At Kosli, we believe that governance in software delivery shouldn’t be a bottleneck – it should be an extension of how your teams already work. That’s why we’re excited to introduce custom attestations in Kosli.
Here’s the short version:
➡️ What are custom attestations? They let you record facts about your workflows – with evidence – using controls that actually match your processes.
➡️ Why does this matter? Because generic attestations can miss the mark: they’re either too rigid or too broad, leaving gaps in trust and compliance.
➡️ What’s new? Now you can define your own attestation types, complete with schemas and evaluation criteria, so your governance reflects your reality – not just what’s written in a framework.
What’s in scope?
✔️ A new Attestations section in Kosli – including a Firehose page showing all attestations and a Types page for managing custom types.
✔️ Custom attestation types you can define, version, and reuse across flows, environments, and policies.
✔️ Support for different evaluation strategies – with the first implementation using JQ matchers for flexible JSON-based evaluation.
These custom types bring governance closer to how you actually work, ensuring that every attestation is tied to real evidence and real evaluation – without losing speed.
Key insights & resources
We’ve seen firsthand how generic attestations can leave gaps in trust. Custom attestations close that gap by letting you:
✔️ Define the data schema and evaluation criteria for your attestation.
✔️ Use the same flexibility in flows, environments, and controls.
✔️ Keep a clear audit trail of how compliance was evaluated – including links back to your Git commits, CI runs, and the evaluation result.
Want to learn more? We’ve gathered these deep dives and related resources to help you get started:
- Making Kosli Generic Attestations – the basics of attestation data and why they matter
- Moving to a Zero Trust Model with Kosli’s Custom Attestations – how custom attestations support a Zero Trust mindset
- Migrating Generic Attestations to Custom Attestations – how to transition from generic to custom attestations smoothly
- Using Kosli Attest in GitHub Action Workflows: Some Tips – making these new attestations work in your CI/CD pipelines
Let’s keep building
This is just the first step. We’re actively exploring ways to:
✔️ Provide easier schema creation and testing tools
✔️ Support other evaluation strategies (like Rego or JSON Logic) for even more flexibility
✔️ Make governance more dynamic and evidence-based across the SDLC
We’d love to hear how you’re tackling governance in your environments. Are generic controls holding you back? Have you already tried to map custom governance to your flows?