diff --git a/docs/integrating-scribe/admission-controller/kyverno.md b/docs/integrating-scribe/admission-controller/kyverno.md
index 24ec04eda..6bac4c945 100644
--- a/docs/integrating-scribe/admission-controller/kyverno.md
+++ b/docs/integrating-scribe/admission-controller/kyverno.md
@@ -127,6 +127,10 @@ spec:
attestors:
- entries:
- certificates:
+ rekor:
+ ignoreTlog: true
+ ctlog:
+ ignoreSCT: true
certChain: |-
-----BEGIN CERTIFICATE-----
MIIF8jCCA9qgAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAklM
diff --git a/docs/integrating-scribe/ci-integrations/github/action-bom.md b/docs/integrating-scribe/ci-integrations/github/action-bom.md
index 9ffafb99f..d23169dc7 100644
--- a/docs/integrating-scribe/ci-integrations/github/action-bom.md
+++ b/docs/integrating-scribe/ci-integrations/github/action-bom.md
@@ -173,7 +173,7 @@ To overcome the limitation install tool directly - **[installer](https://github.
Containerized action can be used on Linux runners as following
```yaml
- name: Generate cyclonedx json SBOM
- uses: scribe-security/action-bom@v1.5.18
+ uses: scribe-security/action-bom@v1.5.19
with:
target: 'busybox:latest'
```
@@ -181,7 +181,7 @@ Containerized action can be used on Linux runners as following
Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Generate cyclonedx json SBOM
- uses: scribe-security/action-bom-cli@v1.5.18
+ uses: scribe-security/action-bom-cli@v1.5.19
with:
target: 'hello-world:latest'
```
diff --git a/docs/integrating-scribe/ci-integrations/github/action-evidence.md b/docs/integrating-scribe/ci-integrations/github/action-evidence.md
index b8157882f..cfe6da83f 100644
--- a/docs/integrating-scribe/ci-integrations/github/action-evidence.md
+++ b/docs/integrating-scribe/ci-integrations/github/action-evidence.md
@@ -138,7 +138,7 @@ The `valint evidence` action is a versatile action designed to include various t
Containerized action can be used on Linux runners as following
```yaml
- name: Include evidence derived from a file
- uses: scribe-security/action-evidence@v1.5.18
+ uses: scribe-security/action-evidence@v1.5.19
with:
target: some_file.json
```
@@ -146,7 +146,7 @@ Containerized action can be used on Linux runners as following
Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Include evidence derived from a file
- uses: scribe-security/action-evidence-cli@v1.5.18
+ uses: scribe-security/action-evidence-cli@v1.5.19
with:
target: some_file.json
```
diff --git a/docs/integrating-scribe/ci-integrations/github/action-slsa.md b/docs/integrating-scribe/ci-integrations/github/action-slsa.md
index c125c10c7..d6d392b0e 100644
--- a/docs/integrating-scribe/ci-integrations/github/action-slsa.md
+++ b/docs/integrating-scribe/ci-integrations/github/action-slsa.md
@@ -157,7 +157,7 @@ To overcome the limitation install tool directly - [installer](https://github.co
Containerized action can be used on Linux runners as following
```yaml
- name: Generate SLSA provenance
- uses: scribe-security/action-slsa@v1.5.18
+ uses: scribe-security/action-slsa@v1.5.19
with:
target: 'busybox:latest'
```
@@ -165,7 +165,7 @@ Containerized action can be used on Linux runners as following
Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Generate cyclonedx json SBOM
- uses: scribe-security/action-slsa-cli@v1.5.18
+ uses: scribe-security/action-slsa-cli@v1.5.19
with:
target: 'hello-world:latest'
```
diff --git a/docs/integrating-scribe/ci-integrations/github/action-verify.md b/docs/integrating-scribe/ci-integrations/github/action-verify.md
index c1dcb1b5b..badbaca5e 100644
--- a/docs/integrating-scribe/ci-integrations/github/action-verify.md
+++ b/docs/integrating-scribe/ci-integrations/github/action-verify.md
@@ -169,7 +169,7 @@ Containerized action can be used on Linux runners as following
```yaml
- name: valint verify
id: valint_verify
- uses: scribe-security/action-verify@v1.5.18
+ uses: scribe-security/action-verify@v1.5.19
with:
target: 'busybox:latest'
```
@@ -177,7 +177,7 @@ Containerized action can be used on Linux runners as following
Composite Action can be used on Linux or Windows runners as following
```yaml
- name: Generate cyclonedx json SBOM
- uses: scribe-security/action-verify-cli@v1.5.18
+ uses: scribe-security/action-verify-cli@v1.5.19
with:
target: 'hello-world:latest'
```
diff --git a/docs/integrating-scribe/ci-integrations/gitlabci.md b/docs/integrating-scribe/ci-integrations/gitlabci.md
index 2204f4e83..3da866867 100644
--- a/docs/integrating-scribe/ci-integrations/gitlabci.md
+++ b/docs/integrating-scribe/ci-integrations/gitlabci.md
@@ -63,6 +63,40 @@ scribe-gitlab-job:
-P $SCRIBE_TOKEN
```
+#### Using custom x509 keys
+
+Utilizing X509 Keys on Gitlab CI.
+
+- Prepare the X509 key in PEM format, including the Certificate and CA-chain.
+
+- Encode the keys using the commands below:
+
+```yaml
+cat my_key.pem | base64
+cat my_cert.pem | base64
+cat my_ca-chain.pem | base64
+```
+
+- Store The following Secrets as project variable using **[GitLab project variable](https://docs.gitlab.com/ee/ci/variables/#add-a-cicd-variable-to-a-project)**.
+
+
+
+- `ATTEST_KEY_B64` Base64 encoded x509 Private key pem content, make sure to mask the value.
+- `ATTEST_CERT_B64` - Base64 encoded x509 Cert pem content.
+- `ATTEST_CA_B64` - Base64 encoded x509 CA Chain pem content
+
+We recommended to base64 encode your PEM files to ensure they can be marked as protected and masked.
+
+> Explore additional signing options in the [attestations](https://scribe-security.netlify.app/docs/valint/attestations) section.
+
+Lastly Use the masked environment variables with Valint by decoding them:
+```yaml
+ - export ATTEST_KEY=$(echo $ATTEST_KEY_B64 | base64 -d | tr -d '\r' )
+ - export ATTEST_CERT=$(echo $ATTEST_CERT_B64 | base64 -d | tr -d '\r' )
+ - export ATTEST_CA=$(echo $ATTEST_CA_B64 | base64 -d | tr -d '\r' )
+ - valint bom my_image:latest -o attest
+```
+
#### Basic example
```yaml
diff --git a/docs/integrating-scribe/ci-integrations/jenkins.md b/docs/integrating-scribe/ci-integrations/jenkins.md
index 6026b0b5a..c6ab39d48 100644
--- a/docs/integrating-scribe/ci-integrations/jenkins.md
+++ b/docs/integrating-scribe/ci-integrations/jenkins.md
@@ -26,10 +26,10 @@ The token is a secret and will not be accessible from the UI after you finalize
3. In the **Global credentials** section, click **+ Add Credentials**. A new **Credentials** form opens.
-4. Copy the Scribe Hub API Token to the **Password** field and set the username to `SCRIBE_CLIENT_ID`.
+4. Copy the Scribe Hub API Token to the **Password**, and **Username** with anything:
-5. Set **ID** to `scribe-auth-id` (lowercase).
+5. Set **ID** to `scribe-auth-id` (lowercase)
6. Click **Create**.
@@ -80,7 +80,7 @@ pipeline {
valint bom busybox:latest \
--context-type jenkins \
--output-directory ./scribe/valint \
- -P $SCRIBE_API_TOKEN
+ -P $SCRIBE_TOKEN
'''
}
}
diff --git a/docs/platforms/bom.md b/docs/platforms/bom.md
index f16fbf621..2f14a0c98 100644
--- a/docs/platforms/bom.md
+++ b/docs/platforms/bom.md
@@ -16,12 +16,13 @@ This command enables users to generate SBOMs on scale.
-->
```bash
-usage: platforms [options] bom [-h] [--allow-failures] [--save-scan-plan] [--dry-run] [--monitor.mount MOUNT] [--monitor.threshold THRESHOLD] [--monitor.clean-docker]
- [--max-threads MAX_THREADS] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable]
- [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN]
- [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST]
- [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] [--unique]
- {gitlab,k8s,dockerhub,github,jfrog,ecr,bitbucket} ...
+usage: platforms [options] bom [-h] [--allow-failures] [--save-scan-plan] [--dry-run] [--monitor.mount MOUNT] [--monitor.threshold THRESHOLD]
+ [--monitor.clean-docker] [--max-threads MAX_THREADS] [--evidence.local.path PATH] [--valint.scribe.client-secret CLIENT_SECRET]
+ [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL]
+ [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY]
+ [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign]
+ [--valint.components COMPONENTS] [--valint.label LABEL] [--unique]
+ {gitlab,k8s,dockerhub,github,jfrog,ecr,bitbucket,azure} ...
Export bom data
@@ -38,10 +39,10 @@ options:
Monitor disk usage - auto clean docker cache (default: False)
--max-threads MAX_THREADS
Number of threads used to run valint (type: int, default: 10)
+ --evidence.local.path PATH
+ Local report export directory path (type: str, default: output)
--valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET
Scribe client Secret (type: str, default: )
- --valint.scribe.enable
- Enable Scribe client (default: False)
--valint.cache.disable
Disable Valint local cache (default: False)
--valint.context-type CONTEXT_TYPE
@@ -56,13 +57,13 @@ options:
--valint.product-version PRODUCT_VERSION
Evidence product version (type: str, default: )
--valint.predicate-type PREDICATE_TYPE
- Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1)
+ Evidence predicate type (type: str, default: )
--valint.attest ATTEST
Evidence attest type (type: str, default: x509-env)
--valint.sign sign evidence (default: False)
--valint.components COMPONENTS
components list (type: str, default: )
- --valint.label LABEL Set additional labels (type: at 0x705649776b60>, default: [])
+ --valint.label LABEL Set additional labels (type: at 0x7ece7edf87c0>, default: [])
--unique Allow unique assets (default: False)
subcommands:
@@ -76,6 +77,7 @@ subcommands:
jfrog
ecr
bitbucket
+ azure
```
@@ -144,8 +146,9 @@ usage: platforms [options] bom [options] dockerhub [-h] [--instance.instance INS
[--default_product_key_strategy {namespace,repository,tag,mapping}]
[--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.repository [REPOSITORY ...]]
[--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
- [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]]
- [--image.mapping [MAPPING ...]]
+ [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
+ [--scope.namespace [NAMESPACE ...]] [--image.mapping [MAPPING ...]] [--hook-config [HOOK_CONFIG ...]]
+ [--hook [HOOK ...]] [--hook.skip] [--image.hook [HOOK ...]]
options:
-h, --help Show this help message and exit.
@@ -173,6 +176,12 @@ options:
Dockerhub namespaces (default: ['*'])
--image.mapping [MAPPING ...]
