diff --git a/docs/integrating-scribe/admission-controller/kyverno.md b/docs/integrating-scribe/admission-controller/kyverno.md index 7892233b6..24ec04eda 100644 --- a/docs/integrating-scribe/admission-controller/kyverno.md +++ b/docs/integrating-scribe/admission-controller/kyverno.md @@ -6,59 +6,101 @@ toc_min_heading_level: 2 toc_max_heading_level: 5 --- -**[Kyverno](https://https://github.com/kyverno/kyverno)** is an open source policy engine designed for kubernetes. Valint integrates with the Kyverno **[verify-images](https://kyverno.io/docs/writing-policies/verify-images/)** rule; Kyverno can enforce policies requiring the use of signed images, and ```valint``` can be used to generate the required attestations that include the image signature. +### **Introduction** -### Sigstore Keyless admission +[Kyverno](https://github.com/kyverno/kyverno) is an open-source policy engine designed for Kubernetes. It supports the **[verify-images](https://kyverno.io/docs/writing-policies/verify-images/)** rule, which enforces signed image usage policies. Valint integrates seamlessly with Kyverno, enabling users to generate required attestations, such as image signatures, to comply with these policies. -Use Kyverno keyless flow to verify the attestation (see also **[kyverno verify-images](https://kyverno.io/docs/writing-policies/verify-images/sigstore/#verifying-image-signatures)**) +### Step 1: Evidence Generation in an OCI Store -```yaml -# Generate SLSA Provenance attestation -valint slsa my_account/my_image:latest -o attest -f --oci +To generate signed attestations using Valint, the OCI store must be enabled with the `--oci` flag. + +> Learn about alternative evidence storage options in our **[documentation](https://scribe-security.netlify.app/docs/integrating-scribe/other-evidence-stores)**. + + +```bash +# Generate Evidence attestation +valint [bom,slsa] image -o attest --oci [--oci-repo repo] +``` + +- **Optional Flag**: `--oci-repo` specifies a central location for storing evidence. +- **Kyverno Integration**: When using `--oci-repo`, evidence is stored under `/container`. Configure the `repository` field in the Kyverno rule to reference this location. + +#### **Example** + +```bash +valint my_account/my_image:latest -o attest --oci --oci-repo my_account/evidence --provenance +``` + +This command generates both SBOM and SLSA provenance and attaches them to the OCI store. +--- + +### Step 2 **Sanity check with Valint and OCI Store** [Optional] + +Use Valint to verify attestations or validate them against specific Kyverno policies. + +```bash +# Verify Cyclonedx or Provenance attestation +valint verify [image] -i [attest, attest-slsa] --oci [--oci-repo evidence_repo] +``` +## Step 3 **Setting Kyverno `verifyImages` Rules** + +For detailed guidance on setting up Kyverno to verify image signatures, refer to the official **[Kyverno Verify Images documentation](https://kyverno.io/docs/writing-policies/verify-images/sigstore/#verifying-image-signatures)**. + +### **Sigstore Keyless Admission Example** + +If you’re using Sigstore for signing, here’s an example configuration: + +```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: check-image-keyless + name: check-image-keyless spec: - validationFailureAction: Enforce - webhookTimeoutSeconds: 30 - rules: - - name: check-slsa-image-keyless - match: - any: - - resources: - kinds: - - Pod - verifyImages: - - imageReferences: - - "my_account/my_image*" - attestations: - - predicateType: https://slsa.dev/provenance/v1 - attestors: - - entries: - - keyless: - subject: name@example.com - issuer: https://accounts.example.com - rekor: - url: https://rekor.sigstore.dev + validationFailureAction: Enforce + webhookTimeoutSeconds: 30 + rules: + - name: check-slsa-image-keyless + match: + any: + - resources: + kinds: + - Pod + verifyImages: + - imageReferences: + - "my_account/my_image*" + # `repository` optional field expected in `[evidence-repo]/container` format + repository: "my_account/evidence/container" + attestations: + # - predicateType: https://cyclonedx.org/bom/v1.5 + - predicateType: https://slsa.dev/provenance/v1 + attestors: + - entries: + - keyless: + subject: name@example.com + issuer: https://accounts.example.com + rekor: + url: https://rekor.sigstore.dev ``` -### Verifying using X509 Keys +### **X509 Key-Based Verification** -Use Kyverno X509 flow to verify the attestation (see also **[kyverno verify-images](https://kyverno.io/docs/writing-policies/verify-images/sigstore/#verifying-image-signatures)**) +Generate SLSA and Cyclonedx attestations signed with X509 certificates using the following command: -```yaml -# Generate SLSA Provenance attestation -valint slsa my_account/my_image:latest -o attest -f --oci \ +```bash +valint [slsa,bom] my_account/my_image:latest -o attest -f --oci \ --attest.default x509 \ --cert cert.pem \ --ca ca-chain.cert.pem \ --key key.pem ``` -### Certificate example +### **Certificate-Based Kyverno Example** + +Here’s an example policy for verifying X509-signed attestations: + +```yaml ```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -77,7 +119,10 @@ spec: verifyImages: - imageReferences: - "my_account/my_image*" + # `repository` optional field expected in `[evidence-repo]/container` format + repository: "my_account/evidence/container" attestations: + # - predicateType: https://cyclonedx.org/bom/v1.5 - predicateType: https://slsa.dev/provenance/v1 attestors: - entries: @@ -154,8 +199,6 @@ spec: -----END CERTIFICATE----- ``` -An explicit `cert` field is not required because Valint attaches certificate to its attestations. - #### X509 Certificate Constraints​ * Certificate must include a **[Subject Alternate Name](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6)** extension. diff --git a/docs/integrating-scribe/ci-integrations/github/action-bom.md b/docs/integrating-scribe/ci-integrations/github/action-bom.md index 8604ef41c..d723e188b 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-bom.md +++ b/docs/integrating-scribe/ci-integrations/github/action-bom.md @@ -169,7 +169,7 @@ To overcome the limitation install tool directly - **[installer](https://github. Containerized action can be used on Linux runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-bom@v1.5.12 + uses: scribe-security/action-bom@v1.5.14 with: target: 'busybox:latest' ``` @@ -177,7 +177,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-bom-cli@v1.5.12 + uses: scribe-security/action-bom-cli@v1.5.14 with: target: 'hello-world:latest' ``` diff --git a/docs/integrating-scribe/ci-integrations/github/action-evidence.md b/docs/integrating-scribe/ci-integrations/github/action-evidence.md index fcb8874db..66c3988c5 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-evidence.md +++ b/docs/integrating-scribe/ci-integrations/github/action-evidence.md @@ -136,7 +136,7 @@ The `valint evidence` action is a versatile action designed to include various t Containerized action can be used on Linux runners as following ```yaml - name: Include evidence derived from a file - uses: scribe-security/action-evidence@v1.5.12 + uses: scribe-security/action-evidence@v1.5.14 with: target: some_file.json ``` @@ -144,7 +144,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Include evidence derived from a file - uses: scribe-security/action-evidence-cli@v1.5.12 + uses: scribe-security/action-evidence-cli@v1.5.14 with: target: some_file.json ``` diff --git a/docs/integrating-scribe/ci-integrations/github/action-slsa.md b/docs/integrating-scribe/ci-integrations/github/action-slsa.md index 197cba4c0..d3339ffdd 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-slsa.md +++ b/docs/integrating-scribe/ci-integrations/github/action-slsa.md @@ -155,7 +155,7 @@ To overcome the limitation install tool directly - [installer](https://github.co Containerized action can be used on Linux runners as following ```yaml - name: Generate SLSA provenance - uses: scribe-security/action-slsa@v1.5.12 + uses: