ec validate vsa
Validate VSA (Verification Summary Attestation)
Synopsis
Validate VSA by comparing the embedded policy against a supplied policy configuration.
By default, VSA signature verification is enabled and requires a public key. Use --ignore-signature-verification to disable signature verification.
Supports validation of:
- Single VSA by identifier (image digest, file path)
- Multiple VSAs from an application snapshot

VSA retrieval supports:
- Rekor transparency log
- Local filesystem storage
- Multiple backends with fallback
ec validate vsa <vsa-identifier> [flags]
Options
- --color: Enable color when using text output even when the current terminal does not support it (Default: false)
- --effective-time: Effective time for comparison (Default: now)
- -h, --help: help for vsa (Default: false)
- --ignore-signature-verification: Ignore VSA signature verification (signature verification is enabled by default) (Default: false)
- --images: Application snapshot file
- --no-color: Disable color when using text output even when the current terminal supports it (Default: false)
- --output: Output formats (Default: [])
- -o, --output-file: Output file
- -p, --policy: Policy configuration
- --public-key: Path to public key for signature verification (required by default)
- --strict: Exit with non-zero code if validation fails (Default: true)
- -v, --vsa: VSA identifier (image digest, file path)
- --vsa-expiration: VSA expiration threshold (e.g., 24h, 7d, 1w, 1m) (Default: 168h)
- --vsa-retrieval: VSA retrieval backends (rekor@, file@) (Default: [])
- --workers: Number of worker threads for parallel processing (Default: 5)
Options inherited from parent commands
- --debug: same as verbose but also show function names and line numbers (Default: false)
- --kubeconfig: path to the Kubernetes config file to use
- --logfile: file to write the logging output to. If not specified, logging output is written to stderr
- --quiet: less verbose output (Default: false)
- --retry-duration: base duration for exponential backoff calculation (Default: 1s)
- --retry-factor: exponential backoff multiplier (Default: 2)
- --retry-jitter: randomness factor for backoff calculation (0.0-1.0) (Default: 0.1)
- --retry-max-retry: maximum number of retry attempts (Default: 3)
- --retry-max-wait: maximum wait time between retries (Default: 3s)
- --show-successes: (Default: false)
- --show-warnings: (Default: true)
- --timeout: max overall execution duration (Default: 5m0s)
- --trace: enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)
- --verbose: more verbose output (Default: false)