Synopsis
Only SARIF snyk output is accepted. Snyk output can be for “snyk code test”, “snyk container test”, or “snyk iac test”. The
--scan-results .json file is analyzed and a summary of the scan results are reported to Kosli.
By default, the --scan-results .json file is also uploaded to Kosli’s evidence vault.
You can disable that by setting --upload-results=false
The attestation can be bound to a trail using the trail name.
The attestation can be bound to an artifact in two ways:
- using the artifact’s SHA256 fingerprint which is calculated (based on the
--artifact-typeflag and the artifact name/path argument) or can be provided directly (with the--fingerprintflag). - using the artifact’s name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.
--commit (requires access to a git repo).
You can optionally redact some of the git commit data sent to Kosli using --redact-commit-info.
Note that when the attestation is reported for an artifact that does not yet exist in Kosli, --commit is required to facilitate
binding the attestation to the right artifact.
To record repository information, all three of --repo-id, --repo-url, and --repository must be set together.
These are automatically set in GitHub Actions, GitLab CI, Bitbucket Pipelines, and Azure DevOps.
In other CI systems, set them explicitly to capture repository metadata.
Flags
Flags inherited from parent commands
Live Examples in different CI systems
- GitHub
- GitLab
View an example of the
kosli attest snyk command in GitHub.In this YAML file, which created this Kosli Event.Examples Use Cases
These examples all assume that the flags--api-token, --org, --host, (and --flow, --trail when required), are set/provided.
report a snyk attestation about a pre-built docker artifact (kosli calculates the fingerprint)
report a snyk attestation about a pre-built docker artifact (kosli calculates the fingerprint)
report a snyk attestation about a pre-built docker artifact (you provide the fingerprint)
report a snyk attestation about a pre-built docker artifact (you provide the fingerprint)
report a snyk attestation about a trail
report a snyk attestation about a trail
report a snyk attestation about an artifact which has not been reported yet in a trail
report a snyk attestation about an artifact which has not been reported yet in a trail
report a snyk attestation about a trail with an attachment
report a snyk attestation about a trail with an attachment
report a snyk attestation about a trail without uploading the snyk results file
report a snyk attestation about a trail without uploading the snyk results file