Synopsis
Parses the given commit’s message, current branch name or the content of the
--jira-secondary-source
argument for Jira issue references of the form:
‘at least 2 characters long, starting with an uppercase letter project key followed by
dash and one or more digits’.
Any candidate match is automatically excluded if every occurrence in the parsed text is
immediately followed by a hyphen and a digit — for example, CVE-2026-41284 is excluded
because CVE-2026 would be followed by -4. This applies across all parsed sources
(commit message, branch name, and secondary source).
Note: if your Jira project key collides with this pattern (e.g. a project key of CVE), an
issue reference that happens to be the prefix of a longer hyphenated number (such as a CVE
identifier) will be filtered out. Use --jira-secondary-source with a different identifier
format as a workaround.
If you want to restrict the Jira issue matching to a specific project, use the
--jira-project-key flag to specify your own project key. You can specify multiple project keys if needed.
If the --ignore-branch-match is set, the branch name is not parsed for a match.
The found issue references will be checked against Jira to confirm their existence.
The attestation is reported in all cases, and its compliance status depends on referencing
existing Jira issues.If you have wrong Jira credentials or wrong Jira-base-url it will be reported as non existing Jira issue. This is because Jira returns same 404 error code in all cases. The
--jira-issue-fields can be used to include fields from the jira issue. By default no fields
are included. *all will give all fields. Using --jira-issue-fields "*all" --dry-run will give you
the complete list so you can select the once you need. The issue fields uses the jira API that is documented here:
https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-issues/#api-rest-api-2-issue-issueidorkey-get-request
The attestation can be bound to a trail using the trail name.
The attestation can be bound to an artifact in two ways:
- using the artifact’s SHA256 fingerprint which is calculated (based on the
--artifact-typeflag and the artifact name/path argument) or can be provided directly (with the--fingerprintflag). - using the artifact’s name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.
--commit (requires access to a git repo).
You can optionally redact some of the git commit data sent to Kosli using --redact-commit-info.
Note that when the attestation is reported for an artifact that does not yet exist in Kosli, --commit is required to facilitate
binding the attestation to the right artifact.
To record repository information, all three of --repo-id, --repo-url, and --repository must be set together.
These are automatically set in GitHub Actions, GitLab CI, Bitbucket Pipelines, and Azure DevOps.
In other CI systems, set them explicitly to capture repository metadata.
Flags
Flags inherited from parent commands
Examples Use Cases
These examples all assume that the flags--api-token, --org, --host, (and --flow, --trail when required), are set/provided.
report a jira attestation about a pre-built docker artifact (kosli calculates the fingerprint)
report a jira attestation about a pre-built docker artifact (kosli calculates the fingerprint)
report a jira attestation about a pre-built docker artifact (you provide the fingerprint)
report a jira attestation about a pre-built docker artifact (you provide the fingerprint)
report a jira attestation about a trail
report a jira attestation about a trail
report a jira attestation matching a specific jira project key
report a jira attestation matching a specific jira project key
report a jira attestation about a trail and include jira issue summary, description and creator
report a jira attestation about a trail and include jira issue summary, description and creator
report a jira attestation about an artifact which has not been reported yet in a trail
report a jira attestation about an artifact which has not been reported yet in a trail
report a jira attestation about a trail with an attachment
report a jira attestation about a trail with an attachment
fail if no issue reference is found, or the issue is not found in your jira instance
fail if no issue reference is found, or the issue is not found in your jira instance
get jira reference from original branch name in a GitHub Pull Request merge job
get jira reference from original branch name in a GitHub Pull Request merge job