Image product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: [])
+ --hook-config [HOOK_CONFIG ...]
+ Paths to YAML files containing custom hook definitions. (type: str, default: [])
+ --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_image, trivy_iac_and_secrets. (default: [])
+ --hook.skip Skip hooks (default: False)
+ --image.hook [HOOK ...]
+ Inline hook format :::::: (type: ToolHookString, default: [])
```
@@ -219,9 +228,11 @@ Note that the image characterization string is a wildcarded string, with separat
```bash
usage: platforms [options] bom [options] k8s [-h] [--instance.instance INSTANCE] [--url URL] [--token TOKEN] [--types {namespace,pod,all}]
- [--default_product_key_strategy {namespace,pod,image,mapping}] [--default_product_version_strategy {namespace_hash,pod_hash,image_id}]
- [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state]
- [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--image.mapping [MAPPING ...]]
+ [--default_product_key_strategy {namespace,pod,image,mapping}]
+ [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] [--scope.namespace [NAMESPACE ...]]
+ [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]]
+ [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--image.mapping [MAPPING ...]]
+ [--hook-config [HOOK_CONFIG ...]] [--hook [HOOK ...]] [--hook.skip] [--image.hook [HOOK ...]]
options:
-h, --help Show this help message and exit.
@@ -249,8 +260,14 @@ options:
--exclude.image [IMAGE ...]
Images to exclude from discovery process (default: [])
--image.mapping [MAPPING ...]
- K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type: K8sImageMappingString,
- default: [])
+ K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type:
+ K8sImageMappingString, default: [])
+ --hook-config [HOOK_CONFIG ...]
+ Paths to YAML files containing custom hook definitions. (type: str, default: [])
+ --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_k8s_image, trivy_iac_and_secrets. (default: [])
+ --hook.skip Skip hooks (default: False)
+ --image.hook [HOOK ...]
+ Inline hook format :::::: (type: ToolHookString, default: [])
```
@@ -296,10 +313,12 @@ Note that the image characterization string is a wildcarded string, some useful
-->
```bash
-usage: platforms [options] bom [options] jfrog [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--default_product_key_strategy {jf-repository,repository,tag,mapping}]
+usage: platforms [options] bom [options] jfrog [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL]
+ [--default_product_key_strategy {jf-repository,repository,tag,mapping}]
[--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.jf-repository [JF_REPOSITORY ...]]
- [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
- [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
+ [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]]
+ [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.jf-repository [JF_REPOSITORY ...]]
+ [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
[--image.mapping [MAPPING ...]]
options:
@@ -348,8 +367,9 @@ platforms bom ecr --image.mapping "*.dkr.ecr.*.amazonaws.com/my-image*::my-produ
```bash
usage: platforms [options] bom [options] ecr [-h] [--instance.instance INSTANCE] [--default_product_key_strategy {aws-account,repository,tag,mapping}]
- [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]]
- [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
+ [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]]
+ [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
+ [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
[--exclude.repository_tags [REPOSITORY_TAGS ...]] [--url URL] [--image.mapping [MAPPING ...]]
options:
@@ -396,11 +416,12 @@ Note that the image characterization string is a wildcarded string, some useful
-->
```bash
-usage: platforms [options] bom [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN]
- [--workspace WORKSPACE] [--url URL] [--types {repository,all}] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]]
- [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]]
- [--commit.skip] [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]]
- [--repository.mapping [MAPPING ...]]
+usage: platforms [options] bom [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME]
+ [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] [--url URL] [--types {repository,all}]
+ [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]]
+ [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip]
+ [--branch-protection.skip] [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]]
+ [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
options:
-h, --help Show this help message and exit.
@@ -419,11 +440,11 @@ options:
--scope.workspace [WORKSPACE ...]
BitBucket workspace list (default: ['*'])
--scope.project [PROJECT ...]
- BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
- --scope.repository [REPOSITORY ...]
- BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
+ BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
project_name' (default: ['*'])
+ --scope.repository [REPOSITORY ...]
+ BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.commit [COMMIT ...]
BitBucket commit wildcards (default: [])
--scope.branch [BRANCH ...]
@@ -431,17 +452,19 @@ options:
--scope.webhook [WEBHOOK ...]
BitBucket webhook wildcards (default: [])
--commit.skip Skip commits in discovery/evidence (default: False)
+ --branch-protection.skip
+ Skip Branch protection in discovery/evidence (default: False)
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping)
--workspace.mapping [MAPPING ...]
- Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are
+ supported (type: AssetMappingString, default: [])
--project.mapping [MAPPING ...]
- Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported
+ (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
```
@@ -463,9 +486,11 @@ Note that the image characterization string is a wildcarded string, some useful
-->
```bash
-usage: platforms [options] bom [options] github [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {repository,all}] [--scope.organization [ORGANIZATION ...]]
- [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip]
- [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
+usage: platforms [options] bom [options] github [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {repository,all}]
+ [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]]
+ [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] [--default_product_key_strategy {mapping}]
+ [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--hook-config [HOOK_CONFIG ...]]
+ [--hook [HOOK ...]] [--hook.skip] [--repository.hooks [HOOKS ...]]
options:
-h, --help Show this help message and exit.
@@ -478,8 +503,8 @@ options:
--scope.organization [ORGANIZATION ...]
Github organization list (default: ['*'])
--scope.repository [REPOSITORY ...]
- Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
+ Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace
+ / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Github branches wildcards (default: [])
--scope.tag [TAG ...]
@@ -489,11 +514,17 @@ options:
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping)
--organization.mapping [MAPPING ...]
- Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are
+ supported (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
+ --hook-config [HOOK_CONFIG ...]
+ Paths to YAML files containing custom hook definitions. (type: str, default: [])
+ --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: opengrep, trivy_iac_and_secrets, gitleaks_secrets, kics_scan. (default: [])
+ --hook.skip Skip hooks (default: False)
+ --repository.hooks [HOOKS ...]
+ Inline hook format :::::: (type: ToolHookString, default: [])
```
@@ -515,9 +546,10 @@ Note that the image characterization string is a wildcarded string, some useful
-->
```bash
-usage: platforms [options] bom [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {project,all}] [--scope.organization [ORGANIZATION ...]]
- [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip]
- [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]]
+usage: platforms [options] bom [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {project,all}]
+ [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]]
+ [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] [--default_product_key_strategy {mapping}]
+ [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]]
options:
-h, --help Show this help message and exit.
@@ -530,8 +562,8 @@ options:
--scope.organization [ORGANIZATION ...]
Gitlab organization list (default: ['*'])
--scope.project [PROJECT ...]
- Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
- project_name' (default: ['*'])
+ Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Gitlab branches wildcards (default: null)
--scope.tag [TAG ...]
diff --git a/docs/platforms/discover.md b/docs/platforms/discover.md
index 3ce0c648f..47571246b 100644
--- a/docs/platforms/discover.md
+++ b/docs/platforms/discover.md
@@ -22,18 +22,21 @@ The evidence generation process uses Scribe's `valint` tool to upload and option
-->
```bash
-usage: platforms [options] discover [-h] [--db.local.store_policy {update,replace}] [--db.update_period UPDATE_PERIOD] [--evidence.local.path PATH] [--evidence.local.prefix PREFIX]
- [--evidence.local_only] [--max-threads MAX_THREADS] [--thread-timeout THREAD_TIMEOUT] [--rate-limit-retry RATE_LIMIT_RETRY] [--allow-failures]
- [--export-partial] [--skip-evidence] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable]
- [--valint.context-type CONTEXT_TYPE] [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN]
- [--valint.product-key PRODUCT_KEY] [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST]
- [--valint.sign] [--valint.components COMPONENTS] [--valint.label LABEL] [--unique]
- {gitlab,dockerhub,k8s,github,jfrog,ecr,jenkins,bitbucket} ...
+usage: platforms [options] discover [-h] [--check-token-permissions] [--db.local.store_policy {update,replace}] [--db.update_period UPDATE_PERIOD]
+ [--evidence.local.path PATH] [--evidence.local.prefix PREFIX] [--evidence.local_only] [--max-threads MAX_THREADS]
+ [--thread-timeout THREAD_TIMEOUT] [--rate-limit-retry RATE_LIMIT_RETRY] [--allow-failures] [--export-partial] [--skip-evidence]
+ [--valint.scribe.client-secret CLIENT_SECRET] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE]
+ [--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY]
+ [--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign]
+ [--valint.components COMPONENTS] [--valint.label LABEL] [--unique]
+ {gitlab,dockerhub,k8s,github,jfrog,ecr,jenkins,bitbucket,azure} ...
Discover assets and save data to a local store
options:
-h, --help Show this help message and exit.
+ --check-token-permissions
+ Check token permissions (default: False)
--db.local.store_policy {update,replace}
Policy for local data collection: update or replace (default: update)
--db.update_period UPDATE_PERIOD
@@ -49,14 +52,12 @@ options:
--thread-timeout THREAD_TIMEOUT
Thread timeout in seconds (type: float, default: 20.0)
--rate-limit-retry RATE_LIMIT_RETRY
- Retry on rate limit (type: int, default: 3)
+ Retry on rate limit (default disabled) (type: int, default: 0)
--allow-failures Allow failures without returning an error code (default: False)
--export-partial Upload Partial Discover evidence (default: False)
--skip-evidence Skip evidence upload (default: False)
--valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET
Scribe client Secret (type: str, default: )
- --valint.scribe.enable
- Enable Scribe client (default: False)
--valint.cache.disable
Disable Valint local cache (default: False)
--valint.context-type CONTEXT_TYPE
@@ -71,13 +72,13 @@ options:
--valint.product-version PRODUCT_VERSION
Evidence product version (type: str, default: )
--valint.predicate-type PREDICATE_TYPE
- Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1)
+ Evidence predicate type (type: str, default: )
--valint.attest ATTEST
Evidence attest type (type: str, default: x509-env)
--valint.sign sign evidence (default: False)
--valint.components COMPONENTS
components list (type: str, default: )
- --valint.label LABEL Set additional labels (type: at 0x7697d3755a80>, default: [])
+ --valint.label LABEL Set additional labels (type: at 0x75bbf48f2ca0>, default: [])
--unique Allow unique assets (default: False)
subcommands:
@@ -92,6 +93,7 @@ subcommands:
ecr
jenkins
bitbucket
+ azure
```
@@ -140,7 +142,7 @@ usage: platforms [options] discover [options] gitlab [-h] [--instance.instance I
[--default_product_key_strategy {mapping}] [--scope.skip_org_members] [--scope.skip_project_members]
[--scope.commit.past_days PAST_DAYS] [--scope.pipeline.past_days PAST_DAYS] [--scope.pipeline.analyzed_logs]
[--scope.pipeline.reports] [--broad] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]]
- [--organization.single] [--project.single]
+ [--organization.single] [--project.single] [--skip-cache] [--cache-ttl CACHE_TTL] [--cache-group CACHE_GROUP]
options:
-h, --help Show this help message and exit.
@@ -155,8 +157,8 @@ options:
--scope.organization [ORGANIZATION ...]
