Skip to content

Commit a6ad429

Browse files
committed
updates scanner reference
1 parent 9404d4f commit a6ad429

35 files changed

Lines changed: 396 additions & 912 deletions

src/pages/reference/scanner/attest.md

Lines changed: 20 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -1,44 +1,28 @@
1-
---
2-
title: "devguard-scanner attest — DevGuard CLI Reference"
3-
description: "Reference for devguard-scanner attest: Create and upload an attestation for an OCI image or a local predicate file. The first argument is a path to a local."
4-
seo:
5-
keyword_primary: "devguard-scanner attest"
6-
keywords_secondary:
7-
- "DevGuard CLI"
8-
- "devguard-scanner commands"
9-
- "DevGuard security scanner"
10-
lang: "en-US"
11-
og:
12-
title: "devguard-scanner attest — DevGuard CLI Reference"
13-
description: "Reference for devguard-scanner attest: Create and upload an attestation for an OCI image or a local predicate file. The first argument is a path to a local."
14-
image: "/og-image.png"
15-
type: "article"
16-
schema:
17-
type: "TechArticle"
18-
robots: "index,follow"
19-
ignoreChecks:
20-
- "checkIfKeywordDensityInRange"
21-
- "checkIfMinimumInternalLinks"
22-
- "checkIfHeadingContainsKeywordPrimary"
23-
- "checkIfTitleContainsKeywordPrimary"
24-
- "checkIfHeadingOrderCorrect"
25-
---
26-
271
## attest
282

293
Create and upload an attestation for an image or artifact
304

315
### Synopsis
326

33-
Create and upload an attestation for an OCI image or a local predicate file.
7+
Attach a signed metadata document (called a "predicate") to a container image or artifact.
8+
9+
Attestations answer the question "how was this artifact produced?" by associating it with
10+
verifiable metadata. The --predicateType flag identifies what kind of metadata it is. Downstream
11+
consumers (e.g. 'devguard-scanner attestations --policy ...') match attestations by predicate type,
12+
so the value must match exactly what the consumer expects.
3413

35-
The first argument is a path to a local predicate JSON file that will be used as
36-
the attestation payload. Optionally provide a container image reference as the
37-
second argument to attach the attestation to that image.
14+
Official predicate types are maintained at:
15+
https://github.com/in-toto/attestation/tree/main/spec/predicates
3816

39-
This command validates the predicate file exists, signs the upload using the
40-
configured token, and sends it to the DevGuard backend. The HTTP header
41-
X-Predicate-Type is populated from the --predicateType flag (required).
17+
Common ones used with DevGuard:
18+
https://cyclonedx.org/bom CycloneDX SBOM
19+
https://cyclonedx.org/vex CycloneDX VEX (vulnerability exceptions)
20+
https://slsa.dev/provenance/v1 SLSA build provenance
21+
https://in-toto.io/attestation/release/v0.1 DevGuard release attestation
22+
23+
The first argument is a path to a local predicate JSON file. Pass "-" to read from stdin.
24+
Optionally provide a container image reference as the second argument to also attach the
25+
attestation directly to the image in the OCI registry using cosign.
4226

4327
```shell
4428
devguard-scanner attest <predicate> [container-image] [flags]
@@ -53,6 +37,9 @@ devguard-scanner attest <predicate> [container-image] [flags]
5337
# Attest with SLSA provenance
5438
devguard-scanner attest provenance.json ghcr.io/org/image:tag --predicateType https://slsa.dev/provenance/v1
5539

40+
# Pipe curl output directly into attest (no shell needed)
41+
devguard-scanner curl https://api.example.com/sbom.json --token=... | devguard-scanner attest - ghcr.io/org/image:tag --predicateType https://cyclonedx.org/bom
42+
5643
# Upload attestation without attaching to an image
5744
devguard-scanner attest predicate.json --predicateType https://example.com/custom/v1
5845
```

