Skip to main content

Synopsis

Report a custom attestation to an artifact or a trail in a Kosli flow. The name of the custom attestation type is specified using the --type flag. The path to the JSON file the custom type will evaluate is specified using the --attestation-data flag. The attestation can be bound to a trail using the trail name. The attestation can be bound to an artifact in two ways:
  • using the artifact’s SHA256 fingerprint which is calculated (based on the --artifact-type flag and the artifact name/path argument) or can be provided directly (with the --fingerprint flag).
  • using the artifact’s name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.
You can optionally associate the attestation to a git commit using --commit (requires access to a git repo). You can optionally redact some of the git commit data sent to Kosli using --redact-commit-info. Note that when the attestation is reported for an artifact that does not yet exist in Kosli, --commit is required to facilitate binding the attestation to the right artifact. To record repository information, all three of --repo-id, --repo-url, and --repository must be set together. These are automatically set in GitHub Actions, GitLab CI, Bitbucket Pipelines, and Azure DevOps. In other CI systems, set them explicitly to capture repository metadata.

Flags

Flags inherited from parent commands

Live Examples in different CI systems

View an example of the kosli attest custom command in GitHub.In this YAML file, which created this Kosli Event.

Examples Use Cases

These examples all assume that the flags --api-token, --org, --host, (and --flow, --trail when required), are set/provided.
Last modified on June 18, 2026