Gitlab organization list (default: ['*'])
--scope.project [PROJECT ...]
- Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
- project_name' (default: ['*'])
+ Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Gitlab branches wildcards (default: null)
--scope.tag [TAG ...]
@@ -185,6 +187,11 @@ options:
--organization.single
Export all organizations in a single evidence (default: False)
--project.single Export all projects in a single evidence (default: False)
+ --skip-cache, -f Skip Scribe Evidence cache lookup (default: False)
+ --cache-ttl CACHE_TTL
+ time to live for cache (default: 2d)
+ --cache-group CACHE_GROUP
+ Scribe cache group, default to runners pipeline ID, empty to use global context (default: by_pipeline)
```
@@ -240,8 +247,10 @@ usage: platforms [options] discover [options] github [-h] [--instance.instance I
[--token TOKEN] [--url URL] [--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]]
[--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip]
[--default_product_key_strategy {mapping}] [--scope.commit.past_days PAST_DAYS] [--workflow.skip]
- [--scope.workflow.past_days PAST_DAYS] [--scope.workflow.analyzed_logs] [--scope.runners] [--scope.sbom] [--broad]
- [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
+ [--scope.workflow.past_days PAST_DAYS] [--scope.workflow.analyzed_logs] [--scope.runners] [--scope.sbom]
+ [--broad] [--hook-config [HOOK_CONFIG ...]] [--hook [HOOK ...]] [--hook.skip] [--repository.hooks [HOOKS ...]]
+ [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--skip-cache]
+ [--cache-ttl CACHE_TTL] [--cache-group CACHE_GROUP]
options:
-h, --help Show this help message and exit.
@@ -256,8 +265,8 @@ options:
--scope.organization [ORGANIZATION ...]
Github organization list (default: ['*'])
--scope.repository [REPOSITORY ...]
- Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
+ Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace
+ / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Github branches wildcards (default: [])
--scope.tag [TAG ...]
@@ -276,12 +285,23 @@ options:
--scope.runners Include repository allocated runners in evidence (default: False)
--scope.sbom Include repositories SBOM in evidence (default: False)
--broad Retrieves limited information (only organizations, repositories and workflows) (default: False)
+ --hook-config [HOOK_CONFIG ...]
+ Paths to YAML files containing custom hook definitions. (type: str, default: [])
+ --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_iac_and_secrets. (default: [])
+ --hook.skip Skip hooks (default: False)
+ --repository.hooks [HOOKS ...]
+ Inline hook format :::::: (type: ToolHookString, default: [])
--organization.mapping [MAPPING ...]
- Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are
+ supported (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
+ --skip-cache, -f Skip Scribe Evidence cache lookup (default: False)
+ --cache-ttl CACHE_TTL
+ time to live for cache (default: 2d)
+ --cache-group CACHE_GROUP
+ Scribe cache group, default to runners pipeline ID, empty to use global context (default: by_pipeline)
```
@@ -328,9 +348,10 @@ usage: platforms [options] discover [options] dockerhub [-h] [--instance.instanc
[--username USERNAME] [--password PASSWORD] [--token TOKEN] [--url URL] [--scope.repository [REPOSITORY ...]]
[--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
[--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
- [--namespace-list [NAMESPACE_LIST ...]] [--scope.past_days PAST_DAYS] [--broad] [--namespace.single] [--repository.single]
- [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--instance.mapping [MAPPING ...]]
- [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
+ [--namespace-list [NAMESPACE_LIST ...]] [--scope.past_days PAST_DAYS] [--broad] [--namespace.single]
+ [--repository.single] [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
+ [--instance.mapping [MAPPING ...]] [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
+ [--hook-config [HOOK_CONFIG ...]] [--hook [HOOK ...]] [--hook.skip] [--repository.hook [HOOK ...]]
options:
-h, --help Show this help message and exit.
@@ -369,6 +390,12 @@ options:
Repository tag product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: [])
--default_product_key_strategy {mapping,mapping,mapping,mapping}
Override product key with namespace, repository or image names (default: mapping)
+ --hook-config [HOOK_CONFIG ...]
+ Paths to YAML files containing custom hook definitions. (type: str, default: [])
+ --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: trivy_image, trivy_iac_and_secrets. (default: [])
+ --hook.skip Skip hooks (default: False)
+ --repository.hook [HOOK ...]
+ Inline hook format :::::: (type: ToolHookString, default: [])
```
@@ -405,11 +432,14 @@ platforms discover k8s \
-->
```bash
-usage: platforms [options] discover [options] k8s [-h] [--instance.instance INSTANCE] [--types {namespace,pod,secret,deployment,all} [{namespace,pod,secret,deployment,all} ...]]
- [--exclude.types {namespace,pod,secret,deployment} [{namespace,pod,secret,deployment} ...]] [--url URL] [--token TOKEN]
- [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state]
- [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--secret.skip] [--deployment.skip]
- [--broad] [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]]
+usage: platforms [options] discover [options] k8s [-h] [--instance.instance INSTANCE]
+ [--types {namespace,pod,secret,deployment,all} [{namespace,pod,secret,deployment,all} ...]]
+ [--exclude.types {namespace,pod,secret,deployment} [{namespace,pod,secret,deployment} ...]] [--url URL]
+ [--token TOKEN] [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]]
+ [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]]
+ [--secret.skip] [--deployment.skip] [--broad] [--namespace.single] [--pod.single]
+ [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]] [--hook-config [HOOK_CONFIG ...]]
+ [--hook [HOOK ...]] [--hook.skip] [--namespace.hooks [HOOKS ...]]
[--default_product_key_strategy {namespace,pod,image,mapping}]
options:
@@ -444,6 +474,12 @@ options:
Namespace product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: [])
--pod.mapping [MAPPING ...]
Pod product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: [])
+ --hook-config [HOOK_CONFIG ...]
+ Paths to YAML files containing custom hook definitions. (type: str, default: [])
+ --hook [HOOK ...] Specify hook IDs to execute. Available preconfigured hooks are: kubescape_cluster, apparmor_namespace. (default: [])
+ --hook.skip Skip hooks (default: False)
+ --namespace.hooks [HOOKS ...]
+ Inline hook format :::::: (type: ToolHookString, default: [])
--default_product_key_strategy {namespace,pod,image,mapping}
Override product key with namespace, pod or image names (default: mapping)
```
@@ -501,9 +537,10 @@ usage: platforms [options] discover [options] jfrog [-h] [--instance.instance IN
[--token TOKEN] [--url URL] [--scope.jf-repository [JF_REPOSITORY ...]] [--scope.repository [REPOSITORY ...]]
[--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
[--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]]
- [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] [--broad]
- [--jf-repository.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--instance.mapping [MAPPING ...]]
- [--jf-repository.single] [--repository.single] [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
+ [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT]
+ [--broad] [--jf-repository.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
+ [--instance.mapping [MAPPING ...]] [--jf-repository.single] [--repository.single]
+ [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
options:
-h, --help Show this help message and exit.
@@ -532,8 +569,8 @@ options:
--scope.past_days PAST_DAYS
Ignore tags pushed earlier that previous to this number of days (type: int, default: 30)
--scope.tag_limit TAG_LIMIT
- Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days filter. 0 for no
- limit, default is 10. (type: int, default: 20)
+ Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days
+ filter. 0 for no limit, default is 10. (type: int, default: 20)
--broad Retrieves limited information (only jf-repositories and repositories) (default: False)
--jf-repository.mapping [MAPPING ...]
Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: [])
@@ -593,13 +630,13 @@ platforms discover ecr \
```bash
usage: platforms [options] discover [options] ecr [-h] [--instance.instance INSTANCE]
[--types {aws-account,repository,repository_tags,all} [{aws-account,repository,repository_tags,all} ...]]
- [--exclude.types {aws-account,repository,repository_tags} [{aws-account,repository,repository_tags} ...]] [--token TOKEN]
- [--url URL] [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]]
+ [--exclude.types {aws-account,repository,repository_tags} [{aws-account,repository,repository_tags} ...]]
+ [--token TOKEN] [--url URL] [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]]
[--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
- [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
- [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT] [--broad] [--aws-account.mapping [MAPPING ...]]
- [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single]
- [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
+ [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
+ [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.past_days PAST_DAYS] [--scope.tag_limit TAG_LIMIT]
+ [--broad] [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--aws-account.single]
+ [--repository.single] [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
options:
-h, --help Show this help message and exit.
@@ -628,8 +665,8 @@ options:
--scope.past_days PAST_DAYS
Ignore tags pushed earlier that previous to this number of days (type: int, default: 30)
--scope.tag_limit TAG_LIMIT
- Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days filter. 0 for no
- limit, default is 10. (type: int, default: 10)
+ Limit the number of recent tags to be discovered. Scoping to tag names is done on the limited tag list. Limit applies also to the past_days
+ filter. 0 for no limit, default is 10. (type: int, default: 10)
--broad Retrieves limited information (only aws-account and repository) (default: False)
--aws-account.mapping [MAPPING ...]
Repository product key mapping in the format of asset::product_key::product_version (type: AssetMappingString, default: [])
@@ -688,11 +725,13 @@ platforms discover bitbucket \
```bash
usage: platforms [options] discover [options] bitbucket [-h] [--instance.instance INSTANCE]
[--types {workspace,project,repository,branch,commit,authenticated_user,webhooks,repo_permission,user_permission,branch_protection,token,all} [{workspace,project,repository,branch,commit,authenticated_user,webhooks,repo_permission,user_permission,branch_protection,token,all} ...]]
- [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] [--url URL]
- [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]]
- [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--broad]
+ [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN]
+ [--workspace WORKSPACE] [--url URL] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]]
+ [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]]
+ [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--branch-protection.skip] [--broad]
[--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
[--default_product_key_strategy {mapping}] [--workspace.single] [--project.single] [--repository.single]
+ [--skip-cache] [--cache-ttl CACHE_TTL] [--cache-group CACHE_GROUP]
options:
-h, --help Show this help message and exit.
@@ -711,11 +750,11 @@ options:
--scope.workspace [WORKSPACE ...]
BitBucket workspace list (default: ['*'])
--scope.project [PROJECT ...]
- BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
- --scope.repository [REPOSITORY ...]
- BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
+ BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
project_name' (default: ['*'])
+ --scope.repository [REPOSITORY ...]
+ BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.commit [COMMIT ...]
BitBucket commit wildcards (default: [])
--scope.branch [BRANCH ...]
@@ -723,21 +762,28 @@ options:
--scope.webhook [WEBHOOK ...]
BitBucket webhook wildcards (default: [])
--commit.skip Skip commits in discovery/evidence (default: False)
+ --branch-protection.skip
+ Skip Branch protection in discovery/evidence (default: False)
--broad Retrieves limited information (only workspaces, repositories) (default: False)
--workspace.mapping [MAPPING ...]
- Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are
+ supported (type: AssetMappingString, default: [])
--project.mapping [MAPPING ...]
- Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported
+ (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping)
--workspace.single Export all workspaces in a single evidence (default: False)
--project.single Export all projects in a single evidence (default: False)
--repository.single Export all repos in a single evidence (default: False)
+ --skip-cache, -f Skip Scribe Evidence cache lookup (default: False)
+ --cache-ttl CACHE_TTL
+ time to live for cache (default: 2d)
+ --cache-group CACHE_GROUP
+ Scribe cache group, default to runners pipeline ID, empty to use global context (default: by_pipeline)
```
@@ -783,10 +829,11 @@ platforms discover jenkins \
```bash
usage: platforms [options] discover [options] jenkins [-h] [--instance.instance INSTANCE] [--username USERNAME] [--password PASSWORD] [--url URL] [--broad]
[--types {all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} [{all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} ...]]
- [--credential_stores.skip] [--users.skip] [--plugins.skip] [--security_settings.skip] [--computer_set.skip] [--jobs.skip]
- [--scope.folder [FOLDER ...]] [--exclude.folder [FOLDER ...]] [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX]
- [--scope.job_runs.analyzed_logs] [--job_runs.skip] [--default_product_key_strategy {mapping}]
- [--instance-mapping [INSTANCE_MAPPING ...]] [--folder.mapping [MAPPING ...]]
+ [--credential_stores.skip] [--users.skip] [--plugins.skip] [--security_settings.skip] [--computer_set.skip]
+ [--jobs.skip] [--scope.folder [FOLDER ...]] [--exclude.folder [FOLDER ...]]
+ [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX] [--scope.job_runs.analyzed_logs]
+ [--job_runs.skip] [--default_product_key_strategy {mapping}] [--instance-mapping [INSTANCE_MAPPING ...]]
+ [--folder.mapping [MAPPING ...]]
options:
-h, --help Show this help message and exit.
@@ -794,7 +841,7 @@ options:
Jenkins instance string (default: )
--username USERNAME Jenkins username (default: )
--password PASSWORD Jenkins token (JENKINS_PASSWORD) (default: )
- --url URL Jenkins base URL (default: null)
+ --url URL Jenkins base URL (default: )
--broad Perform a fast broad discovery instead of a detailed one (default: False)
--types {all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} [{all,computer_set,users,jobs,job_runs,credential_stores,plugins,security_settings,all} ...]
Defines which asset to discover, scoped by scope parameters (default: ['all'])
@@ -807,25 +854,28 @@ options:
--computer_set.skip Skip computer sets in discovery/evidence (default: False)
--jobs.skip Skip jobs (default: False)
--scope.folder [FOLDER ...]
- Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to scope specific
- jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder that starts with folder-a.
- folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: ['*'])
+ Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to
+ scope specific jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder
+ that starts with folder-a. folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default:
+ ['*'])
--exclude.folder [FOLDER ...]
Jenkins folder/job list to exclude from discovery. Format is like the --scope.folder argument (type: JenkinsFolderScope, default: [])
--scope.job_runs.past_days PAST_DAYS
Number of past days to include in the job run discovery, 0 for no time limit (type: int, default: 30)
--scope.job_runs.max MAX
- Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no limit (type: int,
- default: 10)
+ Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no
+ limit (type: int, default: 10)
--scope.job_runs.analyzed_logs
Include analyzed job run logs (default: False)
--job_runs.skip Skip commits in discovery/evidence (default: False)
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by folder name too. (default: mapping)
--instance-mapping [INSTANCE_MAPPING ...]
- Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: [])
+ Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default:
+ [])
--folder.mapping [MAPPING ...]
- Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString, default: [])
+ Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString,
+ default: [])
```
diff --git a/docs/platforms/evidence.md b/docs/platforms/evidence.md
index 603dce1bd..ffbd9e9ea 100644
--- a/docs/platforms/evidence.md
+++ b/docs/platforms/evidence.md
@@ -25,11 +25,11 @@ The evidence command uses Scribe's `valint` tool to upload the evidence and to s
```bash
usage: platforms [options] evidence [-h] [--evidence.local.path PATH] [--evidence.local.prefix PREFIX] [--evidence.local_only] [--max-threads MAX_THREADS]
[--thread-timeout THREAD_TIMEOUT] [--rate-limit-retry RATE_LIMIT_RETRY] [--allow-failures] [--export-partial] [--skip-evidence]
- [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE]
+ [--valint.scribe.client-secret CLIENT_SECRET] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE]
[--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY]
[--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign]
[--valint.components COMPONENTS] [--valint.label LABEL] [--unique]
- {gitlab,k8s,dockerhub,github,jfrog,ecr,jenkins,bitbucket} ...
+ {gitlab,k8s,dockerhub,github,jfrog,ecr,jenkins,bitbucket,azure} ...
Export evidence data (Deprecated)
@@ -46,14 +46,12 @@ options:
--thread-timeout THREAD_TIMEOUT
Thread timeout in seconds (type: float, default: 20.0)
--rate-limit-retry RATE_LIMIT_RETRY
- Retry on rate limit (type: int, default: 3)
+ Retry on rate limit (default disabled) (type: int, default: 0)
--allow-failures Allow failures without returning an error code (default: False)
--export-partial Upload Partial Discover evidence (default: False)
--skip-evidence Skip evidence upload (default: False)
--valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET
Scribe client Secret (type: str, default: )
- --valint.scribe.enable
- Enable Scribe client (default: False)
--valint.cache.disable
Disable Valint local cache (default: False)
--valint.context-type CONTEXT_TYPE
@@ -68,13 +66,13 @@ options:
--valint.product-version PRODUCT_VERSION
Evidence product version (type: str, default: )
--valint.predicate-type PREDICATE_TYPE
- Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1)
+ Evidence predicate type (type: str, default: )
--valint.attest ATTEST
Evidence attest type (type: str, default: x509-env)
--valint.sign sign evidence (default: False)
--valint.components COMPONENTS
components list (type: str, default: )
- --valint.label LABEL Set additional labels (type: at 0x7b9df7c3ff60>, default: [])
+ --valint.label LABEL Set additional labels (type: at 0x7f0fc74b5800>, default: [])
--unique Allow unique assets (default: False)
subcommands:
@@ -89,6 +87,7 @@ subcommands:
ecr
jenkins
bitbucket
+ azure
```
@@ -109,9 +108,10 @@ platforms evidence gitlab --organization.mapping "my-org::my-product::1.0" --pro
```bash
usage: platforms [options] evidence [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,project,all}]
- [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]]
- [--commit.skip] [--pipeline.skip] [--default_product_key_strategy {mapping}] [--organization.mapping [MAPPING ...]]
- [--project.mapping [MAPPING ...]] [--organization.single] [--project.single]
+ [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]]
+ [--scope.tag [TAG ...]] [--commit.skip] [--pipeline.skip] [--default_product_key_strategy {mapping}]
+ [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--organization.single]
+ [--project.single]
options:
-h, --help Show this help message and exit.
@@ -124,8 +124,8 @@ options:
--scope.organization [ORGANIZATION ...]
Gitlab organization list (default: ['*'])
--scope.project [PROJECT ...]
- Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
- project_name' (default: ['*'])
+ Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Gitlab branches wildcards (default: null)
--scope.tag [TAG ...]
@@ -164,7 +164,8 @@ platforms evidence github --organization.mapping "my-org::my-product::1.0" --rep
usage: platforms [options] evidence [options] github [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,repository,all,all}]
[--scope.organization [ORGANIZATION ...]] [--scope.repository [REPOSITORY ...]] [--scope.branch [BRANCH ...]]
[--scope.tag [TAG ...]] [--branch.shallow] [--commit.skip] [--default_product_key_strategy {mapping}]
- [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--organization.single] [--repository.single]
+ [--organization.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--organization.single]
+ [--repository.single]
options:
-h, --help Show this help message and exit.
@@ -177,8 +178,8 @@ options:
--scope.organization [ORGANIZATION ...]
Github organization list (default: ['*'])
--scope.repository [REPOSITORY ...]
- Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
+ Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace
+ / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Github branches wildcards (default: [])
--scope.tag [TAG ...]
@@ -188,11 +189,11 @@ options:
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping)
--organization.mapping [MAPPING ...]
- Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are
+ supported (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
--organization.single
Export all organizations in a single evidence (default: False)
--repository.single Export all repos in a single evidence (default: False)
@@ -214,12 +215,14 @@ platforms evidence dockerhub --namespace.mapping "my-namespace::my-product::1.0"
-->
```bash
-usage: platforms [options] evidence [options] dockerhub [-h] [--instance.instance INSTANCE] [--types {instance,token,repository,namespace,repository_tag,webhook,all}]
- [--username USERNAME] [--password PASSWORD] [--token TOKEN] [--url URL] [--scope.repository [REPOSITORY ...]]
+usage: platforms [options] evidence [options] dockerhub [-h] [--instance.instance INSTANCE]
+ [--types {instance,token,repository,namespace,repository_tag,webhook,all}] [--username USERNAME]
+ [--password PASSWORD] [--token TOKEN] [--url URL] [--scope.repository [REPOSITORY ...]]
[--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
- [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]]
- [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--instance.mapping [MAPPING ...]]
- [--namespace.single] [--repository.single] [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
+ [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
+ [--scope.namespace [NAMESPACE ...]] [--namespace.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
+ [--instance.mapping [MAPPING ...]] [--namespace.single] [--repository.single]
+ [--default_product_key_strategy {mapping,mapping,mapping,mapping}]
options:
-h, --help Show this help message and exit.
@@ -271,10 +274,11 @@ platforms evidence k8s --namespace.mapping "my-namespace::my-product::1.0" --pod
-->
```bash
-usage: platforms [options] evidence [options] k8s [-h] [--instance.instance INSTANCE] [--types {namespace,pod,all}] [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]]
- [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]]
- [--exclude.image [IMAGE ...]] [--default_product_key_strategy {namespace,pod,image,mapping}] [--secret.skip] [--url URL]
- [--token TOKEN] [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]]
+usage: platforms [options] evidence [options] k8s [-h] [--instance.instance INSTANCE] [--types {namespace,pod,all}] [--scope.namespace [NAMESPACE ...]]
+ [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]]
+ [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]]
+ [--default_product_key_strategy {namespace,pod,image,mapping}] [--secret.skip] [--url URL] [--token TOKEN]
+ [--namespace.single] [--pod.single] [--namespace.mapping [MAPPING ...]] [--pod.mapping [MAPPING ...]]
options:
-h, --help Show this help message and exit.
@@ -327,10 +331,12 @@ platforms evidence jfrog --jf-repository.mapping "*::my-product::1.0" --namespac
```bash
usage: platforms [options] evidence [options] ecr [-h] [--instance.instance INSTANCE] [--url URL] [--types {instance,aws-account,repository,all}]
- [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]]
- [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
- [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
- [--aws-account.single] [--repository.single] [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}]
+ [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]]
+ [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
+ [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
+ [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]]
+ [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single]
+ [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}]
options:
-h, --help Show this help message and exit.
@@ -381,10 +387,12 @@ platforms evidence ecr --repository.mapping "*my-service*::my-product::1.0"
```bash
usage: platforms [options] evidence [options] ecr [-h] [--instance.instance INSTANCE] [--url URL] [--types {instance,aws-account,repository,all}]
- [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]]
- [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
- [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
- [--aws-account.single] [--repository.single] [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}]
+ [--scope.aws-account [AWS_ACCOUNT ...]] [--scope.repository [REPOSITORY ...]]
