✨ CLI for scorecard-attestor

.gitignore

@@ -1,5 +1,6 @@
 # binary.
 scorecard
+attestor/scorecard-attestor
 scorecard.docker
 scorecard.releaser
 gitblobcache

Makefile

@@ -239,6 +239,10 @@ cron/internal/bq/data-transfer.docker: cron/internal/bq/Dockerfile $(CRON_TRANSF
 			--tag $(IMAGE_NAME)-bq-transfer && \
 			touch cron/internal/bq/data-transfer.docker
 
+build-attestor: ## Runs go build on scorecard attestor
+	# Run go build on scorecard attestor
+	cd attestor/; CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)' -o scorecard-attestor
+
 TOKEN_SERVER_DEPS = $(shell find clients/githubrepo/roundtripper/tokens/ -iname "*.go")
 build-github-server: ## Build GitHub token server
 build-github-server: clients/githubrepo/roundtripper/tokens/server/github-auth-server

attestor/.golangci.yml

@@ -0,0 +1,155 @@
+# Copyright 2022 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+run:
+  concurrency: 6
+  deadline: 5m
+issues:
+  # Maximum issues count per one linter.
+  # Set to 0 to disable.
+  # Default: 50
+  max-issues-per-linter: 0
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 0
+  new-from-rev: ""
+skip-files:
+  - cron/data/request.pb.go # autogenerated
+linters:
+  disable-all: true
+  enable:
+    - asciicheck
+    - bodyclose
+    - deadcode
+    - depguard
+    - dogsled
+    - errcheck
+    - errorlint
+    - exhaustive
+    - exportloopref
+    - gci
+    - gochecknoinits
+    - gocognit
+    - goconst
+    - gocritic
+    - gocyclo
+    - godot
+    - godox
+    - goerr113
+    - gofmt
+    - gofumpt
+    - goheader
+    - goimports
+    - gomodguard
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - makezero
+    - misspell
+    - nakedret
+    - nestif
+    - noctx
+    - nolintlint
+    - paralleltest
+    - predeclared
+    - staticcheck
+    - stylecheck
+    - thelper
+    - tparallel
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    - whitespace
+    - wrapcheck
+linters-settings:
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+  exhaustive:
+    # https://golangci-lint.run/usage/linters/#exhaustive
+    default-signifies-exhaustive: true
+  govet:
+    enable:
+      - fieldalignment
+  godox:
+    keywords:
+      - BUG
+      - FIXME
+      - HACK
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/ossf/scorecard)
+  gocritic:
+    enabled-checks:
+      # Diagnostic
+      - appendAssign
+      - badCond
+      - caseOrder
+      - codegenComment
+      - commentedOutCode
+      - deprecatedComment
+      - dupBranchBody
+      - dupCase
+      - dupSubExpr
+      - exitAfterDefer
+      - flagName
+      - nilValReturn
+      - weakCond
+      - octalLiteral
+
+      # Performance
+      - appendCombine
+      - hugeParam
+      - rangeExprCopy
+      - rangeValCopy
+
+      # Style
+      - boolExprSimplify
+      - captLocal
+      - commentFormatting
+      - commentedOutImport
+      - defaultCaseOrder
+      - docStub
+      - elseif
+      - emptyFallthrough
+      - hexLiteral
+      - ifElseChain
+      - methodExprCall
+      - singleCaseSwitch
+      - typeAssertChain
+      - typeSwitchVar
+      - underef
+      - unlabelStmt
+      - unlambda
+
+      # Opinionated
+      - builtinShadow
+      - importShadow
+      - initClause
+      - nestingReduce
+      - paramTypeCombine
+      - ptrToRefParam
+      - typeUnparen
+      - unnecessaryBlock
+  wrapcheck:
+    ignorePackageGlobs:
+      - github.com/ossf/scorecard/v4/checks/fileparser

attestor/command/check.go

@@ -0,0 +1,85 @@
+package command
+
+import (
+	"context"
+	"os"
+
+	"github.com/golang/glog"
+	"github.com/ossf/scorecard-attestor/policy"
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/checks"
+	sclog "github.com/ossf/scorecard/v4/log"
+	"github.com/ossf/scorecard/v4/pkg"
+)
+
+func checkCommand() {
+	ctx := context.Background()
+
+	// Read the Binauthz attestation policy
+	if policyPath == "" {
+		exitOnBadFlags(SignerMode(mode), "policy path is empty")
+	}
+	attestationPolicy, err := policy.ParseAttestationPolicyFromFile(policyPath)
+	if err != nil {
+		glog.Fatalf("Fail to load scorecard attestation policy: %v", err)
+	}
+
+	if repoURL == "" {
+		buildRepo := os.Getenv("REPO_NAME")
+		if buildRepo == "" {
+			exitOnBadFlags(SignerMode(mode), "repoURL not specified")
+		}
+		repoURL = buildRepo
+		glog.Infof("Found repo URL %s Cloud Build environment", repoURL)
+	} else {
+		glog.Infof("Running scorecard on %s", repoURL)
+	}
+
+	if commitSHA == "" {
+		buildSHA := os.Getenv("COMMIT_SHA")
+		if buildSHA == "" {
+			glog.Infof("commit not specified, running on HEAD")
+		} else {
+			commitSHA = buildSHA
+			glog.Infof("Found revision %s Cloud Build environment", commitSHA)
+		}
+	}
+
+	logger := sclog.NewLogger(sclog.DefaultLevel)
+
+	repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients(
+		ctx, repoURL, "", logger)
+
+	enabledChecks := map[string]checker.Check{
+		"BinaryArtifacts": {
+			Fn: checks.BinaryArtifacts,
+			SupportedRequestTypes: []checker.RequestType{
+				checker.CommitBased,
+			},
+		},
+	}
+
+	repoResult, err := pkg.RunScorecards(
+		ctx,
+		repo,
+		commitSHA,
+		enabledChecks,
+		repoClient,
+		ossFuzzRepoClient,
+		ciiClient,
+		vulnsClient,
+	)
+	if err != nil {
+		glog.Fatalf("RunScorecards: %w", err)
+	}
+
+	result, err := policy.RunChecksForPolicy(attestationPolicy, &repoResult.RawResults)
+	if err != nil {
+		glog.Fatalf("Error when evaluating image %q against policy", image)
+	}
+	if result != policy.Pass {
+		glog.Errorf("policy check failed on image %s:", image)
+		os.Exit(1)
+	}
+	glog.Infof("Image %q passes policy check", image)
+}