feat(tool-scubagoggles-gws): google workspace config attestor example#32
Draft
colek42 wants to merge 2 commits into
Draft
feat(tool-scubagoggles-gws): google workspace config attestor example#32colek42 wants to merge 2 commits into
colek42 wants to merge 2 commits into
Conversation
Tool-integration example for the rookery `scubagoggles` attestor: attest a Google Workspace tenant's RAW configuration (not ScubaGoggles' verdict) under cilock, then gate it with our own deny-based Common Controls Rego — full create→verify cycle, validated end-to-end against a live tenant. - reproduce.sh: `cilock run -- scubagoggles gws …` (create) → build+`cilock sign` a witness policy embedding the rego, trusting the run's signer → `cilock verify -s sha256:<domain>` (verify). policyverify evaluates the rego inside the signature-verified envelope; a non-compliant tenant denies (gate blocks). - policy/gws_commoncontrols.rego (+ tests, 6/6): our rego reading input.predicate.config; control intent informed by CISA's SCuBA baseline (CC0-1.0), rego original. - raw/sample-provider-input.json: SYNTHETIC example.org data (deliberately non-compliant) for an offline policy demo. No real tenant config is committed — a real run's attestation.json holds live GWS settings and must stay out of this public repo. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-171 Expand the example beyond Common Controls to the GWS baselines a NIST 800-171 (CUI) assessment draws on: - gws_gmail.rego: DMARC must enforce (not p=none), SPF + DKIM published, anomalous-attachment protection — email authenticity / anti-spoofing, supporting the System & Communications Protection family (3.13). - gws_drive.rego: external sharing not unrestricted, no web publishing — controlling the flow of CUI to external parties, supporting Access Control (3.1.3 / 3.1.22). reproduce.sh now collects commoncontrols+gmail+drive and embeds all three rego modules in the verify policy; opa test is 15/15. Validated end-to-end through `cilock run` → `cilock sign` → `cilock verify` against a live tenant: the gate denies with 9 findings across the three baselines. Per-control GWS→800-171 mapping stays in the platform; the rego references only GWS control ids. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
A
tool-scubagoggles-gwsexample for the rookeryscubagogglesattestor: attest a Google Workspace tenant's raw configuration (not ScubaGoggles' verdict) under cilock, then gate it with our own deny-based Common Controls Rego.Full create → verify cycle (validated end-to-end against a live tenant)
reproduce.sh:cilock run -- scubagoggles gws -b commoncontrols …→ signed DSSE collection withscubagoggles/v0.1(the raw provider config; no verdict).cilock signit.cilock verify -p policy-signed.json -k key.pub -a attestation.json -s sha256:<domain>→policyverifyruns the rego inside the signature-verified envelope.A non-compliant tenant denies (gate blocks) on the failing controls (phishing-resistant MFA 1.1, 12h session 4.1, 2–8 super-admins 6.2).
Contents
policy/gws_commoncontrols.rego(+ tests,opa test6/6) — our rego readinginput.predicate.config. Control intent informed by CISA's SCuBA baseline (CC0-1.0); rego original (CISA's readsinput.policies+ emitstests, which doesn't fit thepolicyverifydeny[]contract).raw/sample-provider-input.json— synthetic example.org data for an offlineopa evaldemo.Privacy
No real tenant configuration is committed. A real run's
attestation.jsoncarries live GWS settings (admin accounts, OU layout, auth policy) and is kept out of this public repo;raw/is synthetic only.🤖 Generated with Claude Code