Skip to main content
In this tutorial, we will attest a large security report to Kosli using a lightweight summary for compliance evaluation, with the full document preserved in the Evidence Vault for audit purposes. By the end, you will have a Kosli attestation that captures the key facts from your report — vulnerability counts, severity levels, pass/fail status — and links to the full file for audit access. This two-part approach keeps attestation payloads focused on what compliance rules need to evaluate, while ensuring the raw evidence remains available.

Prerequisites

Step 1: Create a summary attestation type

Define a custom attestation type that captures the key facts from your report. In this example we use a vulnerability report distilled into a summary JSON file:
Create an attestation type that enforces a zero-critical-findings rule:
You should see: attestation-type vulnerability-summary was created. You can verify it with:

Step 2: Distill your report into a summary

Use jq (or any other tool) to extract the fields you care about from your full report and write them to a summary file. For example, if your tool produces a SARIF file, you might count findings by severity and write the result to vuln-summary.json. The exact transformation will depend on your tool’s output format. The goal is a small JSON object that your attestation type’s rules can evaluate.

Step 3: Attest the summary and attach the full report

Use --attachments to upload the full report to the Evidence Vault alongside the summary attestation:
Kosli will:
  • Evaluate the jq rule against vuln-summary.json to determine compliance.
  • Store full-report.sarif in the Evidence Vault, linked to this attestation.

Step 4: Verify the attestation

The attestation record will show the compliance status and include a link to the attached file in the Evidence Vault.

What you’ve accomplished

You have attested a security report to Kosli using a lightweight summary for compliance evaluation, with the full document preserved in the Evidence Vault for audit purposes. From here you can:
Last modified on June 5, 2026