scribe-security/action-slsa@v1.5.14 with: target: 'busybox:latest' ``` @@ -163,7 +163,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-slsa-cli@v1.5.12 + uses: scribe-security/action-slsa-cli@v1.5.14 with: target: 'hello-world:latest' ``` diff --git a/docs/integrating-scribe/ci-integrations/github/action-verify.md b/docs/integrating-scribe/ci-integrations/github/action-verify.md index 0dc9b327c..55811cc5b 100644 --- a/docs/integrating-scribe/ci-integrations/github/action-verify.md +++ b/docs/integrating-scribe/ci-integrations/github/action-verify.md @@ -163,7 +163,7 @@ Containerized action can be used on Linux runners as following ```yaml - name: valint verify id: valint_verify - uses: scribe-security/action-verify@v1.5.12 + uses: scribe-security/action-verify@v1.5.14 with: target: 'busybox:latest' ``` @@ -171,7 +171,7 @@ Containerized action can be used on Linux runners as following Composite Action can be used on Linux or Windows runners as following ```yaml - name: Generate cyclonedx json SBOM - uses: scribe-security/action-verify-cli@v1.5.12 + uses: scribe-security/action-verify-cli@v1.5.14 with: target: 'hello-world:latest' ``` diff --git a/docs/integrating-scribe/other-evidence-stores.md b/docs/integrating-scribe/other-evidence-stores.md index 491fad2f3..212163b60 100644 --- a/docs/integrating-scribe/other-evidence-stores.md +++ b/docs/integrating-scribe/other-evidence-stores.md @@ -6,60 +6,81 @@ toc_min_heading_level: 2 toc_max_heading_level: 5 --- -### OCI Evidence store +### OCI Evidence Store -In standalone deployments or other cases when you don’t want to connect your SDLC with Scribe Hub, you can use an OCI registry to store and retrieve evidence. This allows you to store evidence from your CI pipeline and retrieve it at the point of admission control into your Kubernetes cluster. +In standalone deployments or scenarios where connecting your SDLC with Scribe Hub is not desired, you can leverage an OCI registry to store and retrieve evidence. This setup enables evidence storage from your CI pipeline and retrieval during admission control in a Kubernetes cluster. #### Flags -* `--oci` Enable OCI store -* `--oci-repo` Evidence store location -`oci-repo` setting indicates the location in a registry under which the evidence is stored. It must be a dedicated location in an OCI registry. for example, ```scribesecuriy.jfrog.io/my_docker-registry/evidence```. +* `--oci`: Enables the use of an OCI evidence store. +* `--oci-repo`: Specifies the registry location for evidence storage. + The `oci-repo` value defines the dedicated location within an OCI registry for storing evidence. For example: `scribesecurity.jfrog.io/my_docker-registry/evidence`. -:::note -Docker Hub does not support the subpath format, `oci-repo` should be set to your Docker hub Username. +:::note +Docker Hub does not support subpath formats. When using Docker Hub, set `oci-repo` to your Docker Hub username. ::: -Some registries such as Artifactory allow multi-layer format for repo names such as, -```my_org.jfrog.io/policies/attestations``` +Some registries, such as Artifactory, support multi-layer repository names. For example: +`my_org.jfrog.io/policies/attestations` -#### Before you begin​ -Evidence can be stored in any accessible registry. -* Write access is required for upload (generate). -* Read access is required for download (verify). -You must first log in with the required access privileges to your registry before calling Valint. For example, using the `docker login` command. +#### Evidence Storage + +Evidence is stored in the specified `oci-repo` location with suffixes based on the asset type: +- **Image assets**: `container` +- **Git assets**: `git` +- **Directory assets**: `directory` +- **Generic assets**: `generic` + +If no `oci-repo` is provided, evidence will be stored alongside the image. For additional details, see [Cosign Signed Container Images](https://blog.sigstore.dev/cosign-signed-container-images-c1016862618/). + +#### Before You Begin + +Ensure the registry you plan to use is accessible: +* **Write access** is required to upload (generate) evidence. +* **Read access** is required to download (verify) evidence. + +You must log in to your registry with appropriate privileges before executing Valint commands. For example, you can use the `docker login` command. #### Usage -``` -# Generating evidence, storing on [my_repo] OCI repo. -valint slsa [target] -o [attest, statement] --oci --oci-repo=[my_repo] -# Verifying evidence, pulling attestation from [my_repo] OCI repo. -valint verify [target] -i [attest-slsa, statement-slsa] --oci --oci-repo=[my_repo] -``` -For image targets only you may attach the evidence in the same repo as the image. +```bash +# Generating evidence and storing it in the [my_repo] OCI repository +valint [bom, slsa] [target] -o [attest, statement] --oci --oci-repo=[my_repo] + +# Verifying evidence by retrieving it from the [my_repo] OCI repository +valint verify [target] -i [attest, attest-slsa, attest-generic, statement-slsa] --oci --oci-repo=[my_repo] ``` -valint slsa [image] -o [attest, statement] --oci + +For image targets, you can store evidence directly in the same repository as the image: + +```bash +valint [bom, slsa] [image] -o [attest, statement] --oci valint verify [image] -i [attest-slsa, statement-slsa] --oci ``` -### Cache Evidence store -Valint supports both storage and verification flows for attestations and statement objects utilizing a local directory as an evidence store. This is the simplest form and is mainly used to cache previous evidence creation + +--- + +### Cache Evidence Store + +Valint also supports using a local directory as an evidence store for both generating and verifying attestations and statements. This is a simple option, often used for caching previously created evidence. #### Flags -* `--cache-enable` -* `--output-directory` -* `--force` -By default, this cache store is enabled. To disable use `--cache-enable=false`. + +* `--cache-enable`: Enables or disables the cache store (default is enabled). +* `--output-directory`: Specifies the local directory for storing evidence. +* `--force`: Forces overwriting existing evidence. + +To disable the cache store, use `--cache-enable=false`. #### Usage -``` -# Generating evidence, storing on [my_dir] local directory. -valint slsa [target] -o [attest, statement] --output-directory=[my_dir] -# Verifying evidence, pulling attestation from [my_dir] local directory. +```bash +# Generating evidence and storing it in the [my_dir] local directory +valint [bom, slsa] [target] -o [attest, statement] --output-directory=[my_dir] + +# Verifying evidence by retrieving it from the [my_dir] local directory valint verify [target] -i [attest-slsa, statement-slsa] --output-directory=[my_dir] ``` -By default, the evidence is written to `~/.cache/valint/`, use `--output-file`, `-d`, or `--output-directory` to customize the evidence output location. - +By default, evidence is stored in `~/.cache/valint/`. You can customize the output location using options like `--output-file`, `-d`, or `--output-directory`. \ No newline at end of file diff --git a/docs/platforms/bom.md b/docs/platforms/bom.md index aaf78bd36..50c703150 100644 --- a/docs/platforms/bom.md +++ b/docs/platforms/bom.md @@ -67,7 +67,7 @@ options: --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x7fab0c19f100>, default: []) + --valint.label LABEL Set additional labels (type: at 0x7f2934ecf420>, default: []) --unique Allow unique assets (default: False) subcommands: @@ -148,10 +148,12 @@ Note that the image characterization string is a wildcarded string, some useful usage: platforms [options] bom [options] dockerhub [-h] [--instance INSTANCE] [--default_product_key_strategy {namespace,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] - [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]] - [--image.mapping [MAPPING ...]] + [--scope.repository [REPOSITORY ...]] + [--scope.repository_tags [REPOSITORY_TAGS ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.namespace [NAMESPACE ...]] [--image.