
valint_bom

valint bom

Create evidence command

Synopsis

Collect, create and store evidence for artifacts (SBOMs, SLSA provenance) or for the output of any third-party tool.

valint bom [TARGET] [flags]

Optional flags

Flags for bom subcommand

| Short | Long | Description | Default |
|-------|------|-------------|---------|
| -A | --attach-regex | Attach files content by regex | |
| | --attest.config | Attestation config path | |
| | --attest.default | Attestation default config, options=[sigstore sigstore-github x509 x509-env kms pubkey] | |
| | --author-email | Set author email | |
| | --author-name | Set author name | |
| | --author-phone | Set author phone | |
| | --ca | x509 CA Chain path | |
| | --cert | x509 Cert path | |
| | --components | Select sbom components groups, options=[metadata layers packages syft files dep commits] | [metadata,layers,packages,syft,dep,commits] |
| | --crl | x509 CRL path | |
| | --crl-full-chain | Enable full chain CRL verification | |
| | --depth | Git clone depth | |
| | --disable-crl | Disable certificate revocation verification | |
| -F | --filter-regex | Filter out files by regex | [/*.pyc,/.git/**] |
| | --filter-scope | Filter packages by scope | |
| -f | --force | Force overwrite cache | |
| -o | --format | Evidence format, options=[cyclonedx-json cyclonedx-xml attest-cyclonedx-json statement-cyclonedx-json attest-slsa statement-slsa statement-generic attest-generic] | |
| | --git-auth | Git repository authentication info, [format: 'username:password'] | |
| | --git-branch | Git branch in the repository | |
| | --git-commit | Git commit hash in the repository | |
| | --git-tag | Git tag in the repository | |
| -h | --help | help for bom | |
| | --key | x509 Private key path | |
| | --kms | Provide KMS key reference | |
| | --oci | Enable OCI store | |
| -R | --oci-repo | Select OCI custom attestation repo | |
| | --package-exclude-type | Exclude package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua] | |
| | --package-group | Select package group, options=[index install all] | |
| -t | --package-type | Select package type, options=[ruby python javascript java dpkg apk rpm go dotnet r rust binary sbom nix conan alpm cocoapods swift dart elixir php erlang github portage haskell kernel wordpress lua] | |
| | --pass | Private key password | |
| | --payload | Path of the decoded payload | |
| | --platform | Select target platform (examples: windows/armv6, arm64, ...) | |
| | --provenance | Include SLSA Provenance evidence | |
| | --pubkey | Public key path | |
| | --supplier-email | Set supplier email | |
| | --supplier-name | Set supplier name | |
| | --supplier-phone | Set supplier phone | |
| | --supplier-url | Set supplier URL | |

Global options flags

Flags for all valint subcommands

| Short | Long | Description | Default |
|-------|------|-------------|---------|
| | --cache-enable | Enable local cache | true |
| -c | --config | Configuration file path | |
| -C | --context-type | CI context type, options=[jenkins github circleci azure gitlab travis tekton bitbucket local admission] | |
| | --deliverable | Mark as deliverable, options=[true, false] | |
| -e | --env | Environment keys to include in evidence | |
| -G | --gate | Policy Gate name | |
| -L | --label | Add custom labels | |
| | --level | Log depth level, options=[panic fatal error warning info debug trace] | |
| | --log-context | Attach context to all logs | |
| | --log-file | Output log to file | |
| -d | --output-directory | Output directory path | "${XDG_CACHE_HOME}/valint" |
| -O | --output-file | Output file name | |
| -p | --pipeline-name | Pipeline name | |
| | --predicate-type | Custom Predicate type (generic evidence format) | "http://scribesecurity.com/evidence/generic/v0.1" |
| -n | --product-key | Product Key | |
| -V | --product-version | Product Version | |
| -q | --quiet | Suppress all logging output | |
| -U | --scribe.client-id | Scribe Client ID (deprecated) | |
| -P | --scribe.client-secret | Scribe Client Token | |
| -D | --scribe.disable | Disable scribe client | |
| -E | --scribe.enable | Enable scribe client (deprecated) | |
| -u | --scribe.url | Scribe API URL | "https://api.scribesecurity.com" |
| -s | --show | Print evidence to stdout | |
| | --structured | Enable structured logger | |
| | --timeout | Timeout duration | "120s" |
| -v | --verbose | Log verbosity level: [-v, --verbose=1] = info, [-vv, --verbose=2] = debug | |

Examples for running valint bom

  valint bom <target>

<target> Target object name, format=[<image:tag>, <dir path>, <git url>]

  valint bom alpine:latest                    # create the default (cyclonedx-json) SBOM
  valint bom alpine:latest -o cyclonedx-xml   # create a CycloneDX XML SBOM
  valint bom alpine:latest -o attest          # create an in-toto attestation of the CycloneDX SBOM
  valint bom alpine:latest -o attest-slsa     # create an in-toto attestation of SLSA provenance
  valint bom alpine:latest -vv                # show verbose debug information
  valint bom alpine:latest -A "*/**"          # collect file contents into the SBOM

Supports the following image sources:

  valint bom yourrepo/yourimage:tag                # defaults to using images from a Docker daemon; if Docker is not present, the image is pulled directly from the registry

You can also explicitly specify the scheme to use:

  valint bom docker:yourrepo/yourimage:tag         # explicitly use the Docker daemon
  valint bom podman:yourrepo/yourimage:tag         # explicitly use the Podman daemon
  valint bom docker-archive:path/to/yourimage.tar  # use a tarball from disk for archives created from "docker save"
  valint bom oci-archive:path/to/yourimage.tar     # use a tarball from disk for OCI archives (from Skopeo or otherwise)
  valint bom dir:path/to/yourproject               # read directly from a path on disk (any directory)
  valint bom registry:yourrepo/yourimage:tag       # pull the image directly from a registry (no container runtime required)
  valint bom file:path/to/yourproject/file         # read directly from a path on disk (any single file)
  valint bom git:path/to/yourrepository            # read directly from a local repository on disk
  valint bom git:https://github.com/yourrepository.git  # read directly from a remote git repository

SBOM example:
  valint bom alpine:latest -o attest
  valint bom alpine:latest -o statement

SLSA example:
  valint bom alpine:latest -o attest-slsa
  valint bom alpine:latest -o statement-slsa

Generic example:
  valint bom file.json -o attest-slsa
  valint bom file.json -o statement-slsa

Format aliases:
* json=attest-cyclonedx-json
* predicate=predicate-cyclonedx-json
* statement=statement-cyclonedx-json
* attest=attest-cyclonedx-json

SEE ALSO

  • valint - Validate Supply Chain Integrity