Skip to main content
The preferred way to manage custom attestation types is via the , so your Kosli configuration is version-controlled alongside your infrastructure. You can also manage custom attestation types through the Kosli CLI.
This page covers managing custom attestation types via Terraform. For an introduction to custom attestation types and creating them via the CLI, see Getting started: Attestations.
Custom attestation types define how Kosli validates evidence from tools that don’t have a built-in Kosli attestation command. Each type can include:
  • A JSON Schema (optional) that defines the expected structure of attestation data
  • jq rules (optional) that evaluate the data to determine compliance
At least one of the two must be provided.

Create a custom attestation type

With schema and jq rules

resource "kosli_custom_attestation_type" "security_scan" {
  name        = "security-scan"
  description = "Validates security scan results"

  schema = jsonencode({
    type = "object"
    properties = {
      critical_vulnerabilities = { type = "integer" }
      high_vulnerabilities     = { type = "integer" }
      scan_date                = { type = "string" }
    }
    required = ["critical_vulnerabilities", "high_vulnerabilities", "scan_date"]
  })

  jq_rules = [
    ".critical_vulnerabilities == 0",
    ".high_vulnerabilities < 5"
  ]
}

With jq rules only

resource "kosli_custom_attestation_type" "code_coverage" {
  name        = "code-coverage"
  description = "Requires at least 80% line coverage"

  jq_rules = [".line_coverage >= 80"]
}

With schema only

resource "kosli_custom_attestation_type" "deployment_record" {
  name        = "deployment-record"
  description = "Validates deployment record structure"

  schema = jsonencode({
    type = "object"
    properties = {
      deployed_by = { type = "string" }
      deployed_at = { type = "string" }
      environment = { type = "string" }
    }
    required = ["deployed_by", "deployed_at", "environment"]
  })
}

Import an existing custom attestation type

If you have custom attestation types created via the CLI, you can bring them under Terraform management by importing them into your .
  1. Find the attestation type name in the Kosli UI or run:
kosli list attestation-types
  1. Add a matching kosli_custom_attestation_type resource block to your configuration.
  2. Run the import: 
terraform import kosli_custom_attestation_type.security_scan security-scan
  1. Verify with terraform plan — no changes should be planned if the import succeeded.

Reference

Last modified on March 16, 2026