You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: "Reference for devguard-scanner attest: Create and upload an attestation for an OCI image or a local predicate file. The first argument is a path to a local."
description: "Reference for devguard-scanner attest: Create and upload an attestation for an OCI image or a local predicate file. The first argument is a path to a local."
14
-
image: "/og-image.png"
15
-
type: "article"
16
-
schema:
17
-
type: "TechArticle"
18
-
robots: "index,follow"
19
-
ignoreChecks:
20
-
- "checkIfKeywordDensityInRange"
21
-
- "checkIfMinimumInternalLinks"
22
-
- "checkIfHeadingContainsKeywordPrimary"
23
-
- "checkIfTitleContainsKeywordPrimary"
24
-
- "checkIfHeadingOrderCorrect"
25
-
---
26
-
27
1
## attest
28
2
29
3
Create and upload an attestation for an image or artifact
30
4
31
5
### Synopsis
32
6
33
-
Create and upload an attestation for an OCI image or a local predicate file.
7
+
Attach a signed metadata document (called a "predicate") to a container image or artifact.
8
+
9
+
Attestations answer the question "how was this artifact produced?" by associating it with
10
+
verifiable metadata. The --predicateType flag identifies what kind of metadata it is. Downstream
11
+
consumers (e.g. 'devguard-scanner attestations --policy ...') match attestations by predicate type,
12
+
so the value must match exactly what the consumer expects.
34
13
35
-
The first argument is a path to a local predicate JSON file that will be used as
36
-
the attestation payload. Optionally provide a container image reference as the
37
-
second argument to attach the attestation to that image.
description: "Reference for devguard-scanner attestations: Retrieve and validate security attestations for container images used in Helm charts or other deployment."
description: "Reference for devguard-scanner attestations: Retrieve and validate security attestations for container images used in Helm charts or other deployment."
14
-
image: "/og-image.png"
15
-
type: "article"
16
-
schema:
17
-
type: "TechArticle"
18
-
robots: "index,follow"
19
-
ignoreChecks:
20
-
- "checkIfKeywordDensityInRange"
21
-
- "checkIfMinimumInternalLinks"
22
-
- "checkIfHeadingContainsKeywordPrimary"
23
-
- "checkIfTitleContainsKeywordPrimary"
24
-
- "checkIfHeadingOrderCorrect"
25
-
---
26
-
27
1
## attestations
28
2
29
3
Discover attestations for an image and optionally evaluate a rego policy
30
4
31
5
### Synopsis
32
6
33
-
Retrieve and validate security attestations for container images used in Helm charts or other deployment workflows.
7
+
Retrieve all attestations (metadata documents) attached to a container image and optionally evaluate them against a Rego policy.
8
+
9
+
Attestations are documents attached to the image during its build pipeline — for example an SBOM,
10
+
a VEX document (vulnerability exceptions), or SARIF security scan results. Each attestation has a
11
+
predicate type (a URI) that identifies its kind. The policy receives all discovered attestations
12
+
and can match against specific predicate types to check that required metadata is present.
13
+
14
+
Example Rego policy that requires an SBOM and a VEX document:
15
+
16
+
package devguard
17
+
18
+
import future.keywords.if
19
+
import future.keywords.in
20
+
21
+
deny[msg] if {
22
+
not has_attestation("https://cyclonedx.org/bom")
23
+
msg := "Image is missing a CycloneDX SBOM attestation"
24
+
}
25
+
26
+
deny[msg] if {
27
+
not has_attestation("https://cyclonedx.org/vex")
28
+
msg := "Image is missing a VEX document"
29
+
}
30
+
31
+
has_attestation(predicate_type) if {
32
+
some att in input.attestations
33
+
att.predicateType == predicate_type
34
+
}
34
35
35
-
It automates what is normally a manual, time-consuming process of verifying that each image is properly hardened and accompanied by essential metadata such as SBOM, VEX, and SARIF.
36
+
The command exits with code 1 if any deny rule fires — making it suitable as a deployment gate.
--apiUrl string The url of the API to send the scan request to (default "https://api.devguard.org")
58
59
--assetName string The id of the asset which is scanned
59
60
--defaultRef string The default git reference to use. This can be a branch, tag, or commit hash. If not specified, it will check, if the current directory is a git repo. If it isn't, --ref will be used.
61
+
--format string Format of the report to generate (plain, sarif). Default is plain (default "plain")
60
62
-h, --help help for attestations
61
63
--isTag If the current git reference is a tag. If not specified, it will check if the current directory is a git repo. If it isn't, it will be set to false.
62
-
--outputPath string Path to save the generated SARIF report. If not provided, the report is only printed.
64
+
--outputPath string Path to save the generated report. If not provided, the report is only printed.
63
65
-p, --policy string check the images attestations against policy
64
66
--ref string The git reference to use. This can be a branch, tag, or commit hash. If not specified, it will first check fora git repositoryin the current directory. If not found, it will just use main.
