attest

Create and upload an attestation for an image or artifact

Synopsis

Attach a signed metadata document (the "predicate") to a container image or other artifact.

Attestations answer the question "how was this artifact produced?" by associating the artifact with verifiable metadata. The --predicateType flag identifies what kind of metadata the predicate is. Downstream consumers (e.g. 'devguard-scanner attestations --policy ...') select attestations by predicate type with an exact string comparison, so the value must match what the consumer expects character for character: a different version segment or a trailing slash is a different type and the attestation will not be found.

Official predicate types are maintained at: https://github.com/in-toto/attestation/tree/main/spec/predicates

Common ones used with DevGuard:

  https://cyclonedx.org/bom                       CycloneDX SBOM
  https://cyclonedx.org/vex                       CycloneDX VEX (vulnerability exceptions)
  https://slsa.dev/provenance/v1                  SLSA build provenance
  https://in-toto.io/attestation/release/v0.1     DevGuard release attestation

The first argument is a path to a local predicate JSON file. Pass "-" to read from stdin. Optionally provide a container image reference as the second argument to also attach the attestation directly to the image in the OCI registry using cosign.
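The following is an added illustration, not DevGuard's or cosign's own code. It shows the two things the text above leaves implicit: the difference between the predicate you pass on the command line (the bare metadata document, here a constructed minimal CycloneDX SBOM) and the in-toto Statement that a signer such as cosign wraps around it to bind it to the artifact's digest, and why the exact predicate-type match matters to a consumer. The statement layout follows the public in-toto Statement v1 specification; the file name, image reference and SBOM contents are constructed for the example, and the near-miss reporting is this example's own addition, not behaviour the page attributes to DevGuard.

```python
"""Added example (not DevGuard's or cosign's code): predicate vs. signed
statement, and exact predicate-type matching as a consumer would do it.
All file names, image references and SBOM contents below are constructed."""
import hashlib
import json
import re

# Predicate types listed on the page. Consumers compare these exactly.
CYCLONEDX_BOM = "https://cyclonedx.org/bom"
CYCLONEDX_VEX = "https://cyclonedx.org/vex"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DEVGUARD_RELEASE = "https://in-toto.io/attestation/release/v0.1"

# Constructed minimal CycloneDX SBOM used as the predicate payload.
SAMPLE_PREDICATE_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [{"type": "library", "name": "openssl", "version": "3.0.13"}],
})


def read_predicate(path, stdin_text=None):
    """Mirror the CLI convention: '-' means read the predicate from stdin,
    anything else is a path to a local JSON file."""
    if path == "-":
        return json.loads(stdin_text)
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def build_statement(predicate_type, subject_name, artifact_bytes, predicate):
    """Wrap a predicate in an in-toto Statement v1 bound to the artifact digest.
    This is the envelope a signer such as cosign puts around the predicate
    before signing; the predicate on its own does not say which artifact
    it describes."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name, "digest": {"sha256": digest}}],
        "predicateType": predicate_type,
        "predicate": predicate,
    }


def _family(predicate_type):
    """Normalise case, trailing slash and a trailing /vN[.N] version segment
    so that near misses can be reported. Used for diagnostics only."""
    return re.sub(r"/v\d[\d.]*$", "", predicate_type.rstrip("/").lower())


def select_by_type(statements, expected_type):
    """Exact-match selection as a policy consumer performs it.
    Returns (matches, near_misses): near_misses lists predicate types that
    differ only by case, trailing slash or version segment, which is the
    usual reason a policy finds no attestation."""
    matches, near_misses = [], []
    for st in statements:
        pt = st["predicateType"]
        if pt == expected_type:
            matches.append(st)
        elif _family(pt) == _family(expected_type):
            near_misses.append(pt)
    return matches, near_misses


def demo():
    """Build one SBOM statement and one stale SLSA v0.2 statement, then show
    that a policy expecting SLSA v1 matches nothing but reports the near miss."""
    sbom = read_predicate("-", SAMPLE_PREDICATE_JSON)
    image_bytes = b"constructed image manifest bytes"  # stands in for the artifact
    sbom_stmt = build_statement(CYCLONEDX_BOM, "registry.example/app:1.0",
                                image_bytes, sbom)
    stale_stmt = build_statement("https://slsa.dev/provenance/v0.2",
                                 "registry.example/app:1.0", image_bytes, {})
    matches, near = select_by_type([sbom_stmt, stale_stmt], SLSA_PROVENANCE_V1)
    return {"sbom_statement": sbom_stmt, "matches": matches, "near_misses": near}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["sbom_statement"], indent=2))
    print("policy matches:", len(result["matches"]), "near misses:", result["near_misses"])
```

On the command line the same predicate would be handed to the page's command with the type spelled exactly as the consumer expects it, for example (reading the SBOM from stdin, as the text above describes): `... | devguard-scanner attest --predicateType https://cyclonedx.org/bom -`. The subject digest and signature are added by the tool, not by the caller.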

Examples

Options

Options inherited from parent commands