+ [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
+ [--exclude.aws-account [AWS_ACCOUNT ...]] [--exclude.repository [REPOSITORY ...]]
+ [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--aws-account.mapping [MAPPING ...]]
+ [--repository.mapping [MAPPING ...]] [--aws-account.single] [--repository.single]
+ [--default_product_key_strategy {instance,aws-account,repository,tag,mapping}]
options:
-h, --help Show this help message and exit.
@@ -434,11 +442,14 @@ platforms evidence bitbucker --workspace.mapping "my-workspace::my-product::1.0"
-->
```bash
-usage: platforms [options] evidence [options] bitbucket [-h] [--instance.instance INSTANCE] [--types {workspace,project,repository,all,all}] [--scope.workspace [WORKSPACE ...]]
- [--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]]
- [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--default_product_key_strategy {mapping}]
- [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
- [--workspace.single] [--project.single] [--repository.single]
+usage: platforms [options] evidence [options] bitbucket [-h] [--instance.instance INSTANCE] [--types {workspace,project,repository,all,all}]
+ [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN]
+ [--workspace WORKSPACE] [--url URL] [--scope.workspace [WORKSPACE ...]] [--scope.project [PROJECT ...]]
+ [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]] [--scope.branch [BRANCH ...]]
+ [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--branch-protection.skip]
+ [--default_product_key_strategy {mapping}] [--workspace.mapping [MAPPING ...]]
+ [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--workspace.single]
+ [--project.single] [--repository.single]
options:
-h, --help Show this help message and exit.
@@ -446,14 +457,22 @@ options:
BitBucket instance string (default: )
--types {workspace,project,repository,all,all}
Defines which evidence to create, scoped by scope parameters (default: all)
+ --app_password APP_PASSWORD
+ BitBucket app_password (BB_PASSWORD) (default: )
+ --username USERNAME BitBucket username (default: null)
+ --workspace_token WORKSPACE_TOKEN
+ BitBucket workspace_token can be used with --workspace_name flag instead of --app_password and --username (BB_WORKSPACE_TOKEN) (default: )
+ --workspace WORKSPACE
+ BitBucket workspace_name can be used with --workspace_token flag instead of --app_password and --username (default: )
+ --url URL BitBucket URL (required, default: https://api.bitbucket.org)
--scope.workspace [WORKSPACE ...]
BitBucket workspace list (default: ['*'])
--scope.project [PROJECT ...]
- BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
- --scope.repository [REPOSITORY ...]
- BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
+ BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
project_name' (default: ['*'])
+ --scope.repository [REPOSITORY ...]
+ BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.commit [COMMIT ...]
BitBucket commit wildcards (default: [])
--scope.branch [BRANCH ...]
@@ -461,17 +480,19 @@ options:
--scope.webhook [WEBHOOK ...]
BitBucket webhook wildcards (default: [])
--commit.skip Skip commits in discovery/evidence (default: False)
+ --branch-protection.skip
+ Skip Branch protection in discovery/evidence (default: False)
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by reopsitory name too. (default: mapping)
--workspace.mapping [MAPPING ...]
- Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are
+ supported (type: AssetMappingString, default: [])
--project.mapping [MAPPING ...]
- Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported
+ (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
--workspace.single Export all workspaces in a single evidence (default: False)
--project.single Export all projects in a single evidence (default: False)
--repository.single Export all repos in a single evidence (default: False)
@@ -494,8 +515,9 @@ platforms evidence jenkins --instance-mapping "my-instance::my-product::1.0" --f
-->
```bash
-usage: platforms [options] evidence [options] jenkins [-h] [--instance.instance INSTANCE] [--types {instance,folder,all,all}] [--credential_stores.skip] [--users.skip]
- [--plugins.skip] [--security_settings.skip] [--computer_set.skip] [--jobs.skip] [--scope.folder [FOLDER ...]]
+usage: platforms [options] evidence [options] jenkins [-h] [--instance.instance INSTANCE] [--types {instance,folder,all,all}] [--username USERNAME]
+ [--password PASSWORD] [--url URL] [--credential_stores.skip] [--users.skip] [--plugins.skip]
+ [--security_settings.skip] [--computer_set.skip] [--jobs.skip] [--scope.folder [FOLDER ...]]
[--exclude.folder [FOLDER ...]] [--scope.job_runs.past_days PAST_DAYS] [--scope.job_runs.max MAX]
[--scope.job_runs.analyzed_logs] [--job_runs.skip] [--default_product_key_strategy {mapping}]
[--instance-mapping [INSTANCE_MAPPING ...]] [--folder.mapping [MAPPING ...]] [--folder.single]
@@ -506,6 +528,9 @@ options:
Jenkins instance string (default: )
--types {instance,folder,all,all}
Defines which evidence to create, scoped by scope parameters (default: all)
+ --username USERNAME Jenkins username (default: )
+ --password PASSWORD Jenkins token (JENKINS_PASSWORD) (default: )
+ --url URL Jenkins base URL (default: )
--credential_stores.skip
Skip credential stores (default: False)
--users.skip Skip users (default: False)
@@ -515,25 +540,28 @@ options:
--computer_set.skip Skip computer sets in discovery/evidence (default: False)
--jobs.skip Skip jobs (default: False)
--scope.folder [FOLDER ...]
- Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to scope specific
- jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder that starts with folder-a.
- folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default: ['*'])
+ Jenkins folder/job list. Default is all folders. The folder scoping is defined as a path of folders and can include the job name in order to
+ scope specific jobs. Wildcard is supported only as a suffix. examples: folder-a* will discover all folders that are included in a root folder
+ that starts with folder-a. folder-a/* will discover all folders and jobs under the root folder folder-a (type: JenkinsFolderScope, default:
+ ['*'])
--exclude.folder [FOLDER ...]
Jenkins folder/job list to exclude from discovery. Format is like the --scope.folder argument (type: JenkinsFolderScope, default: [])
--scope.job_runs.past_days PAST_DAYS
Number of past days to include in the job run discovery, 0 for no time limit (type: int, default: 30)
--scope.job_runs.max MAX
- Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no limit (type: int,
- default: 10)
+ Mam number of job runs to include in the job run discovery. This argument will limit the number of job runs in the past_days range. 0 for no
+ limit (type: int, default: 10)
--scope.job_runs.analyzed_logs
Include analyzed job run logs (default: False)
--job_runs.skip Skip commits in discovery/evidence (default: False)
--default_product_key_strategy {mapping}
Deferment product key by mapping. In the future - we shall support by folder name too. (default: mapping)
--instance-mapping [INSTANCE_MAPPING ...]
- Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default: [])
+ Instance product key mapping in the format of *::product_key::product_version, wildcards are supported (type: AssetMappingString, default:
+ [])
--folder.mapping [MAPPING ...]
- Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString, default: [])
+ Folder product key mapping in the format of folder_path::product_key::product_version, wildcards are supported (type: AssetMappingString,
+ default: [])
--folder.single Export all repos in a single evidence (default: False)
```
diff --git a/docs/platforms/hooks.md b/docs/platforms/hooks.md
new file mode 100644
index 000000000..2cc09321f
--- /dev/null
+++ b/docs/platforms/hooks.md
@@ -0,0 +1,619 @@
+---
+sidebar_label: "Using Hooks"
+title: "Extending Platforms with Hooks"
+sidebar_position: 2
+---
+
+# Extending Platforms with Third-Party Hooks
+
+Hooks allow you to extend the capabilities of the `platforms` CLI by integrating third-party tools and collecting additional evidence from scanned assets.
+
+## What are Hooks?
+Hooks are user-defined scripts or commands executed during asset discovery or SBOM generation. They enable running external tools such as security scanners, vulnerability analyzers, or policy checkers, enriching the evidence gathered by `platforms`.
+
+### Hook Configuration
+Hooks are configured using a YAML file or via CLI flags. Each hook specifies:
+- **ID**: Hook identifier (defaults to the value of **Tool** if not specified).
+- **Name**: Hook Name.
+- **Tool**: Name of the external tool used.
+- **Type**: Asset type (e.g., repository, namespace, image).
+- **Platform**: Platform to execute the hook on (e.g., GitHub, Kubernetes).
+- **Command**: Platform command target (e.g., `discover`, `bom`); defaults to `discover`.
+- **Parser**: Output format parser (e.g., JSON, SARIF).
+- **use-stdout-evidence**: Use the Command Stdout as evidence.
+- **Run**: Command executed, using environment variables for dynamic input.
+
+Hook configurations can be provided using the `--hook-config` flag and activated via the `--hook` flag referencing the Hook ID.
+
+### Example Hook Configuration
+```yaml
+hooks:
+ - name: "Semgrep Static Analysis"
+ type: "repository"
+ platform: "github"
+ command: discover
+ tool: "semgrep"
+ parser: "json"
+ run: |
+ semgrep scan --debug --json --output $HOOK_OUTPUT_FILE $LOCAL_SOURCE_DIR
+```
+
+To run this hook:
+```bash
+platforms discover github --hook-config my_hook_config.yaml --hook semgrep
+```
+
+### Supported Environment Variables
+When running hooks, `platforms` provides useful environment variables:
+
+#### Asset Information
+- `ASSET_NAME`: Name of the asset being scanned.
+- `ASSET_TYPE`: Type of the asset (e.g., repository, namespace).
+- `HOOK_OUTPUT_FILE`: Path to save hook evidence output.
+- `REMOTE_IMAGE_REF`: Reference URL for container images (available for registry platforms).
+- `REMOTE_SOURCE_URL`: URL of the source repository or asset (available for SCM platforms).
+- `REMOTE_SOURCE_URL_WITH_TOKEN`: URL with SCM token of the source repository or asset (available for SCM platforms).
+- `LOCAL_SOURCE_DIR`: Local source directory (Avaliable for BOM comamnd on SCM platforms)
+- `PLATFORMS_KUBECONFIG`: Kubeconfig path with the provided `url` and `token` to platforms command (avilable for `k8s`).
+- `CLUSTER_URL`: Provided `url` to platforms command (avilable for `k8s`).
+- `NAMESPACE`: Target asset namespace (avilable for `k8s`).
+- `POD`: Target asset namespace (avilable for `k8s`).
+
+Of course! Here's a cleaner, more formal rephrasing for the Kubernetes (K8s) parts you added, while keeping the structure and meaning you intended:
+
+
+#### CI and Git Context
+These variables represent the CI and Git environment in which platforms is executed:
+
+- `GIT_COMMIT`: Git commit SHA.
+- `GIT_BRANCH`: Git branch name.
+- `GIT_TAG`: Git tag, if applicable.
+- `GIT_REPO`: Git repository URL.
+- `GIT_REF`: Git reference.
+- `BUILD_NUM`: CI build number.
+- `WORKFLOW`: CI workflow name.
+- `RUN_ID`: CI run identifier.
+- `JOB_NAME`: CI job name.
+
+
+### Adding Hooks via CLI
+
+You can specify hooks inline when running `platforms` commands using the format:
+`command::tool::parser::name`
+
+For example, to add a Semgrep static analysis hook for GitHub:
+```bash
+platforms discover github \
+ --repository.hooks "semgrep scan --sarif --config auto --output \$HOOK_OUTPUT_FILE"::semgrep::sarif::"Semgrep Static Analysis"
+```
+> Escape special chars like `$` so that the parent shell does not expand them.
+
+## Controlling Hook Execution
+Control hook execution with these flags:
+- `--hook-config`: Specify a YAML file containing hook configurations.
+- `--hook`: Runs only specified hooks by tool name.
+- `--hook.skip`: Skips execution of hooks entirely.
+
+## Kubernetes Hooks Prerequisites
+When integrating third-party tools that access Kubernetes (K8s) resources, a kubeconfig is typically required.
+
+The `platforms` CLI supports issuing Kubernetes commands with a dedicated cluster `URL` and `Access Token`. Hooks targeting Kubernetes can use the `PLATFORMS_KUBECONFIG` environment variable, which provides a temporary kubeconfig file generated with the given credentials. This allows third-party tools executed via hooks to authenticate seamlessly against the cluster.
+
+In addition to `PLATFORMS_KUBECONFIG`, the `CLUSTER_URL` environment variable is also available, containing the cluster endpoint URL for direct use if needed.
+
+## Registry and Kubernetes Hooks Prerequisites
+For hooks that interact with container registries (e.g., scanning images), you may also need to configure a Docker `config.json` with the required registry credentials to allow authentication during the hook execution.
+
+## Embedded Supported Hooks
+These hooks are provided by the `platforms` container along with required configurations:
+
+
+
+### `platform discover` Command Hooks
+| Name | ID | Type | Platform | Tool | Parser | License |
+| --- | --- | --- | --- | --- | --- | --- |
+| Trivy Vulnerability Scan | trivy_image | repository | dockerhub | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | dockerhub | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | repository | github | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| AppArmor Profile Check | apparmor_namespace | namespace | k8s | apparmor | json | |
+| Kubescape Cluster Scan | kubescape_cluster | namespace | k8s | kubescape | kubescape | [Apache-2.0](https://github.com/kubescape/kubescape/blob/master/LICENSE) |
+
+> Use `platforms discover [platform] --hook [hook_id]` to enable the hook.
+
+
+### `platform bom` Command Hooks
+| Name | ID | Type | Platform | Tool | Parser | License |
+| --- | --- | --- | --- | --- | --- | --- |
+| Trivy Vulnerability Scan | trivy_image | image | dockerhub | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | dockerhub | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| Opengrep Static Analysis Scan | opengrep | repository | github | opengrep | sarif | [LGPL-2.1](https://github.com/opengrep/opengrep/blob/main/LICENSE) |
+| Gitleaks Secret Scan | gitleaks_secrets | repository | github | gitleaks | gitleaks | [MIT](https://github.com/gitleaks/gitleaks/blob/master/LICENSE) |
+| KICS IaC Security Scan | kics_scan | repository | github | kics | kics | [Apache-2.0](https://github.com/Checkmarx/kics/blob/master/LICENSE) |
+| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | repository | github | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| Trivy Vulnerability Scan K8s | trivy_k8s_image | image | k8s | trivy | sarif | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+| Trivy IaC and Secrets Scan | trivy_iac_and_secrets | image | k8s | trivy | trivy | [Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE) |
+
+> Use `platforms bom [platform] --hook [hook_id]` to enable the hook.
+
+
+## Default hook Examples
+
+
+Trivy IaC and Secrets Scan
+
+```yaml
+name: Trivy IaC and Secrets Scan
+id: trivy_iac_and_secrets
+type: repository
+platform: github
+command: discover
+tool: trivy
+parser: trivy
+allow_failure: false
+use-stdout-evidence: false
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy repository \
+ --scanners config,secret \
+ --exit-code 0 \
+ --format json \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_SOURCE_URL_WITH_TOKEN
+```
+
+
+
+
+Opengrep Static Analysis Scan
+
+```yaml
+name: Opengrep Static Analysis Scan
+id: opengrep
+type: repository
+platform: github
+command: bom
+tool: ''
+parser: sarif
+allow_failure: false
+use-stdout-evidence: false
+license: '[LGPL-2.1](https://github.com/opengrep/opengrep/blob/main/LICENSE)'
+predicate-type: auto
+timeout: 300
+run: |
+ opengrep scan --metrics=on --config auto --sarif -o "$HOOK_OUTPUT_FILE" "$LOCAL_SOURCE_DIR"
+```
+
+
+
+
+Trivy IaC and Secrets Scan
+
+```yaml
+name: Trivy IaC and Secrets Scan
+id: trivy_iac_and_secrets
+type: repository
+platform: github
+command: bom
+tool: trivy
+parser: trivy
+allow_failure: true
+use-stdout-evidence: false
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy config \
+ --scanners config,secret \
+ --exit-code 0 \
+ --format json \
+ --output $HOOK_OUTPUT_FILE \
+ $LOCAL_SOURCE_DIR
+```
+
+
+
+
+Gitleaks Secret Scan
+
+```yaml
+name: Gitleaks Secret Scan
+id: gitleaks_secrets
+type: repository
+platform: github
+command: bom
+tool: gitleaks
+parser: gitleaks
+allow_failure: false
+use-stdout-evidence: false
+timeout: 600
+license: '[MIT](https://github.com/gitleaks/gitleaks/blob/master/LICENSE)'
+run: |
+ gitleaks detect \
+ --source "$LOCAL_SOURCE_DIR" \
+ --report-path "$HOOK_OUTPUT_FILE" \
+ --report-format json \
+ --redact \
+ --verbose
+```
+
+
+
+
+KICS IaC Security Scan
+
+```yaml
+name: KICS IaC Security Scan
+id: kics_scan
+type: repository
+platform: github
+command: bom
+tool: kics
+parser: kics
+allow_failure: false
+use-stdout-evidence: false
+license: '[Apache-2.0](https://github.com/Checkmarx/kics/blob/master/LICENSE)'
+run: "kics scan \\\n -p \"$LOCAL_SOURCE_DIR\" \\\n -o \"$HOOK_OUTPUT_DIR\" \\\n\
+ \ --output-name \"$HOOK_OUTPUT_FILE_NAME\" \\\n --report-formats json \\\n --no-progress\
+ \ \\\n --log-level INFO \n"
+```
+
+
+
+
+Trivy Vulnerability Scan
+
+```yaml
+name: Trivy Vulnerability Scan
+id: trivy_image
+type: repository
+platform: dockerhub
+command: discover
+tool: ''
+parser: sarif
+allow_failure: false
+use-stdout-evidence: false
+predicate-type: auto
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy image \
+ --scanners vuln \
+ --exit-code 0 \
+ --format sarif \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_IMAGE_REF
+```
+
+
+
+
+Trivy IaC and Secrets Scan
+
+```yaml
+name: Trivy IaC and Secrets Scan
+id: trivy_iac_and_secrets
+type: image
+platform: dockerhub
+command: discover
+tool: trivy
+parser: trivy
+allow_failure: false
+use-stdout-evidence: false
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy image \
+ --scanners misconfig,secret \
+ --exit-code 0 \
+ --format json \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_IMAGE_REF
+```
+
+
+
+
+Trivy Vulnerability Scan
+
+```yaml
+name: Trivy Vulnerability Scan
+id: trivy_image
+type: image
+platform: dockerhub
+command: bom
+tool: ''
+parser: sarif
+allow_failure: false
+use-stdout-evidence: false
+predicate-type: auto
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy image \
+ --scanners vuln \
+ --exit-code 0 \
+ --format sarif \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_IMAGE_REF
+```
+
+
+
+
+Trivy IaC and Secrets Scan
+
+```yaml
+name: Trivy IaC and Secrets Scan
+id: trivy_iac_and_secrets
+type: image
+platform: dockerhub
+command: bom
+tool: trivy
+parser: trivy
+allow_failure: false
+use-stdout-evidence: false
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy image \
+ --scanners misconfig,secret \
+ --exit-code 0 \
+ --format json \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_IMAGE_REF
+```
+
+
+
+
+Kubescape Cluster Scan
+
+```yaml
+name: Kubescape Cluster Scan
+id: kubescape_cluster
+type: namespace
+platform: k8s
+command: discover
+tool: kubescape
+parser: kubescape
+allow_failure: false
+use-stdout-evidence: true
+license: '[Apache-2.0](https://github.com/kubescape/kubescape/blob/master/LICENSE)'
+run: |
+ kubescape scan framework nsa \
+ --include-namespaces $ASSET_NAME \
+ --kubeconfig $PLATFORMS_KUBECONFIG \
+ --format json \
+ --format-version v2 \
+ --output $HOOK_OUTPUT_FILE
+```
+
+
+
+
+AppArmor Profile Check
+
+```yaml
+name: AppArmor Profile Check
+id: apparmor_namespace
+type: namespace
+platform: k8s
+command: discover
+tool: apparmor
+parser: json
+allow_failure: true
+use-stdout-evidence: false
+run: "echo bash scripts/hooks/k8s-apparmor-profiles.sh \\\n --namespace $ASSET_NAME\
+ \ \\\n --output $HOOK_OUTPUT_FILE \\\n --format json \n\necho bash scripts/hooks/k8s-apparmor-profiles.sh\
+ \ \\\n --namespace $ASSET_NAME \\\n --output $HOOK_OUTPUT_FILE \\\n --format\
+ \ json \n"
+```
+
+
+
+
+Trivy Vulnerability Scan K8s
+
+```yaml
+name: Trivy Vulnerability Scan K8s
+id: trivy_k8s_image
+type: image
+platform: k8s
+command: bom
+tool: ''
+parser: sarif
+allow_failure: false
+use-stdout-evidence: false
+predicate-type: auto
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |
+ trivy image \
+ --scanners vuln \
+ --exit-code 0 \
+ --format sarif \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_IMAGE_REF
+```
+
+
+
+
+Trivy IaC and Secrets Scan
+
+```yaml
+name: Trivy IaC and Secrets Scan
+id: trivy_iac_and_secrets
+type: image
+platform: k8s
+command: bom
+tool: trivy
+parser: trivy
+allow_failure: false
+use-stdout-evidence: false
+license: '[Apache-2.0](https://github.com/aquasecurity/trivy/blob/main/LICENSE)'
+run: |-
+ trivy image \
+ --scanners misconfig,secret \
+ --exit-code 0 \
+ --format json \
+ --output $HOOK_OUTPUT_FILE \
+ $REMOTE_IMAGE_REF
+```
+
+
+## General hook Examples
+
+
+CodeQL Static Analysis Scan
+
+```yaml
+name: CodeQL Static Analysis Scan
+type: repository
+platform: github
+command: bom
+tool: codeql
+disable: false
+parser: ''
+allow_failure: false
+use-stdout-evidence: true
+run: |
+ /platforms/codeql/codeql database create /tmp/db \
+ --language=javascript \
+ --source-root=$LOCAL_SOURCE_DIR \
+ --threads=4 || true
+
+ /platforms/codeql/codeql database analyze /tmp/db \
+ --format=sarifv2.1.0 \
+ --output=$HOOK_OUTPUT_FILE \
+ --threads=4
+```
+
+
+
+
+Grype Vulnrability Scan
+
+```yaml
+name: Grype Vulnrability Scan