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -173,8 +175,8 @@ options: --scope.namespace [NAMESPACE ...] Dockerhub namespaces (default: ['*']) --image.mapping [MAPPING ...] - Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Image product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) ``` @@ -223,8 +225,9 @@ Note that the image characterization string is a wildcarded string, with separat usage: platforms [options] bom [options] k8s [-h] [--instance INSTANCE] [--types {namespace,pod,all}] [--default_product_key_strategy {namespace,pod,image,mapping}] [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] - [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] - [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] + [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] + [--scope.image [IMAGE ...]] [--ignore-state] + [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--image.mapping [MAPPING ...]] options: @@ -300,11 +303,14 @@ Note that the image characterization string is a wildcarded string, some useful usage: platforms [options] bom [options] jfrog [-h] [--instance INSTANCE] [--default_product_key_strategy {jf-repository,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] - [--scope.jf-repository [JF_REPOSITORY ...]] [--scope.repository [REPOSITORY ...]] + [--scope.jf-repository [JF_REPOSITORY ...]] + [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--image.mapping [MAPPING ...]] + [--exclude.jf-repository [JF_REPOSITORY ...]] + [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--image.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -328,8 +334,8 @@ options: --exclude.repository_tags [REPOSITORY_TAGS ...] Jfrog tags to exclude (default: []) --image.mapping [MAPPING ...] - Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Image product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) ``` @@ -353,9 +359,10 @@ usage: platforms [options] bom [options] ecr [-h] [--instance INSTANCE] [--default_product_key_strategy {aws-account,repository,tag,mapping}] [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] - [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] - [--url URL] [--image.mapping [MAPPING ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--url URL] + [--image.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -378,8 +385,8 @@ options: ECR tags to exclude (default: []) --url URL ECR base URL (default: null) --image.mapping [MAPPING ...] - Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Image product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) ``` @@ -401,14 +408,15 @@ Note that the image characterization string is a wildcarded string, some useful --> ```bash -usage: platforms [options] bom [options] bitbucket [-h] [--instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] - [--workspace_token WORKSPACE_TOKEN] [--workspace_name WORKSPACE_NAME] --url URL - [--types {repository,all}] [--scope.workspace [WORKSPACE ...]] - [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] - [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] - [--scope.webhook [WEBHOOK ...]] [--commit.skip] - [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] +usage: platforms [options] bom [options] bitbucket [-h] [--instance INSTANCE] [--app_password APP_PASSWORD] + [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] + [--workspace WORKSPACE] [--url URL] [--types {repository,all}] + [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] + [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] + [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] + [--commit.skip] [--default_product_key_strategy {mapping}] + [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] + [--repository.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -417,22 +425,22 @@ options: BitBucket app_password (BB_PASSWORD) (default: ) --username USERNAME BitBucket username (default: null) --workspace_token WORKSPACE_TOKEN - BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and --username - (BB_WORKSPACE_TOKEN) (default: ) - --workspace_name WORKSPACE_NAME - BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and --username - (default: null) - --url URL BitBucket URL (required) + BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and + --username (BB_WORKSPACE_TOKEN) (default: ) + --workspace WORKSPACE + BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and + --username (default: ) + --url URL BitBucket URL (required, default: https://api.bitbucket.org) --types {repository,all} Specifies the type of evidence to generate, scoped by scope parameters (default: repository) --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -441,16 +449,17 @@ options: BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} - Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) + Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: + mapping) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace - name, wildcards are supported (type: AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is + the workspace name, wildcards are supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the workspace - name, wildcards are supported (type: AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the + project name, wildcards are supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository - name, wildcards are supported (type: AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the + repository name, wildcards are supported (type: AssetMappingString, default: []) ``` @@ -472,11 +481,13 @@ Note that the image characterization string is a wildcarded string, some useful --> ```bash -usage: platforms [options] bom [options] github [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] [--types {repository,all}] - [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] - [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] - [--default_product_key_strategy {mapping}] [--organization.single] [--repository.single] - [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] +usage: platforms [options] bom [options] github [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] + [--types {repository,all}] [--scope.organization [ORGANIZATION ...]] + [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] + [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] + [--default_product_key_strategy {mapping}] [--organization.single] + [--repository.single] [--organization.mapping [MAPPING ...]] + [--repository.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -488,8 +499,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -497,16 +508,17 @@ options: --branch.shallow Shallow branch discovery (default: False) --commit.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} - Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) + Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: + mapping) --organization.single Export all organizations in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization - name, wildcards are supported (type: AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the + organization name, wildcards are supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository - name, wildcards are supported (type: AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the + repository name, wildcards are supported (type: AssetMappingString, default: []) ``` @@ -530,9 +542,9 @@ Note that the image characterization string is a wildcarded string, some useful ```bash usage: platforms [options] bom [options] gitlab [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] [--types {project,all}] [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] - [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] - [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] + [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--commit.skip] + [--pipeline.skip] [--default_product_key_strategy {mapping}] + [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -544,8 +556,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -558,7 +570,7 @@ options: Organization product key mapping in the format of to organization::product_key::product_version (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Project product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) ``` diff --git a/docs/platforms/discover.md b/docs/platforms/discover.md index b462f5364..0e44e74ff 100644 --- a/docs/platforms/discover.md +++ b/docs/platforms/discover.md @@ -80,8 +80,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -128,9 +128,10 @@ usage: platforms [options] discover [options] github [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] - [--default_product_key_strategy {mapping}] [--scope.commit.past_days PAST_DAYS] - [--workflow.skip] [--scope.workflow.past_days PAST_DAYS] - [--scope.workflow.analyzed_logs] [--scope.runners] [--scope.sbom] [--broad] + [--default_product_key_strategy {mapping}] + [--scope.commit.past_days PAST_DAYS] [--workflow.skip] + [--scope.workflow.past_days PAST_DAYS] [--scope.workflow.analyzed_logs] + [--scope.runners] [--scope.sbom] [--broad] options: -h, --help Show this help message and exit. @@ -142,8 +143,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -151,7 +152,8 @@ options: --branch.shallow Shallow branch discovery (default: False) --commit.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} - Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) + Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: + mapping) --scope.commit.past_days PAST_DAYS Number of past days to include in the report (type: int, default: 30) --workflow.skip Skip workflows in evidence (default: False) @@ -183,13 +185,14 @@ DockerHub discovery samples the following assets: namespaces, repositories, and ```bash usage: platforms [options] discover [options] dockerhub [-h] [--instance INSTANCE] [--types {instance,namespace,repository,repository_tag,webhook,token,all} [{instance,namespace,repository,repository_tag,webhook,token,all} ...]] - [--username USERNAME] [--password PASSWORD] [--token TOKEN] [--url URL] - [--scope.repository [REPOSITORY ...]] + [--username USERNAME] [--password PASSWORD] [--token TOKEN] + [--url URL] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] - [--namespace-list [NAMESPACE_LIST ...]] [--scope.past_days PAST_DAYS] [--broad] + [--namespace-list [NAMESPACE_LIST ...]] [--scope.past_days PAST_DAYS] + [--broad] options: -h, --help Show this help message and exit. @@ -257,10 +260,10 @@ Kubernetes discovery samples the following asset types: namespaces, pods, and se ```bash usage: platforms [options] discover [options] k8s [-h] [--instance INSTANCE] [--types {namespace,pod,secret,deployment,all} [{namespace,pod,secret,deployment,all} ...]] - [--url URL] [--token TOKEN] [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] - [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]] - [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--secret.skip] - [--deployment.skip] [--broad] + [--url URL] [--token TOKEN] [--scope.namespace [NAMESPACE ...]] + [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] + [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] + [--exclude.image [IMAGE ...]] [--secret.skip] [--deployment.skip] [--broad] options: -h, --help Show this help message and exit. @@ -338,11 +341,13 @@ For example `my_company.jfrog.io/my_registry/my_image:latest` usage: platforms [options] discover [options] jfrog [-h] [--instance INSTANCE] [--types {jf-repository,repository,repository_tag,user,token,webhook,all} [{jf-repository,repository,repository_tag,user,token,webhook,all} ...]] [--token TOKEN] [--url URL] [--scope.jf-repository [JF_REPOSITORY ...]] - [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] + [--scope.repository [REPOSITORY ...]] + [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] - [--scope.tag_limit TAG_LIMIT] [--broad] + [--exclude.jf-repository [JF_REPOSITORY ...]] + [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] [--broad] options: -h, --help Show this help message and exit. @@ -368,8 +373,9 @@ options: --scope.past_days PAST_DAYS Ignore tags pushed earlier that previous to this number of days (type: int, default: 30) --scope.tag_limit TAG_LIMIT - Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit - applies also to the past_days filter. 0 for no limit, default is 10. (type: int, default: 10) + Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag + list. Limit applies also to the past_days filter. 0 for no limit, default is 10. (type: int, default: + 10) --broad Retrieves limited information (only jf-repositories and repositories) (default: False) ``` @@ -393,11 +399,13 @@ For example `\.dkr.ecr.us-west-2.amazonaws.com/my_image:latest` usage: platforms [options] discover [options] ecr [-h] [--instance INSTANCE] [--types {aws-account,repository,repository_tags,all} [{aws-account,repository,repository_tags,all} ...]] [--token TOKEN] [--url URL] [--scope.aws-account [AWS_ACCOUNT ...]] - [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] + [--scope.repository [REPOSITORY ...]] + [--scope.repository_tags [REPOSITORY_TAGS ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] - [--scope.tag_limit TAG_LIMIT] [--broad] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] [--broad] options: -h, --help Show this help message and exit. @@ -423,8 +431,9 @@ options: --scope.past_days PAST_DAYS Ignore tags pushed earlier that previous to this number of days (type: int, default: 30) --scope.tag_limit TAG_LIMIT - Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit - applies also to the past_days filter. 0 for no limit, default is 10. (type: int, default: 10) + Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag + list. Limit applies also to the past_days filter. 0 for no limit, default is 10. (type: int, default: + 10) --broad Retrieves limited information (only aws-account and repository) (default: False) ``` @@ -442,11 +451,11 @@ BitBucket discovery samples the following assets: workspaces, projects, reposito usage: platforms [options] discover [options] bitbucket [-h] [--instance INSTANCE] [--types {workspace,project,repository,branch,commit,authenticated_user,webhooks,repo_permission,user_permission,branch_protection,token,all} [{workspace,project,repository,branch,commit,authenticated_user,webhooks,repo_permission,user_permission,branch_protection,token,all} ...]] [--app_password APP_PASSWORD] [--username USERNAME] - [--workspace_token WORKSPACE_TOKEN] [--workspace_name WORKSPACE_NAME] --url URL - [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] - [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] - [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] - [--broad] + [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] + [--url URL] [--scope.workspace [WORKSPACE ...]] + [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] + [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--broad] options: -h, --help Show this help message and exit. @@ -457,20 +466,20 @@ options: BitBucket app_password (BB_PASSWORD) (default: ) --username USERNAME BitBucket username (default: null) --workspace_token WORKSPACE_TOKEN - BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and --username - (BB_WORKSPACE_TOKEN) (default: ) - --workspace_name WORKSPACE_NAME - BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and --username - (default: null) - --url URL BitBucket URL (required) + BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and + --username (BB_WORKSPACE_TOKEN) (default: ) + --workspace WORKSPACE + BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and + --username (default: ) + --url URL BitBucket URL (required, default: https://api.bitbucket.org) --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -492,8 +501,8 @@ Jenkins discovery samples the following assets: instance, folders, jobs, job_run --> ```bash -usage: platforms [options] discover [options] jenkins [-h] [--instance INSTANCE] [--username USERNAME] [--password PASSWORD] [--url URL] - [--broad] +usage: platforms [options] discover [options] jenkins [-h] [--instance INSTANCE] [--username USERNAME] [--password PASSWORD] + [--url URL] [--broad] [--types {all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} [{all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} ...]] [--credential_stores.skip] [--users.skip] [--plugins.skip] [--security_settings.skip] [--computer_set.skip] [--jobs.skip] @@ -519,18 +528,19 @@ options: --computer_set.skip Skip computer sets in discovery/evidence (default: False) --jobs.skip Skip jobs (default: False) --scope.folder [FOLDER ...] - Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can - include the job name in order to scope specific jobs. Wildcard is supported only as a suffix. examples: folder-a* - will discover all folders that are included in a root folder that starts with folder-a. folder-a/* will discover - all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: ['*']) + Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders + and can include the job name in order to scope specific jobs. Wildcard is supported only as a suffix. + examples: folder-a* will discover all folders that are included in a root folder that starts with + folder-a. folder-a/* will discover all folders and jobs under the root folder folder-a (type: + JenkinsFolderScope, default: ['*']) --exclude.folder [FOLDER ...] Jenkins folder/job list to exclude from discovery. Format is like the --scope.folder argument (type: JenkinsFolderScope, default: []) --scope.job_runs.past_days PAST_DAYS Number of past days to include in the job run discovery, 0 for no time limit (type: int, default: 30) --scope.job_runs.max MAX - Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in - the past_days range. 0 for no limit (type: int, default: 10) + Mam number of job runs to include in the job run discovery. This argument will limit the number of job + runs in the past_days range. 0 for no limit (type: int, default: 10) --scope.job_runs.analyzed_logs Include analyzed job run logs (default: False) --job_runs.skip Skip commits in discovery/evidence (default: False) diff --git a/docs/platforms/evidence.md b/docs/platforms/evidence.md index 8c478d5b0..7524b3c11 100644 --- a/docs/platforms/evidence.md +++ b/docs/platforms/evidence.md @@ -22,12 +22,13 @@ The evidence command uses Scribe's `valint` tool to upload the evidence and to s ```bash usage: platforms [options] evidence [-h] [--evidence.local.path PATH] [--evidence.local.prefix PREFIX] [--evidence.local_only] [--max-threads MAX_THREADS] [--valint.scribe.client-id CLIENT_ID] - [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] - [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] - [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] + [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] + [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] + [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] + [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] - [--valint.attest ATTEST] [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] - [--unique] + [--valint.attest ATTEST] [--valint.sign] [--valint.components COMPONENTS] + [--valint.label LABEL] [--unique] {gitlab,k8s,dockerhub,github,jfrog,ecr,jenkins,bitbucket} ... Export evidence data @@ -68,7 +69,7 @@ options: --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x7fd158f48720>, default: []) + --valint.label LABEL Set additional labels (type: at 0x7f9f7325ca40>, default: []) --unique Allow unique assets (default: False) subcommands: @@ -141,11 +142,12 @@ platforms evidence gitlab --organization.mapping "my-org::my-product::1.0" --pro ```bash usage: platforms [options] evidence [options] gitlab [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] - [--types {organization,project,all}] [--scope.organization [ORGANIZATION ...]] - [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] - [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] - [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] [--organization.single] [--project.single] + [--types {organization,project,all}] + [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] + [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--commit.skip] + [--pipeline.skip] [--default_product_key_strategy {mapping}] + [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] + [--organization.single] [--project.single] options: -h, --help Show this help message and exit. @@ -157,8 +159,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -171,8 +173,8 @@ options: Organization product key mapping in the format of to organization::product_key::product_version (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Project product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --organization.single Export all organizations in a single evidence (default: False) --project.single Export all projects in a single evidence (default: False) @@ -225,9 +227,10 @@ platforms evidence github --organization.mapping "my-org::my-product::1.0" --rep ```bash usage: platforms [options] evidence [options] github [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,repository,all,all}] - [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] - [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] - [--commit.skip] [--default_product_key_strategy {mapping}] [--organization.single] + [--scope.organization [ORGANIZATION ...]] + [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] + [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] + [--default_product_key_strategy {mapping}] [--organization.single] [--repository.single] [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] @@ -241,8 +244,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -250,16 +253,17 @@ options: --branch.shallow Shallow branch discovery (default: False) --commit.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} - Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) + Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: + mapping) --organization.single Export all organizations in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization - name, wildcards are supported (type: AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the + organization name, wildcards are supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository - name, wildcards are supported (type: AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the + repository name, wildcards are supported (type: AssetMappingString, default: []) ``` @@ -285,7 +289,8 @@ usage: platforms [options] evidence [options] dockerhub [-h] [--instance INSTANC [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] - [--scope.namespace [NAMESPACE ...]] [--namespace.mapping [MAPPING ...]] + [--scope.namespace [NAMESPACE ...]] + [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--token.mapping [MAPPING ...]] [--namespace.single] [--repository.single] [--default_product_key_strategy {mapping}] @@ -308,11 +313,11 @@ options: --scope.namespace [NAMESPACE ...] Dockerhub namespaces (default: ['*']) --namespace.mapping [MAPPING ...] - Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Repository product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Repository product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --token.mapping [MAPPING ...] Repository tag product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) @@ -364,12 +369,13 @@ platforms evidence k8s --namespace.mapping "my-namespace::my-product::1.0" --pod ```bash usage: platforms [options] evidence [options] k8s [-h] [--instance INSTANCE] [--types {namespace,pod,all}] - [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] - [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] + [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] + [--scope.image [IMAGE ...]] [--ignore-state] + [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] - [--default_product_key_strategy {namespace,pod,image,mapping}] [--secret.skip] - [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] - [--pod.mapping [MAPPING ...]] + [--default_product_key_strategy {namespace,pod,image,mapping}] + [--secret.skip] [--namespace.single] [--pod.single] + [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]] options: -h, --help Show this help message and exit. @@ -395,11 +401,11 @@ options: --namespace.single Export all namespaces (default: False) --pod.single Export all pods in a single evidence (default: False) --namespace.mapping [MAPPING ...] - Namespace product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Namespace product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --pod.mapping [MAPPING ...] - Pod product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: - []) + Pod product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) ``` @@ -452,12 +458,15 @@ platforms evidence jfrog --jf-repository.mapping "*::my-product::1.0" --namespac ```bash usage: platforms [options] evidence [options] ecr [-h] [--instance INSTANCE] [--types {instance,aws-account,repository,all}] - [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.aws-account [AWS_ACCOUNT ...]] + [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] - [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--aws-account.single] [--repository.single] [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}] options: @@ -480,8 +489,8 @@ options: --exclude.repository_tags [REPOSITORY_TAGS ...] ECR tags to exclude (default: []) --aws-account.mapping [MAPPING ...] - Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Repository product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --repository.mapping [MAPPING ...] Repository image_tags product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) @@ -509,12 +518,15 @@ platforms evidence ecr --repository.mapping "*my-service*::my-product::1.0" ```bash usage: platforms [options] evidence [options] ecr [-h] [--instance INSTANCE] [--types {instance,aws-account,repository,all}] - [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] + [--scope.aws-account [AWS_ACCOUNT ...]] + [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] - [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] + [--scope.image_platform [IMAGE_PLATFORM ...]] + [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] - [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--aws-account.single] [--repository.single] [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}] options: @@ -537,8 +549,8 @@ options: --exclude.repository_tags [REPOSITORY_TAGS ...] ECR tags to exclude (default: []) --aws-account.mapping [MAPPING ...] - Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Repository product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --repository.mapping [MAPPING ...] Repository image_tags product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: []) @@ -565,27 +577,29 @@ platforms evidence bitbucker --workspace.mapping "my-workspace::my-product::1.0" --> ```bash -usage: platforms [options] evidence [options] bitbucket [-h] [--instance INSTANCE] [--types {workspace,repository,all,all}] +usage: platforms [options] evidence [options] bitbucket [-h] [--instance INSTANCE] + [--types {workspace,project,repository,all,all}] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] - [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] - [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] - [--workspace.single] [--project.single] [--repository.single] + [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] + [--commit.skip] [--default_product_key_strategy {mapping}] + [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] + [--repository.mapping [MAPPING ...]] [--workspace.single] + [--project.single] [--repository.single] options: -h, --help Show this help message and exit. --instance INSTANCE BitBucket instance string (default: ) - --types {workspace,repository,all,all} + --types {workspace,project,repository,all,all} Defines which evidence to create, scoped by scope parameters (default: all) --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -594,16 +608,17 @@ options: BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} - Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping) + Determint product key by mapping. In the future - we shall support by reopsitory name too. (default: + mapping) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace - name, wildcards are supported (type: AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is + the workspace name, wildcards are supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the workspace - name, wildcards are supported (type: AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the + project name, wildcards are supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository - name, wildcards are supported (type: AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the + repository name, wildcards are supported (type: AssetMappingString, default: []) --workspace.single Export all workspaces in a single evidence (default: False) --project.single Export all projects in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) @@ -633,8 +648,8 @@ usage: platforms [options] evidence [options] jenkins [-h] [--instance INSTANCE] [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX] [--scope.job_runs.analyzed_logs] [--job_runs.skip] [--default_product_key_strategy {mapping}] - [--instance-mapping [INSTANCE_MAPPING ...]] [--folder.mapping [MAPPING ...]] - [--folder.single] + [--instance-mapping [INSTANCE_MAPPING ...]] + [--folder.mapping [MAPPING ...]] [--folder.single] options: -h, --help Show this help message and exit. @@ -650,29 +665,31 @@ options: --computer_set.skip Skip computer sets in discovery/evidence (default: False) --jobs.skip Skip jobs (default: False) --scope.folder [FOLDER ...] - Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can - include the job name in order to scope specific jobs. Wildcard is supported only as a suffix. examples: folder-a* - will discover all folders that are included in a root folder that starts with folder-a. folder-a/* will discover - all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: ['*']) + Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders + and can include the job name in order to scope specific jobs. Wildcard is supported only as a suffix. + examples: folder-a* will discover all folders that are included in a root folder that starts with + folder-a. folder-a/* will discover all folders and jobs under the root folder folder-a (type: + JenkinsFolderScope, default: ['*']) --exclude.folder [FOLDER ...] Jenkins folder/job list to exclude from discovery. Format is like the --scope.folder argument (type: JenkinsFolderScope, default: []) --scope.job_runs.past_days PAST_DAYS Number of past days to include in the job run discovery, 0 for no time limit (type: int, default: 30) --scope.job_runs.max MAX - Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in - the past_days range. 0 for no limit (type: int, default: 10) + Mam number of job runs to include in the job run discovery. This argument will limit the number of job + runs in the past_days range. 