kosli-dev · mbevc1 · Jun 22, 2026 · Jun 22, 2026
@@ -1,7 +1,5 @@
 ---
 title: "kosli"
-beta: false
-deprecated: false
 description: "The Kosli CLI."
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli allow artifact"
-beta: false
-deprecated: false
 description: "Add an artifact to an environment's allowlist.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli archive attestation-type"
-beta: false
-deprecated: false
 description: "Archive a custom Kosli attestation type."
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli archive environment"
-beta: false
-deprecated: false
 description: "Archive a Kosli environment."
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli archive flow"
-beta: false
-deprecated: false
 description: "Archive a Kosli flow."
 ---
 

@@ -1,13 +1,13 @@
 ---
 title: "kosli assert approval"
-beta: false
-deprecated: true
+tag: "DEPRECATED"
 description: "Assert an artifact in Kosli has been approved for deployment.  "
 ---
 
-<Warning>
-**kosli assert approval** is deprecated. this command is deprecated and will be removed in a future release.  Deprecated commands will be removed in a future release.
-</Warning>
+import CliDeprecatedNotice from "/snippets/cli-deprecated-notice.mdx";
+
+<CliDeprecatedNotice />
+
 ## Synopsis
 
 ```shell

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert artifact"
-beta: false
-deprecated: false
 description: "Assert the compliance status of an artifact in Kosli. 
 There are three ways to choose what to assert against:
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert pullrequest azure"
-beta: false
-deprecated: false
 description: "Assert an Azure DevOps pull request for a git commit exists.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert pullrequest bitbucket"
-beta: false
-deprecated: false
 description: "Assert a Bitbucket pull request for a git commit exists.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert pullrequest github"
-beta: false
-deprecated: false
 description: "Assert a Github pull request for a git commit exists.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert pullrequest gitlab"
-beta: false
-deprecated: false
 description: "Assert a Gitlab merge request for a git commit exists.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert snapshot"
-beta: false
-deprecated: false
 description: "Assert the compliance status of an environment in Kosli."
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli assert status"
-beta: false
-deprecated: false
 description: "Assert the status of a Kosli server."
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attach-policy"
-beta: false
-deprecated: false
 description: "Attach a policy to one or more Kosli environments.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest artifact"
-beta: false
-deprecated: false
 description: "Attest an artifact creation to a Kosli flow.  "
 ---
 
@@ -81,7 +79,7 @@ In other CI systems, set them explicitly to capture repository metadata.
 	<Tab title="GitHub">
 	View an example of the `kosli attest artifact` command in GitHub.
 
-	In [this YAML file](https://github.com/cyber-dojo/reusable-actions-workflows/blob/2d5cf6095a77931bc6eb6d525e4db2d1be1a8cb2/.github/workflows/secure-docker-build.yml#L219), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/981dcfc34f584d46afb46b217b47ce68f2f14a08?attestation_id=03312679-db2a-4f55-a323-7cdb2c89).
+	In [this YAML file](https://github.com/cyber-dojo/reusable-actions-workflows/blob/2d5cf6095a77931bc6eb6d525e4db2d1be1a8cb2/.github/workflows/secure-docker-build.yml#L219), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1?attestation_id=c25bc6ba-cbfd-4ad5-b5ab-d4bca4e9).
 	</Tab>
 	<Tab title="GitLab">
 	View an example of the `kosli attest artifact` command in GitLab.

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest custom"
-beta: false
-deprecated: false
 description: "Report a custom attestation to an artifact or a trail in a Kosli flow. "
 ---
 
@@ -79,7 +77,7 @@ In other CI systems, set them explicitly to capture repository metadata.
 	<Tab title="GitHub">
 	View an example of the `kosli attest custom` command in GitHub.
 
-	In [this YAML file](https://github.com/cyber-dojo/differ/blob/981dcfc34f584d46afb46b217b47ce68f2f14a08/.github/workflows/main.yml#L168), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/981dcfc34f584d46afb46b217b47ce68f2f14a08?attestation_id=dfa0b6c3-d537-4299-bbe9-c0943930).
+	In [this YAML file](https://github.com/cyber-dojo/differ/blob/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1/.github/workflows/main.yml#L168), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1?attestation_id=e76820c2-28e3-47a4-b047-fd78c0e6).
 	</Tab>
 </Tabs>
 

@@ -0,0 +1,124 @@
+---
+title: "kosli attest decision"
+tag: "BETA"
+hidden: true
+description: "Record a compliance decision against a control in a Kosli trail.  "
+---
+
+import CliBetaNotice from "/snippets/cli-beta-notice.mdx";
+
+<CliBetaNotice />
+
+## Synopsis
+
+```shell
+kosli attest decision [IMAGE-NAME | FILE-PATH | DIR-PATH] [flags]
+```
+
+Record a compliance decision against a control in a Kosli trail.  