+type: image
+platform: dockerhub
+command: bom
+tool: grype
+disable: false
+parser: anchoregrype
+allow_failure: true
+use-stdout-evidence: false
+run: |
+ grype $REMOTE_IMAGE_REF --output json --file $HOOK_OUTPUT_FILE
+```
+
+
+
+
+Hadolint Dockerfile Lint Scan
+
+```yaml
+name: Hadolint Dockerfile Lint Scan
+id: hadolint
+type: repository
+platform: github
+command: bom
+tool: hadolint
+parser: hadolint
+allow_failure: false
+use-stdout-evidence: false
+license: '[GNU.3](https://github.com/hadolint/hadolint/blob/master/LICENSE)'
+run: |
+ cd "$LOCAL_SOURCE_DIR"
+ if [ -f Dockerfile ]; then
+ echo "Found Dockerfile, running Hadolint"
+ hadolint --format sarif Dockerfile > "$HOOK_OUTPUT_FILE"
+ else
+ echo "No Dockerfile found, skipping Hadolint"
+ fi
+```
+
+
+
+
+GitGuardian Secret Scan
+
+```yaml
+name: GitGuardian Secret Scan
+id: ggshield_secrets
+type: repository
+platform: github
+command: bom
+tool: ggshield
+parser: ggshield
+allow_failure: false
+use-stdout-evidence: true
+timeout: 600
+license: '[MIT](https://github.com/GitGuardian/ggshield/blob/main/LICENSE)'
+run: |
+ ggshield secret scan repo \
+ $LOCAL_SOURCE_DIR \
+ -o $HOOK_OUTPUT_FILE \
+ --format json
+```
+
+
+
+
+GitGuardian Secret Scan
+
+```yaml
+name: GitGuardian Secret Scan
+id: ggshield_secrets
+type: repository
+platform: github
+command: bom
+tool: ggshield
+parser: ggshield
+allow_failure: false
+use-stdout-evidence: true
+timeout: 600
+license: '[MIT](https://github.com/GitGuardian/ggshield/blob/main/LICENSE)'
+run: |
+ ggshield secret scan repo \
+ $LOCAL_SOURCE_DIR \
+ -o $HOOK_OUTPUT_FILE \
+ --format json
+```
+
+
+
+
+GitGuardian Secret Scan
+
+```yaml
+name: GitGuardian Secret Scan
+id: ggshield_secrets
+type: repository
+platform: github
+command: discover
+tool: ggshield
+parser: ggshield
+allow_failure: false
+use-stdout-evidence: true
+timeout: 600
+license: '[MIT](https://github.com/GitGuardian/ggshield/blob/main/LICENSE)'
+run: |-
+ ggshield secret scan repo \
+ $REMOTE_SOURCE_URL_WITH_TOKEN \
+ -o $HOOK_OUTPUT_FILE \
+ --format json
+```
+
+
+
+
+
+
+Example:
+```bash
+docker run -it scribesecurity/platforms:latest discover github --hook trivy_iac_and_secrets_remote
+```
+
+## Evidence from Hooks
+Hook-generated evidence is automatically attached to assets and included in Scribe's attestation store, enabling comprehensive security analysis and policy evaluation.
+
diff --git a/docs/platforms/usage.md b/docs/platforms/usage.md
index 45ba7420e..977741988 100644
--- a/docs/platforms/usage.md
+++ b/docs/platforms/usage.md
@@ -61,7 +61,8 @@ In the following sections, we shall explain each command in detail, by going thr
-->
```bash
-usage: platforms [-h] [--config CONFIG] [--print_config [=flags]] [--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file LOG_FILE] [--db.local.path PATH]
+usage: platforms [-h] [--config CONFIG] [--print_config [=flags]] [--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}] [--log-file LOG_FILE]
+ [--db.local.path PATH]
{discover,evidence,bom,verify} ...
CLI tool for collecting evidence and enforcing policies via CI/CD platform APIs
@@ -70,8 +71,8 @@ options:
-h, --help Show this help message and exit.
--config CONFIG Path to a configuration file.
--print_config [=flags]
- Print the configuration after applying all other arguments and exit. The optional flags customizes the output and are one or more keywords separated by comma.
- The supported flags are: comments, skip_default, skip_null.
+ Print the configuration after applying all other arguments and exit. The optional flags customizes the output and are one or more keywords
+ separated by comma. The supported flags are: comments, skip_default, skip_null.
--log-level {TRACE,DEBUG,INFO,WARNING,ERROR,CRITICAL}
Set the logging level (default: INFO)
--log-file LOG_FILE Set the logging file (default: )
diff --git a/docs/platforms/verify.md b/docs/platforms/verify.md
index a20c26559..82a61ef3b 100644
--- a/docs/platforms/verify.md
+++ b/docs/platforms/verify.md
@@ -19,13 +19,13 @@ The recommended use of the verify command with the product-mapping capabilities;
-->
```bash
-usage: platforms [options] verify [-h] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.scribe.enable] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE]
+usage: platforms [options] verify [-h] [--valint.scribe.client-secret CLIENT_SECRET] [--valint.cache.disable] [--valint.context-type CONTEXT_TYPE]
[--valint.log-level LOG_LEVEL] [--valint.output-directory OUTPUT_DIRECTORY] [--valint.bin BIN] [--valint.product-key PRODUCT_KEY]
[--valint.product-version PRODUCT_VERSION] [--valint.predicate-type PREDICATE_TYPE] [--valint.attest ATTEST] [--valint.sign]
[--valint.components COMPONENTS] [--valint.label LABEL] [--unique] [--valint.bundle BUNDLE] [--valint.bundle-auth BUNDLE_AUTH]
[--valint.bundle-branch BUNDLE_BRANCH] [--valint.bundle-commit BUNDLE_COMMIT] [--valint.bundle-tag BUNDLE_TAG] [--allow-failures]
[--max-threads MAX_THREADS]
- {k8s,dockerhub,gitlab,github,jfrog,ecr,bitbucket,jenkins} ...
+ {k8s,dockerhub,gitlab,github,jfrog,ecr,bitbucket,jenkins,azure} ...
Verify supply chain policies
@@ -33,8 +33,6 @@ options:
-h, --help Show this help message and exit.
--valint.scribe.client-secret CLIENT_SECRET, --scribe-token CLIENT_SECRET, --scribe-client-secret CLIENT_SECRET
Scribe client Secret (type: str, default: )
- --valint.scribe.enable
- Enable Scribe client (default: False)
--valint.cache.disable
Disable Valint local cache (default: False)
--valint.context-type CONTEXT_TYPE
@@ -49,13 +47,13 @@ options:
--valint.product-version PRODUCT_VERSION
Evidence product version (type: str, default: )
--valint.predicate-type PREDICATE_TYPE
- Evidence predicate type (type: str, default: http://scribesecurity.com/evidence/discovery/v0.1)
+ Evidence predicate type (type: str, default: )
--valint.attest ATTEST
Evidence attest type (type: str, default: x509-env)
--valint.sign sign evidence (default: False)
--valint.components COMPONENTS
components list (type: str, default: )
- --valint.label LABEL Set additional labels (type: at 0x747b9cb90a40>, default: [])
+ --valint.label LABEL Set additional labels (type: at 0x7fd39cf92fc0>, default: [])
--unique Allow unique assets (default: False)
--valint.bundle BUNDLE
Set bundle git branch (type: str, default: )
@@ -83,6 +81,7 @@ subcommands:
ecr
bitbucket
jenkins
+ azure
```
@@ -142,9 +141,10 @@ platforms verify gitlab --organization.mapping "my-org::my-product::1.0" --proje
```bash
usage: platforms [options] verify [options] gitlab [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {organization,project,all}]
- [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]] [--scope.tag [TAG ...]]
- [--commit.skip] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--project.policy [POLICY ...]]
- [--organization.policy [POLICY ...]] [--org-policy-skip-aggregate] [--project-policy-skip-aggregate]
+ [--scope.organization [ORGANIZATION ...]] [--scope.project [PROJECT ...]] [--scope.branch [BRANCH ...]]
+ [--scope.tag [TAG ...]] [--commit.skip] [--organization.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]]
+ [--project.policy [POLICY ...]] [--organization.policy [POLICY ...]] [--org-policy-skip-aggregate]
+ [--project-policy-skip-aggregate]
options:
-h, --help Show this help message and exit.
@@ -157,8 +157,8 @@ options:
--scope.organization [ORGANIZATION ...]
Gitlab organization list (default: ['*'])
--scope.project [PROJECT ...]
- Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
- project_name' (default: ['*'])
+ Gitlab projects epositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Gitlab branches wildcards (default: null)
--scope.tag [TAG ...]
@@ -210,8 +210,8 @@ options:
--scope.organization [ORGANIZATION ...]
Github organization list (default: ['*'])
--scope.repository [REPOSITORY ...]
- Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
+ Github repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace
+ / project_name' (default: ['*'])
--scope.branch [BRANCH ...]
Github branches wildcards (default: [])
--scope.tag [TAG ...]
@@ -219,11 +219,11 @@ options:
--branch.shallow Shallow branch discovery (default: False)
--commit.skip Skip commits in discovery/evidence (default: False)
--organization.mapping [MAPPING ...]
- Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Organization product key mapping in the format of org::product_key::product_version where org is the organization name, wildcards are
+ supported (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
--repository.policy [POLICY ...]
Set repository evidence policy file (type: str, default: [])
--organization.policy [POLICY ...]
@@ -252,8 +252,9 @@ usage: platforms [options] verify [options] dockerhub [-h] [--instance.instance
[--types {token,repository,namespace,all}] [--default_product_key_strategy {namespace,repository,tag,mapping}]
[--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.repository [REPOSITORY ...]]
[--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
- [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--scope.namespace [NAMESPACE ...]]
- [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] [--policy-skip-aggregate]
+ [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
+ [--scope.namespace [NAMESPACE ...]] [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]]
+ [--policy-skip-aggregate]
options:
-h, --help Show this help message and exit.
@@ -324,10 +325,12 @@ The option `--image.policy` sets the image mapping policy file, defaulting to "c
```bash
usage: platforms [options] verify [options] k8s [-h] [--instance.instance INSTANCE] [--url URL] [--token TOKEN] [--types {namespace,pod,cluster-images,all}]
- [--default_product_key_strategy {namespace,pod,image,mapping}] [--default_product_version_strategy {namespace_hash,pod_hash,image_id}]
- [--scope.namespace [NAMESPACE ...]] [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state]
- [--exclude.namespace [NAMESPACE ...]] [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--namespace.single] [--pod.single]
- [--image.mapping [MAPPING ...]] [--cluster-images.policy [POLICY ...]] [--namespace.policy [POLICY ...]] [--policy-skip-aggregate]
+ [--default_product_key_strategy {namespace,pod,image,mapping}]
+ [--default_product_version_strategy {namespace_hash,pod_hash,image_id}] [--scope.namespace [NAMESPACE ...]]
