resolve merge conflicts: keep new security advisories implementation

Author: zohayb23

.dockerignore

@@ -1 +1,9 @@
 config.yml
+evaluation_results
+.github
+.goreleaser.yml
+.gitignore
+example-config.yml
+github-repo
+*.png
+*.md

.github/CONTRIBUTING.md

@@ -6,15 +6,28 @@ We'd love to accept your patches and contributions to this project. There are ju
 
 Participation in this project comes under the [Contributor Covenant Code of Conduct](./CODE_OF_CONDUCT.md)
 
+## Local Development
+
+While working on tests, the best way to run the plugin is via `go run . debug --service=<your-service>`. Ensure your local `config` file is set up correctly beforehand.
+
+You may also pull the code locally and run the local Dockerfile:
+
+1. Pull the repo
+2. Modify `example-config.yml` to use your values, and rename it to `config.yml`
+3. Build the Docker Image: `make docker-build`
+4. Run the Docker Image: `make docker-run`
+5. Review the output in the directory you've specified in your config file
+
+## Required Token Scopes
+
+![Token Scopes](../token-scopes.png)
+
 ## Code Submission
 
 Thank you for considering submitting code to Privateer!
 
 - We follow the [GitHub Pull Request Model](https://help.github.com/articles/about-pull-requests/) for all contributions.
-- For large bodies of work, we recommend creating an issue using the "Feature Request" template to outline the feature that you wish to build, and describe how it will be implemented. This gives a chance for review to happen early, and ensures no wasted effort occurs.
-- For new features, documentation must be included. Currently we do not have a formalized documentation process, so please use your best judgment until a process is in place.
 - All submissions, including submissions by project members, will require review before being merged.
-- Once review has occurred, please rebase your PR down to a single commit. This will ensure a nice clean Git history.
 - Please write a [good Git Commit message](https://chris.beams.io/posts/git-commit/)
 - Please follow the code formatting instructions below
 

.github/workflows/build.yaml

@@ -11,7 +11,7 @@ permissions:
   pull-requests: read
 
 jobs:
-  lint:
+  build:
     name: build
     runs-on: ubuntu-latest
     steps:
@@ -24,4 +24,19 @@ jobs:
       - name: build
         run: make build
       - name: test
-        run: make test-cov
+        run: make test-cov
+      - name: test coverage check
+        env:
+          TESTCOVERAGE_THRESHOLD: 26
+        run: |
+          echo "Quality Gate: checking test coverage is above threshold ..."
+          echo "Threshold             : $TESTCOVERAGE_THRESHOLD %"
+          totalCoverage=`go tool cover -func=coverage.out | grep total | grep -Eo '[0-9]+\.[0-9]+'`
+          echo "Current test coverage : $totalCoverage %"
+          if (( $(echo "$totalCoverage $TESTCOVERAGE_THRESHOLD" | awk '{print ($1 >= $2)}') )); then
+              echo "OK"
+          else
+              echo "Current test coverage is below threshold. Please add more unit tests or adjust threshold to a lower value."
+              echo "Failed"
+              exit 1
+          fi

.github/workflows/docker-ci.yml

@@ -0,0 +1,30 @@
+name: Docker CI
+
+on:
+  push:
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+      - name: Set up buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+      - name: Build container image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          context: .
+          file: ./Dockerfile
+          push: false

.github/workflows/lint.yaml

@@ -24,4 +24,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9
         with:
-          version: v2.1
+          version: v2.5.0

.github/workflows/release.yml

@@ -20,7 +20,11 @@ jobs:
     needs: release
     runs-on: ubuntu-latest
     permissions:
+      attestations: write
       contents: write
+      id-token: write
+    outputs:
+      attestation_matrix: ${{ steps.generate_matrix.outputs.matrix }}
     steps:
       - name: Checkout
         uses: actions/checkout@v5
@@ -31,6 +35,10 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version: 1.23.4
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@f8bdd1d8ac5e901a77a92f111440fdb1b593736b
+        with:
+          syft-version: v1.33.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a
         with:
@@ -39,3 +47,36 @@ jobs:
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Attest Build Provenance
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-checksums: dist/checksums.txt
+      - name: Generate attestation matrix
+        id: generate_matrix
+        run: |
+          matrix=$(ls dist/*.spdx.json | jq -R '{"sbom": ., "archive": sub("\\.spdx\\.json$"; "")}' | jq -s -c '{"include": .}')
+          echo "matrix=$matrix" >> $GITHUB_OUTPUT
+      - name: Upload artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: dist
+          path: dist
+  attest-sboms:
+    needs: goreleaser
+    runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+    strategy:
+      matrix: ${{ fromJson(needs.goreleaser.outputs.attestation_matrix) }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
+        with:
+          name: dist
+          path: dist
+      - name: Attest SBOM
+        uses: actions/attest-sbom@4651f806c01d8637787e274ac3bdf724ef169f34
+        with:
+          subject-path: "${{ matrix.archive }}"
+          sbom-path: "${{ matrix.sbom }}"

