Skip to main content
In this tutorial, we will run Snyk scans against the Kosli CLI git repo and attest the results to a Kosli trail. By the end, you will have a Kosli trail with attested Snyk scan results that you can view in the Kosli app.

Prerequisites

To follow the steps in this tutorial, you need to:

Setup

Set the KOSLI_ORG environment variable to your personal org name and KOSLI_API_TOKEN to your token: 
export KOSLI_ORG=<your-personal-kosli-org-name>
export KOSLI_API_TOKEN=<your-api-token>
Clone the Kosli CLI git repo: 
git clone https://github.com/kosli-dev/cli.git
cd cli

Create a Flow and Trail

We will start by creating a flow in Kosli to contain trails and artifacts for this tutorial: 
kosli create flow snyk-demo --use-empty-template
You should see: flow snyk-demo was created. Then start a trail to bind our Snyk attestations to: 
kosli begin trail test-1 --flow snyk-demo
You should see: trail 'test-1' was begun.

Attest Snyk scans

We can now run Snyk scans and attest them to the trail. After each attestation, you can verify the result by navigating to https://app.kosli.com/`your-personal-org-name`/flows/snyk-demo/trails/test-1 in the Kosli app.

Open Source scan

Snyk Open Source finds vulnerabilities in the open-source libraries used by your application: 
snyk test --sarif-file-output=os.json

kosli attest snyk --flow snyk-demo --trail test-1 --name open-source-scan --scan-results os.json --commit HEAD
You should see: snyk attestation 'open-source-scan' is reported to trail: test-1.

Code scan

Snyk Code scans your source code for security issues: 
snyk code test --sarif-file-output=code.json

kosli attest snyk --flow snyk-demo --trail test-1 --name code-scan --scan-results code.json --commit HEAD
You should see: snyk attestation 'code-scan' is reported to trail: test-1.

Container scan

Snyk Container scans container images for security issues: 
docker pull ghcr.io/kosli-dev/cli:v2.8.3
snyk container test ghcr.io/kosli-dev/cli:v2.8.3 --file=Dockerfile --sarif-file-output=container.json

kosli attest snyk --flow snyk-demo --trail test-1 --name container-scan --scan-results container.json --commit HEAD
You should see: snyk attestation 'container-scan' is reported to trail: test-1.

IaC scan

Snyk IaC scans IaC configuration files (Terraform, Kubernetes, Helm) for security issues: 
helm template ./charts/k8s-reporter --output-dir helm \
  --set kosliApiToken.secretName=secret \
  --set reporterConfig.kosliEnvironmentName=foo \
  --set reporterConfig.kosliOrg=bar

snyk iac test helm --sarif-file-output=helm.json

kosli attest snyk --flow snyk-demo --trail test-1 --name helm-scan --scan-results helm.json --commit HEAD
You should see: snyk attestation 'helm-scan' is reported to trail: test-1.

What you’ve accomplished

You have run four types of Snyk scans and attested each result to a Kosli trail. The trail now holds a tamper-proof record of your scan findings, linked to a specific git commit. From here you can:
Last modified on March 10, 2026