+ [--scope.pod [POD ...]] [--scope.image [IMAGE ...]] [--ignore-state] [--exclude.namespace [NAMESPACE ...]]
+ [--exclude.pod [POD ...]] [--exclude.image [IMAGE ...]] [--namespace.single] [--pod.single]
+ [--image.mapping [MAPPING ...]] [--cluster-images.policy [POLICY ...]] [--namespace.policy [POLICY ...]]
+ [--policy-skip-aggregate]
options:
-h, --help Show this help message and exit.
@@ -357,8 +360,8 @@ options:
--namespace.single Export all namespaces (default: False)
--pod.single Export all pods in a single evidence (default: False)
--image.mapping [MAPPING ...]
- K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type: K8sImageMappingString,
- default: [])
+ K8s namespace;pod;image to product_key:product_version mappinge.g. my-namespace::my-pod::my-image::product_key::product_version (type:
+ K8sImageMappingString, default: [])
--cluster-images.policy [POLICY ...]
Set image policy file (type: str, default: ['ct-8@discovery', 'ct-11@discovery', 'ct-12@discovery', 'ct-13@discovery'])
--namespace.policy [POLICY ...]
@@ -409,10 +412,10 @@ To evaluate policies on Jfrog evidence.
usage: platforms [options] verify [options] jfrog [-h] [--instance.instance INSTANCE] [--token TOKEN] [--url URL] [--types {token,repository,jf-repository,all}]
[--default_product_key_strategy {jf-repository,repository,tag,mapping}]
[--default_product_version_strategy {tag,short_image_id,image_id}] [--scope.jf-repository [JF_REPOSITORY ...]]
- [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]] [--scope.image_platform [IMAGE_PLATFORM ...]]
- [--exclude.jf-repository [JF_REPOSITORY ...]] [--exclude.repository [REPOSITORY ...]]
- [--exclude.repository_tags [REPOSITORY_TAGS ...]] [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]]
- [--policy-skip-aggregate]
+ [--scope.repository [REPOSITORY ...]] [--scope.repository_tags [REPOSITORY_TAGS ...]]
+ [--scope.image_platform [IMAGE_PLATFORM ...]] [--exclude.jf-repository [JF_REPOSITORY ...]]
+ [--exclude.repository [REPOSITORY ...]] [--exclude.repository_tags [REPOSITORY_TAGS ...]]
+ [--image.mapping [MAPPING ...]] [--image.policy [POLICY ...]] [--policy-skip-aggregate]
options:
-h, --help Show this help message and exit.
@@ -463,12 +466,14 @@ platforms verify bitbucket --workspace.mapping "my-workspace::my-product::1.0" -
-->
```bash
-usage: platforms [options] verify [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME] [--workspace_token WORKSPACE_TOKEN]
- [--workspace WORKSPACE] [--url URL] [--types {workspace,project,repository,all}] [--scope.workspace [WORKSPACE ...]]
+usage: platforms [options] verify [options] bitbucket [-h] [--instance.instance INSTANCE] [--app_password APP_PASSWORD] [--username USERNAME]
+ [--workspace_token WORKSPACE_TOKEN] [--workspace WORKSPACE] [--url URL]
+ [--types {workspace,project,repository,all}] [--scope.workspace [WORKSPACE ...]]
[--scope.project [PROJECT ...]] [--scope.repository [REPOSITORY ...]] [--scope.commit [COMMIT ...]]
- [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--workspace.mapping [MAPPING ...]]
- [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]] [--repository.policy [POLICY ...]]
- [--project.policy [POLICY ...]] [--workspace.policy [POLICY ...]] [--org-policy-skip-aggregate] [--repo-policy-skip-aggregate]
+ [--scope.branch [BRANCH ...]] [--scope.webhook [WEBHOOK ...]] [--commit.skip] [--branch-protection.skip]
+ [--workspace.mapping [MAPPING ...]] [--project.mapping [MAPPING ...]] [--repository.mapping [MAPPING ...]]
+ [--repository.policy [POLICY ...]] [--project.policy [POLICY ...]] [--workspace.policy [POLICY ...]]
+ [--org-policy-skip-aggregate] [--repo-policy-skip-aggregate]
options:
-h, --help Show this help message and exit.
@@ -487,11 +492,11 @@ options:
--scope.workspace [WORKSPACE ...]
BitBucket workspace list (default: ['*'])
--scope.project [PROJECT ...]
- BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace / project_name'
- (default: ['*'])
- --scope.repository [REPOSITORY ...]
- BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
+ BitBucket projects wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format 'namespace /
project_name' (default: ['*'])
+ --scope.repository [REPOSITORY ...]
+ BitBucket repositories wildcards. Default is all projects. Note that a project name includes as a prefix its namesapce in the format
+ 'namespace / project_name' (default: ['*'])
--scope.commit [COMMIT ...]
BitBucket commit wildcards (default: [])
--scope.branch [BRANCH ...]
@@ -499,15 +504,17 @@ options:
--scope.webhook [WEBHOOK ...]
BitBucket webhook wildcards (default: [])
--commit.skip Skip commits in discovery/evidence (default: False)
+ --branch-protection.skip
+ Skip Branch protection in discovery/evidence (default: False)
--workspace.mapping [MAPPING ...]
- Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Workspace product key mapping in the format of workspace::product_key::product_version where org is the workspace name, wildcards are
+ supported (type: AssetMappingString, default: [])
--project.mapping [MAPPING ...]
- Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Project product key mapping in the format of project::product_key::product_version where org is the project name, wildcards are supported
+ (type: AssetMappingString, default: [])
--repository.mapping [MAPPING ...]
- Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported (type:
- AssetMappingString, default: [])
+ Repository product key mapping in the format of repo::product_key::product_version where repo is the repository name, wildcards are supported
+ (type: AssetMappingString, default: [])
--repository.policy [POLICY ...]
Set repository evidence policy file (type: str, default: [])
--project.policy [POLICY ...]
diff --git a/docs/valint/configuration.md b/docs/valint/configuration.md
index dc4e01c81..3faee57dc 100644
--- a/docs/valint/configuration.md
+++ b/docs/valint/configuration.md
@@ -59,6 +59,7 @@ attest:
branch: ""
commit: ""
depth: 0
+ clone-path: ""
policy_configs: []
rule_configs: []
label_filters: []
diff --git a/docs/valint/getting-started-valint.md b/docs/valint/getting-started-valint.md
index ad9923716..7946266b4 100644
--- a/docs/valint/getting-started-valint.md
+++ b/docs/valint/getting-started-valint.md
@@ -11,7 +11,7 @@ Valint is a tool used to manage `evidence` generation (for directories, file art
Valint also enables you to **capture** any 3rd party report, scan or configuration (any file) into evidence.
-> Latest Version `v1.5.18`.
+> Latest Version `v1.5.19`.
### Installing Valint
diff --git a/docs/valint/help/valint.md b/docs/valint/help/valint.md
index 0b399ea61..eb83aaf16 100644
--- a/docs/valint/help/valint.md
+++ b/docs/valint/help/valint.md
@@ -14,12 +14,12 @@ Flags for `valint`
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
| -h | --help | help for valint | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_bom.md b/docs/valint/help/valint_bom.md
index 0955707e5..4c51188d3 100644
--- a/docs/valint/help/valint_bom.md
+++ b/docs/valint/help/valint_bom.md
@@ -43,9 +43,9 @@ Flags for `bom` subcommand
| | --kms | Provide KMS key reference | |
| | --oci | Enable OCI store | |
| -R | --oci-repo | Select OCI custom attestation repo | |
-| | --package-exclude-type | Exclude package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua] | |
+| | --package-exclude-type | Exclude package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua bitnami terraform] | |
| | --package-group | Select package group, options=[index install all] | |
-| -t | --package-type | Select package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua] | |
+| -t | --package-type | Select package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua bitnami terraform] | |
| | --pass | Private key password | |
| | --payload | path of the decoded payload | |
| | --platform | Select target platform, examples=windows/armv6, arm64 ..) | |
@@ -66,11 +66,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_diff.md b/docs/valint/help/valint_diff.md
index 6aef2c536..d6cfb9900 100644
--- a/docs/valint/help/valint_diff.md
+++ b/docs/valint/help/valint_diff.md
@@ -49,7 +49,7 @@ global flag for all commands
| -C | --context-type | CI context type, options=[jenkins github circleci local gitlab] | "local" |
| -L | --label | Add Custom labels | |
| -D | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
-| -d | --output-directory | Output directory path | "$\{XDG_CACHE_HOME\}/valint" |
+| -d | --output-directory | Output directory path | "${XDG_CACHE_HOME}/valint" |
| -O | --output-file | Output file name | |
| -n | --product-key | Scribe Project Key | |
| -q | --quiet | Suppress all logging output | |
diff --git a/docs/valint/help/valint_discard.md b/docs/valint/help/valint_discard.md
index e8e418813..cbc893b6a 100644
--- a/docs/valint/help/valint_discard.md
+++ b/docs/valint/help/valint_discard.md
@@ -32,11 +32,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_download.md b/docs/valint/help/valint_download.md
index 8306a8970..2f2a03052 100644
--- a/docs/valint/help/valint_download.md
+++ b/docs/valint/help/valint_download.md
@@ -28,11 +28,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_evidence.md b/docs/valint/help/valint_evidence.md
index 587bb3b32..6161a0ad7 100644
--- a/docs/valint/help/valint_evidence.md
+++ b/docs/valint/help/valint_evidence.md
@@ -50,11 +50,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_list.md b/docs/valint/help/valint_list.md
index ddd57801d..ff0f3da48 100644
--- a/docs/valint/help/valint_list.md
+++ b/docs/valint/help/valint_list.md
@@ -39,11 +39,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_slsa.md b/docs/valint/help/valint_slsa.md
index 5789da25c..dd78e93db 100644
--- a/docs/valint/help/valint_slsa.md
+++ b/docs/valint/help/valint_slsa.md
@@ -61,11 +61,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docs/valint/help/valint_verify.md b/docs/valint/help/valint_verify.md
index eba8810b2..b98d0aa11 100644
--- a/docs/valint/help/valint_verify.md
+++ b/docs/valint/help/valint_verify.md
@@ -72,11 +72,11 @@ Flags for all `valint` subcommands
| --- | --- | --- | --- |
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
-| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
+| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket teamcity local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
-| | --input | Input Evidence target, format (\:\ or \:\:\) | |
+| | --input | Input Evidence target, format (\:\ or \:\:\) | |
| -L | --label | Add Custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
diff --git a/docusaurus.config.js b/docusaurus.config.js
index 45bf4883e..699a5a3f5 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -167,6 +167,7 @@ const config = {
"platforms/verify.md",
"platforms/generate_k8s_token.md",
"platforms/usage.md",
+ "platforms/hooks.md",
"release-notes/rns.md",
// "advanced-guide/generating-sboms.md",