Synopsis
--fingerprint flag, or
calculated based on --artifact-type flag.
Artifact type can be one of: “file” for files, “dir” for directories, “oci” for container
images in registries or “docker” for local docker images.
Note: --artifact-type=docker reads the image’s repo digest via the local Docker daemon.
The image must have been pushed to or pulled from a registry for a repo digest to exist;
a freshly built image (just docker build) will not have one. If the image is already in
a registry, prefer --artifact-type=oci, which fetches the digest directly from the
registry without needing a local Docker daemon.
To specify paths in a directory artifact that should always be excluded from the SHA256 calculation, you can add a .kosli_ignore file to the root of the artifact.
Each line should specify a relative path or path glob to be ignored. You can include comments in this file, using #.
The .kosli_ignore will be treated as part of the artifact like any other file, unless it is explicitly ignored itself.
This command requires access to a git repo to associate the artifact to the git commit it is originating from.
You can optionally redact some of the git commit data sent to Kosli using --redact-commit-info.
To record repository information, all three of --repo-id, --repo-url, and --repository must be set together.
These are automatically set in GitHub Actions, GitLab CI, Bitbucket Pipelines, and Azure DevOps.
In other CI systems, set them explicitly to capture repository metadata.
Flags
Flags inherited from parent commands
Live Examples in different CI systems
- GitHub
- GitLab
View an example of the
kosli attest artifact command in GitHub.In this YAML file, which created this Kosli Event.Examples Use Cases
These examples all assume that the flags--api-token, --org, --host, (and --flow, --trail when required), are set/provided.
Attest that a file type artifact has been created, and let Kosli calculate its fingerprint
Attest that a file type artifact has been created, and let Kosli calculate its fingerprint
Attest that an artifact has been created and provide its fingerprint (sha256)
Attest that an artifact has been created and provide its fingerprint (sha256)
Attest that an artifact has been created and provide external attachments
Attest that an artifact has been created and provide external attachments