attestations

Discover attestations for an image and optionally evaluate a Rego policy

Synopsis

Retrieve all attestations (metadata documents) attached to a container image and optionally evaluate them against a Rego policy.

Attestations are documents attached to the image during its build pipeline — for example an SBOM, a VEX document (vulnerability exceptions), or SARIF security scan results. Each attestation has a predicate type (a URI) that identifies its kind. The policy receives all discovered attestations and can match against specific predicate types to check that required metadata is present.

Example Rego policy that requires an SBOM and a VEX document:

package devguard

import future.keywords.if
import future.keywords.in

# Deny when no CycloneDX SBOM attestation is attached to the image.
deny[msg] if {
    not has_attestation("https://cyclonedx.org/bom")
    msg := "Image is missing a CycloneDX SBOM attestation"
}

# Deny when no VEX document (vulnerability exceptions) is attached.
deny[msg] if {
    not has_attestation("https://cyclonedx.org/vex")
    msg := "Image is missing a VEX document"
}

# True if any discovered attestation has exactly this predicate type URI.
has_attestation(predicate_type) if {
    some att in input.attestations
    att.predicateType == predicate_type
}

The command exits with code 1 if any deny rule fires — making it suitable as a deployment gate.
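The following added example (not part of this page or of the devguard tool) mirrors the policy above in Python so the gate logic can be exercised offline: it builds the same `input.attestations` document the policy reads, applies the two deny rules with the same exact-match semantics on `predicateType`, and maps the result to the exit code described. The sample attestations are constructed in-toto Statement headers with empty predicate bodies.

```python
import json
import sys

# Predicate-type URIs required by the Rego policy on this page.
SBOM_TYPE = "https://cyclonedx.org/bom"
VEX_TYPE = "https://cyclonedx.org/vex"


def has_attestation(policy_input: dict, predicate_type: str) -> bool:
    """Mirror of the Rego has_attestation rule: an exact string match on
    predicateType, so a near-miss URI (different suffix/fragment) does not count."""
    return any(att.get("predicateType") == predicate_type
               for att in policy_input.get("attestations", []))


def evaluate(policy_input: dict) -> list:
    """Return the deny messages the policy would produce, in rule order."""
    deny = []
    if not has_attestation(policy_input, SBOM_TYPE):
        deny.append("Image is missing a CycloneDX SBOM attestation")
    if not has_attestation(policy_input, VEX_TYPE):
        deny.append("Image is missing a VEX document")
    return deny


def gate_exit_code(policy_input: dict) -> int:
    """Deployment-gate behaviour: 1 if any deny rule fires, otherwise 0."""
    return 1 if evaluate(policy_input) else 0


# Constructed sample inputs (assumption: devguard hands the policy
# {"attestations": [<in-toto Statement>, ...]}; predicate bodies omitted here).
STATEMENT = "https://in-toto.io/Statement/v1"
SBOM_ONLY = {"attestations": [
    {"_type": STATEMENT, "predicateType": SBOM_TYPE, "predicate": {}},
]}
COMPLETE = {"attestations": SBOM_ONLY["attestations"] + [
    {"_type": STATEMENT, "predicateType": VEX_TYPE, "predicate": {}},
]}
# Constructed near-miss: a VEX-like type with a fragment does not satisfy the rule.
NEAR_MISS = {"attestations": SBOM_ONLY["attestations"] + [
    {"_type": STATEMENT, "predicateType": VEX_TYPE + "#draft", "predicate": {}},
]}

if __name__ == "__main__":
    # Optional: pass a path to a JSON file shaped like the inputs above.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else COMPLETE
    for msg in evaluate(doc):
        print("deny:", msg)
    sys.exit(gate_exit_code(doc))
```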

Examples

Options

Options inherited from parent commands
