docs: clarify --artifact-type=docker requires registry digest

AlexKantor87 · claude · AlexKantor87 · commit 797eabc5083b · 2026-04-28T14:50:28.000+01:00
A customer hit "repo digest unavailable for the image, has it been
pushed to or pulled from a registry?" after kosli attest artifact with
--artifact-type=docker in CI, where the image was built but never
pushed. The constraint that the docker artifact type requires a
registry-resident image was only stated in the error itself.

Add a note to the long descriptions of attest commands (via
fingerprintDesc) and kosli fingerprint, covering the constraint and
pointing at oci and dir as alternatives.

Help-text only; no behaviour change. Auto-generated docs in
kosli-dev/docs will pick this up on the next CLI release.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cmd/kosli/fingerprint.go b/cmd/kosli/fingerprint.go
@@ -40,6 +40,11 @@ images in registries or "docker" for local docker images.
 Fingerprinting container images can be done using the local docker daemon or the fingerprint can be fetched
 from a remote registry.
 
+Note: ^--artifact-type=docker^ reads the image's repo digest via the local Docker daemon, so
+the image must have been pushed to or pulled from a registry. A freshly built image (just
+^docker build^) does not have a repo digest. For images already in a registry, prefer
+^--artifact-type=oci^ to fetch the digest directly from the registry.
+
 ` + fingerprintDirSynopsis
 
 const fingerprintExamples = `
diff --git a/cmd/kosli/root.go b/cmd/kosli/root.go
@@ -42,12 +42,19 @@ const (
 
 	// the following constants are used in the docs/help
 	fingerprintDesc = `
-The artifact fingerprint can be provided directly with the ^--fingerprint^ flag, or 
+The artifact fingerprint can be provided directly with the ^--fingerprint^ flag, or
 calculated based on ^--artifact-type^ flag.
 
 Artifact type can be one of: "file" for files, "dir" for directories, "oci" for container
 images in registries or "docker" for local docker images.
 
+Note: ^--artifact-type=docker^ reads the image's repo digest via the local Docker daemon.
+The image must have been pushed to or pulled from a registry for a repo digest to exist;
+a freshly built image (just ^docker build^) will not have one. If the image is already in
+a registry, prefer ^--artifact-type=oci^, which fetches the digest directly from the
+registry without needing a local Docker daemon. To fingerprint the source instead, use
+^--artifact-type=dir^ on the build context.
+
 `
 
 	attestationBindingDesc = `
