stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
8abbf9574d81c62b8cf7688bba367a777d8b3aa0
git.stella-ops.org/docs/modules/cli/guides/attest.md
StellaOps Bot c34fb7256d
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details
SDK Publish & Sign / sdk-publish (push) Has been cancelled
Details
sdk-generator-smoke / sdk-smoke (push) Has been cancelled
Details
up
2025-11-27 08:51:10 +02:00

97 lines
2.3 KiB
Markdown
Raw Blame History

# CLI Attest Guide (DOCS-ATTEST-74-004)
How to verify and inspect attestations via CLI.
## Verify DSSE
```bash
stella attest verify --envelope bundle.dsse.json --policy policy.json \
--root keys/root.pem --transparency-checkpoint checkpoints/rekor.json
```
- Offline verification uses bundled roots and checkpoints; transparency optional.
## List attestations
```bash
stella attest list --tenant default --issuer dev-kms --format table
```
## Show attestation
```bash
stella attest show --id a1b2c3 --output json
```
## CI/CD Integration
### GitHub Actions
```yaml
# .github/workflows/verify-attestation.yml
name: Verify Attestation
on:
workflow_dispatch:
inputs:
artifact_path:
description: 'Path to artifact with attestation'
required: true
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: signed-artifact
path: ./artifacts
- name: Install StellaOps CLI
run: |
dotnet tool install --global StellaOps.Cli
- name: Verify attestation
run: |
stella attest verify \
--envelope ./artifacts/attestation.dsse.json \
--policy ./policy/verify-policy.json \
--root ./keys/trusted-root.pem \
--output ./verification-report.json
- name: Upload verification report
uses: actions/upload-artifact@v4
with:
name: verification-report
path: ./verification-report.json
```
### GitLab CI
```yaml
# .gitlab-ci.yml
verify-attestation:
stage: verify
image: mcr.microsoft.com/dotnet/sdk:10.0
before_script:
- dotnet tool install --global StellaOps.Cli
- export PATH="$PATH:$HOME/.dotnet/tools"
script:
- |
stella attest verify \
--envelope ./artifacts/attestation.dsse.json \
--policy ./policy/verify-policy.json \
--root ./keys/trusted-root.pem \
--output ./verification-report.json
artifacts:
paths:
- verification-report.json
expire_in: 1 week
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
```
## Notes
- No network access required in sealed mode.
- All commands emit deterministic JSON; timestamps in UTC.
- Exit codes: 0 success, 2 verification failed, 4 input error.
Reference in New Issue View Git Blame Copy Permalink