From 69cdbc6fb7044b303710d1e27d8ce836370db616 Mon Sep 17 00:00:00 2001 From: Sofus Albertsen Date: Tue, 7 Jul 2026 16:45:27 +0200 Subject: [PATCH 1/4] docs: document OCI/docker registry credential discovery Explain how registry credentials are resolved for --artifact-type=oci (and docker with --registry-username set): explicit flags first, then Docker/Podman auth files and credential helpers, then anonymous access. Also note --registry-provider is deprecated and no longer used. --- cmd/kosli/root.go | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/cmd/kosli/root.go b/cmd/kosli/root.go index 2d278e7b1..0805d9581 100644 --- a/cmd/kosli/root.go +++ b/cmd/kosli/root.go @@ -59,6 +59,19 @@ a freshly built image (just ^docker build^) will not have one. If the image is a a registry, prefer ^--artifact-type=oci^, which fetches the digest directly from the registry without needing a local Docker daemon. +For ^--artifact-type=oci^ (and for ^--artifact-type=docker^ when ^--registry-username^ is set), +registry credentials are resolved as follows: + 1) If ^--registry-username^ and ^--registry-password^ are both set, they are used directly. + 2) Otherwise, credentials are discovered automatically from: + - the Docker config file (^~/.docker/config.json^, populated by ^docker login^) + - the Podman/containers auth file (^~/.config/containers/auth.json^, or ^$REGISTRY_AUTH_FILE^) + - any Docker credential helper configured in that config (e.g. ^docker-credential-ecr-login^ + for AWS ECR, ^docker-credential-gcloud^ for GCR/Artifact Registry, an ACR helper for Azure, + or a local keychain helper), invoked as an external binary on ^$PATH^ + - if none of the above yield credentials, the registry is accessed anonymously, which works + for public images + ^--registry-provider^ is deprecated and no longer used. + ` attestationBindingDesc = ` @@ -199,8 +212,8 @@ The ^.kosli_ignore^ will be treated as part of the artifact like any other file, gitlabOrgFlag = "Gitlab organization. (defaulted if you are running in Gitlab Pipelines: https://docs.kosli.com/integrations/ci_cd )." gitlabBaseURLFlag = "[optional] Gitlab base URL (only needed for on-prem Gitlab installations)." registryProviderFlag = "[deprecated] The docker registry provider or url. Only required if you want to read docker image SHA256 digest from a remote docker registry." - registryUsernameFlag = "[conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry." - registryPasswordFlag = "[conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry." + registryUsernameFlag = "[conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper." + registryPasswordFlag = "[conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper." resultsDirFlag = "[defaulted] The path to a directory with JUnit test results. By default, the directory will be uploaded to Kosli's evidence vault." snykJsonResultsFileFlag = "The path to Snyk SARIF or JSON scan results file from 'snyk test' and 'snyk container test'. By default, the Snyk results will be uploaded to Kosli's evidence vault." snykSarifResultsFileFlag = "The path to Snyk scan SARIF results file from 'snyk test' and 'snyk container test'. By default, the Snyk results will be uploaded to Kosli's evidence vault." From a8406d05a3ac8f6dc94ee551df123d8d4abab99a Mon Sep 17 00:00:00 2001 From: Marko Bevc Date: Tue, 7 Jul 2026 16:11:06 +0100 Subject: [PATCH 2/4] chore: Update cmd/kosli/root.go --- cmd/kosli/root.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/kosli/root.go b/cmd/kosli/root.go index 0805d9581..ce1716b0b 100644 --- a/cmd/kosli/root.go +++ b/cmd/kosli/root.go @@ -59,8 +59,8 @@ a freshly built image (just ^docker build^) will not have one. If the image is a a registry, prefer ^--artifact-type=oci^, which fetches the digest directly from the registry without needing a local Docker daemon. -For ^--artifact-type=oci^ (and for ^--artifact-type=docker^ when ^--registry-username^ is set), -registry credentials are resolved as follows: +For ^--artifact-type=oci^ (and for ^--artifact-type=docker^), registry credentials +are resolved as follows: 1) If ^--registry-username^ and ^--registry-password^ are both set, they are used directly. 2) Otherwise, credentials are discovered automatically from: - the Docker config file (^~/.docker/config.json^, populated by ^docker login^) From 135a0b5747fa5d0996f8848eb032a7c5185c4609 Mon Sep 17 00:00:00 2001 From: Marko Bevc Date: Tue, 7 Jul 2026 16:18:08 +0100 Subject: [PATCH 3/4] Apply suggestion from @claude[bot] Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> --- cmd/kosli/root.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/kosli/root.go b/cmd/kosli/root.go index ce1716b0b..b996a2b8b 100644 --- a/cmd/kosli/root.go +++ b/cmd/kosli/root.go @@ -59,9 +59,9 @@ a freshly built image (just ^docker build^) will not have one. If the image is a a registry, prefer ^--artifact-type=oci^, which fetches the digest directly from the registry without needing a local Docker daemon. -For ^--artifact-type=oci^ (and for ^--artifact-type=docker^), registry credentials -are resolved as follows: - 1) If ^--registry-username^ and ^--registry-password^ are both set, they are used directly. +For ^--artifact-type=oci^ (and for ^--artifact-type=docker^ when ^--registry-username^ +is set), registry credentials are resolved as follows: + 1) If ^--registry-username^ (and optionally ^--registry-password^) is set, it is used directly. 