CLI reference
Source of truth: rookery/cilock/cmd/cilock/main.go and rookery/cilock/internal/cmd/. All defaults and flag names below match cilock 1.1.0.
GitHub Action reference
Source of truth: cilock-action/action.yml.
GitLab component reference
Source of truth: cilock-action/gitlab/cilock.gitlab-ci.yml and cilock-action/gitlab/README.md.
Attestor catalog
Every attestor compiled into the default cilock binary (verified against cilock 1.1.0's cilock attestors list output), with its predicate type URL, lifecycle phase, and a one-line summary. Per-attestor JSON schemas live upstream in the witness docs (linked in the table); CI/lock and witness use compatible schemas, with CI/lock attestation types namespaced under https://witness.dev/attestations//v0.1. CI/lock accepts both via legacy aliases. Several attestors emit upstream-typed predicates (SLSA, OpenVEX, in-toto link, SLSA VSA) instead of an aflock-namespaced one; those exact types are shown in the table.
Policy schema
A CI/lock policy is a signed DSSE document that declares which attestation collections must appear, which functionaries are trusted to sign each step, and which OPA Rego rules must pass against attestation contents.
Configuration
CI/lock supports a YAML config file that persists CLI flag values, so you don't have to repeat them on every invocation. CLI flags always override config file values.
Compatibility
What CI/lock is built for, tested against, and known to interoperate with.