
Basic examples

Docker built image

Create SLSA Provenance for an image built locally with Docker and tagged image_name:latest.

docker build . -t image_name:latest
valint slsa image_name:latest

Private registry image

Create SLSA Provenance for images hosted by a private registry.

The docker login command is required to enable access to the private registry.

docker login
valint slsa scribesecurity.jfrog.io/scribe-docker-local/example:latest

Include specific environment

The named environment variable is added to the internal parameters of the SLSA Provenance.

export test_env=test_env_value
valint slsa busybox:latest --env test_env

Include ALL environment

All environment variables are added to the SLSA Provenance.

export test_env=test_env_value
valint slsa busybox:latest --all-env
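
Because --env and --all-env record environment variables in the provenance, it is worth checking what was captured before the evidence is signed or pushed. The Python check below is an added example, not part of Valint or of the original page; it accepts an in-toto statement or a DSSE envelope wrapping one, and the internalParameters.env layout of the constructed sample is an assumption.

```python
import base64, json, re, sys

# Constructed sample statement. Keeping env under
# buildDefinition.internalParameters.env is an assumption about the layout.
SAMPLE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "busybox:latest", "digest": {"sha256": "constructed"}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {"internalParameters": {"env": {
        "test_env": "test_env_value", "HOME": "/root",
        "SCRIBE_TOKEN": "constructed-value", "DB_PASSWORD": "constructed-value",
    }}}},
}

SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL|PRIVATE_?KEY", re.I)

def unwrap(doc):
    """Return the in-toto statement, decoding a DSSE envelope if given one."""
    if "payload" in doc and "payloadType" in doc:
        return json.loads(base64.b64decode(doc["payload"]))
    return doc

def secret_like(node, path="predicate"):
    """Yield JSON paths of recorded values whose name looks like a credential."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(value, str) and value and SECRET_NAME.search(key):
                yield here
            else:
                yield from secret_like(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_like(item, f"{path}[{i}]")
    elif isinstance(node, str) and "=" in node:  # "NAME=value" style entries
        if SECRET_NAME.search(node.split("=", 1)[0]):
            yield path

def audit(doc):
    """Return sorted paths of secret-looking entries in a SLSA Provenance doc."""
    stmt = unwrap(doc)
    if not str(stmt.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        raise ValueError("not a SLSA Provenance statement")
    return sorted(secret_like(stmt.get("predicate", {})))

if __name__ == "__main__":
    findings = audit(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE)
    print("\n".join(findings) or "no secret-like names recorded")
    sys.exit(1 if findings else 0)
```

Pass the path of a provenance file as the first argument; a non-zero exit status means a secret-looking name was recorded.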

Custom evidence location

Use the --output-directory or --output-file flag to change the default evidence location.

# Save evidence to custom path
valint slsa busybox:latest --output-file my_slsa_provenance.json
ls -lh my_slsa_provenance.json

# Change evidence cache directory
valint slsa busybox:latest --output-directory ./my_evidence_cache
ls -lhR my_evidence_cache

Docker archive image

Create SLSA Provenance for the output of a local docker save ... command.

docker save busybox:latest -o busybox_archive.tar
valint slsa docker-archive:busybox_archive.tar

Directory target

Create SLSA Provenance for a local directory.

mkdir testdir
echo "test" > testdir/test.txt

valint slsa dir:testdir

Git target

Create SLSA Provenance for the remote mongo-express git repository.

valint slsa git:https://github.com/mongo-express/mongo-express.git

Create SLSA Provenance for the local git repository yourrepository.

git clone https://github.com/yourrepository.git
valint slsa git:yourrepository

Public registry image

Create SLSA Provenance for the remote busybox:latest image.

valint slsa busybox:latest

Attest target

Create and sign SLSA Provenance for a target.

By default, Valint uses the Sigstore interactive flow as its signing engine.

valint slsa busybox:latest -o attest

Attest and verify image target

Generate and verify a SLSA Provenance attestation for the image target busybox:latest.

By default, Valint uses the Sigstore interactive flow as its signing engine.

# Create SLSA Provenance attestations
valint slsa busybox:latest -vv -o attest

# Verify SLSA Provenance attestations
valint verify busybox:latest -i attest-slsa

Attest and verify Git repository target

Generate and verify SLSA Provenance for the remote git repository target https://github.com/mongo-express/mongo-express.git.

valint slsa git:https://github.com/mongo-express/mongo-express.git -o attest
valint verify git:https://github.com/mongo-express/mongo-express.git -i attest-slsa

Or, for a local repository:

# Clone the repository locally
git clone https://github.com/mongo-express/mongo-express.git

# Create SLSA Provenance attestations
valint slsa git:./mongo-express -o attest

# Verify SLSA Provenance attestations
valint verify git:./mongo-express -i attest-slsa

Store evidence on OCI

Store any evidence on any OCI registry.
Storage is supported for all targets and for both SLSA Provenance and SLSA evidence formats.

Use -o, --format to select between the supported formats.
Write permission to the --oci-repo value is required.

# Login to registry
docker login $REGISTRY_URL

# Generate and push evidence to registry
valint slsa [target] -o [attest, statement] --oci --oci-repo $REGISTRY_URL

# Pull and validate evidence from registry
valint verify [target] -i [attest-slsa, statement-slsa] --oci --oci-repo $REGISTRY_URL -f

Note the -f flag in the verification command, which skips the local cache evidence lookup.

Store evidence on Scribe service

Store any evidence on the Scribe service.
Storage is supported for all targets and for both SLSA Provenance and SLSA evidence formats.

Use -o, --format to select between the supported formats.
Credentials for the Scribe API are required.

# Set Scribe credentials
export SCRIBE_TOKEN=**

# Generate and push evidence to the Scribe service
valint slsa [target] -o [attest, statement] -f \
-P $SCRIBE_TOKEN

# Pull and validate evidence from the Scribe service
valint verify [target] -i [attest-slsa, statement-slsa] -f \
-P $SCRIBE_TOKEN

Note the -f flag in the verification command, which skips the local cache evidence lookup.