clnstrt-cli is a Docker-based CLI tool that handles the entire DevOps supply chain security workflow by analyzing images, generating attestations, scanning for vulnerabilities, signing artifacts, and verifying provenance. The command-line binary is clnstrt, which is separate from cleanimg (the Rust-based declarative image builder). While cleanimg handles low-level image construction, clnstrt-cli focuses on making DevOps workflows accessible to security and operations teams.
Installation
Linux/macOS (Recommended)
Download the latest release, make it executable, verify the installation, and optionally install to PATH.
Docker
You can run clnstrt-cli as a container using docker run --rm -v $(pwd):/workspace cleanstart/clnstrt-cli:latest sign --image my-app:latest.
From Source
Clone the repository, change into the directory, build it, and verify the build.
Core Commands
1. sign — Sign Images and Attestations
Purpose: Sign OCI images with cryptographic keys and attach attestations.
You can sign with a Cosign key, a Cloud KMS key, or a key supplied through an environment variable, include a SLSA provenance attestation, or sign with a custom certificate.
Output: The image is signed with a Cosign signature, attestations are attached to the image, and the matching verification command is printed for reference.
2. verify — Verify Signatures and Compliance
Purpose: Cryptographically verify image signatures and check security compliance.
You can verify an image signature, verify with a KMS public key, verify with a certificate, verify and require specific attestations, verify against a policy file, run verbose verification with detailed output, check FIPS compliance, and fail if vulnerabilities exceed a threshold.
Exit Codes: 0 means all verifications passed, 1 means signature verification failed, 2 means compliance checks failed, 3 means image not found.
3. generate-sbom — Create Software Bill of Materials
Purpose: Generate SPDX/CycloneDX SBOMs from source code or container images.
You can generate an SBOM from a directory or an image, choose SPDX or CycloneDX format, include build metadata, perform a deep scan for hidden dependencies, or filter to production dependencies only.
Output: SPDX 3.0 or CycloneDX 1.4 format, compatible with the wider SBOM tooling ecosystem.
4. analyze-dependencies — Supply Chain Risk Assessment
Purpose: Query CleanStart Source Intelligence Core for dependency vulnerabilities and risk scores.
You can analyze all dependencies, analyze a specific package, get a risk score and threat intelligence, fail if any dependency has high risk, get recommendations for vulnerable dependencies, or show supply chain attestations.
Intelligence queried includes known vulnerabilities from NVD/GHSA/OSV, package registry metadata (ownership, signing), typosquatting and namespace hijacking risks, and dependency graph analysis (transitive risks).
5. risk-report — Generate Security Assessment Report
Purpose: Produce human-readable and machine-readable security reports.
You can generate an HTML report, a JSON report for automation, or a PDF report for compliance, include provenance and attestation information, compare against a security policy, or generate a trend analysis over time.
Report contents include a vulnerability summary, FIPS/STIG compliance status, attestation status (SLSA, SBOM, provenance), recommendations and remediation steps, and an audit trail with timestamps.
Common Workflows
Workflow 1: Build, Sign, and Push
A typical workflow builds the image, generates an SBOM, signs the image with attestations, pushes it to the registry, and verifies it in the registry.
Workflow 2: Dependency Scanning and Risk Assessment
This workflow generates an SBOM from source, analyzes the dependencies, generates a risk report, and exits with failure if critical issues are found.
Workflow 3: Pre-Deployment Verification
This workflow verifies the signature, verifies FIPS compliance, verifies that the required attestations are present, and confirms the image is ready for production.
Workflow 4: Compliance Reporting
This workflow generates a report for audit with a FIPS compliance check, includes the provenance chain for compliance, and creates a timestamped audit report.
Configuration Files
.clnstrtrc (Local Configuration)
This file sets default behavior: signing format, verification requirements, SBOM settings, and intelligence endpoint configuration.
security-policy.yaml (Security Policy)
The policy file defines signing requirements, required attestations, the minimum SLSA level, vulnerability thresholds, FIPS requirements, and allowed registries.
Environment Variables
Configuration can also be supplied through environment variables: COSIGN_KEY_PATH, COSIGN_PASSWORD, KMS_KEY, INTELLIGENCE_ENDPOINT, INTELLIGENCE_API_KEY, SECURITY_POLICY, OUTPUT_FORMAT, OUTPUT_FILE, LOG_LEVEL, and LOG_FILE.
Exit Codes and Error Handling
Exit codes communicate results: 0 for success, 1 for signature verification failed, 2 for compliance check failed, 3 for image not found, 4 for network error, 5 for invalid configuration, and 64 for invalid command line.
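The exit codes above are what a CI gate for Workflow 3 (pre-deployment verification) should branch on: only code 4 (network error) is transient and worth retrying, while 1, 2, 3, 5 and 64 are deterministic failures that must block deployment. The script below is an added example, not part of clnstrt-cli; the CLNSTRT variable and the --image / --policy flags on verify are assumptions used for illustration.

```shell
#!/bin/sh
# Added example (not clnstrt-cli code): a pre-deployment gate built on the
# documented clnstrt exit codes. CLNSTRT and the "--image"/"--policy" flags
# are assumptions for illustration.
CLNSTRT="${CLNSTRT:-clnstrt}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"

# classify_exit CODE: print the gate decision for one clnstrt exit code.
# 0 ok, 1 signature, 2 compliance, 3 not found, 4 network, 5 config, 64 usage.
classify_exit() {
  case "$1" in
    0)          echo "pass" ;;
    4)          echo "retry" ;;   # transient network error: safe to retry
    1|2|3|5|64) echo "fail" ;;    # deterministic: retrying cannot help
    *)          echo "fail" ;;    # unknown code: never treat as success
  esac
}

# verify_gate IMAGE POLICY: run "clnstrt verify", retrying only on network
# errors. Returns 0 when the image may be deployed, 1 otherwise.
verify_gate() {
  image="$1"; policy="$2"; attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    # capture the exit status without tripping "set -e"
    if "$CLNSTRT" verify --image "$image" --policy "$policy"; then
      code=0
    else
      code=$?
    fi
    case "$(classify_exit "$code")" in
      pass)  echo "gate: $image verified (exit 0)"; return 0 ;;
      retry) echo "gate: network error (exit 4), attempt $attempt/$MAX_ATTEMPTS" >&2
             attempt=$((attempt + 1)) ;;
      *)     echo "gate: $image blocked, clnstrt exit code $code" >&2; return 1 ;;
    esac
  done
  echo "gate: giving up after $MAX_ATTEMPTS network errors" >&2
  return 1
}

# usage: ./gate.sh IMAGE [POLICY]
if [ "$#" -ge 1 ]; then
  verify_gate "$1" "${2:-security-policy.yaml}"
fi
```

Run it as a CI step after the signing job; the job fails on any non-zero exit from verify_gate, so a compliance or signature failure can never be masked by a retry.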
Performance Tuning
You can enable parallel scanning with a specified job count, enable caching of results with a TTL, or set a timeout for intelligence queries.
Troubleshooting
Signing Key Not Found
Check that the key file exists, verify that the key is readable, or pass an explicit key path.
Verification Fails
Get detailed error information with verbose output, check that the image exists in the registry, or verify the signature with Cosign directly.
Intelligence Core Unreachable
Check the configured endpoint, set a custom endpoint, or try an alternative intelligence service.
SBOM Generation Empty
Run SBOM generation in verbose mode, check that the project's languages and package managers are supported, or force a deep scan.
