ec validate vsa

Validate VSA (Verification Summary Attestation)

Synopsis

Validate VSA by comparing the embedded policy against a supplied policy configuration.

By default, VSA signature verification is enabled and requires a public key. Use --ignore-signature-verification to disable signature verification.

Supports validation of:
- Single VSA by identifier (image digest, file path)
- Multiple VSAs from application snapshot

VSA retrieval supports:
- Rekor transparency log
- Local filesystem storage
- Multiple backends with fallback

ec validate vsa <vsa-identifier> [flags]

Options

--color

Enable color when using text output even when the current terminal does not support it (Default: false)

--effective-time

Effective time for comparison (Default: now)

-h, --help

help for vsa (Default: false)

--ignore-signature-verification

Ignore VSA signature verification (signature verification is enabled by default) (Default: false)

--images

Application snapshot file

--no-color

Disable color when using text output even when the current terminal supports it (Default: false)

--output

Output formats (Default: [])

-o, --output-file

Output file

-p, --policy

Policy configuration

--public-key

Path to public key for signature verification (required by default)

--strict

Exit with non-zero code if validation fails (Default: true)

-v, --vsa

VSA identifier (image digest, file path)

--vsa-expiration

VSA expiration threshold (e.g., 24h, 7d, 1w, 1m) (Default: 168h)

--vsa-retrieval

VSA retrieval backends (rekor@, file@) (Default: [])

--workers

Number of worker threads for parallel processing (Default: 5)

Options inherited from parent commands

--debug

same as verbose but also show function names and line numbers (Default: false)

--kubeconfig

path to the Kubernetes config file to use

--logfile

file to write the logging output to. If not specified, logging output will be written to stderr

--quiet

less verbose output (Default: false)

--retry-duration

base duration for exponential backoff calculation (Default: 1s)

--retry-factor

exponential backoff multiplier (Default: 2)

--retry-jitter

randomness factor for backoff calculation (0.0-1.0) (Default: 0.1)

--retry-max-retry

maximum number of retry attempts (Default: 3)

--retry-max-wait

maximum wait time between retries (Default: 3s)

--show-successes

(Default: false)

--show-warnings

(Default: true)

--timeout

max overall execution duration (Default: 5m0s)

--trace

enable trace logging, set one or more comma-separated values: none,all,perf,cpu,mem,opa,log (Default: none)

--verbose

more verbose output (Default: false)