Skip to content

Commit

Permalink
Revert demo changes to good state (#17)
Browse files Browse the repository at this point in the history
Signed-off-by: John Kjell <john@testifysec.com>
  • Loading branch information
jkjell authored Oct 1, 2024
1 parent dec8c45 commit 2d7abd0
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
pre-command: |
curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
chmod +x /usr/local/bin/hadolint
command: hadolint --ignore DL3002 -f sarif Dockerfile > hadolint.sarif
command: hadolint -f sarif Dockerfile > hadolint.sarif
artifact-upload-name: hadolint.sarif
artifact-upload-path: hadolint.sarif

Expand Down
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ RUN go build -o bin/software

FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472

USER root
# USER root

COPY --from=builder /build/bin/software /software

Expand Down
16 changes: 8 additions & 8 deletions policy.rego
Original file line number Diff line number Diff line change
@@ -1,34 +1,34 @@
policy rego

// lint commandrun cmd validation
# lint commandrun cmd validation
package commandrun.cmd

import rego.v1

deny[msg] {
input.cmd != ["/bin/sh", "-c", "hadolint -f sarif Dockerfile > hadolint.sarif"]
msg := "unexpected cmd"
}

// all github jwt validation
# all github jwt validation
package github.attributes

import rego.v1

deny[msg] if {
deny[msg] {
input.jwt.claims.iss != "https://token.actions.githubusercontent.com"
msg := "unexpected issuer"
}

deny[msg] if {
deny[msg] {
input.projecturl != "https://github.com/testifysec/swf"
msg := "unexpected projecturl"
}

deny[msg] if {
deny[msg] {
not startswith(input.jwt.claims.workflow_ref, "testifysec/swf/.github/workflows/pipeline.yml")
msg := "unexpected workflow_ref"
}

// webhook attestor PR approval
# webhook attestor PR approval
package pr_review

deny[msg] {
Expand Down

0 comments on commit 2d7abd0

Please sign in to comment.