+Use this command to record the outcome of evaluating a control as part of your delivery
+pipeline — whether it was satisfied or not — attached to a specific trail with an optional artifact.
+This decision is the evidence that a governance requirement was assessed.
+
+
+The attestation can be bound to a *trail* using the trail name.
+The attestation can be bound to an *artifact* in two ways:
+- using the artifact's SHA256 fingerprint which is calculated (based on the `--artifact-type` flag and the artifact name/path argument) or can be provided directly (with the `--fingerprint` flag).
+- using the artifact's name in the flow yaml template and the git commit from which the artifact is/will be created. Useful when reporting an attestation before creating/reporting the artifact.
+
+You can optionally associate the attestation to a git commit using `--commit` (requires access to a git repo).
+You can optionally redact some of the git commit data sent to Kosli using `--redact-commit-info`.
+Note that when the attestation is reported for an artifact that does not yet exist in Kosli, `--commit` is required to facilitate
+binding the attestation to the right artifact.
+To record repository information, all three of `--repo-id`, `--repo-url`, and `--repository` must be set together.
+These are automatically set in GitHub Actions, GitLab CI, Bitbucket Pipelines, and Azure DevOps.
+In other CI systems, set them explicitly to capture repository metadata.
+
+## Flags
+| Flag | Description |
+| :--- | :--- |
+|        `--annotate` stringToString  |  [optional] Annotate the attestation with data using key=value.  |
+|    `-t`, `--artifact-type` string  |  The type of the artifact to calculate its SHA256 fingerprint. One of: [oci, docker, file, dir]. Only required if you want Kosli to calculate the fingerprint for you (i.e. when you don't specify '`--fingerprint`' on commands that allow it).  |
+|        `--attachments` strings  |  [optional] The comma-separated list of paths of attachments for the reported attestation. Attachments can be files or directories. All attachments are compressed and uploaded to Kosli's evidence vault.  |
+|    `-g`, `--commit` string  |  [conditional] The git commit for which the attestation is associated to. Becomes required when reporting an attestation for an artifact before reporting it to Kosli. (defaulted in some CIs: [docs](/integrations/ci_cd) ).  |
+|    `-C`, `--compliant`  |  [defaulted] Whether the attestation is compliant or not. A boolean flag [docs](/faq/#boolean-flags)  |
+|        `--control` string  |  The control identifier being evaluated (e.g. RCTL-043).  |
+|        `--description` string  |  [optional] attestation description  |
+|    `-D`, `--dry-run`  |  [optional] Run in dry-run mode. When enabled, no data is sent to Kosli and the CLI exits with 0 exit code regardless of any errors.  |
+|    `-x`, `--exclude` strings  |  [optional] The comma separated list of directories and files to exclude from fingerprinting. Can take glob patterns. Only applicable for `--artifact-type` dir.  |
+|        `--external-fingerprint` stringToString  |  [optional] A SHA256 fingerprint of an external attachment represented by `--external-url`. The format is label=fingerprint (labels cannot contain '.' or '='). This flag can be set multiple times. There must be an external url with a matching label for each external fingerprint.  |
+|        `--external-url` stringToString  |  [optional] Add labeled reference URL for an external resource. The format is label=url (labels cannot contain '.' or '='). This flag can be set multiple times. If the resource is a file or dir, you can optionally add its fingerprint via `--external-fingerprint`  |
+|    `-F`, `--fingerprint` string  |  [conditional] The SHA256 fingerprint of the artifact to attach the attestation to. Only required if the attestation is for an artifact and `--artifact-type` and artifact name/path are not used.  |
+|    `-f`, `--flow` string  |  The Kosli flow name.  |
+|    `-h`, `--help`  |  help for decision  |
+|    `-n`, `--name` string  |  The name of the attestation as declared in the flow or trail yaml template.  |
+|    `-o`, `--origin-url` string  |  [optional] The url pointing to where the attestation came from or is related. (defaulted to the CI url in some CIs: [docs](/integrations/ci_cd/#defaulted-kosli-command-flags-from-ci-variables) ).  |
+|        `--redact-commit-info` strings  |  [optional] The list of commit info to be redacted before sending to Kosli. Allowed values are one or more of [author, message, branch].  |
