
Commit 457c45c

committed
feat(shadictl): track nested git repos in snapshots
Signed-off-by: Luca Muscariello <muscariello@ieee.org>
1 parent 2733a5d commit 457c45c


5 files changed

+391
-47
lines changed


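--- a/Justfile
+++ b/Justfile
@@ -32,12 +32,19 @@ coverage:
 LLVM_SYSROOT="$(rustc --print sysroot)" \
 LLVM_HOST="$(rustc -Vv | awk '/host/ {print $2}')" \
 LLVM_BREW="$(brew --prefix llvm 2>/dev/null || true)" \
+LLVM_BREW_VERSIONED="$(brew --prefix llvm@21 2>/dev/null || true)" \
 LLVM_COV="$(command -v llvm-cov || true)" \
-LLVM_PROFDATA="$(command -v llvm-profdata || true)" \
-LLVM_COV="${LLVM_COV:-$LLVM_BREW/bin/llvm-cov}" \
-LLVM_PROFDATA="${LLVM_PROFDATA:-$LLVM_BREW/bin/llvm-profdata}" \
-LLVM_COV="${LLVM_COV:-$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-cov}" \
-LLVM_PROFDATA="${LLVM_PROFDATA:-$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-profdata}" \
+LLVM_PROFDATA="$(command -v llvm-profdata || true)"; \
+if [ -z "$LLVM_COV" ]; then \
+if [ -x "$LLVM_BREW/bin/llvm-cov" ]; then LLVM_COV="$LLVM_BREW/bin/llvm-cov"; \
+elif [ -x "$LLVM_BREW_VERSIONED/bin/llvm-cov" ]; then LLVM_COV="$LLVM_BREW_VERSIONED/bin/llvm-cov"; \
+else LLVM_COV="$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-cov"; fi; \
+fi; \
+if [ -z "$LLVM_PROFDATA" ]; then \
+if [ -x "$LLVM_BREW/bin/llvm-profdata" ]; then LLVM_PROFDATA="$LLVM_BREW/bin/llvm-profdata"; \
+elif [ -x "$LLVM_BREW_VERSIONED/bin/llvm-profdata" ]; then LLVM_PROFDATA="$LLVM_BREW_VERSIONED/bin/llvm-profdata"; \
+else LLVM_PROFDATA="$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-profdata"; fi; \
+fi; \
 SHADI_KEYCHAIN_TESTS=1 \
 PYO3_PYTHON="{{python312}}" RUSTFLAGS="-C link-arg=-L{{python_prefix}}/Frameworks/Python.framework/Versions/3.12/lib/python3.12/config-3.12-darwin -C link-arg=-lpython3.12 -C link-arg=-framework -C link-arg=CoreFoundation" \
 LLVM_COV="$LLVM_COV" LLVM_PROFDATA="$LLVM_PROFDATA" \
@@ -48,12 +55,19 @@ coverage-html:
 LLVM_SYSROOT="$(rustc --print sysroot)" \
 LLVM_HOST="$(rustc -Vv | awk '/host/ {print $2}')" \
 LLVM_BREW="$(brew --prefix llvm 2>/dev/null || true)" \
+LLVM_BREW_VERSIONED="$(brew --prefix llvm@21 2>/dev/null || true)" \
 LLVM_COV="$(command -v llvm-cov || true)" \
-LLVM_PROFDATA="$(command -v llvm-profdata || true)" \
-LLVM_COV="${LLVM_COV:-$LLVM_BREW/bin/llvm-cov}" \
-LLVM_PROFDATA="${LLVM_PROFDATA:-$LLVM_BREW/bin/llvm-profdata}" \
-LLVM_COV="${LLVM_COV:-$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-cov}" \
-LLVM_PROFDATA="${LLVM_PROFDATA:-$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-profdata}" \
+LLVM_PROFDATA="$(command -v llvm-profdata || true)"; \
+if [ -z "$LLVM_COV" ]; then \
+if [ -x "$LLVM_BREW/bin/llvm-cov" ]; then LLVM_COV="$LLVM_BREW/bin/llvm-cov"; \
+elif [ -x "$LLVM_BREW_VERSIONED/bin/llvm-cov" ]; then LLVM_COV="$LLVM_BREW_VERSIONED/bin/llvm-cov"; \
+else LLVM_COV="$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-cov"; fi; \
+fi; \
+if [ -z "$LLVM_PROFDATA" ]; then \
+if [ -x "$LLVM_BREW/bin/llvm-profdata" ]; then LLVM_PROFDATA="$LLVM_BREW/bin/llvm-profdata"; \
+elif [ -x "$LLVM_BREW_VERSIONED/bin/llvm-profdata" ]; then LLVM_PROFDATA="$LLVM_BREW_VERSIONED/bin/llvm-profdata"; \
+else LLVM_PROFDATA="$LLVM_SYSROOT/lib/rustlib/$LLVM_HOST/bin/llvm-profdata"; fi; \
+fi; \
 SHADI_KEYCHAIN_TESTS=1 \
 PYO3_PYTHON="{{python312}}" RUSTFLAGS="-C link-arg=-L{{python_prefix}}/Frameworks/Python.framework/Versions/3.12/lib/python3.12/config-3.12-darwin -C link-arg=-lpython3.12 -C link-arg=-framework -C link-arg=CoreFoundation" \
 LLVM_COV="$LLVM_COV" LLVM_PROFDATA="$LLVM_PROFDATA" \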
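Review bot: When `brew` is absent or the formula is not installed, `LLVM_BREW` and `LLVM_BREW_VERSIONED` expand to empty strings (the `|| true` swallows the failure), so the `-x` probes in the new `if` chains test `/bin/llvm-cov` and `/bin/llvm-profdata` — absolute paths outside any prefix the recipe meant to search; guard each probe on a non-empty prefix, e.g. `if [ -n "$LLVM_BREW" ] && [ -x "$LLVM_BREW/bin/llvm-cov" ]; then LLVM_COV="$LLVM_BREW/bin/llvm-cov"; \`. The same applies to the `LLVM_PROFDATA` chain and to the identical block in the `coverage-html` hunk, which duplicates the whole resolver; a single shared recipe or shell snippet would keep the two from drifting. The final `else` assigns the rustlib path without an `-x` check, so a missing sysroot tool only surfaces later with a less obvious error from the consumer. Note also that the resolution order prefers whatever `llvm-cov`/`llvm-profdata` is first on `PATH` over the toolchain-bundled copy in `$LLVM_SYSROOT/lib/rustlib/...`; if the `PATH` copy is a different LLVM major than the one `rustc` was built with, it may not read the emitted profiles, so I would consider probing the rustlib tools first. Both recipes continue outside the hunks.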

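--- a/README.md
+++ b/README.md
@@ -125,6 +125,13 @@ Each artifact includes resolved policy, timestamps, before/after Git state,
 SHA-256 hashes for captured Git payloads, and comparison fields such as
 `status_changed` and `overall_changed`.
 
+If the workspace contains nested Git repos, the artifact also includes a
+`git.repositories` array with per-repo before/after state and comparison
+metadata. This is important for agent workflows like SecOps remediation where
+the agent may clone or update another repo under the current working folder:
+the outer repo can stay unchanged while the nested repo entry still reports the
+change.
+
 ### 4) Derive agent identities from a human source
 
 ```bash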
