Skip to main content

Synopsis

Calculate the SHA256 fingerprint of an artifact. Requires --artifact-type flag to be set. Artifact type can be one of: “file” for files, “dir” for directories, “oci” for container images in registries or “docker” for local docker images. Fingerprinting container images can be done using the local docker daemon or the fingerprint can be fetched from a remote registry. Note: --artifact-type=docker reads the image’s repo digest via the local Docker daemon, so the image must have been pushed to or pulled from a registry. A freshly built image (just docker build) does not have a repo digest. For images already in a registry, prefer --artifact-type=oci to fetch the digest directly from the registry. When fingerprinting a ‘dir’ artifact, you can exclude certain paths from fingerprint calculation using the --exclude flag. Excluded paths are relative to the DIR-PATH and can be literal paths or glob patterns. With a directory structure like this foo/bar/zam/file.txt if you are calculating the fingerprint of foo/bar you need to exclude zam/file.txt which is relative to the DIR-PATH. The supported glob pattern syntax is what is documented here: https://pkg.go.dev/path/filepath#Match , plus the ability to use recursive globs ”**” If the directory structure contains a symbolic link to a file (for example, a link ‘from/this/file’ and a target of ‘to/another/file’) then:
  • the name of the link (‘from/this/file’) is included in the fingerprint.
  • the name of the link (‘from/this/file’) is subject to .kosli_ignore entries.
  • the name of the target (‘to/another/file’) is not included in the fingerprint.
  • the content of target is included in the fingerprint, even if the target is outside the root directory being fingerprinted.
If the directory structure contains a symbolic link to a directory (for example, a link ‘from/this/dir’ and a target of ‘to/another/dir’) then:
  • the name of the link (‘from/this/dir’) is included in the fingerprint.
  • the name of the link (‘from/this/dir’) is subject to .kosli_ignore entries.
  • the name of the target (‘to/another/dir’) is included in the fingerprint, even if the target is outside the root directory being fingerprinted.
  • the name of the target (‘to/another/dir’) is not subject to .kosli_ignore entries.
  • the content of the target is not included in the fingerprint.
To specify paths in a directory artifact that should always be excluded from the SHA256 calculation, you can add a .kosli_ignore file to the root of the artifact. Each line should specify a relative path or path glob to be ignored. You can include comments in this file, using #. The .kosli_ignore will be treated as part of the artifact like any other file, unless it is explicitly ignored itself.

Flags

Flags inherited from parent commands

Live Examples in different CI systems

View an example of the kosli fingerprint command in GitHub.In this YAML file

Examples Use Cases

These examples all assume that the flags --api-token, --org, --host, (and --flow, --trail when required), are set/provided.
Last modified on June 18, 2026