+|        `--registry-password` string  |  [conditional] The container registry password or access token. Only required if you want to read container image SHA256 digest from a remote container registry.  |
+|        `--registry-username` string  |  [conditional] The container registry username. Only required if you want to read container image SHA256 digest from a remote container registry.  |
+|        `--repo-id` string  |  [conditional] The stable, unique identifier for the repository in your VCS provider (e.g. a numeric ID). Do not use the repository name as it can change if the repo is renamed. All three of `--repo-id`, `--repo-url` and `--repository` must be set to record repository information (defaulted in some CIs: [docs](/integrations/ci_cd) ).  |
+|        `--repo-provider` string  |  [optional] The source code hosting provider. One of: github, gitlab, bitbucket, azure-devops (defaulted in some CIs: [docs](/integrations/ci_cd) ).  |
+|        `--repo-root` string  |  [defaulted] The directory where the source git repository is available. Only used if `--commit` is used or defaulted in CI, see [docs](/integrations/ci_cd/#defaulted-kosli-command-flags-from-ci-variables) . (default ".")  |
+|        `--repo-url` string  |  [conditional] The URL of the repository. Must be a valid URL. All three of `--repo-id`, `--repo-url` and `--repository` must be set to record repository information (defaulted in some CIs: [docs](/integrations/ci_cd) ).  |
+|        `--repository` string  |  [conditional] The name of the repository (e.g. owner/repo-name). All three of `--repo-id`, `--repo-url` and `--repository` must be set to record repository information (defaulted in some CIs: [docs](/integrations/ci_cd) ).  |
+|    `-T`, `--trail` string  |  The Kosli trail name.  |
+|    `-u`, `--user-data` string  |  [optional] The path to a JSON file containing additional data you would like to attach to the attestation.  |
+
+
+## Flags inherited from parent commands
+| Flag | Description |
+| :--- | :--- |
+|    `-a`, `--api-token` string  |  The Kosli API token.  |
+|    `-c`, `--config-file` string  |  [optional] The Kosli config file path. (default "kosli")  |
+|        `--debug`  |  [optional] Print debug logs to stdout.  |
+|    `-H`, `--host` string  |  [defaulted] The Kosli endpoint. (default "https://app.kosli.com")  |
+|        `--http-proxy` string  |  [optional] The HTTP proxy URL including protocol and port number. e.g. `http://proxy-server-ip:proxy-port`  |
+|    `-r`, `--max-api-retries` int  |  [defaulted] How many times should API calls be retried when the API host is not reachable. (default 3)  |
+|        `--org` string  |  The Kosli organization.  |
+|    `-q`, `--quiet`  |  [optional] Suppress non-critical warning messages. Errors and normal output are not affected. If both `--quiet` and `--debug` are set, `--debug` wins.  |
+
+
+## Examples Use Cases
+
+These examples all assume that the flags  `--api-token`, `--org`, `--host`, (and `--flow`, `--trail` when required), are [set/provided](/getting_started/install/#assigning-flags-via-environment-variables). 
+
+<AccordionGroup>
+<Accordion title="record a compliant decision against a trail">
+```shell
+kosli attest decision 
+	--name yourAttestationName 
+	--control RCTL-043 
+	--compliant=true 
+
+```
+</Accordion>
+<Accordion title="record a non-compliant decision against a trail">
+```shell
+kosli attest decision 
+	--name yourAttestationName 
+	--control RCTL-043 
+	--compliant=false 
+
+```
+</Accordion>
+<Accordion title="record a decision linked to a specific artifact (by fingerprint)">
+```shell
+kosli attest decision 
+	--name yourAttestationName 
+	--control RCTL-043 
+	--compliant=true 
+	--fingerprint yourArtifactFingerprint 
+
+```
+</Accordion>
+<Accordion title="record a decision with an evidence attachment">
+```shell
+kosli attest decision 
+	--name yourAttestationName 
+	--control RCTL-043 
+	--compliant=true 
+	--attachments eval-report.json 
+```
+</Accordion>
+</AccordionGroup>
+
@@ -1,7 +1,5 @@
 ---
 title: "kosli attest generic"
-beta: false
-deprecated: false
 description: "Report a generic attestation to an artifact or a trail in a Kosli flow.  "
 ---
 
@@ -75,7 +73,7 @@ In other CI systems, set them explicitly to capture repository metadata.
 	<Tab title="GitHub">
 	View an example of the `kosli attest generic` command in GitHub.
 
-	In [this YAML file](https://github.com/cyber-dojo/dashboard/blob/87f560f87fb2bc242ee5c58d74d0e209d71cd338/.github/workflows/main.yml#L197), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/dashboard-ci/trails/87f560f87fb2bc242ee5c58d74d0e209d71cd338?attestation_id=13c229f8-974c-4f29-afed-5c3a990c).
+	In [this YAML file](https://github.com/cyber-dojo/dashboard/blob/ff89dd9bd1bfc5441854450adcf25d5aad9508f4/.github/workflows/main.yml#L197), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/dashboard-ci/trails/ff89dd9bd1bfc5441854450adcf25d5aad9508f4?attestation_id=13206cf1-58ef-44b2-abd5-7ba7dd52).
 	</Tab>
 	<Tab title="GitLab">
 	View an example of the `kosli attest generic` command in GitLab.

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest jira"
-beta: false
-deprecated: false
 description: "Report a jira attestation to an artifact or a trail in a Kosli flow.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest junit"
-beta: false
-deprecated: false
 description: "Report a junit attestation to an artifact or a trail in a Kosli flow.
 JUnit xml files are read from the `--results-dir` directory which defaults to the current directory.
 The xml files are automati..."
@@ -80,7 +78,7 @@ In other CI systems, set them explicitly to capture repository metadata.
 	<Tab title="GitHub">
 	View an example of the `kosli attest junit` command in GitHub.
 
-	In [this YAML file](https://github.com/cyber-dojo/differ/blob/981dcfc34f584d46afb46b217b47ce68f2f14a08/.github/workflows/main.yml#L101), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/981dcfc34f584d46afb46b217b47ce68f2f14a08?attestation_id=b35c2895-32ae-4a40-8eb8-ddf7eff0).
+	In [this YAML file](https://github.com/cyber-dojo/differ/blob/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1/.github/workflows/main.yml#L101), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1?attestation_id=1943de12-81c4-4493-b83c-6a6d8613).
 	</Tab>
 	<Tab title="GitLab">
 	View an example of the `kosli attest junit` command in GitLab.

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest pullrequest azure"
-beta: false
-deprecated: false
 description: "Report an Azure Devops pull request attestation to an artifact or a trail in a Kosli flow.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest pullrequest bitbucket"
-beta: false
-deprecated: false
 description: "Report a Bitbucket pull request attestation to an artifact or a trail in a Kosli flow.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest pullrequest github"
-beta: false
-deprecated: false
 description: "Report a Github pull request attestation to an artifact or a trail in a Kosli flow.  "
 ---
 
@@ -72,7 +70,7 @@ The attestation can be bound to an *artifact* in two ways:
 	<Tab title="GitHub">
 	View an example of the `kosli attest pullrequest github` command in GitHub.
 
-	In [this YAML file](https://github.com/cyber-dojo/differ/blob/981dcfc34f584d46afb46b217b47ce68f2f14a08/.github/workflows/main.yml#L81), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/981dcfc34f584d46afb46b217b47ce68f2f14a08?attestation_id=bde7c31e-ae7d-453e-b261-994f2f49).
+	In [this YAML file](https://github.com/cyber-dojo/differ/blob/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1/.github/workflows/main.yml#L81), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/differ-ci/trails/3ab1ef84cb2243f184502ddb7f491e24d4ced1c1?attestation_id=8f8068e0-2e48-4f20-b5a2-3869516e).
 	</Tab>
 </Tabs>
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest pullrequest gitlab"
-beta: false
-deprecated: false
 description: "Report a Gitlab merge request attestation to an artifact or a trail in a Kosli flow.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest snyk"
-beta: false
-deprecated: false
 description: "Report a snyk attestation to an artifact or a trail in a Kosli flow.  "
 ---
 

@@ -1,7 +1,5 @@
 ---
 title: "kosli attest sonar"
-beta: false
-deprecated: false
 description: "Report a SonarQube attestation to an artifact or a trail in a Kosli flow.  "
 ---
 
@@ -100,7 +98,7 @@ The attestation can be bound to an *artifact* in two ways:
 	<Tab title="GitHub">
 	View an example of the `kosli attest sonar` command in GitHub.
 
-	In [this YAML file](https://github.com/cyber-dojo/dashboard/blob/87f560f87fb2bc242ee5c58d74d0e209d71cd338/.github/workflows/main.yml#L122), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/dashboard-ci/trails/87f560f87fb2bc242ee5c58d74d0e209d71cd338?attestation_id=9b4f1511-de6d-4330-81c7-833cf034).
+	In [this YAML file](https://github.com/cyber-dojo/dashboard/blob/ff89dd9bd1bfc5441854450adcf25d5aad9508f4/.github/workflows/main.yml#L122), which created [this Kosli Event](https://app.kosli.com/cyber-dojo/flows/dashboard-ci/trails/ff89dd9bd1bfc5441854450adcf25d5aad9508f4?attestation_id=c8a0c20f-2037-4668-af96-6dcaaf73).
 	</Tab>
 </Tabs>