Synopsis
The attestation can be bound to an artifact in two ways:
- using the artifact’s SHA256 fingerprint which is calculated (based on the
--artifact-typeflag and the artifact name/path argument) or can be provided directly (with the--fingerprintflag). - using the artifact’s name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.
--commit (requires access to a git repo).
You can optionally redact some of the git commit data sent to Kosli using --redact-commit-info.
Note that when the attestation is reported for an artifact that does not yet exist in Kosli, --commit is required to facilitate
binding the attestation to the right artifact.
Flags
| Flag | Description |
|---|---|
| —annotate stringToString | [optional] Annotate the attestation with data using key=value. |
| -t, —artifact-type string | The type of the artifact to calculate its SHA256 fingerprint. One of: [oci, docker, file, dir]. Only required if you want Kosli to calculate the fingerprint for you (i.e. when you don’t specify ‘—fingerprint’ on commands that allow it). |
| —attachments strings | [optional] The comma-separated list of paths of attachments for the reported attestation. Attachments can be files or directories. All attachments are compressed and uploaded to Kosli’s evidence vault. |
| -g, —commit string | [conditional] The git commit for which the attestation is associated to. Becomes required when reporting an attestation for an artifact before reporting it to Kosli. (defaulted in some CIs: docs ). |
| -C, —compliant | [defaulted] Whether the attestation is compliant or not. A boolean flag docs (default true) |
| —description string | [optional] attestation description |
| -D, —dry-run | [optional] Run in dry-run mode. When enabled, no data is sent to Kosli and the CLI exits with 0 exit code regardless of any errors. |
| -x, —exclude strings | [optional] The comma separated list of directories and files to exclude from fingerprinting. Can take glob patterns. Only applicable for —artifact-type dir. |
| —external-fingerprint stringToString | [optional] A SHA256 fingerprint of an external attachment represented by —external-url. The format is label=fingerprint (labels cannot contain ’.’ or ’=’). This flag can be set multiple times. There must be an external url with a matching label for each external fingerprint. |
| —external-url stringToString | [optional] Add labeled reference URL for an external resource. The format is label=url (labels cannot contain ’.’ or ’=’). This flag can be set multiple times. If the resource is a file or dir, you can optionally add its fingerprint via —external-fingerprint |
| -F, —fingerprint string | [conditional] The SHA256 fingerprint of the artifact to attach the attestation to. Only required if the attestation is for an artifact and —artifact-type and artifact name/path are not used. |
| -f, —flow string | The Kosli flow name. |
| -h, —help | help for generic |
| -n, —name string | The name of the attestation as declared in the flow or trail yaml template. |
| -o, —origin-url string | [optional] The url pointing to where the attestation came from or is related. (defaulted to the CI url in some CIs: docs ). |
| —redact-commit-info strings | [optional] The list of commit info to be redacted before sending to Kosli. Allowed values are one or more of [author, message, branch]. |
| —registry-password string | [conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry. |
| —registry-username string | [conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry. |
| —repo-root string | [defaulted] The directory where the source git repository is available. Only used if —commit is used or defaulted in CI, see docs . (default ”.”) |
| -T, —trail string | The Kosli trail name. |
| -u, —user-data string | [optional] The path to a JSON file containing additional data you would like to attach to the attestation. |
Flags inherited from parent commands
| Flag | Description |
|---|---|
| -a, —api-token string | The Kosli API token. |
| -c, —config-file string | [optional] The Kosli config file path. (default “kosli”) |
| —debug | [optional] Print debug logs to stdout. A boolean flag docs (default false) |
| -H, —host string | [defaulted] The Kosli endpoint. (default “https://app.kosli.com”) |
| —http-proxy string | [optional] The HTTP proxy URL including protocol and port number. e.g. ‘http://proxy-server-ip:proxy-port’ |
| -r, —max-api-retries int | [defaulted] How many times should API calls be retried when the API host is not reachable. (default 3) |
| —org string | The Kosli organization. |
Live Examples in different CI systems
- GitHub
- GitLab
View an example of the
kosli attest generic command in GitHub.In this YAML file, which created this Kosli Event.Examples Use Cases
These examples all assume that the flags--api-token, --org, --host, (and --flow, --trail when required), are set/provided.
report a generic attestation about a pre-built docker artifact (kosli calculates the fingerprint)
report a generic attestation about a pre-built docker artifact (kosli calculates the fingerprint)
report a generic attestation about a pre-built docker artifact (you provide the fingerprint)
report a generic attestation about a pre-built docker artifact (you provide the fingerprint)
report a generic attestation about a trail
report a generic attestation about a trail
report a generic attestation about an artifact which has not been reported yet in a trail
report a generic attestation about an artifact which has not been reported yet in a trail
report a generic attestation about a trail with an attachment
report a generic attestation about a trail with an attachment
report a non-compliant generic attestation about a trail
report a non-compliant generic attestation about a trail