### In-toto Setup Help Option

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/setup.md

Displays help information for the in-toto setup command.

```shell
-h, --help   help for setup
```

--------------------------------

### In-toto Setup Command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/setup.md

Use this command to initiate the in-toto setup process. Various flags can be used to customize the setup, such as specifying API URLs, asset names, SLSA provenance generation, ignore patterns, log levels, materials, products, step names, and supply chain IDs.

```shell
devguard-scanner intoto setup [flags]
```

--------------------------------

### Get Command Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/get.md

Lists the available options for the 'get' command, including help and token specification.

```shell
-h, --help           help for get
-t, --token string   DevGuard Personal Access Token (or set DEVGUARD_TOKEN env var). Used to sign the outgoing request. If empty, command will print help.
```

--------------------------------

### Help Flag for Start Command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/start.md

This flag provides help information specific to the `start` command.

```shell
-h, --help   help for start
```

--------------------------------

### Example Logins to Container Registries

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/login.md

Examples demonstrate logging into different container registries (GitHub Container Registry, Docker Hub, and a private registry) using the login command with username and password flags.

```shell
devguard-scanner login -u myuser -p mypass ghcr.io
```

```shell
devguard-scanner login -u myuser -p mypass docker.io
```

```shell
devguard-scanner login -u admin -p secret registry.example.com
```

--------------------------------

### DevGuard Scanner Get Command Synopsis

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/get.md

The synopsis shows the basic structure for using the 'get' command. It requires a URL and accepts optional flags.

```shell
devguard-scanner get [flags]
```

--------------------------------

### Start In-Toto Recording Command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/start.md

Use this command to begin in-toto recording. It accepts various flags to configure the recording process.

```shell
devguard-scanner intoto start [flags]
```

--------------------------------

### Simple GET Request with Token

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/get.md

Perform a simple GET request to a URL using a provided DevGuard Personal Access Token for authentication.

```shell
devguard-scanner get https://example.com/api/health -t
```

--------------------------------

### Generate Tag with Image Variant

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/generate-tag.md

This example shows how to generate an image tag when a specific image variant, such as 'alpine', is required. It also includes the upstream version, architecture, and image path.

```shell
devguard-scanner generate-tag --upstreamVersion 2.0.0 --architecture arm64 --imageVariant alpine --imagePath registry.io/app
```

--------------------------------

### Attest Container Image with SLSA Provenance

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attest.md

Example of attesting a container image with SLSA provenance. This requires a provenance predicate file and the correct SLSA provenance predicate type.

```shell
devguard-scanner attest provenance.json ghcr.io/org/image:tag --predicateType https://slsa.dev/provenance/v1
```

--------------------------------

### Attest Container Image with VEX Predicate

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attest.md

Example of attesting a container image using a VEX predicate file. Ensure the predicate file and image reference are correct, and that the predicate type is specified.

```shell
devguard-scanner attest vex.json ghcr.io/org/image:tag --predicateType https://cyclonedx.org/vex/1.0
```

--------------------------------

### Scan Terraform Directory

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/iac.md

Example of scanning a local Terraform directory using the `iac` command.

```shell
devguard-scanner iac ./terraform
```

--------------------------------

### Simple GET Request with DevGuard Scanner curl

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/curl.md

Use this command to perform a simple GET request to a specified URL, with DevGuard automatically signing the request.

```shell
devguard-scanner curl https://api.example.com/users
```

--------------------------------

### Example Signed-off-by Tag

Source: https://github.com/l3montree-dev/devguard/blob/main/CONTRIBUTING.md

Include this tag at the end of your commit message, separated by a blank line, to comply with the DCO.

```text
Signed-off-by: YOUR NAME
```

--------------------------------

### GET Request Using Environment Variable Token

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/get.md

Authenticate a GET request by utilizing the DEVGUARD_TOKEN environment variable, which holds your DevGuard Personal Access Token.

```shell
export DEVGUARD_TOKEN=
devguard-scanner get https://example.com/api/data
```

--------------------------------

### Upload Attestation Without Attaching to Image

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attest.md

Example of uploading an attestation using a predicate file without associating it with a specific container image. The predicate type is mandatory.

```shell
devguard-scanner attest predicate.json --predicateType https://example.com/custom/v1
```

--------------------------------

### POST Request with JSON Data using DevGuard Scanner curl

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/curl.md

This example demonstrates how to make a POST request with JSON data. Ensure the Content-Type header is set to application/json.

```shell
devguard-scanner curl -X POST -d '{"name":"test"}' -H "Content-Type: application/json" https://api.example.com/users
```

