Commit

Add text on being able to update templates at any time
JonJagger committed Aug 21, 2024
1 parent 796c60c commit 49d0494
Showing 1 changed file with 11 additions and 8 deletions.
19 changes: 11 additions & 8 deletions docs.kosli.com/content/getting_started/attestations.md
Expand Up @@ -97,19 +97,12 @@ $ kosli attest snyk \

## Compliance

{{< hint info >}}
### Attestation immutability

Attestations are append-only immutable records. You can report the same attestation multiple times, and each report will be recorded.
However, only the latest version of the attestation is considered when evaluating compliance.
{{< /hint >}}

### Attesting with a template

The four attestations above are all made against a Flow named `backend-ci` and a Trail named after the git commit.
Typically, the Flow and Trail are explicitly setup before making the attestations (e.g. at the start of a CI workflow).
This is done with the `create flow` and `begin trail` commands, either of which can specify the name of the template yaml file above
(eg `.kosli.yml`) whose contents define overall compliance. For example:
(e.g. `.kosli.yml`) whose contents define overall compliance. For example:

```shell
$ kosli create flow backend-ci \
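Review bot: In the paragraph under "Attesting with a template", the unchanged line "Typically, the Flow and Trail are explicitly setup before making the attestations" uses the noun "setup" where the verb "set up" is needed. This hunk already edits the same paragraph to change "eg" to "e.g.", so fix it in the same commit. The paragraph also says "template yaml file", while the text added later in this commit says "template yml file"; settle on one spelling across the page.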
Expand All @@ -136,6 +129,16 @@ In this case a Flow and Trail will be automatically setup but there will be no t
overall compliance. The compliance of any attested artifact will depend only on the compliance of the attestations actually made
and never because a specific attestation is missing.

### Attestation immutability

You can set/edit the template yml file for the Flow/Trail at any time.
This will affect compliance evaluations made after the edit.
It will not affect earlier records of compliance evaluations (e.g. in Environment Snapshots).

Attestations are append-only immutable records. You can report the same attestation multiple times, and each report will be recorded.
However, only the latest version of the attestation is considered when evaluating compliance.



## Evidence Vault
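Review bot: The relocated heading "### Attestation immutability" now opens with "You can set/edit the template yml file for the Flow/Trail at any time", which describes something mutable, so the heading no longer matches its first paragraph. Give the template text its own heading, or move it up under "Attesting with a template", and keep this heading for the append-only paragraph alone. The `{{< hint info >}}` wrapper around the immutability text was dropped in the move; confirm that is intended, since the note loses its callout styling. The new text says an edit "will affect compliance evaluations made after the edit" but not whether the template change itself is recorded; a sentence on that would help readers who rely on these records for audit. The two extra blank lines added before "## Evidence Vault" can be removed.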
