🧹 Add status to default fields for gatekeeper and sip

- Use Internal struct caching to avoid double command execution
- Use command resource pattern instead of conn.RunCommand
- Use more specific SIP enabled check (status: enabled)
- Add filevault to spelling expect.txt
- Add hasPersonalRecoveryKey, hasInstitutionalRecoveryKey, users fields to filevault

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -81,6 +81,7 @@ failback
 fargate
 filestore
 filesz
+filevault
 firefox
 firestore
 FLEXGROUP

providers/os/resources/macos_filevault.go

@@ -4,44 +4,122 @@
 package resources
 
 import (
-	"io"
+	"errors"
 	"strings"
+	"sync"
 
-	"go.mondoo.com/mql/v13/providers/os/connection/shared"
+	"go.mondoo.com/mql/v13/llx"
 )
 
-func (m *mqlMacosFilevault) status() (string, error) {
-	conn := m.MqlRuntime.Connection.(shared.Connection)
+type mqlMacosFilevaultInternal struct {
+	lock    sync.Mutex
+	fetched bool
+	output  string
+}
 
-	cmd, err := conn.RunCommand("fdesetup status")
-	if err != nil {
-		return "", err
+func (m *mqlMacosFilevault) fetchStatus() (string, error) {
+	if m.fetched {
+		return m.output, nil
+	}
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	if m.fetched {
+		return m.output, nil
 	}
 
-	data, err := io.ReadAll(cmd.Stdout)
+	res, err := NewResource(m.MqlRuntime, "command", map[string]*llx.RawData{
+		"command": llx.StringData("fdesetup status"),
+	})
 	if err != nil {
 		return "", err
 	}
+	cmd := res.(*mqlCommand)
+	if exit := cmd.GetExitcode(); exit.Data != 0 {
+		return "", errors.New("fdesetup status failed: " + cmd.GetStderr().Data)
+	}
 
 	// fdesetup status outputs lines like:
 	// "FileVault is On."
 	// "FileVault is Off."
 	// "Encryption in progress: Percent completed = 50.0"
 	// "Decryption in progress: Percent completed = 50.0"
-	output := strings.TrimSpace(string(data))
-
-	// Return the first line which contains the primary status
+	output := strings.TrimSpace(cmd.GetStdout().Data)
 	lines := strings.SplitN(output, "\n", 2)
-	return strings.TrimSpace(lines[0]), nil
+
+	m.output = strings.TrimSpace(lines[0])
+	m.fetched = true
+	return m.output, nil
+}
+
+func (m *mqlMacosFilevault) status() (string, error) {
+	return m.fetchStatus()
 }
 
 func (m *mqlMacosFilevault) enabled() (bool, error) {
-	status, err := m.status()
+	status, err := m.fetchStatus()
 	if err != nil {
 		return false, err
 	}
 
-	// FileVault is considered enabled if it's on or encryption is in progress
 	return strings.Contains(status, "FileVault is On") ||
 		strings.Contains(status, "Encryption in progress"), nil
 }
+
+func (m *mqlMacosFilevault) runFdesetup(subcmd string) (string, error) {
+	res, err := NewResource(m.MqlRuntime, "command", map[string]*llx.RawData{
+		"command": llx.StringData("fdesetup " + subcmd),
+	})
+	if err != nil {
+		return "", err
+	}
+	cmd := res.(*mqlCommand)
+	if exit := cmd.GetExitcode(); exit.Data != 0 {
+		return "", errors.New("fdesetup " + subcmd + " failed: " + cmd.GetStderr().Data)
+	}
+	return strings.TrimSpace(cmd.GetStdout().Data), nil
+}
+
+func (m *mqlMacosFilevault) hasPersonalRecoveryKey() (bool, error) {
+	// fdesetup haspersonalrecoverykey outputs "true" or "false"
+	output, err := m.runFdesetup("haspersonalrecoverykey")
+	if err != nil {
+		return false, err
+	}
+	return output == "true", nil
+}
+
+func (m *mqlMacosFilevault) hasInstitutionalRecoveryKey() (bool, error) {
+	// fdesetup hasinstitutionalrecoverykey outputs "true" or "false"
+	output, err := m.runFdesetup("hasinstitutionalrecoverykey")
+	if err != nil {
+		return false, err
+	}
+	return output == "true", nil
+}
+
+func (m *mqlMacosFilevault) users() ([]any, error) {
+	// fdesetup list outputs lines like:
+	// "user1,85632A00-1234-5678-ABCD-123456789ABC"
+	// "user2,95632A00-1234-5678-ABCD-123456789ABC"
+	output, err := m.runFdesetup("list")
+	if err != nil {
+		return nil, err
+	}
+
+	if output == "" {
+		return []any{}, nil
+	}
+
+	var users []any
+	for _, line := range strings.Split(output, "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+		// Each line is "username,UUID" — extract the username
+		parts := strings.SplitN(line, ",", 2)
+		users = append(users, parts[0])
+	}
+
+	return users, nil
+}

providers/os/resources/macos_gatekeeper.go

@@ -4,33 +4,54 @@
 package resources
 
 import (
-	"io"
+	"errors"
 	"strings"
+	"sync"
 
