dhi: add auto build info for customization

Signed-off-by: Craig Osterhout <[email protected]>

Author: craig-osterhout

content/manuals/dhi/features/patching.md

@@ -39,4 +39,15 @@ Docker Hardened Images are automatically rebuilt and tested.
 Updated images are published with cryptographic provenance attestations to
 support verification and compliance workflows. This automated process reduces
 the operational burden of manual patching and helps teams stay aligned with
-secure software development practices.
+secure software development practices.
+
+## Automatic patching for customized images
+
+When you [customize a Docker Hardened Image](../how-to/customize.md), your
+customized images also benefit from automatic patching. When the base Docker
+Hardened Image receives a security update, Docker automatically rebuilds your
+customized images in the background, ensuring they stay current with the latest
+security patches without requiring manual intervention.
+
+This means your customizations maintain continuous compliance and protection by
+default, with no additional operational overhead.

content/manuals/dhi/how-to/customize.md

@@ -105,6 +105,16 @@ To customize a Docker Hardened Image, follow these steps:
    to build. Once built, it will appear in the **Tags** tab of the repository,
    and your team members can pull it like any other image.
 
+## Automatic rebuilds
+
+Your customized images stay secure automatically. When the base Docker Hardened
+Image receives a security patch or your OCI artifacts are updated, Docker
+automatically rebuilds your customized images in the background. This ensures
+continuous compliance and protection by default, with no manual work required.
+
+The rebuilt images are signed and attested to the same SLSA Build Level 3
+standard as the base images, ensuring a secure and verifiable supply chain.
+
 ## Edit or delete a Docker Hardened Image customization
 
 To edit or delete a Docker Hardened Image customization, follow these steps: