intoto verify
Check with DevGuard whether a supply chain is fully verified (intended for automated deployment gates, not direct use)
Synopsis
Calls the DevGuard supply chain verification endpoint and exits 0 if the supply chain is valid, non-zero otherwise.
This command is currently NOT intended to be called by human users (see https://github.com/l3montree-dev/devguard/issues/2202). It exists so that automated deployment gates — such as an OPA policy, an admission webhook, or a CI/CD quality gate — can query DevGuard for the verification status of a specific image digest before allowing a deployment to proceed.
DevGuard performs the verification server-side: it checks that all three required pipeline steps (post-commit, build, deploy) have uploaded signed links for the given supply chain ID, that each step was signed by an authorized token, and that the final deploy link's output digest matches the --supplyChainOutputDigest you provide.
The underlying endpoint is a plain HTTP GET that returns 200 on success and a non-200 status on failure — easy to call directly from policy engines or shell scripts:
GET /api/v1/organizations//in-toto/verify?supplyChainId=&supplyChainOutputDigest=
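A fail-closed shell gate around this endpoint, as an added example that is not DevGuard's own code. DEVGUARD_URL and DEVGUARD_ORG are assumed variable names (the organization path segment is elided in the route above), and authentication is left out because this page does not describe it.

```shell
#!/bin/sh
# Added example (not DevGuard's own code): fail-closed gate around the verify endpoint.
# Assumed names: DEVGUARD_URL (base URL) and DEVGUARD_ORG (the organization
# path segment that is elided in the route shown on the page).

devguard_http_status() {
    # Prints only the HTTP status code. -G with --data-urlencode encodes the
    # query values; -L is deliberately absent so redirects are not followed.
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --proto '=https' -G \
         --data-urlencode "supplyChainId=$1" \
         --data-urlencode "supplyChainOutputDigest=$2" \
         "$DEVGUARD_URL/api/v1/organizations/$DEVGUARD_ORG/in-toto/verify"
}

devguard_gate() {
    id=$1
    digest=$2
    # Deny on missing input or configuration instead of querying with blanks.
    if [ -z "$id" ] || [ -z "$digest" ] || [ -z "$DEVGUARD_URL" ] || [ -z "$DEVGUARD_ORG" ]; then
        echo "deny: missing supply chain id, digest or DevGuard settings" >&2
        return 2
    fi
    status=$(devguard_http_status "$id" "$digest") || status="curl-failed"
    # Only an exact 200 allows the deployment; 3xx, 4xx, 5xx, timeouts and
    # curl's 000 (no response) all deny.
    if [ "$status" = "200" ]; then
        echo "allow: $digest verified for supply chain $id"
        return 0
    fi
    echo "deny: verify returned '$status' for $digest" >&2
    return 1
}

# Usage in a pipeline step (deploy the same digest that was verified, not a tag):
#   devguard_gate "$SUPPLY_CHAIN_ID" "$IMAGE_DIGEST" || exit 1
```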