glab attestation verify

Verify the provenance of a specific artifact or file. (EXPERIMENTAL)

Synopsis

Verify the provenance of an artifact built by a GitLab CI/CD pipeline. This command checks the artifact’s signed attestation against the expected GitLab project and pipeline.

This command requires the cosign binary. To install it, see Cosign installation.

This command works only on GitLab.com.

For more information about attestations, see:

This feature is an experiment and is not ready for production use. It might be unstable or removed at any time. For more information, see https://docs.gitlab.com/policy/development_stages_support/.

glab attestation verify <project-id> <artifact-path> [flags]

Examples

# Verify attestation for filename.txt in the gitlab-org/gitlab project
glab attestation verify gitlab-org/gitlab filename.txt

# Verify attestation for filename.txt in the project with ID 123
glab attestation verify 123 filename.txt
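
The following is an added example, not part of glab or its documentation: a fail-closed wrapper that runs the verification before an artifact is unpacked, installed, or deployed. It assumes glab exits with a non-zero status when verification does not succeed; verify_artifact is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: fail-closed provenance gate around `glab attestation verify`.
# Assumption: glab exits non-zero when verification does not succeed.
# verify_artifact is a hypothetical helper name, not a glab subcommand.

verify_artifact() {
    # $1 = project path or numeric ID, $2 = path to the downloaded artifact
    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
        echo "usage: verify_artifact <project-id> <artifact-path>" >&2
        return 2
    fi
    # Verify the exact file that will be consumed; a missing file is an error,
    # never a skipped check.
    if [ ! -f "$2" ]; then
        echo "artifact not found: $2" >&2
        return 2
    fi
    # The command requires the cosign binary; report a missing tool separately
    # so it is not mistaken for a failed verification.
    for tool in glab cosign; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing required tool: $tool" >&2
            return 3
        fi
    done
    if glab attestation verify "$1" "$2"; then
        echo "provenance verified: $2 (project $1)"
        return 0
    fi
    echo "provenance verification FAILED: $2 (project $1)" >&2
    return 1
}

# When run as a script with arguments, exit with the gate's status so that a
# following `&&` step (unpack, install, deploy) runs only after success.
if [ "$#" -gt 0 ]; then
    verify_artifact "$@" || exit $?
fi
```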

Options inherited from parent commands

  -h, --help   Show help for this command.