The kosli attest generic CLI command can attest anything, but unlike a “typed” attestation (such as kosli attest snyk), it does not calculate a true/false compliance value for you. Customers have reported that while a generic “escape hatch” is useful, it nevertheless has some drawbacks: Based on this feedback we’ve implemented a new attest command called kosli attest custom.

We are thrilled to announce that Kosli has joined the Fintech Open Source Foundation (FINOS), a Linux Foundation organization dedicated to fostering collaboration and innovation in financial services technology. Our goal is to engage the community establishing common standards and automation practices for DevOps controls and change management automation.

All but one of the kosli attest commands calculate the true/false compliance value for you based on their type. For example, kosli attest snyk can read the sarif output file produced by a snyk scan. The one that doesn’t is kosli attest generic which is “type-less”. It can attest anything, but Kosli cannot calculate a true/false compliance value for you. Often the tool you are using can generate the true/false value, which is then easy to capture.

The Kosli CLI provides several attest commands, such as kosli attest snyk, kosli attest jira, etc. These attestations are “typed” - each one knows how to interpret its own particular kind of input. For example, kosli attest snyk interprets the sarif file produced by a snyk container scan to determine the true/false value for that individual attestation.