openvet update
Fetch and verify the trusted logs, pinning their heads into openvet.lock.
openvet update reaches out to every log declared in openvet.toml,
verifies its signature chain forward from the previously pinned head (or
from the trust root, on a first run), and writes the new verified head
into openvet.lock.
Usage #
openvet updateThe command does no policy evaluation — that’s openvet check’s
job. update is purely about advancing your pinned view of the logs.
When to run it #
- The first time you set up a project (after
openvet init). - Whenever you want to consume newly published audits (no fixed cadence — run it when you need fresh audit material).
- After editing the
[[logs]]table inopenvet.toml.
update should not run automatically in CI: CI’s job is to verify the
pinned state, not to advance it.
TODO: document
--log <id>for selective updates and--forcefor reset-to-trust-root semantics.