- Understand Flow Templates and how they define compliance requirements
- Update an existing Flow to enforce specific attestations
- Understand the difference between compliant and non-compliant Trails
- Use `kosli assert artifact` to gate deployments based on compliance status
In the previous labs, you've been recording evidence (attestations) for your builds. However, recording evidence is only half the battle. You also need to ensure that the required evidence is actually present before allowing a release to proceed.
Flow Templates define the "shape" of a compliant release. They specify:
- Which artifacts are expected
- Which attestations are required for each artifact
- Which attestations are required for the Trail itself
When a Trail is evaluated against its Flow Template, Kosli determines if it is Compliant or Non-Compliant.
By using the `kosli assert artifact` command in your pipeline, you can automatically block deployments that don't meet your compliance standards.
- Completed Lab 3: Build Controls and Attestations
- CI/CD pipeline successfully sending attestations to Kosli
In this lab, you will:
- Define a Flow Template that requires Unit Tests and an SBOM
- Update your existing Flow with these requirements
- Verify that your current pipeline is compliant
- Add a "Release Gate" step to your pipeline using `kosli assert artifact`
- (Optional) Test what happens when requirements are not met
We can tell Kosli what attestations a "good" release looks like.
We do this by defining a template YAML file.
Create a file named flow-template.yaml in the root of your repository:
```yaml
version: 1
trail:
  artifacts:
    - name: application
      attestations:
        - name: unit-tests
          type: junit
    - name: docker-image
      attestations:
        - name: sbom
          type: generic
```

This template matches the structure of the attestations we set up in Lab 3:
- An `application` artifact which must have `unit-tests`.
- A `docker-image` artifact which must have an `sbom`.
Now, let's update your existing Flow to use this template. We'll add a step to your workflow to ensure the Flow definition is always up to date with your code.
Open .github/workflows/full-pipeline.yaml and find the Create/Update Flow step (added in Lab 2). Update it to use the template file:
```yaml
- name: Create/Update Flow
  run: |
    kosli create flow ${APP_NAME}-pipeline \
      --description "CI/CD pipeline for ${APP_NAME} application" \
      --template-file flow-template.yaml
```

💡 We removed `--use-empty-template` and replaced it with `--template-file flow-template.yaml`.
Now that we have rules, let's enforce them! We will add a step before deployment that checks if the artifacts are compliant.
In .github/workflows/full-pipeline.yaml, find the Deploy job. Add the assertion step before the "Deploy to production" step:
```yaml
- name: Setup Kosli CLI
  uses: kosli-dev/setup-cli-action@v2
  with:
    version: 2.11.32

- name: Assert Compliance
  run: |
    IMAGE_NAME="ghcr.io/${IMAGE}:latest"
    kosli assert artifact ${IMAGE_NAME} \
      --artifact-type oci \
      --flow ${APP_NAME}-pipeline
```

This command asks Kosli: "Is this artifact (and its trail) compliant?"
- Yes: all attestations and artifacts required by the template are present, and none of the attestations made to the trail are non-compliant.
  - The command exits with 0, and the pipeline continues to deploy.
- No: one or more attestations or artifacts required by the template are missing, or at least one of the attestations made to the trail is non-compliant.
  - The command exits with 1, failing the pipeline and preventing deployment.
See kosli assert artifact for more details.
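To make the Yes/No rule above concrete, here is a small local simulation of how a Trail is judged against a Flow Template. This is an added example, not Kosli's own code (the real evaluation happens server-side when `kosli assert artifact` runs). It embeds the parsed form of this lab's `flow-template.yaml`, constructs sample evidence matching what the Lab 3 pipeline records, and then shows both failure modes: a required attestation that was never recorded (the `performance-test` case used in the optional test later in this lab) and an attestation that was recorded but is itself non-compliant. The `Attestation`, `Verdict`, `evaluate_trail` and `gate_exit_code` names are this example's own.

```python
"""Local simulation of Compliant vs Non-Compliant evaluation of a Trail.

Added example, not Kosli's own implementation. The rule modelled is the one
stated in the lab: a Trail is COMPLIANT only if every attestation named in
the Flow Template is present AND none of the recorded attestations is itself
non-compliant.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Parsed form of this lab's flow-template.yaml, written inline (constructed)
# so the example runs offline without a YAML library.
FLOW_TEMPLATE: Dict = {
    "version": 1,
    "trail": {
        "artifacts": [
            {"name": "application",
             "attestations": [{"name": "unit-tests", "type": "junit"}]},
            {"name": "docker-image",
             "attestations": [{"name": "sbom", "type": "generic"}]},
        ]
    },
}


@dataclass
class Attestation:
    """One piece of recorded evidence on a Trail (constructed sample data)."""
    artifact: Optional[str]   # None means the attestation is on the Trail itself
    name: str
    compliant: bool = True    # e.g. a junit report with failing tests is False


@dataclass
class Verdict:
    compliant: bool
    missing: List[str] = field(default_factory=list)  # required but never recorded
    failed: List[str] = field(default_factory=list)   # recorded but non-compliant


def evaluate_trail(template: Dict, recorded: List[Attestation]) -> Verdict:
    """Check presence of every required attestation, then check that nothing
    recorded is non-compliant. Both conditions must hold for COMPLIANT."""
    verdict = Verdict(compliant=True)
    recorded_keys = {(a.artifact, a.name) for a in recorded}

    # Trail-level requirements (this lab's template has none, but the format allows them).
    for req in template["trail"].get("attestations", []):
        if (None, req["name"]) not in recorded_keys:
            verdict.missing.append(f"trail/{req['name']}")

    # Per-artifact requirements.
    for artifact in template["trail"].get("artifacts", []):
        for req in artifact.get("attestations", []):
            if (artifact["name"], req["name"]) not in recorded_keys:
                verdict.missing.append(f"{artifact['name']}/{req['name']}")

    # Presence is not enough: a recorded attestation can itself be non-compliant.
    for a in recorded:
        if not a.compliant:
            verdict.failed.append(f"{a.artifact or 'trail'}/{a.name}")

    verdict.compliant = not verdict.missing and not verdict.failed
    return verdict


def gate_exit_code(template: Dict, recorded: List[Attestation]) -> int:
    """Mirror the CLI contract: 0 lets the Deploy job continue, 1 fails it."""
    return 0 if evaluate_trail(template, recorded).compliant else 1


def with_extra_requirement(template: Dict, artifact_name: str, attestation: Dict) -> Dict:
    """Return a copy of the template with one more required attestation on an
    artifact, like the lab's edit that adds performance-test to docker-image."""
    updated = copy.deepcopy(template)
    for art in updated["trail"]["artifacts"]:
        if art["name"] == artifact_name:
            art["attestations"].append(attestation)
    return updated


# Constructed sample evidence matching what the Lab 3 pipeline records.
FULLY_ATTESTED = [
    Attestation("application", "unit-tests"),
    Attestation("docker-image", "sbom"),
]

if __name__ == "__main__":
    print("baseline:", evaluate_trail(FLOW_TEMPLATE, FULLY_ATTESTED))
    stricter = with_extra_requirement(
        FLOW_TEMPLATE, "docker-image", {"name": "performance-test", "type": "generic"})
    print("missing requirement:", evaluate_trail(stricter, FULLY_ATTESTED))
    broken_tests = [Attestation("application", "unit-tests", compliant=False),
                    Attestation("docker-image", "sbom")]
    print("failed attestation:", evaluate_trail(FLOW_TEMPLATE, broken_tests))
```

The `Verdict` separates "missing" from "failed" because the two call for different fixes in a pipeline: a missing entry means a step never ran `kosli attest`, while a failed entry means the evidence was recorded but did not pass (for example, a junit attestation with failing tests).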
- Commit the `flow-template.yaml` and the changes to `.github/workflows/full-pipeline.yaml`:

  ```shell
  git add flow-template.yaml .github/workflows/full-pipeline.yaml
  git commit -m "Add Flow Template and Release Gate"
  git push origin main
  ```

- Watch the GitHub Actions workflow run.
- The `Create/Update Flow` step will update your Flow definition.
- The build and attestations will proceed as normal.
- The `Assert Compliance` step in the `Deploy` job will check the status.
- Since you are providing all required attestations, the gate should pass (Green).
- Go to app.kosli.com.
- Navigate to your Flow (`labs-pipeline`).
- Click on the latest Trail.
- You should see the Compliance status is COMPLIANT (Green).
- You can see the template requirements listed and checked off.
To see the gate in action, you can simulate a failure.
- Edit `flow-template.yaml` to require a non-existent attestation:

  ```yaml
  # ... existing content ...
      - name: docker-image
        attestations:
          - name: sbom
            type: generic
          - name: performance-test # We haven't implemented this yet!
            type: generic
  ```

- Commit and push.
- Watch the pipeline.
- The `Assert Compliance` step should fail, preventing the `Deploy to production` step from running.
- In the Kosli UI, the Trail will be marked NON-COMPLIANT.
💡 Don't forget to revert this change to make your pipeline green again!
Before moving to the next lab, ensure you have:
- ✅ Created `flow-template.yaml`
- ✅ Updated the workflow to apply the template
- ✅ Added `kosli assert artifact` to the Deploy job
- ✅ Verified that a fully attested build passes the gate
- ✅ Verified that the Trail shows as "COMPLIANT" in the Kosli UI
If you did the optional non-compliance test, make sure to revert flow-template.yaml to its working state.
In Lab 5: Runtime Controls, you'll learn how to create environments, snapshot what's running in production, and enforce compliance policies.