--------------------------------

### intoto run command options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/run.md

Configure the API URL, specify the step to run, and provide the supply chain output digest if necessary.

```shell
--apiUrl string                    The URL of the devguard API
--step string                      The step to run
--supplyChainOutputDigest string   If defined, sends this digest to devguard. This should be the digest of the whole supply chain.
```

--------------------------------

### DevGuard Scanner intoto Help Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/help.md

This snippet lists the available options for the 'help' command itself, including the standard help flag.

```shell
-h, --help   help for help
```

--------------------------------

### Create SQL Migration File

Source: https://github.com/l3montree-dev/devguard/blob/main/database/migrations/tooling-read-me.txt

Use this command to automatically generate `_up.sql` and `_down.sql` files with the current Unix timestamp. Specify the extension, directory, and a name for the migration.

```bash
go tool migrate create -ext sql -dir ./database/migrations test_migration
```

--------------------------------

### Version Command Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/version.md

The `version` command supports a help flag to display its specific options. Use this to understand the available flags for the version command.

```shell
-h, --help   help for version
```

--------------------------------

### intoto run inherited parent command options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/run.md

These options are inherited from parent commands and can be used to set the asset name, generate SLSA provenance, specify ignore patterns, set the log level, define materials and products, set the supply chain ID, and provide an authentication token.

```shell
    --assetName string         The asset name to use
    --generateSlsaProvenance   Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
    --ignore stringArray       The ignore patterns for the in-toto link (default [.git/**/*])
-l, --logLevel string          Set the log level. Options: debug, info, warn, error (default "info")
    --materials stringArray    The materials to include in the in-toto link. Default is the current directory (default [.])
    --products stringArray     The products to include in the in-toto link. Default is the current directory (default [.])
    --supplyChainId string     The supply chain id to use. If empty, tries to extract the current commit hash.
    --token string             The token to use for in-toto
```

--------------------------------

### Run Software Composition Analysis on a Local Project

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/devguard-scanner.md

Execute Software Composition Analysis on a local project directory using the 'sca' command. Provide the path to the project directory.

```shell
devguard-scanner sca ./path/to/project
```

--------------------------------

### Show Version Information

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/version.md

Execute this command to display the current version of the devguard-scanner. No additional arguments are required.

```shell
devguard-scanner version [flags]
```

--------------------------------

### Discover Base Image Attestations Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/discover-baseimage-attestations.md

Specify the output directory for attestation files using the --output flag. Filter attestations by predicate type with --predicateType.

```shell
-h, --help                   help for discover-baseimage-attestations
    --output string          Output directory to save the discovered attestations. (default ".")
    --predicateType string   Predicate type to filter attestations (e.g. 'https://cyclonedx.org/vex'). If empty, all predicate types are retrieved.
```

--------------------------------

### intoto verify options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/verify.md

These options are specific to the 'intoto verify' command. They allow you to specify the layout key, supply chain ID, and token.

```shell
-h, --help                   help for verify
    --layoutKey string       Path to the layout key
    --supplyChainId string   Supply chain ID
    --token string           Token
```

--------------------------------

### Inspect PURL for CVEs

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/inspect.md

Inspects a Package URL (PURL) against the vulnerability database to find matching CVEs and vulnerabilities. Use this to get detailed information about a specific package's security status.

```shell
devguard-cli vulndb inspect "pkg:npm/lodash@4.17.20"
```

```shell
devguard-cli vulndb inspect "pkg:deb/debian/libc6@2.31-1"
```

```shell
devguard-cli vulndb inspect "pkg:pypi/requests@2.25.0"
```

--------------------------------

### DevGuard Scanner intoto Help Command Synopsis

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/help.md

This is the basic syntax for accessing help for any intoto command within the DevGuard Scanner. Replace '[command]' with the specific command you need help with.

```shell
devguard-scanner intoto help [command] [flags]
```

--------------------------------

### Inherited options for intoto verify

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/verify.md

These options are inherited from parent commands and can be used with 'intoto verify' to configure the API URL, asset name, provenance generation, ignore patterns, log level, materials, products, and step name.

```shell
    --apiUrl string            The devguard api url
    --assetName string         The asset name to use
    --generateSlsaProvenance   Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
    --ignore stringArray       The ignore patterns for the in-toto link (default [.git/**/*])
-l, --logLevel string          Set the log level. Options: debug, info, warn, error (default "info")
    --materials stringArray    The materials to include in the in-toto link. Default is the current directory (default [.])
    --products stringArray     The products to include in the in-toto link. Default is the current directory (default [.])
    --step string              The name of the in-toto link
```