.goreleaser.yaml

@@ -42,8 +42,66 @@ changelog:
       - "^docs:"
       - "^test:"
 
+checksum:
+  name_template: "checksums.txt"
+
 release:
   prerelease: auto
 
+sboms:
+  - # ID of the sbom config, must be unique.
+    #
+    # Default: 'default'.
+    id: sboms
+
+    # List of names of the SBOM documents created at this step
+    # (relative to the dist dir).
+    #
+    # Each element configured is made available as variables. For example:
+    #   documents: ["foo", "bar"]
+    #
+    # would make the following variables that can be referenced as template keys:
+    #   document0: "foo"
+    #   document1: "bar"
+    #
+    # Note that multiple sbom values are only allowed if the value of
+    # "artifacts" is "any".
+    #
+    # Default:
+    #   When "binary":   ["{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.sbom.json"]
+    #   When "any":      []
+    #   Otherwise:       ["{{ .ArtifactName }}.sbom.json"]
+    # Templates: allowed.
+    documents:
+      - "${artifact}.spdx.json"
+
+    # Path to the SBOM generator command
+    #
+    # Note: the process CWD will be set to the same location as "dist"
+    #
+    # Default: 'syft'.
+    cmd: syft
+
+    # Command line arguments for the command
+    #
+    # Default: ["$artifact", "--output", "spdx-json=$document", "--enrich", "all"].
+    # Templates: allowed.
+    # args: ["$artifact", "--output", "cyclonedx-json=$document"]
+
+    # Which artifacts to catalog.
+    #
+    # Valid options are:
+    # - any:        let the SBOM tool decide which artifacts available in
+    #               the cwd should be cataloged
+    # - source:     source archive
+    # - package:    Linux packages (deb, rpm, apk, etc)
+    # - installer:  Windows MSI installers (Pro only)
+    # - diskimage:  macOS DMG disk images (Pro only)
+    # - archive:    archives from archive pipe
+    # - binary:     binaries output from the build stage
+    #
+    # Default: 'archive'.
+    artifacts: archive
+
 universal_binaries:
   - replace: true

Dockerfile

@@ -1,27 +1,30 @@
-FROM alpine:3.21 AS core
+FROM alpine:3.22 AS core
 RUN apk add --no-cache wget tar unzip
 
 WORKDIR /app
-ARG VERSION=0.7.0
+ARG VERSION=0.9.1
 ARG PLATFORM=Linux_x86_64  # Change this based on your target system
 
 RUN wget https://github.com/privateerproj/privateer/releases/download/v${VERSION}/privateer_${PLATFORM}.tar.gz
 RUN tar -xzf privateer_${PLATFORM}.tar.gz
 
-FROM golang:1.23.4-alpine3.21 AS plugin
+FROM golang:1.25.1-alpine3.22 AS plugin
 RUN apk add --no-cache make git
 WORKDIR /plugin
 COPY . .
 RUN make binary
 
-FROM golang:1.23.4-alpine3.21
-RUN apk add --no-cache make git && \
-    mkdir -p /.privateer/bin
+FROM golang:1.25.1-alpine3.22
+RUN addgroup -g 1001 -S appgroup && adduser -u 1001 -S appuser -G appgroup
+
+RUN mkdir -p /.privateer/bin && chown -R appuser:appgroup /.privateer
 WORKDIR /.privateer/bin
+USER appuser
+
 COPY --from=core /app/privateer .
 COPY --from=plugin /plugin/github-repo .
 COPY --from=plugin /plugin/container-entrypoint.sh .
 
 # The config file must be provided at run time.
-# example: docker run -v /path/to/config.yml:/.privateer/bin/config.yml privateer-image
+# example: docker run -v /path/to/config.yml:/.privateer/config.yml privateer-image
 CMD ["./container-entrypoint.sh"]

Makefile

@@ -4,6 +4,8 @@ BUILD_WIN=@env GOOS=windows GOARCH=amd64 go build -o $(PACKNAME).exe
 BUILD_LINUX=@env GOOS=linux GOARCH=amd64 go build -o $(PACKNAME)
 BUILD_MAC=@env GOOS=darwin GOARCH=amd64 go build -o $(PACKNAME)-darwin
 
+COVERAGE = $(shell go tool cover -func=coverage.out | grep total | grep -Eo '[0-9]+\.[0-9]+')
+
 release: package release bin
 release-candidate: package release-candidate
 binary: package build
@@ -35,21 +37,24 @@ build:
 package: tidy test
 	@echo "  >  Packaging static files..."
 
