cmd verify sbom - nself-org/cli GitHub Wiki
# nself verify-sbom

Download the CycloneDX SBOM published with a CLI release together with its cosign bundle, and verify the bundle's keyless signature.
## Usage

```
nself verify-sbom --version <v>
```
## Flags

| Flag | Default | Description |
|---|---|---|
| `--version` | required | Release version to verify (e.g. `v1.1.1`) |
| `--repo` | `nself-org/cli` | GitHub repo (`owner/name`) |
## What It Does

- Downloads `sbom-cli-{version}.cdx.json` from the GitHub Release.
- Downloads `sbom-cli-{version}.cdx.json.bundle` (the cosign bundle: signature, Fulcio certificate and Rekor entry).
- Runs `cosign verify-blob` against the bundle, checking the Fulcio certificate that GitHub Actions obtained via OIDC (keyless signing).
- Prints `VERIFIED` on success or exits 1 on failure.

A passing check shows that this SBOM file was signed by the release workflow's identity and has not been altered since; it does not by itself prove that the SBOM describes the binary you are running, so still compare the component versions it lists against the release you installed.
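The manual equivalent of the four steps above, as an added example (not the nself-org/cli code). It assumes the release assets live at the standard `https://github.com/<owner>/<name>/releases/download/<tag>/` URL, that `{version}` is the literal `--version` string (so `v1.1.1` gives `sbom-cli-v1.1.1.cdx.json`), and that the signing identity is a workflow in the repository; the identity regexp is an assumption and should be tightened to the exact workflow path once known. The one thing the wrapper's description leaves implicit is made explicit here: cosign 2.x requires the OIDC issuer and certificate identity to be pinned, otherwise a bundle signed by any Fulcio identity would verify.

```shell
#!/bin/sh
# Added example: manual equivalent of `nself verify-sbom`, not the project's code.
# Assumptions (see lead-in): standard release-asset URL layout, asset name uses the
# literal --version string, signer is a GitHub Actions workflow in the given repo.
set -eu

# Well-known OIDC issuer for GitHub Actions keyless signing.
GH_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# sbom_name VERSION -> asset file name, e.g. sbom-cli-v1.1.1.cdx.json
sbom_name() {
  printf 'sbom-cli-%s.cdx.json\n' "$1"
}

# asset_url OWNER/NAME VERSION FILE -> release-asset download URL (assumed layout)
asset_url() {
  printf 'https://github.com/%s/releases/download/%s/%s\n' "$1" "$2" "$3"
}

# identity_regexp OWNER/NAME -> regexp for the certificate SAN: any workflow in the
# repo, run from a tag ref. Assumed shape; pin the exact workflow file if you know it.
identity_regexp() {
  printf '^https://github\\.com/%s/\\.github/workflows/.+@refs/tags/.+$\n' "$1"
}

# verify_sbom OWNER/NAME VERSION: download SBOM + bundle, verify keyless signature.
# Prints VERIFIED on success, exits 1 on any failure (download or verification).
verify_sbom() {
  repo="$1"; version="$2"
  sbom="$(sbom_name "$version")"
  bundle="$sbom.bundle"
  workdir="$(mktemp -d)"
  trap 'rm -rf "$workdir"' EXIT

  echo "Downloading SBOM for $version..."
  curl -fsSL -o "$workdir/$sbom"   "$(asset_url "$repo" "$version" "$sbom")"
  curl -fsSL -o "$workdir/$bundle" "$(asset_url "$repo" "$version" "$bundle")"

  echo "Verifying cosign bundle signature..."
  # Issuer and identity pinned: without them, any valid Fulcio signature passes.
  if cosign verify-blob \
       --bundle "$workdir/$bundle" \
       --certificate-oidc-issuer "$GH_OIDC_ISSUER" \
       --certificate-identity-regexp "$(identity_regexp "$repo")" \
       "$workdir/$sbom" >/dev/null 2>&1; then
    echo "SBOM for $version: VERIFIED"
  else
    echo "SBOM for $version: VERIFICATION FAILED" >&2
    exit 1
  fi
}

# Usage: ./verify-sbom.sh v1.1.1 [owner/name]
if [ "$#" -ge 1 ]; then
  verify_sbom "${2:-nself-org/cli}" "$1"
fi
```

Run it as `./verify-sbom.sh v1.1.1`; a wrong or missing bundle, a tampered SBOM, or a certificate issued to some other repository all end in exit status 1, which is what a CI gate should key on rather than on the printed text.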
## Requirements

- `cosign` must be in `PATH` (`brew install cosign`).
- The version must correspond to a published GitHub Release.
## Example

```
nself verify-sbom --version v1.1.1
# Downloading SBOM for v1.1.1...
# Verifying cosign bundle signature...
# SBOM for v1.1.1: VERIFIED
```
## Related
- cmd-secrets, secret management and rotation
- security/Supply-Chain, supply-chain security baseline
- Home