--------------------------------

### Merge SBOMs using a configuration file

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/merge-sboms.md

Use this command to merge SBOMs. Provide the path to a JSON configuration file that lists the SBOMs to merge and the target PURL. The output is written to stdout.

```shell
devguard-scanner merge-sboms config.json
```

--------------------------------

### Sign a Local File with DevGuard Scanner

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sign.md

Use this command to sign a local binary artifact. Ensure the file path is correct.

```shell
devguard-scanner sign ./artifact.bin
```

--------------------------------

### Run intoto command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/run.md

This is the base command for running an in-toto operation. Use this to initiate the process.

```shell
devguard-scanner intoto run [flags]
```

--------------------------------

### Fetch Links Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/fetch-links.md

Configure the 'fetch-links' command with specific options. Set the API URL, asset name, and supply chain ID for targeted link retrieval.

```shell
    --apiUrl string          The devguard api url (default "api.devguard.org")
    --assetName string       The asset name to use
-h, --help                   help for fetch-links
    --supplyChainId string   The supply chain id to fetch the links for
    --token string           The token to use to authenticate with the devguard api
```

--------------------------------

### Intoto Fetch Links Command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/fetch-links.md

Use this command to fetch links for a specified supply chain. Flags can be used to configure the API URL, asset name, and supply chain ID.

```shell
devguard-scanner intoto fetch-links [flags]
```

--------------------------------

### Scan with Custom Path Flag

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/iac.md

Demonstrates scanning a specific directory using the `--path` flag.

```shell
devguard-scanner iac --path ./terraform
```

--------------------------------

### Create and Upload an Attestation

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/devguard-scanner.md

Generate and upload an attestation to the DevGuard backend. This command requires a predicate JSON file, the target image, and optionally a predicate type.

```shell
devguard-scanner attest predicate.json ghcr.io/org/image:tag --predicateType https://cyclonedx.org/vex/1.0
```

--------------------------------

### Inherited Options for Fetch Links

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/fetch-links.md

These options are inherited from parent commands and can be used to control SLSA provenance generation, ignore patterns, log level, and materials/products inclusion.

```shell
    --generateSlsaProvenance   Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
    --ignore stringArray       The ignore patterns for the in-toto link (default [.git/**/*])
-l, --logLevel string          Set the log level. Options: debug, info, warn, error (default "info")
    --materials stringArray    The materials to include in the in-toto link. Default is the current directory (default [.])
    --products stringArray     The products to include in the in-toto link. Default is the current directory (default [.])
    --step string              The name of the in-toto link
```

--------------------------------

### Run Software Composition Analysis on a Container Image

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/devguard-scanner.md

Use the 'sca' command to perform Software Composition Analysis on a specified container image. Ensure the image tag is correctly formatted.

```shell
devguard-scanner sca ghcr.io/org/image:tag
```

--------------------------------

### Discover Attestations for an Image

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attestations.md

Use this command to retrieve all available security attestations for a specified container image. Ensure the image is correctly referenced by its OCI reference or tag.

```shell
devguard-scanner attestations ghcr.io/org/image:tag
```

--------------------------------

### Discover Base Image Attestations Command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/discover-baseimage-attestations.md

Use this command to scan a directory for container files, extract base image information, and discover associated attestation documents. Attestations are saved to the specified output path.

```shell
devguard-scanner discover-baseimage-attestations [flags]
```

--------------------------------

### intoto verify command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/verify.md

Use this command to initiate the supply chain verification process. Various flags can be used to customize the verification.

```shell
devguard-scanner intoto verify [flags]
```

--------------------------------

### Intoto Verify Command

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/verify.md

Verifies a supply chain using the devguard-scanner tool. This command requires a layout key and optionally accepts a supply chain ID and token for authentication.

````APIDOC
## intoto verify

Verify a supply chain

```shell
devguard-scanner intoto verify [flags]
```

### Options

```shell
--layoutKey string       Path to the layout key
--supplyChainId string   Supply chain ID
--token string           Token
```

### Options inherited from parent commands

