Open
41 commits
3ff1cad
Add all control labels and level conf
puerco Mar 5, 2026
0f6ca96
Support full controls
puerco Mar 5, 2026
9434285
Make tests pass (easy 😅)
puerco Mar 5, 2026
278862d
Streamline GetBranchControls API in tool
puerco Mar 5, 2026
22acaa2
Streamline get controls on backend
puerco Mar 5, 2026
7f64f4a
Add GetBranchControlsAtCommit to tool
puerco Mar 5, 2026
45be338
Unify control and set types
puerco Mar 6, 2026
5d34332
Rename ControlSet to ControlNameSet
puerco Mar 6, 2026
8a999d1
Rename slsa.ControlSetStatus to slsa.ControlSet
puerco Mar 6, 2026
3bc6a6c
Fix linter nits
puerco Mar 6, 2026
3455363
Redesign of the attester API
puerco Mar 9, 2026
e2f7b32
Update github backend to latest interface
puerco Mar 9, 2026
2107e70
Remove deprecated notes in tree collector
puerco Mar 9, 2026
07dbe76
Merge controlset with git fields
puerco Mar 9, 2026
f6fe256
Unify sourcetool API w/components
puerco Mar 9, 2026
38f700e
Update audit to new backend
puerco Mar 9, 2026
15c2bc7
Update commands to new source tool API
puerco Mar 9, 2026
24afe41
Update attest pkg tests
puerco Mar 9, 2026
db77af8
Fix bug in subject extrction
puerco Mar 9, 2026
6c4123c
Wire back allow merge commits
puerco Mar 9, 2026
557286e
Correct githb control gen
puerco Mar 10, 2026
406b942
ControlSet: Fix panic when date is nil
puerco Mar 10, 2026
deb3611
Don't add .git con GH URLs
puerco Mar 10, 2026
a49b1a1
Wire authenticator to repos
puerco Mar 10, 2026
d576f10
Lazy init of VCS backend
puerco Mar 10, 2026
cb4c0a8
Update auditor to use components
puerco Mar 10, 2026
76edad6
Fix linter nits
puerco Mar 10, 2026
feb0709
update integration tests
puerco Mar 10, 2026
bbd0bbc
Bump go in dockerfile
puerco Mar 10, 2026
36314bf
Regenerate fakes
puerco Mar 10, 2026
a9b8bd7
Formalize attestation push
puerco Mar 11, 2026
b389ef4
Default policy now defaults to SLSA0
puerco Mar 11, 2026
7db8ed8
Move checklevelprov to use tool.Attest()
puerco Mar 11, 2026
47ac14a
Models: Add Reference interface
puerco Mar 11, 2026
d9e4f40
Add revision interface
puerco Mar 11, 2026
bea844b
Add GetDefaultBranch method to backend
puerco Mar 11, 2026
f24ad48
Add TagCommit fetch to backend
puerco Mar 11, 2026
203cc3b
Fix verifycommit to work with any revision
puerco Mar 11, 2026
1835fb6
Make aloow-merge-comm reusable
puerco Mar 11, 2026
e206c73
Use revision opts flags
puerco Mar 11, 2026
6d092d4
Finish the tag controls implementation
puerco Mar 12, 2026
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,3 +1,3 @@
# This is used to we scrap the go version and use in CI to get the latest go version
# and we use dependabot to keep the go version up to date
FROM golang:1.25.7
FROM golang:1.25.8
156 changes: 78 additions & 78 deletions go.mod
@@ -1,15 +1,15 @@
module github.com/slsa-framework/source-tool

go 1.25.7
go 1.25.8

require (
github.com/carabiner-dev/attestation v0.2.0
github.com/carabiner-dev/collector v0.2.8
github.com/carabiner-dev/signer v0.3.7
github.com/carabiner-dev/attestation v0.2.1
github.com/carabiner-dev/collector v0.2.10-0.20260310234513-8d637f10649f
github.com/carabiner-dev/signer v0.3.8-0.20260310160610-a37998585604
github.com/carabiner-dev/vcslocator v0.4.0
github.com/fatih/color v1.18.0
github.com/go-git/go-billy/v6 v6.0.0-20250627091229-31e2a16eef30
github.com/go-git/go-git/v6 v6.0.0-20250711134917-1f24ae85fe16
github.com/go-git/go-billy/v6 v6.0.0-20260226131633-45bd0956d66f
github.com/go-git/go-git/v6 v6.0.0-20260305211659-2083cf940afa
github.com/google/go-github/v69 v69.2.0
github.com/google/uuid v1.6.0
github.com/hashicorp/go-retryablehttp v0.7.8
Expand All @@ -25,9 +25,9 @@ require (

require (
dario.cat/mergo v1.0.2 // indirect
github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
github.com/CycloneDX/cyclonedx-go v0.10.0 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/ProtonMail/go-crypto v1.3.0 // indirect
github.com/ProtonMail/go-crypto v1.4.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/avast/retry-go/v4 v4.7.0 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
Expand All @@ -36,87 +36,88 @@ require (
github.com/carabiner-dev/github v0.2.2 // indirect
github.com/carabiner-dev/hasher v0.2.3 // indirect
github.com/carabiner-dev/jsonl v0.2.1 // indirect
github.com/carabiner-dev/openeox v0.0.0-20251126193927-142e907140f5 // indirect
github.com/carabiner-dev/openeox v0.0.0-20260302211234-88fe8a305401 // indirect
github.com/carabiner-dev/osv v0.0.0-20250124012120-b8ce4531cd92 // indirect
github.com/carabiner-dev/policy v0.4.1-0.20251211203139-302be2dfaf0d // indirect
github.com/carabiner-dev/policy v0.4.2 // indirect
github.com/carabiner-dev/predicates v0.1.0 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/clipperhouse/displaywidth v0.6.0 // indirect
github.com/clipperhouse/stringish v0.1.1 // indirect
github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
github.com/cloudflare/circl v1.6.2 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/clipperhouse/displaywidth v0.11.0 // indirect
github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
github.com/cloudflare/circl v1.6.3 // indirect
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.18.2 // indirect
github.com/coreos/go-oidc/v3 v3.17.0 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
github.com/cyphar/filepath-securejoin v0.6.1 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/docker/cli v29.0.3+incompatible // indirect
github.com/digitorus/pkcs7 v0.0.0-20250730155240-ffadbf3f398c // indirect
github.com/digitorus/timestamp v0.0.0-20250524132541-c45532741eea // indirect
github.com/docker/cli v29.3.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.9.3 // indirect
github.com/docker/docker-credential-helpers v0.9.5 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/gcfg/v2 v2.0.2 // indirect
github.com/go-git/go-billy/v5 v5.7.0 // indirect
github.com/go-git/go-git/v5 v5.16.5 // indirect
github.com/go-git/go-billy/v5 v5.8.0 // indirect
github.com/go-git/go-git/v5 v5.17.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/analysis v0.24.1 // indirect
github.com/go-openapi/errors v0.22.4 // indirect
github.com/go-openapi/jsonpointer v0.22.1 // indirect
github.com/go-openapi/jsonreference v0.21.3 // indirect
github.com/go-openapi/loads v0.23.2 // indirect
github.com/go-openapi/runtime v0.29.2 // indirect
github.com/go-openapi/spec v0.22.1 // indirect
github.com/go-openapi/strfmt v0.25.0 // indirect
github.com/go-openapi/swag v0.25.4 // indirect
github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
github.com/go-openapi/swag/conv v0.25.4 // indirect
github.com/go-openapi/swag/fileutils v0.25.4 // indirect
github.com/go-openapi/swag/jsonname v0.25.4 // indirect
github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
github.com/go-openapi/swag/loading v0.25.4 // indirect
github.com/go-openapi/swag/mangling v0.25.4 // indirect
github.com/go-openapi/swag/netutils v0.25.4 // indirect
github.com/go-openapi/swag/stringutils v0.25.4 // indirect
github.com/go-openapi/swag/typeutils v0.25.4 // indirect
github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
github.com/go-openapi/validate v0.25.1 // indirect
github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
github.com/go-openapi/analysis v0.24.3 // indirect
github.com/go-openapi/errors v0.22.7 // indirect
github.com/go-openapi/jsonpointer v0.22.5 // indirect
github.com/go-openapi/jsonreference v0.21.5 // indirect
github.com/go-openapi/loads v0.23.3 // indirect
github.com/go-openapi/runtime v0.29.3 // indirect
github.com/go-openapi/spec v0.22.4 // indirect
github.com/go-openapi/strfmt v0.26.0 // indirect
github.com/go-openapi/swag v0.25.5 // indirect
github.com/go-openapi/swag/cmdutils v0.25.5 // indirect
github.com/go-openapi/swag/conv v0.25.5 // indirect
github.com/go-openapi/swag/fileutils v0.25.5 // indirect
github.com/go-openapi/swag/jsonname v0.25.5 // indirect
github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
github.com/go-openapi/swag/loading v0.25.5 // indirect
github.com/go-openapi/swag/mangling v0.25.5 // indirect
github.com/go-openapi/swag/netutils v0.25.5 // indirect
github.com/go-openapi/swag/stringutils v0.25.5 // indirect
github.com/go-openapi/swag/typeutils v0.25.5 // indirect
github.com/go-openapi/swag/yamlutils v0.25.5 // indirect
github.com/go-openapi/validate v0.25.2 // indirect
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
github.com/goccy/go-json v0.10.5 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
github.com/google/certificate-transparency-go v1.3.2 // indirect
github.com/google/certificate-transparency-go v1.3.3 // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/google/go-containerregistry v0.20.7 // indirect
github.com/google/go-containerregistry v0.21.2 // indirect
github.com/google/go-github/v73 v73.0.0 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/google/go-querystring v1.2.0 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/in-toto/in-toto-golang v0.9.0 // indirect
github.com/in-toto/in-toto-golang v0.10.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jedisct1/go-minisign v0.0.0-20241212093149-d2f9f49435c7 // indirect
github.com/kevinburke/ssh_config v1.4.0 // indirect
github.com/klauspost/compress v1.18.1 // indirect
github.com/kevinburke/ssh_config v1.6.0 // indirect
github.com/klauspost/compress v1.18.4 // indirect
github.com/klauspost/cpuid/v2 v2.3.0 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.19 // indirect
github.com/mattn/go-runewidth v0.0.21 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/oklog/ulid/v2 v2.1.1 // indirect
github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect
github.com/olekukonko/errors v1.1.0 // indirect
github.com/olekukonko/ll v0.1.3 // indirect
github.com/olekukonko/tablewriter v1.1.2 // indirect
github.com/olekukonko/errors v1.2.0 // indirect
github.com/olekukonko/ll v0.1.7 // indirect
github.com/olekukonko/tablewriter v1.1.3 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.1 // indirect
github.com/openvex/go-vex v0.2.7 // indirect
github.com/package-url/packageurl-go v0.1.4 // indirect
github.com/package-url/packageurl-go v0.1.5 // indirect
github.com/pjbgf/sha1cd v0.5.0 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pkg/errors v0.9.1 // indirect
Expand All @@ -127,40 +128,39 @@ require (
github.com/sergi/go-diff v1.4.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/protobuf-specs v0.5.0 // indirect
github.com/sigstore/rekor v1.4.3 // indirect
github.com/sigstore/rekor-tiles/v2 v2.0.1 // indirect
github.com/sigstore/rekor v1.5.0 // indirect
github.com/sigstore/rekor-tiles/v2 v2.2.1 // indirect
github.com/sigstore/sigstore v1.10.4 // indirect
github.com/sigstore/timestamp-authority/v2 v2.0.3 // indirect
github.com/sigstore/timestamp-authority/v2 v2.0.5 // indirect
github.com/sirupsen/logrus v1.9.4 // indirect
github.com/skeema/knownhosts v1.3.2 // indirect
github.com/spdx/tools-golang v0.5.5 // indirect
github.com/spdx/tools-golang v0.5.7 // indirect
github.com/spf13/pflag v1.0.10 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.4.1 // indirect
github.com/transparency-dev/formats v0.0.0-20251017110053-404c0d5b696c // indirect
github.com/transparency-dev/formats v0.1.0 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/vbatts/tar-split v0.12.2 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
go.mongodb.org/mongo-driver v1.17.6 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.opentelemetry.io/otel v1.42.0 // indirect
go.opentelemetry.io/otel/metric v1.42.0 // indirect
go.opentelemetry.io/otel/trace v1.42.0 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/crypto v0.46.0 // indirect
golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b // indirect
golang.org/x/mod v0.30.0 // indirect
golang.org/x/net v0.48.0 // indirect
golang.org/x/oauth2 v0.33.0 // indirect
golang.org/x/sync v0.19.0 // indirect
golang.org/x/sys v0.41.0 // indirect
golang.org/x/crypto v0.48.0 // indirect
golang.org/x/mod v0.33.0 // indirect
golang.org/x/net v0.51.0 // indirect
golang.org/x/oauth2 v0.36.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.42.0 // indirect
golang.org/x/term v0.40.0 // indirect
golang.org/x/text v0.32.0 // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools v0.39.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
google.golang.org/grpc v1.76.0 // indirect
golang.org/x/text v0.34.0 // indirect
golang.org/x/time v0.15.0 // indirect
golang.org/x/tools v0.42.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
google.golang.org/grpc v1.79.2 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.140.0 // indirect
)
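Review bot: In the first `require` block, the direct dependencies `github.com/carabiner-dev/collector` and `github.com/carabiner-dev/signer` move from tagged releases (`v0.2.8`, `v0.3.7`) to pseudo-versions that pin untagged commits (`v0.2.10-0.20260310234513-8d637f10649f`, `v0.3.8-0.20260310160610-a37998585604`). These modules sit on the signing and attestation-collection path of a SLSA tool, so a reviewer has no release tag or changelog to audit the pulled-in code against. The go.sum entries (not visible on this page) would still fix the content, so this is a provenance and reviewability concern, not an integrity one. If tags cannot be cut upstream before merge, record the intent next to the two lines, e.g. `// TODO: switch to the next tagged collector/signer releases once published`, and link the upstream commits in the PR description. The same section also bumps a large set of indirect modules, which would be easier to review as a separate dependency-only commit.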