src/pages/reference/scanner/attestations.md

Lines changed: 36 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -1,38 +1,39 @@
1-
---
2-
title: "devguard-scanner attestations — DevGuard CLI Reference"
3-
description: "Reference for devguard-scanner attestations: Retrieve and validate security attestations for container images used in Helm charts or other deployment."
4-
seo:
5-
keyword_primary: "devguard-scanner attestations"
6-
keywords_secondary:
7-
- "DevGuard CLI"
8-
- "devguard-scanner commands"
9-
- "DevGuard security scanner"
10-
lang: "en-US"
11-
og:
12-
title: "devguard-scanner attestations — DevGuard CLI Reference"
13-
description: "Reference for devguard-scanner attestations: Retrieve and validate security attestations for container images used in Helm charts or other deployment."
14-
image: "/og-image.png"
15-
type: "article"
16-
schema:
17-
type: "TechArticle"
18-
robots: "index,follow"
19-
ignoreChecks:
20-
- "checkIfKeywordDensityInRange"
21-
- "checkIfMinimumInternalLinks"
22-
- "checkIfHeadingContainsKeywordPrimary"
23-
- "checkIfTitleContainsKeywordPrimary"
24-
- "checkIfHeadingOrderCorrect"
25-
---
26-
271
## attestations
282

293
Discover attestations for an image and optionally evaluate a rego policy
304

315
### Synopsis
326

33-
Retrieve and validate security attestations for container images used in Helm charts or other deployment workflows.
7+
Retrieve all attestations (metadata documents) attached to a container image and optionally evaluate them against a Rego policy.
8+
9+
Attestations are documents attached to the image during its build pipeline — for example an SBOM,
10+
a VEX document (vulnerability exceptions), or SARIF security scan results. Each attestation has a
11+
predicate type (a URI) that identifies its kind. The policy receives all discovered attestations
12+
and can match against specific predicate types to check that required metadata is present.
13+
14+
Example Rego policy that requires an SBOM and a VEX document:
15+
16+
package devguard
17+
18+
import future.keywords.if
19+
import future.keywords.in
20+
21+
deny[msg] if {
22+
not has_attestation("https://cyclonedx.org/bom")
23+
msg := "Image is missing a CycloneDX SBOM attestation"
24+
}
25+
26+
deny[msg] if {
27+
not has_attestation("https://cyclonedx.org/vex")
28+
msg := "Image is missing a VEX document"
29+
}
30+
31+
has_attestation(predicate_type) if {
32+
some att in input.attestations
33+
att.predicateType == predicate_type
34+
}
3435

35-
It automates what is normally a manual, time-consuming process of verifying that each image is properly hardened and accompanied by essential metadata such as SBOM, VEX, and SARIF.
36+
The command exits with code 1 if any deny rule fires — making it suitable as a deployment gate.
3637

3738
```shell
3839
devguard-scanner attestations <oci@SHA> [flags]
@@ -41,14 +42,14 @@ devguard-scanner attestations <oci@SHA> [flags]
4142
### Examples
4243

4344
```shell
44-
# Discover attestations for an image
45+
# List all attestations attached to an image
4546
devguard-scanner attestations ghcr.io/org/image:tag
4647

47-
# Evaluate against a rego policy
48-
devguard-scanner attestations ghcr.io/org/image:tag --policy path/to/file.rego
48+
# Evaluate against a Rego policy (exits 1 if policy fails)
49+
devguard-scanner attestations ghcr.io/org/image:tag --policy policy.rego
4950

