in-toto-run
Generate link metadata while carrying out a supply chain step.
- Tag a Git repo and sign the resulting link file:
in-toto-run -n {tag} --products {.} -k {key_file} -- {git tag v1.0}
- Create a tarball, storing files as materials and the tarball as product:
in-toto-run -n {package} -m {project} -p {project.tar.gz} -- {tar czf project.tar.gz project}
- Generate signed attestations for review work:
in-toto-run -n {review} -k {key_file} -m {document.pdf} -x
- Scan an image using Trivy and generate a link file:
in-toto-run -n {scan} -k {key_file} -p {report.json} -- {/bin/sh -c "trivy -o report.json -f json "}
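The link file that in-toto-run writes records a SHA-256 for every material and product, which is what lets a later check detect that an artifact changed after the step ran. The following is an added example, not part of this page or of the in-toto project's code: it re-hashes files and compares them with a link's recorded products. It assumes the link JSON keeps artifacts under signed.products as path -> {"sha256": hex}; the function names and the sample link are constructed for illustration, and the signature fields are placeholders that are not verified here.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_artifacts(link: dict, root: Path, field: str = "products") -> dict:
    """Map each path recorded under signed.<field> to ok/mismatch/missing."""
    results = {}
    for rel_path, hashes in link["signed"].get(field, {}).items():
        target = root / rel_path
        recorded = hashes.get("sha256")
        if recorded is None:
            results[rel_path] = "no-sha256"
        elif not target.is_file():
            results[rel_path] = "missing"
        elif sha256_file(target) == recorded:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def demo() -> tuple:
    """Constructed 'scan' step: check products, edit the report, check again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        report = root / "report.json"
        report.write_text('{"Results": []}')  # constructed sample product
        link = {  # constructed sample link; signature fields are placeholders
            "signed": {
                "_type": "link", "name": "scan", "materials": {},
                "products": {"report.json": {"sha256": sha256_file(report)},
                             "gone.txt": {"sha256": "0" * 64}},
            },
            "signatures": [{"keyid": "PLACEHOLDER", "sig": "PLACEHOLDER"}],
        }
        before = check_artifacts(link, root)
        report.write_text('{"Results": ["edited after the step"]}')
        after = check_artifacts(link, root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Signature and layout checks are the job of in-toto-verify; this block only shows the hash comparison that makes a modified or missing product visible.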
Copyright © 2014—present the tldr-pages team and contributors.
This work is licensed under the Creative Commons Attribution 4.0 International License (CC-BY).