attest
Create and upload an attestation for an image or artifact
Synopsis
Attach a signed metadata document (called a "predicate") to a container image or artifact.
Attestations answer the question "how was this artifact produced?" by associating it with verifiable metadata. The --predicateType flag identifies what kind of metadata it is. Downstream consumers (e.g. 'devguard-scanner attestations --policy ...') match attestations by predicate type, so the value must match exactly what the consumer expects.
Official predicate types are maintained at: https://github.com/in-toto/attestation/tree/main/spec/predicates
Common ones used with DevGuard:
  https://cyclonedx.org/bom                     CycloneDX SBOM
  https://cyclonedx.org/vex                     CycloneDX VEX (vulnerability exceptions)
  https://slsa.dev/provenance/v1                SLSA build provenance
  https://in-toto.io/attestation/release/v0.1   DevGuard release attestation
The first argument is a path to a local predicate JSON file. Pass "-" to read from stdin. Optionally provide a container image reference as the second argument to also attach the attestation directly to the image in the OCI registry using cosign.
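Because a consumer only matches attestations whose predicate type is exactly what it expects, a mismatched --predicateType silently produces an attestation nobody will use. The pre-flight script below is an added example, not part of devguard-scanner: it sniffs a predicate JSON file for the CycloneDX and SLSA v1 marker fields ("bomFormat", "vulnerabilities", "buildDefinition", taken from those specs rather than from this page), checks that the chosen predicate type agrees, and only then prints the attest command to run. The sample predicates are constructed inline.

```shell
#!/bin/sh
# Added example (not devguard-scanner code): verify that a predicate file's
# contents agree with the --predicateType before calling `devguard-scanner attest`.
# Assumption: the marker fields below come from the CycloneDX and SLSA v1 specs.
set -eu

# guess_predicate_type FILE -> prints the predicate type URI the JSON looks like
guess_predicate_type() {
  f="$1"
  if grep -q '"buildDefinition"' "$f"; then
    echo "https://slsa.dev/provenance/v1"
  elif grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f"; then
    # A CycloneDX document carrying a vulnerabilities array is a VEX, else an SBOM
    if grep -q '"vulnerabilities"' "$f"; then
      echo "https://cyclonedx.org/vex"
    else
      echo "https://cyclonedx.org/bom"
    fi
  else
    echo "unknown"
  fi
}

# check_predicate_type FILE TYPE -> exit 0 when TYPE matches the file's contents
check_predicate_type() {
  [ "$(guess_predicate_type "$1")" = "$2" ]
}

# build_attest_cmd FILE TYPE [IMAGE] -> prints the attest command, or fails on mismatch
build_attest_cmd() {
  check_predicate_type "$1" "$2" || {
    echo "refusing: $1 does not look like a $2 predicate" >&2
    return 1
  }
  printf 'devguard-scanner attest --predicateType %s %s %s\n' "$2" "$1" "${3:-}"
}

# Constructed sample predicates (not real project data)
tmp=$(mktemp -d)
cat > "$tmp/sbom.json" <<'EOF'
{"bomFormat":"CycloneDX","specVersion":"1.5","components":[{"type":"library","name":"libfoo","version":"1.2.3"}]}
EOF
cat > "$tmp/vex.json" <<'EOF'
{"bomFormat":"CycloneDX","specVersion":"1.5","vulnerabilities":[{"id":"EXAMPLE-0001","analysis":{"state":"not_affected"}}]}
EOF

build_attest_cmd "$tmp/sbom.json" https://cyclonedx.org/bom
build_attest_cmd "$tmp/vex.json"  https://cyclonedx.org/vex registry.example/app:1.0
```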