```shell
    --apiUrl string            The devguard api url
    --assetName string         The asset name to use
    --generateSlsaProvenance   Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
    --ignore stringArray       The ignore patterns for the in-toto link (default [.git/**/*])
-l, --logLevel string          Set the log level. Options: debug, info, warn, error (default "info")
    --materials stringArray    The materials to include in the in-toto link. Default is the current directory (default [.])
    --products stringArray     The products to include in the in-toto link. Default is the current directory (default [.])
    --step string              The name of the in-toto link
```
````

--------------------------------

### Scan Container Image from Registry

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/container-scanning.md

Use this command to scan a container image directly from a registry. Ensure the image reference is correctly formatted.

```shell
devguard-scanner container-scanning --image ghcr.io/org/image:tag
```

--------------------------------

### Run SCA Scan and Fail on High Risk

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sca.md

Scan a local project and configure the scanner to fail if high-risk vulnerabilities are detected.

```shell
devguard-scanner sca ./project --failOnRisk high
```

--------------------------------

### Configure Git Commit Template

Source: https://github.com/l3montree-dev/devguard/blob/main/CONTRIBUTING.md

Set up a default commit template to automatically include the 'Signed-off-by' tag in all your commit messages.

```sh
git config commit.template ~/.git-template
```

--------------------------------

### Attest Command Usage

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attest.md

Basic usage of the attest command, specifying the predicate file, optional container image, and required predicate type.

```shell
devguard-scanner attest [container-image] [flags]
```

--------------------------------

### Run SCA Scan with Custom Asset Name and Token

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sca.md

Scan a container image, specifying a custom asset name and authentication token.

```shell
devguard-scanner sca --image ghcr.io/org/image:tag --assetName my-app --token YOUR_TOKEN
```

--------------------------------

### DevGuard Scanner Sign Command Synopsis

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sign.md

This is the basic command structure for signing files or OCI images using the DevGuard scanner.

```shell
devguard-scanner sign [flags]
```

--------------------------------

### Convert Kyverno Output to SARIF

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/kyverno2sarif.md

Use this command to convert Kyverno test results from a JSON file into SARIF format. Specify the input file using the -i flag.

```shell
devguard-scanner kyverno2sarif -i kyverno-results.json
```

--------------------------------

### Run SAST Scan on Local Repository

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sast.md

Execute a SAST scan on the local filesystem. The path can be provided as a positional argument or using the --path flag.

```shell
devguard-scanner sast ./my-repo
```

```shell
devguard-scanner sast --path ./my-repo
```

--------------------------------

### Stop Command Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/stop.md

These options are specific to the 'stop' command, allowing you to specify the output file or access help.

```shell
-h, --help            help for stop
    --output string   The output file name. Default is the .link.json name
```

--------------------------------

### Approve a Library and its License

Source: https://github.com/l3montree-dev/devguard/blob/main/CONTRIBUTING.md

Use this command to approve a library and its license, which modifies the decisions file. You can also edit the file directly.

```sh
license_finder approval add --who=WHO --why=WHY DEPENDENCY --decisions_file ./docs/dependency_decisions.yml
```

--------------------------------

### Upload a SARIF Report

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/devguard-scanner.md

Upload a generated SARIF report to the DevGuard backend using the 'sarif' command. Provide the path to the SARIF results file.

```shell
devguard-scanner sarif results.sarif.json
```

--------------------------------

### Scan SBOM with Custom Asset Name and Token

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sbom.md

Scan a CycloneDX SBOM and specify a custom asset name and authentication token for the DevGuard API.

```shell
devguard-scanner sbom my-bom.json --assetName my-app --token YOUR_TOKEN
```

--------------------------------

### Convert SARIF to Markdown Summary

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sarif2markdown.md

Use this command to generate a concise markdown summary from a SARIF JSON file. Specify the input SARIF file using the -i flag.

```shell
devguard-scanner sarif2markdown -i results.sarif.json
```

--------------------------------

### Devguard Scanner Inspect Command Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/inspect.md

Available options for the devguard-scanner inspect command, including API URL, help, output path, and timeout settings.

```shell
--apiUrl string       The url of the API to send the request to (default "https://api.devguard.org")
--help                help for inspect
--outputPath string   Path to save the inspection result as JSON file (optional)
--timeout int         Set the timeout for scanner operations in seconds (default 300)
```

