CLI reference
Source of truth: rookery/cilock/cmd/cilock/main.go and rookery/cilock/internal/cmd/. All defaults and flag names below match cilock 1.0.1.
GitHub Action reference
Source of truth: cilock-action/action.yml.
GitLab component reference
Source of truth: cilock-action/gitlab/cilock.gitlab-ci.yml and cilock-action/gitlab/README.md.
Attestor catalog
Every attestor compiled into the default cilock binary (verified against cilock 1.0.1's cilock attestors list output), with its predicate type URL, lifecycle phase, and a one-line summary. Per-attestor JSON schemas live upstream in the witness docs (linked in the table); cilock and witness use compatible schemas, with cilock attestation types namespaced under https//witness.dev/attestations//v0.1. Cilock accepts both via legacy aliases. Several attestors emit upstream-typed predicates (SLSA, OpenVEX, in-toto link, SLSA VSA) instead of an aflock-namespaced one; those exact types are shown in the table.
Policy schema
A cilock policy is a signed DSSE document that declares which attestation collections must appear, which functionaries are trusted to sign each step, and which OPA Rego rules must pass against attestation contents.
Configuration
Cilock supports a YAML config file that persists CLI flag values, so you don't have to repeat them on every invocation. CLI flags always override config file values.
Compatibility
What cilock is built for, tested against, and known to interoperate with.