-	"go.mondoo.com/mql/v13/providers/os/connection/shared"
+	"go.mondoo.com/mql/v13/llx"
 )
 
-func (m *mqlMacosGatekeeper) status() (string, error) {
-	conn := m.MqlRuntime.Connection.(shared.Connection)
+type mqlMacosGatekeeperInternal struct {
+	lock    sync.Mutex
+	fetched bool
+	output  string
+}
 
-	cmd, err := conn.RunCommand("spctl --status")
-	if err != nil {
-		return "", err
+func (m *mqlMacosGatekeeper) fetchStatus() (string, error) {
+	if m.fetched {
+		return m.output, nil
+	}
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	if m.fetched {
+		return m.output, nil
 	}
 
-	data, err := io.ReadAll(cmd.Stdout)
+	res, err := NewResource(m.MqlRuntime, "command", map[string]*llx.RawData{
+		"command": llx.StringData("spctl --status"),
+	})
 	if err != nil {
 		return "", err
 	}
+	cmd := res.(*mqlCommand)
+	if exit := cmd.GetExitcode(); exit.Data != 0 {
+		return "", errors.New("spctl --status failed: " + cmd.GetStderr().Data)
+	}
 
 	// spctl --status outputs:
 	// "assessments enabled" (Gatekeeper on)
 	// "assessments disabled" (Gatekeeper off)
-	return strings.TrimSpace(string(data)), nil
+	m.output = strings.TrimSpace(cmd.GetStdout().Data)
+	m.fetched = true
+	return m.output, nil
+}
+
+func (m *mqlMacosGatekeeper) status() (string, error) {
+	return m.fetchStatus()
 }
 
 func (m *mqlMacosGatekeeper) enabled() (bool, error) {
-	status, err := m.status()
+	status, err := m.fetchStatus()
 	if err != nil {
 		return false, err
 	}

providers/os/resources/macos_sip.go

@@ -4,41 +4,61 @@
 package resources
 
 import (
-	"io"
+	"errors"
 	"strings"
+	"sync"
 
-	"go.mondoo.com/mql/v13/providers/os/connection/shared"
+	"go.mondoo.com/mql/v13/llx"
 )
 
-func (m *mqlMacosSip) status() (string, error) {
-	conn := m.MqlRuntime.Connection.(shared.Connection)
+type mqlMacosSipInternal struct {
+	lock    sync.Mutex
+	fetched bool
+	output  string
+}
 
-	cmd, err := conn.RunCommand("csrutil status")
-	if err != nil {
-		return "", err
+func (m *mqlMacosSip) fetchStatus() (string, error) {
+	if m.fetched {
+		return m.output, nil
+	}
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	if m.fetched {
+		return m.output, nil
 	}
 
-	data, err := io.ReadAll(cmd.Stdout)
+	res, err := NewResource(m.MqlRuntime, "command", map[string]*llx.RawData{
+		"command": llx.StringData("csrutil status"),
+	})
 	if err != nil {
 		return "", err
 	}
+	cmd := res.(*mqlCommand)
+	if exit := cmd.GetExitcode(); exit.Data != 0 {
+		return "", errors.New("csrutil status failed: " + cmd.GetStderr().Data)
+	}
 
 	// csrutil status outputs:
 	// "System Integrity Protection status: enabled."
 	// "System Integrity Protection status: disabled."
 	// May also include individual configuration flags on separate lines
-	output := strings.TrimSpace(string(data))
-
-	// Return the first line which contains the primary status
+	output := strings.TrimSpace(cmd.GetStdout().Data)
 	lines := strings.SplitN(output, "\n", 2)
-	return strings.TrimSpace(lines[0]), nil
+
+	m.output = strings.TrimSpace(lines[0])
+	m.fetched = true
+	return m.output, nil
+}
+
+func (m *mqlMacosSip) status() (string, error) {
+	return m.fetchStatus()
 }
 
 func (m *mqlMacosSip) enabled() (bool, error) {
-	status, err := m.status()
+	status, err := m.fetchStatus()
 	if err != nil {
 		return false, err
 	}
 
-	return strings.Contains(status, "enabled"), nil
+	return strings.Contains(status, "status: enabled"), nil
 }

providers/os/resources/os.lr

@@ -2269,18 +2269,24 @@ macos.filevault @defaults("enabled status") {
   enabled() bool
   // FileVault status (On, Off, Encryption in progress, Decryption in progress)
   status() string
+  // Whether a personal recovery key exists
+  hasPersonalRecoveryKey() bool
+  // Whether an institutional recovery key exists
+  hasInstitutionalRecoveryKey() bool
+  // Users that can unlock the FileVault encrypted drive
+  users() []string
 }
 
 // macOS Gatekeeper application execution policy
-macos.gatekeeper @defaults("enabled") {
+macos.gatekeeper @defaults("enabled status") {
   // Whether Gatekeeper assessments are enabled
   enabled() bool
   // Gatekeeper assessment status (assessments enabled, assessments disabled)
   status() string
 }
 
 // macOS System Integrity Protection (SIP)
-macos.sip @defaults("enabled") {
+macos.sip @defaults("enabled status") {
   // Whether System Integrity Protection is enabled
   enabled() bool
   // SIP status message