intoto verify

Check with DevGuard whether a supply chain is fully verified (intended for automated deployment gates, not direct use)

Synopsis

Calls the DevGuard supply chain verification endpoint and exits 0 if the supply chain is valid, non-zero otherwise.

This command is CURRENTLY (https://github.com/l3montree-dev/devguard/issues/2202) NOT intended to be called by human users. It exists so that automated deployment gates — such as an OPA policy, an admission webhook, or a CI/CD quality gate — can query DevGuard for the verification status of a specific image digest before allowing a deployment to proceed.

DevGuard performs the verification server-side: it checks that all three required pipeline steps (post-commit, build, deploy) have uploaded signed links for the given supply chain ID, that each step was signed by an authorized token, and that the final deploy link's output digest matches the --supplyChainOutputDigest you provide.

The underlying endpoint is a plain HTTP GET that returns 200 on success and a non-200 status on failure — easy to call directly from policy engines or shell scripts:

GET /api/v1/organizations//in-toto/verify?supplyChainId=&supplyChainOutputDigest=
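
A fail-closed shell gate around the endpoint above, as an added example that is not part of the DevGuard documentation or code base. Assumptions: the DEVGUARD_URL variable, the function names, and that the empty path segment after organizations/ takes an organization identifier (passed here as ORG); authentication is not described on this page and is left out.

```bash
#!/usr/bin/env bash
# Added example: deployment gate that allows a deploy only on an exact HTTP 200.
# DEVGUARD_URL, ORG and both function names are assumptions, not DevGuard names.

# Map an HTTP status to a verdict. 000 (curl could not connect or timed out),
# redirects and every error status all deny, so the gate fails closed.
gate_decision() {
  case "$1" in
    200) echo allow ;;
    *)   echo deny ;;
  esac
}

# Query the verify endpoint and print "allow" or "deny"; returns 0 only on allow.
# usage: verify_supply_chain ORG SUPPLY_CHAIN_ID OUTPUT_DIGEST
verify_supply_chain() {
  local org="$1" chain_id="$2" digest="$3" status verdict
  # Refuse empty inputs instead of sending a query that cannot be verified.
  if [ -z "$org" ] || [ -z "$chain_id" ] || [ -z "$digest" ]; then
    echo deny
    return 1
  fi
  # --get with --data-urlencode builds the query string safely (digests
  # contain ':'). No -L: a redirect must never be followed and read as a verdict.
  status=$(curl --silent --output /dev/null --write-out '%{http_code}' \
    --max-time 10 --get \
    --data-urlencode "supplyChainId=${chain_id}" \
    --data-urlencode "supplyChainOutputDigest=${digest}" \
    "${DEVGUARD_URL:-https://devguard.example.invalid}/api/v1/organizations/${org}/in-toto/verify") \
    || status=000
  status=${status:-000}
  verdict=$(gate_decision "$status")
  echo "$verdict"
  [ "$verdict" = allow ]
}
```

In a pipeline step, `verify_supply_chain "$ORG" "$CHAIN_ID" "$IMAGE_DIGEST" || exit 1` stops the deployment on any answer other than 200.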

Examples

Options

Options inherited from parent commands
