-# Attestation reference
+# Vulnerability reference
+
+## Project exists in Dependency-Track, but I can't see the SBOM or vulnerabilities
+
+This issue likely arises from using the GitHub dependency graph resolution output JSON as an input for byosbom. 
+This JSON format is incompatible with Dependency-track. 
+Please use the SBOM generated by the nais/docker-build-push action instead.
+
+To fix this, remove the similar input from your workflow:
+
+```yaml
+    byosbom: dependency-graph-reports/your-file.json
+```
 
 ## Known limitations and alternatives
 
+Due to [Trivy](https://github.com/aquasecurity/trivy-action), you'll receive a simplified dependency graph, as Trivy
+doesn't support Gradle or Maven's dependency resolution.
+
+Dependency-track integrates with Trivy at runtime, ensuring that vulnerabilities from the Docker container are still detected.
+
+Trivy directly parses the .jar files without access to full dependency resolution details.
+
+Gradle and Maven plugins provide a deeper graph of nested transitive dependencies.
+However, if you're using [Distroless](../explanations/README.md#distroless-google) images or
+[Chainguard images](../explanations/README.md#chainguard), updates are managed and kept to a minimum.
+
+See [limitations and alternatives](../attestation/reference/README.md#known-limitations-and-alternatives) for more information.
+
 ### Gradle Plugin
 
 ??? Gradle Plugin
@@ -86,4 +111,5 @@ tags: [attestation, reference]
             with:
                 sbom: target/bom.json
         ```
-    For more info about settings check out the [CycloneDx Maven Plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)
+    For more info about settings check out the [CycloneDx Maven Plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)
+