--------------------------------

### Generate Tag with Upstream Version and Architecture

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/generate-tag.md

Use this command to generate an image tag when you need to specify the upstream version and target architecture. Ensure the imagePath is correctly provided.

```shell
devguard-scanner generate-tag --upstreamVersion 1.2.3 --architecture amd64 --imagePath registry.io/my-image
```

--------------------------------

### Generate Detailed Markdown Report

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sarif2markdown.md

To create a comprehensive markdown report with detailed results per resource, use the --detailed flag along with the input SARIF file.

```shell
devguard-scanner sarif2markdown -i results.sarif.json --detailed
```

--------------------------------

### DevGuard Scanner intoto Inherited Parent Command Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/help.md

These are options inherited from parent commands that can be used with the intoto help command. They control the API URL, asset naming, SLSA provenance generation, ignore patterns, log level, materials, products, step name, supply chain ID, and authentication token.

```shell
--apiUrl string   The devguard api url
```

```shell
--assetName string   The asset name to use
```

```shell
--generateSlsaProvenance   Generate SLSA provenance for the in-toto link. The provenance will be stored in .provenance.json. It will be signed using the intoto token.
```

```shell
--ignore stringArray   The ignore patterns for the in-toto link (default [.git/**/*])
```

```shell
-l, --logLevel string   Set the log level. Options: debug, info, warn, error (default "info")
```

```shell
--materials stringArray   The materials to include in the in-toto link. Default is the current directory (default [.])
```

```shell
--products stringArray   The products to include in the in-toto link. Default is the current directory (default [.])
```

```shell
--step string   The name of the in-toto link
```

```shell
--supplyChainId string   The supply chain id to use. If empty, tries to extract the current commit hash.
```

```shell
--token string   The token to use for in-toto
```

--------------------------------

### Evaluate Attestations Against a Rego Policy

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attestations.md

Evaluate the discovered attestations against a Rego policy file. This helps in enforcing security standards and compliance checks. Specify the path to your Rego policy file using the `--policy` flag.

```shell
devguard-scanner attestations ghcr.io/org/image:tag --policy path/to/file.rego
```

--------------------------------

### Upload VEX Document

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/vex.md

Use this command to upload a VEX document to DevGuard. The VEX file must be specified as an argument.

```shell
devguard-scanner vex [flags]
```

--------------------------------

### DevGuard Scanner CLI Options

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/devguard-scanner.md

Common command-line options for the DevGuard Scanner CLI, including help, log level, and toggles.

```shell
-h, --help   help for devguard-scanner
```

```shell
-l, --logLevel string   Set the log level. Options: debug, info, warn, error (default "info")
```

```shell
-t, --toggle   Help message for toggle
```

--------------------------------

### Scan Container Image from Tar File

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/container-scanning.md

Use this command to scan a container image that has been exported as a tar file. Provide the path to the tar file.

```shell
devguard-scanner container-scanning --path image.tar
```

--------------------------------

### Inspect DevGuard Token

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/inspect-devguard-token.md

Use this command to decode a DevGuard hex token and print the corresponding private and public keys. The private key is printed to stdout, so handle the output carefully.

```shell
devguard-scanner inspect-devguard-token [flags]
```

```shell
devguard-scanner inspect-devguard-token 4a6f...
```

```shell
devguard-scanner inspect-devguard-token 4a6f... > keys.txt
```

--------------------------------

### Upload SARIF Report and Save Processed Output

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sarif.md

Upload a SARIF report and specify an output path to save the processed report locally. If `outputPath` is not provided, the report is only uploaded to DevGuard.

```shell
devguard-scanner sarif results.sarif.json --outputPath uploaded-results.sarif.json
```

--------------------------------

### Save SARIF Output to File

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/kyverno2sarif.md

This command converts Kyverno test results to SARIF format and saves the output to a specified file using the -o flag. If no output file is specified, the SARIF output will be printed to standard output.

```shell
devguard-scanner kyverno2sarif -i kyverno-results.json -o sarif.json
```

--------------------------------

### Sign a Container Image with DevGuard Scanner

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sign.md

This command signs a specified container image, identified by its registry, organization, image name, and tag.

```shell
devguard-scanner sign ghcr.io/org/image:tag
```

--------------------------------

### Inherited Options for Discover Base Image Attestations

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/discover-baseimage-attestations.md

Control the logging verbosity for the scanner command using the inherited --logLevel flag.

```shell
-l, --logLevel string   Set the log level. Options: debug, info, warn, error (default "info")
```

