vis attest

Emit and verify supply-chain attestations (in-toto SLSA provenance + Sigstore)

Outbound and inbound supply-chain attestation. Two leaves:

  • vis attest <subject> (emit) — build an in-toto SLSA v1 provenance statement for a built artifact and keyless-sign it via Sigstore (Fulcio cert from ambient CI OIDC, Rekor transparency log). Writes a serialized .sigstore bundle — authenticity, not just integrity.
  • vis attest verify — compose the inbound provenance + registry-signature marshalls over the locked dependency graph and gate on regressions (publisher dropped provenance, unknown/expired key id, bad signature).

Usage

vis attest <subject> [options]    # emit
vis attest verify [options]       # verify

attest (emit)

Build an in-toto SLSA v1 provenance statement for an artifact and keyless-sign it via Sigstore. The artifact's sha256 becomes the in-toto subject digest.

vis attest dist/app.tgz                                  # emit dist/app.tgz.sigstore (keyless-signed in CI)
vis attest dist/app.tgz --output attest.sigstore         # write the bundle to a specific path
vis attest dist/app.tgz --predicate slsaProvenance       # predicate type (default: slsaProvenance)
vis attest dist/app.tgz --require-signing                # fail instead of skip-with-warn when no ambient OIDC
vis attest dist/app.tgz --format json                    # print the signed bundle summary as JSON

Options — vis attest <subject>

Option             Default             Description
--format           table               Output format: table, json, or ndjson (json/ndjson go to stdout, logs to stderr)
--output           <subject>.sigstore  Write the serialized Sigstore bundle here
--predicate        slsaProvenance      Predicate type; slsaProvenance maps to https://slsa.dev/provenance/v1
--require-signing  false               Error instead of skip-with-warn when no ambient OIDC token is available (i.e. outside CI)
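What the emit leaf produces, as an added example that is not vis source: an in-toto Statement v1 whose single subject carries the artifact's sha256, a SLSA provenance v1 predicate, and the DSSE pre-authentication encoding (PAE) that the keyless signer actually signs. The builder id, build type URI and the artifact bytes are constructed placeholders; the statement type, predicate type URI and DSSE payload type are the published constants.

```python
# Added example (not vis source): build the in-toto Statement v1 + SLSA
# provenance v1 payload behind `vis attest <subject>` and the DSSE PAE bytes
# a Sigstore signer would sign. No signing happens here.
import base64
import hashlib
import json
import os
import tempfile

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPES = {"slsaProvenance": "https://slsa.dev/provenance/v1"}
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed artifact bytes standing in for dist/app.tgz.
ARTIFACT_BYTES = b"constructed artifact bytes, not a real tarball\n"


def sha256_hex_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_hex_file(path: str) -> str:
    """Stream the file so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_statement(subject_path: str, predicate: str = "slsaProvenance",
                    builder_id: str = "<builder-id-placeholder>") -> dict:
    """in-toto Statement: the artifact's sha256 is the subject digest, so the
    signed provenance is bound to exactly these bytes and nothing else."""
    if predicate not in PREDICATE_TYPES:
        raise ValueError(f"unknown predicate type: {predicate}")
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{
            "name": os.path.basename(subject_path),
            "digest": {"sha256": sha256_hex_file(subject_path)},
        }],
        "predicateType": PREDICATE_TYPES[predicate],
        # Minimal SLSA v1 predicate skeleton; values are placeholders that a
        # real builder fills from its own build context.
        "predicate": {
            "buildDefinition": {
                "buildType": "<build-type-uri-placeholder>",
                "externalParameters": {},
                "resolvedDependencies": [],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding. The signature covers this string, not
    the bare JSON, so the payload type cannot be swapped under a valid signature."""
    pt = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(pt), pt, len(payload), payload)


def unsigned_envelope(statement: dict) -> tuple[dict, bytes]:
    """Return the DSSE envelope (signatures still empty) plus the PAE bytes the
    keyless signer would sign with its Fulcio-issued certificate."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    envelope = {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [],  # a real emitter appends {"sig": ..., "keyid": ...} here
    }
    return envelope, dsse_pae(DSSE_PAYLOAD_TYPE, payload)


def demo_statement() -> tuple[dict, dict, bytes]:
    """Write the constructed artifact to a temp dir and build its attestation."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.tgz")
        with open(path, "wb") as f:
            f.write(ARTIFACT_BYTES)
        statement = build_statement(path)
    envelope, pae = unsigned_envelope(statement)
    return statement, envelope, pae


if __name__ == "__main__":
    stmt, env, pae = demo_statement()
    print(json.dumps(stmt, indent=2))
    print("PAE prefix:", pae[:60])
```

The point to check when reviewing a bundle is the subject digest: a verifier recomputes sha256 over the downloaded artifact and compares it to `subject[0].digest.sha256` before trusting anything in the predicate.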

verify

Verify inbound provenance + registry signatures across the locked dependency graph and gate on regressions.

vis attest verify                       # check every locked dep for provenance/signature problems
vis attest verify --prod-only           # skip devDependencies
vis attest verify --format json         # machine-readable findings for CI
vis attest verify --fail-on error       # exit non-zero only on error-severity findings

Options — vis attest verify

Option        Default   Description
--format      table     Output format: table, json, or ndjson (json/ndjson go to stdout, logs to stderr)
--prod-only   false     Skip devDependencies — verify the production graph only
--fail-on     warning   Severity that triggers a non-zero exit: warning (any finding) or error
--allowlist             Comma-separated package names to exclude from both marshalls
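The gating logic described for the verify leaf, as an added example that is not vis source, run over a constructed dependency graph. Three things are assumptions, since the page does not specify them: "publisher dropped provenance" is detected by comparing against a snapshot from the previous run, the mapping from finding kind to severity, and the signature validity flag, which stands for the result of the upstream cryptographic check rather than performing it. The package names and key ids are constructed.

```python
# Added example (not vis source): the regression gate behind `vis attest verify`
# with --prod-only, --allowlist and --fail-on, over a constructed locked graph.
import json
from dataclasses import asdict, dataclass

SEVERITY_RANK = {"warning": 1, "error": 2}

# Assumed severity per finding kind; the page does not fix these.
FINDING_SEVERITY = {
    "provenance_dropped": "warning",
    "unknown_key_id": "error",
    "expired_key_id": "error",
    "bad_signature": "error",
}

# Constructed registry key set: key id -> metadata.
TRUSTED_KEYS = {
    "SHA256:constructedKeyA": {"expired": False},
    "SHA256:constructedKeyB": {"expired": True},
}

# Constructed snapshot from the previous verify run, used to spot regressions.
PREVIOUS_STATE = {
    "pkg-a": {"provenance": True},
    "pkg-b": {"provenance": True},
    "pkg-c": {"provenance": True},
    "pkg-d": {"provenance": True},
    "pkg-e": {"provenance": False},
}

# Constructed locked graph. "valid" is the outcome of the signature check
# done upstream; this example only decides what to do with it.
LOCKED_DEPS = [
    {"name": "pkg-a", "dev": False, "provenance": True,
     "signature": {"keyid": "SHA256:constructedKeyA", "valid": True}},   # clean
    {"name": "pkg-b", "dev": False, "provenance": False,
     "signature": {"keyid": "SHA256:constructedKeyA", "valid": True}},   # provenance dropped
    {"name": "pkg-c", "dev": True, "provenance": True,
     "signature": {"keyid": "SHA256:constructedKeyZ", "valid": True}},   # unknown key (dev dep)
    {"name": "pkg-d", "dev": False, "provenance": True,
     "signature": {"keyid": "SHA256:constructedKeyA", "valid": False}},  # bad signature
    {"name": "pkg-e", "dev": False, "provenance": False,
     "signature": {"keyid": "SHA256:constructedKeyB", "valid": True}},   # expired key, never had provenance
]


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str
    severity: str
    detail: str


def _finding(package: str, kind: str, detail: str) -> Finding:
    return Finding(package, kind, FINDING_SEVERITY[kind], detail)


def evaluate(locked_deps, previous_state, trusted_keys, *, prod_only=False, allowlist=()):
    """Run both marshalls over the graph and collect findings."""
    findings = []
    skip = set(allowlist)
    for dep in locked_deps:
        if prod_only and dep["dev"]:
            continue
        if dep["name"] in skip:  # --allowlist removes the package from both marshalls
            continue
        # Provenance marshall: flag a regression (had provenance, now lacks it);
        # a package that never published provenance is not a regression.
        had = previous_state.get(dep["name"], {}).get("provenance", False)
        if had and not dep["provenance"]:
            findings.append(_finding(dep["name"], "provenance_dropped",
                                     "previous release carried provenance, this one does not"))
        # Registry-signature marshall.
        sig = dep.get("signature")
        if sig is None:
            continue
        key = trusted_keys.get(sig["keyid"])
        if key is None:
            findings.append(_finding(dep["name"], "unknown_key_id",
                                     f"key id {sig['keyid']} is not in the registry key set"))
        elif key["expired"]:
            findings.append(_finding(dep["name"], "expired_key_id",
                                     f"key id {sig['keyid']} is expired"))
        elif not sig["valid"]:
            findings.append(_finding(dep["name"], "bad_signature",
                                     "registry signature did not verify"))
    return findings


def exit_code(findings, fail_on: str = "warning") -> int:
    """--fail-on semantics: warning fails on any finding, error only on errors."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


def to_ndjson(findings) -> str:
    """--format ndjson: one JSON object per finding, for CI log scrapers."""
    return "\n".join(json.dumps(asdict(f), sort_keys=True) for f in findings)


if __name__ == "__main__":
    found = evaluate(LOCKED_DEPS, PREVIOUS_STATE, TRUSTED_KEYS, prod_only=True)
    print(to_ndjson(found))
    raise SystemExit(exit_code(found, "error"))
```

Note that an allowlisted package is silent in both marshalls, so a bad signature on an allowlisted dependency never surfaces; keep the allowlist short and reviewed rather than using it to quiet a noisy gate.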