50-
# Save policy evaluation results as SARIF
51-
devguard-scanner attestations ghcr.io/org/image:tag --policy path/to/file.rego --outputPath report.sarif.json
51+
# Save evaluation results as SARIF for upload to DevGuard
52+
devguard-scanner attestations ghcr.io/org/image:tag --policy policy.rego --format sarif --outputPath report.sarif.json
5253
```
5354

5455
### Options
@@ -57,9 +58,10 @@ devguard-scanner attestations <oci@SHA> [flags]
5758
--apiUrl string The url of the API to send the scan request to (default "https://api.devguard.org")
5859
--assetName string The id of the asset which is scanned
5960
--defaultRef string The default git reference to use. This can be a branch, tag, or commit hash. If not specified, it will check, if the current directory is a git repo. If it isn't, --ref will be used.
61+
--format string Format of the report to generate (plain, sarif). Default is plain (default "plain")
6062
-h, --help help for attestations
6163
--isTag If the current git reference is a tag. If not specified, it will check if the current directory is a git repo. If it isn't, it will be set to false.
62-
--outputPath string Path to save the generated SARIF report. If not provided, the report is only printed.
64+
--outputPath string Path to save the generated report. If not provided, the report is only printed.
6365
-p, --policy string check the images attestations against policy
6466
--ref string The git reference to use. This can be a branch, tag, or commit hash. If not specified, it will first check for a git repository in the current directory. If not found, it will just use main.
6567
--token string The personal access token to authenticate the request
Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,39 @@
1+
## auth
2+
3+
Verify a DevGuard token and store it in the system keyring
4+
5+
### Synopsis
6+
7+
Verify a DevGuard personal access token and store it in the OS keyring so you do not have to
8+
pass --token on every command.
9+
10+
This is the recommended setup for developer machines and git hooks. In CI pipelines, prefer the
11+
DEVGUARD_TOKEN environment variable instead so the token is not written to disk.
12+
13+
Once stored, all devguard-scanner commands will automatically pick up the token from the keyring.
14+
15+
```shell
16+
devguard-scanner auth [flags]
17+
```
18+
19+
### Examples
20+
21+
```shell
22+
# One-time setup on a developer machine
23+
devguard-scanner auth --token <hex-token> --assetName org/project/asset --apiUrl https://api.devguard.org
24+
```
25+
26+
### Options
27+
28+
```shell
29+
--apiUrl string The url of the API to send the scan request to (default "https://api.devguard.org")
30+
--assetName string The id of the asset which is scanned (required)
31+
-h, --help help for auth
32+
--token string The personal access token to authenticate the request (required)
33+
```
34+
35+
### Options inherited from parent commands
36+
37+
```shell
38+
-l, --logLevel string Set the log level. Options: debug, info, warn, error (default "info")
39+
```

src/pages/reference/scanner/clean.md

Lines changed: 5 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -1,44 +1,16 @@
1-
---
2-
title: "devguard-scanner clean — DevGuard CLI Reference"
3-
description: "Reference for devguard-scanner clean: Run cosign remove on an image or signature object to clean attestations/signatures. This command wraps the cosign CLI."
4-
seo:
5-
keyword_primary: "devguard-scanner clean"
6-
keywords_secondary:
7-
- "DevGuard CLI"
8-
- "devguard-scanner commands"
9-
- "DevGuard security scanner"
10-
lang: "en-US"
11-
og:
12-
title: "devguard-scanner clean — DevGuard CLI Reference"
13-
description: "Reference for devguard-scanner clean: Run cosign remove on an image or signature object to clean attestations/signatures. This command wraps the cosign CLI."
14-
image: "/og-image.png"
15-
type: "article"
16-
schema:
17-
type: "TechArticle"
18-
robots: "index,follow"
19-
ignoreChecks:
20-
- "checkIfKeywordDensityInRange"
21-
- "checkIfMinimumInternalLinks"
22-
- "checkIfHeadingContainsKeywordPrimary"
23-
- "checkIfTitleContainsKeywordPrimary"
24-
- "checkIfHeadingOrderCorrect"
25-
---
26-
271
## clean
282

29-
Remove attestations or signatures using cosign
3+
Remove attestations or signatures from an OCI image
304

315
### Synopsis
326

33-
Run cosign remove on an image or signature object to clean attestations/signatures.
7+
Remove attestations and/or signatures from an OCI image.
348

35-
This command wraps the cosign CLI. If registry credentials are provided they will
36-
be used for authentication. The command converts your configured token into a key
37-
and uses it where appropriate. Use --type to limit the cleanup to signatures,
38-
attestations, SBOMs, or all.
9+
If registry credentials are provided they will be used for authentication.
10+
Use --type to limit the cleanup to signatures, attestations, SBOMs, or all.
3911

4012
```shell
41-
devguard-scanner clean <image | signature-file> [flags]
13+
devguard-scanner clean <image> [flags]
4214
```
4315

4416
### Examples

src/pages/reference/scanner/container-scanning.md