-test:
+vet:
 	@echo "  >  Validating code ..."
 	@go vet ./...
+
+test: vet
 	@go clean -testcache
 	@go test ./...
 
 tidy:
 	@echo "  >  Tidying go.mod ..."
 	@go mod tidy
 
-test-cov:
+test-cov: vet
 	@echo "Running tests and generating coverage output ..."
 	@go test ./... -coverprofile coverage.out -covermode count
-	@sleep 2 # Sleeping to allow for coverage.out file to get generated
-	@echo "Current test coverage : $(shell go tool cover -func=coverage.out | grep total | grep -Eo '[0-9]+\.[0-9]+') %"
+
+print-cov:
+	@echo "Current test coverage : $(COVERAGE)%"
 
 release-candidate: tidy test
 	@echo "  >  Building release candidate for Linux..."

README.md

@@ -1,18 +1,31 @@
 # Privateer Plugin for GitHub Repositories
 
-This plugin is designed to test a GitHub repository using automated assessments compatible with the [Gemara](https://github.com/ossf/gemara) Layer 4 data types.
+This application performs automated assessments against GitHub repositories using controls defined in the [Open Source Project Security Baseline v2025.02.25](https://baseline.openssf.org). The application consumes the OSPS Baseline controls using [Gemara](https://github.com/ossf/gemara) layer 2 and produces results of the automated assessments using layer 4.
 
-Many of the assessments require a [Security Insights](https://github.com/ossf/security-insights) file to be present at the root of the repository, or `./github/security-insights.yml`.
+Many of the assessments depend upon the presence of a [Security Insights](https://github.com/ossf/security-insights) file at the root of the repository, or `./github/security-insights.yml`.
 
 ## Work in Progress
 
-Assessment development is currently addressing the [Open Source Project Security Baseline v2025.02.25](https://baseline.openssf.org).
+Currently 39 control requirements across OSPS Baselines levels 1-3 are covered, with 13 not yet implemented. [Maturity Level 1](https://baseline.openssf.org/versions/2025-02-25.html#level-1) requirements are the most rigorously tested and are recommended for use. The results of these layer 1 assessments are integrated into [LFX Insights](https://insights.linuxfoundation.org/project/k8s/repository/kubernetes-kubernetes/security), powering the [Security & Best Practices results](https://insights.linuxfoundation.org/docs/metrics/security/).
 
-As possible, the goal is to work on the OSPS Baseline maturity levels from the lowest to highest.
+![alt text](kubernetes_insights_baseline.png)
+
+Level 2 and Level 3 requirements are undergoing current development and may be less rigorously tested.
+
+## Docker Usage
+
+```sh
+# build the image
+docker build . -t local
+docker run \
+  --mount type=bind,source=./config.yml,destination=/.privateer/config.yml \
+  --mount type=bind,source=./evaluation_results,destination=/.privateer/bin/evaluation_results \
+  local
+```
 
 ## GitHub Actions Usage
 
-We've pushed an image to docker hub for use in GitHub Actions. Many tests are currently pending implementation, and only `Maturity Level 1` is currently recommended for use.
+We've pushed an image to docker hub for use in GitHub Actions.
 
 You will also need to set up a GitHub personal access token with the repository read permissions. This token should be added to your config file, or — if using the example pipeline below — as a secret in your repository.
 
@@ -22,18 +35,10 @@ You will also need to set up a GitHub personal access token with the repository
 - [Workflow Definition](https://github.com/privateerproj/.github/blob/main/.github/workflows/osps-baseline.yml)
 - [Action Results](https://github.com/privateerproj/.github/actions/runs/13691384519/job/38285134201)
 
-## Local Development
-
-While working on tests, the best way to run the plugin is via `go run . debug --service=<your-service>`. Ensure your local `config` file is set up correctly beforehand.
-
-You may also pull the code locally and run the local Dockerfile:
+## Contributing
 
-1. Pull the repo
-2. Modify `example-config.yml` to use your values, and rename it to `config.yml`
-3. Build the Docker Image: `make docker-build`
-4. Run the Docker Image: `make docker-run`
-5. Review the output in the directory you've specified in your config file
+Contributions are welcome! Please see our [Contributing Guidelines](.github/CONTRIBUTING.md) for more information.
 
-## Required Token Scopes
+## License
 
-![Token Scopes](./token-scopes.png)
+This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENSE) file for details.