# grekt trust

Sign an artifact as trusted using HMAC SHA256. Trusted artifacts are excluded from `--fail-on` evaluation in `grekt scan`.

```bash
grekt trust <artifact>
grekt trust --generate-key
```

## Arguments
| Argument | Description |
|---|---|
| `artifact` | Artifact ID (e.g., `@scope/name`). Optional when using `--generate-key`. |

## Options
| Option | Description |
|---|---|
| `--generate-key` | Generate a new `GREKT_TRUST_KEY` for HMAC signing |

## Environment variables
| Variable | Description |
|---|---|
| `GREKT_TRUST_KEY` | Required for signing. Generate with `--generate-key`. |

## What it does

Signs the artifact ID with HMAC SHA256 using your `GREKT_TRUST_KEY` and writes the signature to `grekt.yaml`:

```yaml
# Before
artifacts:
  "@sketchy/tool": "1.0.0"

# After
artifacts:
  "@sketchy/tool":
    version: "1.0.0"
    mode: lazy
    trusted: "grk_sig_a1b2c3..."
```

The signature covers only the artifact ID (not the version), so trust persists across version bumps.
## Security model

- Only the holder of `GREKT_TRUST_KEY` can produce valid signatures
- `trusted: true` (plain boolean) is rejected — only HMAC signatures are accepted
- Without `GREKT_TRUST_KEY` set, all trust is ignored (safe default)
- Forged signatures fail HMAC verification using constant-time comparison
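The following is an added illustration of the security model above, written for this page; it is not grekt's own code. It assumes the `grk_trust_` and `grk_sig_` prefixes seen in the page's examples are followed by hex-encoded bytes, and it models `grekt.yaml` as a plain dictionary and scan findings as constructed sample records (the rule names and severities are made up for the demo). It shows why a signature bound only to the artifact ID survives a version bump, why a plain boolean `trusted: true` is rejected, why nothing is trusted when the key is absent, and how a tampered signature fails the constant-time comparison.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Optional

# Prefixes as they appear in the page's examples; hex after the prefix is an
# assumption of this illustration, not grekt's documented format.
KEY_PREFIX = "grk_trust_"
SIG_PREFIX = "grk_sig_"


def generate_key() -> str:
    """What --generate-key conceptually does: mint a random secret (assumed 32 bytes, hex)."""
    return KEY_PREFIX + secrets.token_hex(32)


def sign_artifact(artifact_id: str, key: str) -> str:
    """HMAC-SHA256 over the artifact ID only, so the signature survives version bumps."""
    mac = hmac.new(key.encode("utf-8"), artifact_id.encode("utf-8"), hashlib.sha256)
    return SIG_PREFIX + mac.hexdigest()


def is_trusted(artifact_id: str, entry: Any, key: Optional[str]) -> bool:
    """Decide whether a grekt.yaml artifact entry carries a valid trust signature.

    Mirrors the security model on the page:
      * no key in the environment   -> every trust claim is ignored
      * plain boolean `trusted: true` -> rejected
      * anything else must equal the HMAC for this artifact, compared in constant time
    """
    if not key:
        return False
    if not isinstance(entry, dict):
        return False  # short form ("@scope/name": "1.0.0") carries no trust field
    claimed = entry.get("trusted")
    if not isinstance(claimed, str) or not claimed.startswith(SIG_PREFIX):
        return False  # booleans and any other type are rejected outright
    expected = sign_artifact(artifact_id, key)
    # Constant-time comparison: a forged value that shares a prefix leaks no timing.
    return hmac.compare_digest(claimed.encode("utf-8"), expected.encode("utf-8"))


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def gate_findings(findings: List[Dict[str, str]], artifacts: Dict[str, Any],
                  key: Optional[str], fail_on: str) -> List[Dict[str, str]]:
    """--fail-on style gating: findings at or above the threshold on untrusted artifacts."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] < threshold:
            continue
        if is_trusted(finding["artifact"], artifacts.get(finding["artifact"]), key):
            continue  # trusted artifacts are skipped, exactly as the WARNING says
        blocking.append(finding)
    return blocking


# Constructed sample data: a scan's findings (rule names invented for the demo).
SAMPLE_FINDINGS = [
    {"artifact": "@sketchy/tool", "severity": "high", "rule": "network-access"},
    {"artifact": "@sketchy/tool", "severity": "low", "rule": "broad-permissions"},
    {"artifact": "@other/pkg", "severity": "critical", "rule": "obfuscated-code"},
    {"artifact": "@other/pkg", "severity": "medium", "rule": "eval-usage"},
]


def demo(key: Optional[str]) -> List[Dict[str, str]]:
    """Gate SAMPLE_FINDINGS at --fail-on medium against a constructed artifacts section."""
    artifacts = {
        "@sketchy/tool": {"version": "1.0.0", "mode": "lazy",
                          "trusted": sign_artifact("@sketchy/tool", key) if key else "grk_sig_unsigned"},
        "@other/pkg": {"version": "2.3.1", "trusted": True},  # plain boolean: rejected
    }
    return gate_findings(SAMPLE_FINDINGS, artifacts, key, "medium")


if __name__ == "__main__":
    k = generate_key()
    print("with key   :", [f["rule"] for f in demo(k)])
    print("without key:", [f["rule"] for f in demo(None)])
```

With the key present, only the two `@other/pkg` findings block (its boolean `trusted: true` is ignored); without the key, the `@sketchy/tool` high finding blocks as well, which is the "all trust is ignored" safe default.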
## Examples

Generate a new trust key:

```bash
grekt trust --generate-key
```

Sign an artifact:

```bash
export GREKT_TRUST_KEY="grk_trust_..."
grekt trust @sketchy/tool
```

**WARNING:** Trusting an artifact does not make it safe. It only tells grekt to skip it during `--fail-on` evaluation. Always review the scan findings before trusting.
## Related

- Security gating in CI/CD — Full setup guide with pipeline examples
- `grekt untrust` — Remove trusted status
- `grekt scan` — Scan artifacts with `--fail-on` threshold