2) Otherwise, credentials are discovered automatically from: - the Docker config file (^~/.docker/config.json^, populated by ^docker login^) - the Podman/containers auth file (^~/.config/containers/auth.json^, or ^$REGISTRY_AUTH_FILE^) From 3a122df80f95b0e325d8d5d4cac64885b28e8475 Mon Sep 17 00:00:00 2001 From: Sofus Albertsen Date: Fri, 10 Jul 2026 10:27:11 +0200 Subject: [PATCH 4/4] docs: update artifact and snyk test data for registry credential resolution --- .../testdata/output/docs/mintlify/artifact.md | 17 +++++++++++++++-- cmd/kosli/testdata/output/docs/mintlify/snyk.md | 4 ++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/cmd/kosli/testdata/output/docs/mintlify/artifact.md b/cmd/kosli/testdata/output/docs/mintlify/artifact.md index 74ab3ba6b..2fbcbe070 100644 --- a/cmd/kosli/testdata/output/docs/mintlify/artifact.md +++ b/cmd/kosli/testdata/output/docs/mintlify/artifact.md @@ -30,6 +30,19 @@ a freshly built image (just `docker build`) will not have one. If the image is a a registry, prefer `--artifact-type=oci`, which fetches the digest directly from the registry without needing a local Docker daemon. +For `--artifact-type=oci` (and for `--artifact-type=docker` when `--registry-username` +is set), registry credentials are resolved as follows: + 1) If `--registry-username` (and optionally `--registry-password`) is set, it is used directly. + 2) Otherwise, credentials are discovered automatically from: + - the Docker config file (`~/.docker/config.json`, populated by `docker login`) + - the Podman/containers auth file (`~/.config/containers/auth.json`, or `$REGISTRY_AUTH_FILE`) + - any Docker credential helper configured in that config (e.g. `docker-credential-ecr-login` + for AWS ECR, `docker-credential-gcloud` for GCR/Artifact Registry, an ACR helper for Azure, + or a local keychain helper), invoked as an external binary on `$PATH` + - if none of the above yield credentials, the registry is accessed anonymously, which works + for public images + `--registry-provider` is deprecated and no longer used. + ## Flags @@ -45,8 +58,8 @@ registry without needing a local Docker daemon. | `-g`, `--git-commit` string | [defaulted] The git commit from which the artifact was created. (defaulted in some CIs: [docs](/integrations/ci_cd), otherwise defaults to HEAD ). | | `-h`, `--help` | help for artifact | | `-n`, `--name` string | [optional] Artifact display name, if different from file, image or directory name. | -| `--registry-password` string | [conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry. | -| `--registry-username` string | [conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry. | +| `--registry-password` string | [conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper. | +| `--registry-username` string | [conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper. | | `--repo-root` string | [defaulted] The directory where the source git repository is available. (default ".") | diff --git a/cmd/kosli/testdata/output/docs/mintlify/snyk.md b/cmd/kosli/testdata/output/docs/mintlify/snyk.md index 728b2d1be..f1a019582 100644 --- a/cmd/kosli/testdata/output/docs/mintlify/snyk.md +++ b/cmd/kosli/testdata/output/docs/mintlify/snyk.md @@ -50,8 +50,8 @@ In other CI systems, set them explicitly to capture repository metadata. | `-n`, `--name` string | The name of the attestation as declared in the flow or trail yaml template. | | `-o`, `--origin-url` string | [optional] The url pointing to where the attestation came from or is related. (defaulted to the CI url in some CIs: [docs](/integrations/ci_cd/#defaulted-kosli-command-flags-from-ci-variables) ). | | `--redact-commit-info` strings | [optional] The list of commit info to be redacted before sending to Kosli. Allowed values are one or more of [author, message, branch]. | -| `--registry-password` string | [conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry. | -| `--registry-username` string | [conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry. | +| `--registry-password` string | [conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper. | +| `--registry-username` string | [conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry and it is not already accessible via Docker/Podman auth files or a credential helper. | | `--repo-id` string | [conditional] The stable, unique identifier for the repository in your VCS provider (e.g. a numeric ID). Do not use the repository name as it can change if the repo is renamed. All three of `--repo-id`, `--repo-url` and `--repository` must be set to record repository information (defaulted in some CIs: [docs](/integrations/ci_cd) ). | | `--repo-provider` string | [optional] The source code hosting provider. One of: github, gitlab, bitbucket, azure-devops (defaulted in some CIs: [docs](/integrations/ci_cd) ). | | `--repo-root` string | [defaulted] The directory where the source git repository is available. Only used if `--commit` is used or defaulted in CI, see [docs](/integrations/ci_cd/#defaulted-kosli-command-flags-from-ci-variables) . (default ".") |