Lines changed: 2 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,29 +1,3 @@
1-
---
2-
title: "devguard-scanner container-scanning — DevGuard CLI Reference"
3-
description: "Reference for devguard-scanner container-scanning: Scan a container image for vulnerabilities. The image must either be a tar file (--path) or be available."
4-
seo:
5-
keyword_primary: "devguard-scanner container-scanning"
6-
keywords_secondary:
7-
- "DevGuard CLI"
8-
- "devguard-scanner commands"
9-
- "DevGuard security scanner"
10-
lang: "en-US"
11-
og:
12-
title: "devguard-scanner container-scanning — DevGuard CLI Reference"
13-
description: "Reference for devguard-scanner container-scanning: Scan a container image for vulnerabilities. The image must either be a tar file (--path) or be available."
14-
image: "/og-image.png"
15-
type: "article"
16-
schema:
17-
type: "TechArticle"
18-
robots: "index,follow"
19-
ignoreChecks:
20-
- "checkIfKeywordDensityInRange"
21-
- "checkIfMinimumInternalLinks"
22-
- "checkIfHeadingContainsKeywordPrimary"
23-
- "checkIfTitleContainsKeywordPrimary"
24-
- "checkIfHeadingOrderCorrect"
25-
---
26-
271
## container-scanning
282

293
Software composition analysis of a container image
@@ -67,7 +41,9 @@ devguard-scanner container-scanning [flags]
6741
--image string OCI image reference to scan (e.g. ghcr.io/org/image:tag). If empty, --path or the first argument may be used to provide a tar or local files.
6842
--isTag If the current git reference is a tag. If not specified, it will check if the current directory is a git repo. If it isn't, it will be set to false.
6943
--keepOriginalSbomRootComponent Use this flag if you get software from a supplier and you want to identify vulnerabilities in the root component itself, not only in the dependencies
44+
--noWrite Run the scan and display results (including VEX/false-positive assessments) without persisting anything to DevGuard.
7045
--origin string Origin of the SBOM (how it was generated). Examples: 'source-scanning', 'container-scanning', 'base-image'. Default: 'container-scanning'. (default "DEFAULT")
46+
--output string Output format for scan results. Options: 'table' (default), 'cyclonedx' (CycloneDX VEX JSON). (default "table")
7147
--path string Path to a tar file or directory containing the container image to scan. If empty, --image must be provided or an argument.
7248
--ref string The git reference to use. This can be a branch, tag, or commit hash. If not specified, it will first check for a git repository in the current directory. If not found, it will just use main.
7349
--timeout int Set the timeout for scanner operations in seconds (default 300)

src/pages/reference/scanner/curl.md

Lines changed: 0 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,29 +1,3 @@
1-
---
2-
title: "devguard-scanner curl — DevGuard CLI Reference"
3-
description: "Reference for devguard-scanner curl: Make HTTP requests with DevGuard Personal Access Token signing. This command provides curl-compatible syntax while."
4-
seo:
5-
keyword_primary: "devguard-scanner curl"
6-
keywords_secondary:
7-
- "DevGuard CLI"
8-
- "devguard-scanner commands"
9-
- "DevGuard security scanner"
10-
lang: "en-US"
11-
og:
12-
title: "devguard-scanner curl — DevGuard CLI Reference"
13-
description: "Reference for devguard-scanner curl: Make HTTP requests with DevGuard Personal Access Token signing. This command provides curl-compatible syntax while."
14-
image: "/og-image.png"
15-
type: "article"
16-
schema:
17-
type: "TechArticle"
18-
robots: "index,follow"
19-
ignoreChecks:
20-
- "checkIfKeywordDensityInRange"
21-
- "checkIfMinimumInternalLinks"
22-
- "checkIfHeadingContainsKeywordPrimary"
23-
- "checkIfTitleContainsKeywordPrimary"
24-
- "checkIfHeadingOrderCorrect"
25-
---
26-
271
## curl
282

293
Make HTTP requests with DevGuard PAT signing (curl-compatible)

src/pages/reference/scanner/devguard-scanner.md

Lines changed: 0 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,29 +1,3 @@
1-
---
2-
title: "devguard-scanner devguard-scanner — DevGuard CLI Reference"
3-
description: "Reference for devguard-scanner devguard-scanner: Secure your Software Supply Chain DevGuard Scanner is a small CLI to help generate, sign and upload SBOMs."
4-
seo:
5-
keyword_primary: "devguard-scanner devguard-scanner"
6-
keywords_secondary:
7-
- "DevGuard CLI"
8-
- "devguard-scanner commands"
9-
- "DevGuard security scanner"
10-
lang: "en-US"
11-
og:
12-
title: "devguard-scanner devguard-scanner — DevGuard CLI Reference"
13-
description: "Reference for devguard-scanner devguard-scanner: Secure your Software Supply Chain DevGuard Scanner is a small CLI to help generate, sign and upload SBOMs."
14-
image: "/og-image.png"
15-
type: "article"
16-
schema:
17-
type: "TechArticle"
18-
robots: "index,follow"
19-
ignoreChecks:
20-
- "checkIfKeywordDensityInRange"
21-
- "checkIfMinimumInternalLinks"
22-
- "checkIfHeadingContainsKeywordPrimary"
23-
- "checkIfTitleContainsKeywordPrimary"
24-
- "checkIfHeadingOrderCorrect"
25-
---
26-
271
## devguard-scanner
282

293
Secure your Software Supply Chain

0 commit comments

Comments
 (0)