reel upload
Requires --agent
Upload forensic artifacts to an S3 evidence vault.
Upload commands generate artifacts, send them to S3, and delete local copies. This is the primary mechanism for scheduled evidence collection. For local exports, see reel export.
S3 Flags
All upload subcommands share these S3 configuration flags:
| Flag | Description |
|---|---|
| --s3-bucket | S3 bucket name (required) |
| --s3-region | AWS region |
| --s3-secret-name | Kubernetes secret with AWS credentials |
S3 configuration can also be set via pod annotations. See S3 Evidence Vault.
Subcommands
Every export subcommand has a matching upload counterpart with identical flags plus the S3 flags above.
| Command | Artifact |
|---|---|
| upload sbom | Software Bill of Materials |
| upload cbom | Cryptographic Bill of Materials |
| upload sarif | SARIF security scan results |
| upload malware | Malware scan results |
| upload checkpoint | CRIU process state |
| upload layer | Filesystem diff |
| upload frame | Checkpoint + layer archive |
| upload memory | Memory dump (ELF core) |
| upload volatile | Runtime state snapshot |
| upload metadata | Container metadata |
| upload files | Container files |
| upload inventory | Forensic file inventory |
S3 Key Pattern
Artifacts are organized in S3 by date, type, and source:
{date}/{type}/{cluster}_{node}_{namespace}_{pod}_{container}_{timestamp}.{ext}