cosign attest

Attest the supplied container image


--output-file <output-file>Log output to a file
--timeout, -t <timeout>Timeout for commands
--verbose, -dLog debug output
--allow-insecure-registryWhether to allow insecure connections to registries. Don't use this for anything but testing
--attachment-tag-prefix <attachment-tag-prefix>Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]`
--cert <cert>Path to the x509 certificate to include in the Signature
--force, -fSkip warnings and confirmations
--fulcio-url <fulcio-url>[EXPERIMENTAL] address of sigstore PKI server
--identity-token <identity-token>[EXPERIMENTAL] identity token to use for certificate from fulcio
--insecure-skip-verify[EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing)
--k8s-keychainWhether to use the kubernetes keychain instead of the default keychain (supports workload identity)
--key <key>Path to the private key file, KMS URI or Kubernetes Secret
--no-uploadDo not upload the generated attestation
--oidc-client-id <oidc-client-id>[EXPERIMENTAL] OIDC client ID for application
--oidc-client-secret <oidc-client-secret>[EXPERIMENTAL] OIDC client secret for application
--oidc-issuer <oidc-issuer>[EXPERIMENTAL] OIDC provider to be used to issue ID token
--predicate <predicate>Path to the predicate file
--recursive, -rIf a multi-arch image is specified, additionally sign each discrete image
--rekor-url <rekor-url>[EXPERIMENTAL] address of rekor STL server
--skWhether to use a hardware security key
--slot <slot>Security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
--type <type>Specify a predicate type (slsaprovenance|link|spdx|vuln|custom) or an URI
--help, -hHelp for attest