chore: Add dirhash examples to tutorial

Signed-off-by: Matthias Glastra <[email protected]>

docs/tutorials/getting-started.md

@@ -1,6 +1,7 @@
 # Getting Started
 
 ## Intro
+
 This quick tutorial will walk you through a simple example of how Witness can be used. To complete it
 successfully, you will need the following:
 
@@ -16,12 +17,14 @@ You will also of course need to have witness installed, which can be achieved by
 ### 1. Create a Keypair
 
 ><span class="tip-text">💡 Tip: Witness supports keyless signing with [SPIRE](https://spiffe.io/)!</span>
-```
+
+```shell
 openssl genpkey -algorithm ed25519 -outform PEM -out testkey.pem
 openssl pkey -in testkey.pem -pubout > testpub.pem
 ```
 
 ### 2. Create a Witness Configuration
+
 ><span class="tip-text">💡 Tip: Witness supports creating attestations for a wide variety of services,
 > including Github Actions </span>
 
@@ -30,7 +33,7 @@ openssl pkey -in testkey.pem -pubout > testpub.pem
 - `witness help` will show all configuration options
 - command-line arguments overrides configuration file values.
 
-```
+```yaml
 ## .witness.yaml
 
 run:
@@ -44,22 +47,26 @@ verify:
 ```
 
 ### 3. Record attestations for a build step
+
 ><span class="tip-text">💡 Tip: You can upload the recorded attestations to an [Archivista](https://github.com/in-toto/archivista) server by using the `--enable-archivista` flag!</span>
+
 - The `-a {attestor}` flag allows you to define which attestors run
 - ex. `-a maven -a gcp -a gitlab` would be used for a maven build running on a GitLab runner on GCP.
 - Defining step names is important, these will be used in the policy.
 - This should happen as a part of a CI step
 
-```
+```shell
 witness run --step build -o test-att.json -- go build -o=testapp .
 ```
 
+><span class="tip-text">💡 Tip: When you run a step with many files as the product of that step, like node_modules, it could be beneficial to collapse the result into a hash of the directory content. You can use `--dirhash-glob <glob-pattern>` to match the directory or use it multiple times to use different glob patterns. E.g. `--dirhash-glob node_modules/*`</span>
+
 ### 4. View the attestation data in the signed DSSE Envelope
 
 - This data can be stored and retrieved from Archivista
 - This is the data that is evaluated against the Rego policy
 
-```
+```shell
 cat test-att.json | jq -r .payload | base64 -d | jq
 ```
 
@@ -73,7 +80,7 @@ Look [here](/docs/concepts/policy.md) for full documentation on Witness Policies
 > - Witness will require all attestations to succeed
 > - Witness will evaluate the rego policy against the JSON object in the corresponding attestor
 
-```
+```json
 ## policy.json
 
 {
@@ -113,7 +120,7 @@ Look [here](/docs/concepts/policy.md) for full documentation on Witness Policies
 
 ### 6. Replace the variables in the policy
 
-```
+```shell
 id=`sha256sum testpub.pem | awk '{print $1}'` && sed -i "s/{{PUBLIC_KEY_ID}}/$id/g" policy.json
 pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json
 ```
@@ -122,19 +129,28 @@ pubb64=`cat testpub.pem | base64 -w 0` && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g
 
 Keep this key safe, its owner will control the policy gates.
 
-```
+```shell
 witness sign -f policy.json --signer-file-key-path testkey.pem --outfile policy-signed.json
 ```
 
 ### 8. Verify the Binary Meets Policy Requirements
 
-This process works across air-gap as long as you have the signed policy file, correct binary, and public key or certificate authority corresponding to the private 
-key that signed the policy.
-```
+This process works across air-gap as long as you have the signed policy file, correct binary, and public key or certificate authority corresponding to the private key that signed the policy.
+
+```shell
 witness verify -f testapp -a test-att.json -p policy-signed.json -k testpub.pem
 ```
+
+If you want to verify a directory as a subject you can use the following.
+
+```shell
+witness verify --directory-path node_modules/example -a test-att.json -p policy-signed.json -k testpub.pem
+```
+
 ### 9. Profit
+
 `witness verify` will return a `non-zero` exit and reason in the case of failure, but hopefully you should have gotten sweet sweet silence with a `0` exit status, victory! If not, try again and if that fails please [file an issue](https://github.com/in-toto/witness/issues/new/choose)!
 
 ## What's Next?
+
 If you enjoyed this intro to Witness, you might benefit from taking things a step further by learning about [Witness Policies](./artifact-policy.md).