65
67
--token string The personal access token to authenticate the request
description: "Reference for devguard-scanner clean: Run cosign remove on an image or signature object to clean attestations/signatures. This command wraps the cosign CLI."
description: "Reference for devguard-scanner clean: Run cosign remove on an image or signature object to clean attestations/signatures. This command wraps the cosign CLI."
14
-
image: "/og-image.png"
15
-
type: "article"
16
-
schema:
17
-
type: "TechArticle"
18
-
robots: "index,follow"
19
-
ignoreChecks:
20
-
- "checkIfKeywordDensityInRange"
21
-
- "checkIfMinimumInternalLinks"
22
-
- "checkIfHeadingContainsKeywordPrimary"
23
-
- "checkIfTitleContainsKeywordPrimary"
24
-
- "checkIfHeadingOrderCorrect"
25
-
---
26
-
27
1
## clean
28
2
29
-
Remove attestations or signatures using cosign
3
+
Remove attestations or signatures from an OCI image
30
4
31
5
### Synopsis
32
6
33
-
Run cosign remove on an image or signature object to clean attestations/signatures.
7
+
Remove attestations and/or signatures from an OCI image.
34
8
35
-
This command wraps the cosign CLI. If registry credentials are provided they will
36
-
be used for authentication. The command converts your configured token into a key
37
-
and uses it where appropriate. Use --type to limit the cleanup to signatures,
38
-
attestations, SBOMs, or all.
9
+
If registry credentials are provided they will be used for authentication.
10
+
Use --type to limit the cleanup to signatures, attestations, SBOMs, or all.
description: "Reference for devguard-scanner container-scanning: Scan a container image for vulnerabilities. The image must either be a tar file (--path) or be available."
description: "Reference for devguard-scanner container-scanning: Scan a container image for vulnerabilities. The image must either be a tar file (--path) or be available."
14
-
image: "/og-image.png"
15
-
type: "article"
16
-
schema:
17
-
type: "TechArticle"
18
-
robots: "index,follow"
19
-
ignoreChecks:
20
-
- "checkIfKeywordDensityInRange"
21
-
- "checkIfMinimumInternalLinks"
22
-
- "checkIfHeadingContainsKeywordPrimary"
23
-
- "checkIfTitleContainsKeywordPrimary"
24
-
- "checkIfHeadingOrderCorrect"
25
-
---
26
-
27
1
## container-scanning
28
2
29
3
Software composition analysis of a container image
--image string OCI image reference to scan (e.g. ghcr.io/org/image:tag). If empty, --path or the first argument may be used to provide a tar or local files.
68
42
--isTag If the current git reference is a tag. If not specified, it will check if the current directory is a git repo. If it isn't, it will be set to false.
69
43
--keepOriginalSbomRootComponent Use this flag if you get software from a supplier and you want to identify vulnerabilities in the root component itself, not only in the dependencies
44
+
--noWrite Run the scan and display results (including VEX/false-positive assessments) without persisting anything to DevGuard.
70
45
--origin string Origin of the SBOM (how it was generated). Examples: 'source-scanning', 'container-scanning', 'base-image'. Default: 'container-scanning'. (default "DEFAULT")
46
+
--output string Output format for scan results. Options: 'table' (default), 'cyclonedx' (CycloneDX VEX JSON). (default "table")
71
47
--path string Path to a tar file or directory containing the container image to scan. If empty, --image must be provided or an argument.
72
48
--ref string The git reference to use. This can be a branch, tag, or commit hash. If not specified, it will first check fora git repositoryin the current directory. If not found, it will just use main.
73
49
--timeout int Set the timeout forscanner operationsin seconds (default 300)
description: "Reference for devguard-scanner curl: Make HTTP requests with DevGuard Personal Access Token signing. This command provides curl-compatible syntax while."
description: "Reference for devguard-scanner curl: Make HTTP requests with DevGuard Personal Access Token signing. This command provides curl-compatible syntax while."
14
-
image: "/og-image.png"
15
-
type: "article"
16
-
schema:
17
-
type: "TechArticle"
18
-
robots: "index,follow"
19
-
ignoreChecks:
20
-
- "checkIfKeywordDensityInRange"
21
-
- "checkIfMinimumInternalLinks"
22
-
- "checkIfHeadingContainsKeywordPrimary"
23
-
- "checkIfTitleContainsKeywordPrimary"
24
-
- "checkIfHeadingOrderCorrect"
25
-
---
26
-
27
1
## curl
28
2
29
3
Make HTTP requests with DevGuard PAT signing (curl-compatible)
description: "Reference for devguard-scanner devguard-scanner: Secure your Software Supply Chain DevGuard Scanner is a small CLI to help generate, sign and upload SBOMs."
description: "Reference for devguard-scanner devguard-scanner: Secure your Software Supply Chain DevGuard Scanner is a small CLI to help generate, sign and upload SBOMs."
0 commit comments