--------------------------------

### Generate Slug from Text

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/slug.md

Use this command to create a URL-friendly slug from a given text string. The output is suitable for use as an artifact name or identifier.

```shell
devguard-scanner slug "My Project Name"
```

--------------------------------

### Login to Remote Registry

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/login.md

Log in to a remote registry using a username and password. Provide the registry URL as a positional argument. Both --username and --password are required by this command.

```shell
devguard-scanner login [flags]
```

--------------------------------

### DevGuard Scanner Clean Command Usage

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/clean.md

This is the base command for cleaning attestations or signatures. Specify the image or signature file as the primary argument.

```shell
devguard-scanner clean [flags]
```

--------------------------------

### Run IaC Scan

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/iac.md

Executes an Infrastructure-as-Code scan against a specified repository or path. This command is used to identify security vulnerabilities and misconfigurations in IaC files such as Terraform, CloudFormation, and Kubernetes manifests.

```shell
devguard-scanner iac [path] [flags]
```

--------------------------------

### Save SARIF Output Locally

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/secret-scanning.md

Scan a repository for secrets and save the generated SARIF report to a local file. If --outputPath is not specified, the report is only uploaded to DevGuard.

```shell
devguard-scanner secret-scanning ./my-repo --outputPath secrets.sarif.json
```

--------------------------------

### Save Policy Evaluation Results as SARIF

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/attestations.md

After evaluating attestations against a Rego policy, you can save the detailed evaluation results in SARIF format. Use the `--outputPath` flag to specify the file path for the SARIF report.

```shell
devguard-scanner attestations ghcr.io/org/image:tag --policy path/to/file.rego --outputPath report.sarif.json
```

--------------------------------

### Redirect merged SBOM output to a file

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/merge-sboms.md

This command merges SBOMs and redirects the resulting merged SBOM JSON to a specified file. Ensure the configuration file is correctly formatted.

```shell
devguard-scanner merge-sboms config.json > merged-sbom.json
```

--------------------------------

### Scan CycloneDX SBOM

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sbom.md

Scan a CycloneDX SBOM from a file. Ensure the file is in the correct format.

```shell
devguard-scanner sbom my-bom.json
```

--------------------------------

### Upload VEX Document with Custom Asset Name

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/vex.md

Upload a VEX document and specify a custom asset name for identification. You can also provide your authentication token directly.

```shell
devguard-scanner vex vex.json --assetName my-app --token YOUR_TOKEN
```

--------------------------------

### Scan Container Image with SAST

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sast.md

Perform a SAST scan on a specified container image. Ensure the image is accessible.

```shell
devguard-scanner sast ghcr.io/org/image:tag
```

--------------------------------

### Scan CycloneDX SBOM from Stdin

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sbom.md

Scan a CycloneDX SBOM by piping its content from another command, such as `merge-sboms`. Use '-' to indicate reading from standard input.

```shell
devguard-scanner merge-sboms config.json | devguard-scanner sbom -
```

--------------------------------

### Scan Container Image and Ignore Upstream Attestations

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/container-scanning.md

Scan a container image while ignoring any existing upstream attestations. This is useful when you want to rely solely on DevGuard's analysis.

```shell
devguard-scanner container-scanning --image ghcr.io/org/image:tag --ignoreUpstreamAttestations
```

--------------------------------

### Sign a File Offline with DevGuard Scanner

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/sign.md

Use the `--offline` flag to sign a local file without uploading the public key to DevGuard. This is useful for air-gapped environments or when key management is handled separately.

```shell
devguard-scanner sign ./artifact.bin --offline
```

--------------------------------

### Devguard Scanner Inspect Command Syntax

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/inspect.md

Basic syntax for the devguard-scanner inspect command. Specify the PURL to inspect and any desired flags.

```shell
devguard-scanner inspect [flags]
```

--------------------------------

### Sign Commits with Git

Source: https://github.com/l3montree-dev/devguard/blob/main/CONTRIBUTING.md

Use the '-s' (long form '--signoff') flag with 'git commit' to automatically add the 'Signed-off-by' tag, confirming agreement with the DCO.

```sh
git commit --signoff
```

--------------------------------

### Scan and Save Results Locally

Source: https://github.com/l3montree-dev/devguard/blob/main/docs/scanner/iac.md

Scans IaC files and saves the generated SARIF report to a local file using the `--outputPath` flag, in addition to uploading it to DevGuard.

```shell
devguard-scanner iac ./terraform --outputPath iac-results.sarif.json
```