New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

@transmute/cli

Package Overview
Dependencies
Maintainers
0
Versions
70
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@transmute/cli

Transmute Command Line Interface

  • 0.9.5
  • latest
  • Source
  • npm
  • Socket score
Version published
Weekly downloads
35
decreased by-20.45%
Maintainers
0
Weekly downloads
 
Created
Source

Transmute

CI NPM

Questions?

Usage

GitHub Action

name: CI
on: [push]
jobs:
  scitt:
    runs-on: ubuntu-latest
    steps:
      - name: Issue Statement
        id: issue_statement
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt issue-statement ./tests/fixtures/private.sig.key.cbor \
            ./tests/fixtures/message.json \
            --output ./tests/fixtures/message.hash-envelope.cbor
      - name: Verify Statement Hash
        id: verify_message
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt verify-statement-hash ./tests/fixtures/public.sig.key.cbor \
            ./tests/fixtures/message.hash-envelope.cbor \
            3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22
      - name: Issue Receipt
        id: issue_receipt
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt issue-receipt ./tests/fixtures/private.notary.key.cbor \
            ./tests/fixtures/message.hash-envelope.cbor \
            --log ./tests/fixtures/trans.json
      - name: Verify Receipt Hash
        id: verify_receipt
        uses: transmute-industries/transmute@main
        with:
          transmute: |
            scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor \
            ./tests/fixtures/message.hash-envelope-with-receipt.cbor \
            3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22

See CI for more examples.

Nodejs CLI

Install as global binary:

npm i -g @transmute/cli@latest
Getting Started

echo '"@context":
  - https://www.w3.org/ns/credentials/v2
  - https://www.w3.org/ns/credentials/examples/v2
type:
  - VerifiableCredential
  - MyPrototypeCredential
credentialSubject:
  !sd mySubjectProperty: mySubjectValue
' > ./tests/fixtures/issuer-disclosable-claims.yaml

echo '"@context":
  - https://www.w3.org/ns/credentials/v2
  - https://www.w3.org/ns/credentials/examples/v2
type:
  - VerifiableCredential
  - MyPrototypeCredential
credentialSubject:
  mySubjectProperty: mySubjectValue
' > ./tests/fixtures/holder-disclosed-claims.yaml

transmute jose keygen --alg ES256 \
--output ./tests/fixtures/private.sig.jwk.json

transmute vcwg issue-credential ./tests/fixtures/private.sig.jwk.json \
 ./tests/fixtures/issuer-disclosable-claims.yaml \
--credential-type application/vc-ld+sd-jwt \
--output ./tests/fixtures/issuer-disclosable-claims.sd-jwt

See scripts for more examples.

graph after ci runs

TODO: all command examples

Use Cases

Software Supply Chain

In Search of Transparency
Product Integrity

sbom-tool generate -b ./dist -bc ./ -pn transmute -ps transmute.industries \
-pv `jq -r .version package.json` -nsu `git rev-parse --verify HEAD`

transmute scitt issue-statement ./tests/fixtures/private.notary.key.cbor \
./dist/_manifest/spdx_2.2/manifest.spdx.json \
--iss https://software.vendor.example \
--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
--content-type application/spdx+json \
--location https://github.com/.../dist/_manifest/spdx_2.2/manifest.spdx.json \
--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor

transmute scitt issue-receipt ./tests/fixtures/private.notary.key.cbor \
./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
--iss https://software.notary.example \
--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
--log ./tests/fixtures/trans.json \
--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor

transmute scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor \
./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
`cat ./dist/_manifest/spdx_2.2/manifest.spdx.json.sha256`
command line image of build script execution
Compliance Automation
name: CI
on: [push]
jobs:
  scitt:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Push Transparency
        uses: transmute-industries/transmute@main
        with:
          neo4j-uri: ${{ secrets.NEO4J_URI }}
          neo4j-user: ${{ secrets.NEO4J_USERNAME }}
          neo4j-password: ${{ secrets.NEO4J_PASSWORD }}
          transmute: |
            graph assist ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
              --credential-type application/cose \
              --graph-type application/gql \
              --push
graph query results

Keywords

FAQs

Package last updated on 27 Aug 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Oracle Drags Its Feet in the JavaScript Trademark Dispute

Security News

Oracle Drags Its Feet in the JavaScript Trademark Dispute

Oracle seeks to dismiss fraud claims in the JavaScript trademark dispute, delaying the case and avoiding questions about its right to the name.

By Sarah Gooding  -  Feb 07, 2025
SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc