CLI

Some environments have no Cimon extension, either because of a lack of infrastructure or because Cimon has to be installed manually. For those cases, we provide a way to install and run Cimon directly. Our extensions (GitHub Actions and Azure Pipelines) do precisely that behind the scenes.

Installing Cimon CLI

The quickest way to install the Cimon CLI is with the install script, which automatically selects the latest version for your architecture. The default installation folder is ./bin. Running the script with -h prints its usage:

curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh -s -- -h

sh: download go binaries for Cimon
Usage: sh [-b] bindir [-d] [tag]
-b sets bindir or installation directory, Defaults to ./bin
-d turns on debug logging
[tag] is a tag from
https://github.com/cycodelabs/cimon-releases/releases
If tag is missing, then the latest will be used.

Examples

Fetching the latest version to ./bin

curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh

Installing Cimon to a directory that is already included in the PATH variable (this requires higher privileges):

curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin

cimon -h

Fetching a specific version tag

curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh -s -- v0.10.0

Available Sub-commands

  • cimon attest - Attest and optionally sign supplied subjects (aka artifacts).

Parameters

Here are the parameters that are supported:

| Environment Variable | Default | Description |
| --- | --- | --- |
| CIMON_CLIENT_ID | | Cimon client ID for authentication |
| CIMON_SECRET | | Cimon secret for authentication |
| CIMON_URL | | Cimon endpoint for authentication |
| CIMON_SUBJECTS | | A whitespace-separated list of paths, or base64-encoded subjects. Either subjects or imageRef are required |
| CIMON_ATTEST_IMAGE_REF | | The container reference to generate provenance for. Either subjects or imageRef are required |
| CIMON_PROVENANCE_OUTPUT | provenance.intoto.jsonl | Provenance output path. Can be an absolute path or a relative path to the working directory |
| CIMON_SIGNED_PROVENANCE_OUTPUT | provenance.intoto.jsonl.sig | Signed provenance output path. Can be an absolute path or a relative path to the working directory |
| CIMON_SIGN_KEY | | Input path to a private ECDSA/RSA/ED25519 key used to sign the provenance statement. Can be an absolute path or a relative path to the working directory |
| CIMON_LOG_LEVEL | info | Log level (used for debugging) |
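
A preflight wrapper for cimon attest built on the parameters above, as an added example that is not part of the Cimon documentation or tooling. The function names and return codes are hypothetical, and it assumes cimon attest reads these environment variables without extra flags.

```shell
#!/bin/sh
# Added example: preflight checks before `cimon attest`.
# Assumption: `cimon attest` takes its settings from the environment
# variables in the parameter table, with no extra flags.

# Return codes (hypothetical, chosen for this example):
#   0 ok, 2 no subject or image ref, 3 key unreadable, 4 key too permissive
cimon_preflight() {
    # The table states that either subjects or imageRef are required.
    if [ -z "${CIMON_SUBJECTS:-}" ] && [ -z "${CIMON_ATTEST_IMAGE_REF:-}" ]; then
        echo "preflight: set CIMON_SUBJECTS or CIMON_ATTEST_IMAGE_REF" >&2
        return 2
    fi

    # Signing is optional per the sub-command description, so a missing
    # key is reported but does not fail the check.
    if [ -z "${CIMON_SIGN_KEY:-}" ]; then
        echo "preflight: CIMON_SIGN_KEY unset, provenance will not be signed" >&2
        return 0
    fi

    if [ ! -f "$CIMON_SIGN_KEY" ] || [ ! -r "$CIMON_SIGN_KEY" ]; then
        echo "preflight: cannot read signing key $CIMON_SIGN_KEY" >&2
        return 3
    fi

    # A private key readable or writable by group/others can be copied or
    # swapped by another job on a shared runner; refuse to use it.
    loose=$(find "$CIMON_SIGN_KEY" -prune \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "preflight: $CIMON_SIGN_KEY is accessible to group/others (chmod 600)" >&2
        return 4
    fi
    return 0
}

# Run the attestation only when the preflight passes.
cimon_attest_checked() {
    cimon_preflight || return $?
    cimon attest
}
```

Source this file in the build job and call cimon_attest_checked in place of cimon attest.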