0 for no limit (type: int, default: 10) --scope.job_runs.analyzed_logs Include analyzed job run logs (default: False) --job_runs.skip Skip commits in discovery/evidence (default: False) --default_product_key_strategy {mapping} - Determint product key by mapping. In the future - we shall support by folder name too. (default: mapping) + Determint product key by mapping. In the future - we shall support by folder name too. (default: + mapping) --instance-mapping [INSTANCE_MAPPING ...] - Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: - AssetMappingString, default: []) - --folder.mapping [MAPPING ...] - Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported + Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: []) + --folder.mapping [MAPPING ...] + Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are + supported (type: AssetMappingString, default: []) --folder.single Export all repos in a single evidence (default: False) ``` diff --git a/docs/platforms/usage.md b/docs/platforms/usage.md index 41defbb62..57f34632f 100644 --- a/docs/platforms/usage.md +++ b/docs/platforms/usage.md @@ -68,8 +68,9 @@ options: -h, --help Show this help message and exit. --config CONFIG Path to a configuration file. --print_config [=flags] - Print the configuration after applying all other arguments and exit. The optional flags customizes the output and - are one or more keywords separated by comma. The supported flags are: comments, skip_default, skip_null. + Print the configuration after applying all other arguments and exit. The optional flags customizes the + output and are one or more keywords separated by comma. The supported flags are: comments, + skip_default, skip_null. --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL} Set the logging level (default: INFO) --log-file LOG_FILE Set the logging file (default: ) diff --git a/docs/platforms/verify.md b/docs/platforms/verify.md index 4ea9adac3..2e045beae 100644 --- a/docs/platforms/verify.md +++ b/docs/platforms/verify.md @@ -21,10 +21,11 @@ The recommended use of the verify command with the product-mapping capabilities; ```bash usage: platforms [options] verify [-h] [--valint.scribe.client-id CLIENT_ID] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] - [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] - [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] - [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign] - [--valint.components COMPONENTS] [--valint.label LABEL] [--unique] [--valint.bundle BUNDLE] + [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] + [--valint.bin BIN] [--valint.product-key PRODUCT_KEY] + [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] + [--valint.attest ATTEST] [--valint.sign] [--valint.components COMPONENTS] + [--valint.label LABEL] [--unique] [--valint.bundle BUNDLE] [--valint.bundle-auth BUNDLE_AUTH] [--valint.bundle-branch BUNDLE_BRANCH] [--valint.bundle-commit BUNDLE_COMMIT] [--valint.bundle-tag BUNDLE_TAG] [--allow-failures] [--max-threads MAX_THREADS] @@ -60,7 +61,7 @@ options: --valint.sign sign evidence (default: False) --valint.components COMPONENTS components list (type: str, default: ) - --valint.label LABEL Set additional labels (type: at 0x7f2cc663d080>, default: []) + --valint.label LABEL Set additional labels (type: at 0x7fc9d52013a0>, default: []) --unique Allow unique assets (default: False) --valint.bundle BUNDLE Set bundle git branch (type: str, default: ) @@ -147,12 +148,12 @@ platforms verify gitlab --organization.mapping "my-org::my-product::1.0" --proje ```bash usage: platforms [options] verify [options] gitlab [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] - [--types {organization,project,all}] [--scope.organization [ORGANIZATION ...]] - [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] - [--commit.skip] [--organization.mapping [MAPPING ...]] - [--project.mapping [MAPPING ...]] [--project.policy [POLICY ...]] - [--organization.policy [POLICY ...]] [--org-policy-skip-aggregate] - [--project-policy-skip-aggregate] + [--types {organization,project,all}] + [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] + [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--commit.skip] + [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] + [--project.policy [POLICY ...]] [--organization.policy [POLICY ...]] + [--org-policy-skip-aggregate] [--project-policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -164,8 +165,8 @@ options: --scope.organization [ORGANIZATION ...] Gitlab organization list (default: ['*']) --scope.project [PROJECT ...] - Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Gitlab branches wildcards (default: null) --scope.tag [TAG ...] @@ -175,12 +176,13 @@ options: Organization product key mapping in the format of to organization::product_key::product_version (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Project product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --project.policy [POLICY ...] Set project policy file (type: str, default: ['ct-2@discovery', 'ct-9@discovery']) --organization.policy [POLICY ...] - Set organization policy file (type: str, default: ['ct-1@discovery', 'ct-3@discovery', 'ct-4@discovery']) + Set organization policy file (type: str, default: ['ct-1@discovery', 'ct-3@discovery', + 'ct-4@discovery']) --org-policy-skip-aggregate Skip Aggregate organization policy results (default: False) --project-policy-skip-aggregate @@ -203,13 +205,14 @@ platforms verify gitlab --organization.mapping "my-org::my-product::1.0" --repos ```bash usage: platforms [options] verify [options] github [-h] [--instance INSTANCE] [--token TOKEN] [--url URL] - [--types {organization,repository,all}] [--scope.organization [ORGANIZATION ...]] + [--types {organization,repository,all}] + [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] - [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] [--organization.single] - [--repository.single] [--organization.mapping [MAPPING ...]] - [--repository.mapping [MAPPING ...]] [--repository.policy [POLICY ...]] - [--organization.policy [POLICY ...]] [--org-policy-skip-aggregate] - [--repo-policy-skip-aggregate] + [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] + [--organization.single] [--repository.single] + [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] + [--repository.policy [POLICY ...]] [--organization.policy [POLICY ...]] + [--org-policy-skip-aggregate] [--repo-policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -221,8 +224,8 @@ options: --scope.organization [ORGANIZATION ...] Github organization list (default: ['*']) --scope.repository [REPOSITORY ...] - Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.branch [BRANCH ...] Github branches wildcards (default: []) --scope.tag [TAG ...] @@ -233,11 +236,11 @@ options: Export all organizations in a single evidence (default: False) --repository.single Export all repos in a single evidence (default: False) --organization.mapping [MAPPING ...] - Organization product key mapping in the format of org::product_key::product_version where org is the organization - name, wildcards are supported (type: AssetMappingString, default: []) + Organization product key mapping in the format of org::product_key::product_version where org is the + organization name, wildcards are supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository - name, wildcards are supported (type: AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the + repository name, wildcards are supported (type: AssetMappingString, default: []) --repository.policy [POLICY ...] Set repository evidence policy file (type: str, default: []) --organization.policy [POLICY ...] @@ -300,11 +303,11 @@ options: --scope.namespace [NAMESPACE ...] Dockerhub namespaces (default: ['*']) --image.mapping [MAPPING ...] - Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Image product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --image.policy [POLICY ...] - Set image mapping policy file (type: str, default: ['ct-8@discovery', 'ct-11@discovery', 'ct-12@discovery', - 'ct-13@discovery']) + Set image mapping policy file (type: str, default: ['ct-8@discovery', 'ct-11@discovery', + 'ct-12@discovery', 'ct-13@discovery']) --policy-skip-aggregate Skip Aggregate policy results (default: False) ``` @@ -347,8 +350,9 @@ usage: platforms [options] verify [options] k8s [-h] [--instance INSTANCE] [--ur [--types {namespace,pod,cluster-images,all}] [--default_product_key_strategy {namespace,pod,image,mapping}] [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] - [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] - [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] + [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] + [--scope.image [IMAGE ...]] [--ignore-state] + [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--namespace.single] [--pod.single] [--image.mapping [MAPPING ...]] [--cluster-images.policy [POLICY ...]] [--namespace.policy [POLICY ...]] [--policy-skip-aggregate] @@ -434,12 +438,15 @@ usage: platforms [options] verify [options] jfrog [-h] [--instance INSTANCE] [-- [--types {token,repository,jf-repository,all}] [--default_product_key_strategy {jf-repository,repository,tag,mapping}] [--default_product_version_strategy {tag,short_image_id,image_id}] - [--scope.jf-repository [JF_REPOSITORY ...]] [--scope.repository [REPOSITORY ...]] + [--scope.jf-repository [JF_REPOSITORY ...]] + [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]] - [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] - [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--image.mapping [MAPPING ...]] - [--image.policy [POLICY ...]] [--policy-skip-aggregate] + [--exclude.jf-repository [JF_REPOSITORY ...]] + [--exclude.repository [REPOSITORY ...]] + [--exclude.repository_tags [REPOSITORY_TAGS ...]] + [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] + [--policy-skip-aggregate] options: -h, --help Show this help message and exit. @@ -467,11 +474,11 @@ options: --exclude.repository_tags [REPOSITORY_TAGS ...] Jfrog tags to exclude (default: []) --image.mapping [MAPPING ...] - Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, - default: []) + Image product key mapping in the format of asset::product_key::product_version (type: + AssetMappingString, default: []) --image.policy [POLICY ...] - Set image mapping policy file (type: str, default: ['ct-8@discovery', 'ct-11@discovery', 'ct-12@discovery', - 'ct-13@discovery']) + Set image mapping policy file (type: str, default: ['ct-8@discovery', 'ct-11@discovery', + 'ct-12@discovery', 'ct-13@discovery']) --policy-skip-aggregate Skip Aggregate policy results (default: False) ``` @@ -491,12 +498,14 @@ platforms verify bitbucket --workspace.mapping "my-workspace::my-product::1.0" - --> ```bash -usage: platforms [options] verify [options] bitbucket [-h] [--instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] - [--workspace_token WORKSPACE_TOKEN] [--workspace_name WORKSPACE_NAME] --url URL - [--types {workspace,project,repository,all}] [--scope.workspace [WORKSPACE ...]] - [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] - [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] - [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--workspace.mapping [MAPPING ...]] +usage: platforms [options] verify [options] bitbucket [-h] [--instance INSTANCE] [--app_password APP_PASSWORD] + [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] + [--workspace WORKSPACE] [--url URL] + [--types {workspace,project,repository,all}] + [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] + [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] + [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] + [--commit.skip] [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--repository.policy [POLICY ...]] [--project.policy [POLICY ...]] [--workspace.policy [POLICY ...]] [--org-policy-skip-aggregate] @@ -509,22 +518,22 @@ options: BitBucket app_password (BB_PASSWORD) (default: ) --username USERNAME BitBucket username (default: null) --workspace_token WORKSPACE_TOKEN - BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and --username - (BB_WORKSPACE_TOKEN) (default: ) - --workspace_name WORKSPACE_NAME - BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and --username - (default: null) - --url URL BitBucket URL (required) + BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and + --username (BB_WORKSPACE_TOKEN) (default: ) + --workspace WORKSPACE + BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and + --username (default: ) + --url URL BitBucket URL (required, default: https://api.bitbucket.org) --types {workspace,project,repository,all} Defines which evidence to validate, scoped by scope parameters (default: all) --scope.workspace [WORKSPACE ...] BitBucket workspace list (default: ['*']) --scope.project [PROJECT ...] - BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix + its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.repository [REPOSITORY ...] - BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its - namesapce in the format 'namespace / project_name' (default: ['*']) + BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a + prefix its namesapce in the format 'namespace / project_name' (default: ['*']) --scope.commit [COMMIT ...] BitBucket commit wildcards (default: []) --scope.branch [BRANCH ...] @@ -533,14 +542,14 @@ options: BitBucket webhook wildcards (default: []) --commit.skip Skip commits in discovery/evidence (default: False) --workspace.mapping [MAPPING ...] - Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace - name, wildcards are supported (type: AssetMappingString, default: []) + Workspace product key mapping in the format of workspace::product_key::product_version where org is + the workspace name, wildcards are supported (type: AssetMappingString, default: []) --project.mapping [MAPPING ...] - Project product key mapping in the format of project::product_key::product_version where org is the workspace - name, wildcards are supported (type: AssetMappingString, default: []) + Project product key mapping in the format of project::product_key::product_version where org is the + project name, wildcards are supported (type: AssetMappingString, default: []) --repository.mapping [MAPPING ...] - Repository product key mapping in the format of repo::product_key::product_version where repo is the repository - name, wildcards are supported (type: AssetMappingString, default: []) + Repository product key mapping in the format of repo::product_key::product_version where repo is the + repository name, wildcards are supported (type: AssetMappingString, default: []) --repository.policy [POLICY ...] Set repository evidence policy file (type: str, default: []) --project.policy [POLICY ...] diff --git a/docs/valint/getting-started-valint.md b/docs/valint/getting-started-valint.md index 98e3a5652..1ce99c69a 100644 --- a/docs/valint/getting-started-valint.md +++ b/docs/valint/getting-started-valint.md @@ -11,7 +11,7 @@ Valint is a tool used to manage `evidence` generation (for directories, file art Valint also enables you to **capture** any 3rd party report, scan or configuration (any file) into evidence. -> Latest Version `v1.5.12`. +> Latest Version `v1.5.14`. ### Installing Valint diff --git a/docs/valint/help/valint_diff.md b/docs/valint/help/valint_diff.md index 6aef2c536..d6cfb9900 100644 --- a/docs/valint/help/valint_diff.md +++ b/docs/valint/help/valint_diff.md @@ -49,7 +49,7 @@ global flag for all commands | -C | --context-type | CI context type, options=[jenkins github circleci local gitlab] | "local" | | -L | --label | Add Custom labels | | | -D | --level | Log depth level, options=[panic fatal error warning info debug trace] | | -| -d | --output-directory | Output directory path | "$\{XDG_CACHE_HOME\}/valint" | +| -d | --output-directory | Output directory path | "${XDG_CACHE_HOME}/valint" | | -O | --output-file | Output file name | | | -n | --product-key | Scribe Project Key | | | -q | --quiet | Suppress all logging output | | diff --git a/docs/valint/help/valint_verify.md b/docs/valint/help/valint_verify.md index 67592b2f2..e0814f8d8 100644 --- a/docs/valint/help/valint_verify.md +++ b/docs/valint/help/valint_verify.md @@ -48,6 +48,7 @@ Flags for `verify` subcommand | | --oci | Enable OCI store | | | -R | --oci-repo | Select OCI custom attestation repo | | | | --pass | Private key password | | +| | --payload | path of the decoded payload | | | | --platform | Select target platform, examples=windows/armv6, arm64 ..) | | | | --policy | Policy configuration file path (early-availability) | | | | --provenance | Create target SLSA Provenance evidence | |