Skip to content

feat(tool-scubagoggles-gws): google workspace config attestor example#32

Draft
colek42 wants to merge 2 commits into
mainfrom
feat/tool-scubagoggles-gws
Draft

feat(tool-scubagoggles-gws): google workspace config attestor example#32
colek42 wants to merge 2 commits into
mainfrom
feat/tool-scubagoggles-gws

Conversation

@colek42

@colek42 colek42 commented May 29, 2026

Copy link
Copy Markdown
Contributor

What

A tool-scubagoggles-gws example for the rookery scubagoggles attestor: attest a Google Workspace tenant's raw configuration (not ScubaGoggles' verdict) under cilock, then gate it with our own deny-based Common Controls Rego.

Full create → verify cycle (validated end-to-end against a live tenant)

reproduce.sh:

  1. cilock run -- scubagoggles gws -b commoncontrols … → signed DSSE collection with scubagoggles/v0.1 (the raw provider config; no verdict).
  2. Build a witness policy that trusts the run's signer and embeds the rego; cilock sign it.
  3. cilock verify -p policy-signed.json -k key.pub -a attestation.json -s sha256:<domain>policyverify runs the rego inside the signature-verified envelope.

A non-compliant tenant denies (gate blocks) on the failing controls (phishing-resistant MFA 1.1, 12h session 4.1, 2–8 super-admins 6.2).

Contents

  • policy/gws_commoncontrols.rego (+ tests, opa test 6/6) — our rego reading input.predicate.config. Control intent informed by CISA's SCuBA baseline (CC0-1.0); rego original (CISA's reads input.policies + emits tests, which doesn't fit the policyverify deny[] contract).
  • raw/sample-provider-input.jsonsynthetic example.org data for an offline opa eval demo.

Privacy

No real tenant configuration is committed. A real run's attestation.json carries live GWS settings (admin accounts, OU layout, auth policy) and is kept out of this public repo; raw/ is synthetic only.

Draft — paired with the rookery doc attestation/detection/docs/scubagoggles.doc.md (testifysec/judge#5152) which references this example via examples_repo.

🤖 Generated with Claude Code

cole-rgb and others added 2 commits May 28, 2026 20:59
Tool-integration example for the rookery `scubagoggles` attestor: attest a
Google Workspace tenant's RAW configuration (not ScubaGoggles' verdict) under
cilock, then gate it with our own deny-based Common Controls Rego — full
create→verify cycle, validated end-to-end against a live tenant.

- reproduce.sh: `cilock run -- scubagoggles gws …` (create) → build+`cilock sign`
  a witness policy embedding the rego, trusting the run's signer → `cilock
  verify -s sha256:<domain>` (verify). policyverify evaluates the rego inside
  the signature-verified envelope; a non-compliant tenant denies (gate blocks).
- policy/gws_commoncontrols.rego (+ tests, 6/6): our rego reading
  input.predicate.config; control intent informed by CISA's SCuBA baseline
  (CC0-1.0), rego original.
- raw/sample-provider-input.json: SYNTHETIC example.org data (deliberately
  non-compliant) for an offline policy demo. No real tenant config is committed
  — a real run's attestation.json holds live GWS settings and must stay out of
  this public repo.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-171

Expand the example beyond Common Controls to the GWS baselines a NIST 800-171
(CUI) assessment draws on:

- gws_gmail.rego: DMARC must enforce (not p=none), SPF + DKIM published,
  anomalous-attachment protection — email authenticity / anti-spoofing,
  supporting the System & Communications Protection family (3.13).
- gws_drive.rego: external sharing not unrestricted, no web publishing —
  controlling the flow of CUI to external parties, supporting Access Control
  (3.1.3 / 3.1.22).

reproduce.sh now collects commoncontrols+gmail+drive and embeds all three rego
modules in the verify policy; opa test is 15/15. Validated end-to-end through
`cilock run` → `cilock sign` → `cilock verify` against a live tenant: the gate
denies with 9 findings across the three baselines.

Per-control GWS→800-171 mapping stays in the platform; the rego references only
GWS control ids.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants