...

Text file src/github.com/in-toto/in-toto-golang/doc/in-toto_run.md

Documentation: github.com/in-toto/in-toto-golang/doc

## in-toto run

Executes the passed command and records paths and hashes of 'materials'

### Synopsis

Executes the passed command and records paths and hashes of 'materials' (i.e.
files before command execution) and 'products' (i.e. files after command
execution) and stores them together with other information (executed command,
return value, stdout, stderr, ...) to a link metadata file, which is signed
with the passed key.  Returns nonzero value on failure and zero otherwise.

```
in-toto run [flags]
```

### Options

```
  -c, --cert string                       Path to a PEM formatted certificate that corresponds with
                                          the provided key.
  -e, --exclude stringArray               Path patterns to match paths that should not be recorded as
                                          ‘materials’ or ‘products’. Passed patterns override patterns defined
                                          in environment variables or config files. See Config docs for details.
      --follow-symlink-dirs               Follow symlinked directories to their targets. Note: this parameter
                                          toggles following linked directories only, linked files are always
                                          recorded independently of this parameter.
  -h, --help                              help for run
  -k, --key string                        Path to a PEM formatted private key file used to sign
                                          the resulting link metadata.
  -l, --lstrip-paths stringArray          Path prefixes used to left-strip artifact paths before storing
                                          them to the resulting link metadata. If multiple prefixes
                                          are specified, only a single prefix can match the path of
                                          any artifact and that is then left-stripped. All prefixes
                                          are checked to ensure none of them are a left substring
                                          of another.
  -m, --materials stringArray             Paths to files or directories, whose paths and hashes
                                          are stored in the resulting link metadata before the
                                          command is executed. Symlinks are followed.
  -d, --metadata-directory string         Directory to store link metadata (default "./")
  -n, --name string                       Name used to associate the resulting link metadata
                                          with the corresponding step defined in an in-toto layout.
  -x, --no-command                        Indicate that there is no command to be executed for the step.
      --normalize-line-endings            Enable line normalization in order to support different
                                          operating systems. It is done by replacing all line separators
                                          with a new line character.
  -p, --products stringArray              Paths to files or directories, whose paths and hashes
                                          are stored in the resulting link metadata after the
                                          command is executed. Symlinks are followed.
  -r, --run-dir string                    runDir specifies the working directory of the command.
                                          If runDir is the empty string, the command will run in the
                                          calling process's current directory. The runDir directory must
                                          exist, be writable, and not be a symlink.
      --spiffe-workload-api-path string   UDS path for SPIFFE workload API
      --use-dsse                          Create metadata using DSSE instead of the legacy signature wrapper.
```
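
The `--lstrip-paths` rule described above, sketched in Go as an added example (this is not in-toto-golang's own code). `checkPrefixes` and `lstripPaths` are hypothetical names, the sample paths are constructed, and rejecting two artifacts that strip to the same stored path is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// checkPrefixes rejects a prefix list in which one prefix is a left
// substring of another; identical prefixes are rejected as well.
func checkPrefixes(prefixes []string) error {
	for i, a := range prefixes {
		for j, b := range prefixes {
			if i != j && strings.HasPrefix(b, a) {
				return fmt.Errorf("prefix %q is a left substring of %q", a, b)
			}
		}
	}
	return nil
}

// lstripPaths removes the matching prefix from each artifact path; paths
// that match no prefix are kept unchanged. Assumption of this sketch: two
// inputs that collapse to the same stored path are reported as an error.
func lstripPaths(paths, prefixes []string) ([]string, error) {
	if err := checkPrefixes(prefixes); err != nil {
		return nil, err
	}
	seen := make(map[string]string)
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		stripped := p
		for _, pre := range prefixes {
			if strings.HasPrefix(p, pre) {
				stripped = strings.TrimPrefix(p, pre)
				break // checkPrefixes guarantees at most one prefix matches
			}
		}
		if prev, dup := seen[stripped]; dup {
			return nil, fmt.Errorf("%q and %q both become %q", prev, p, stripped)
		}
		seen[stripped] = p
		out = append(out, stripped)
	}
	return out, nil
}

func main() { // constructed sample paths and prefixes
	fmt.Println(lstripPaths([]string{"/ci/build/src/main.go", "/tmp/out/app"}, []string{"/ci/build/", "/tmp/out/"}))
}
```

Because verification matches layout rules against the stored paths, an ambiguous prefix set would change which artifact a rule refers to, which is why overlapping prefixes are refused up front.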

### SEE ALSO

* [in-toto](in-toto.md) - Framework to secure integrity of software supply chains

