slsa-framework
diff --git a/‎go.work.sum‎
Lines changed: 10 additions & 0 deletions b/‎go.work.sum‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎sourcetool/cmd/audit.go‎
Lines changed: 187 additions & 0 deletions b/‎sourcetool/cmd/audit.go‎
Lines changed: 187 additions & 0 deletions
diff --git a/‎sourcetool/main.go‎
Lines changed: 5 additions & 1 deletion b/‎sourcetool/main.go‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎sourcetool/pkg/attest/log.go‎
Lines changed: 10 additions & 0 deletions b/‎sourcetool/pkg/attest/log.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎sourcetool/pkg/attest/provenance.go‎
Lines changed: 5 additions & 8 deletions b/‎sourcetool/pkg/attest/provenance.go‎
Lines changed: 5 additions & 8 deletions
diff --git a/‎sourcetool/pkg/attest/statement.go‎
Lines changed: 5 additions & 5 deletions b/‎sourcetool/pkg/attest/statement.go‎
Lines changed: 5 additions & 5 deletions
@@ -7,14 +7,18 @@ cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1h
 cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
 cloud.google.com/go/firestore v1.15.0/go.mod h1:GWOxFXcv8GZUtYpWHw/w6IuYNux/BtmeVTMmjrm4yhk=
 cloud.google.com/go/monitoring v1.21.2/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+WFX8g2hqVEZU=
+cloud.google.com/go/monitoring v1.24.0/go.mod h1:Bd1PRK5bmQBQNnuGwHBfUamAV1ys9049oEPHnn4pcsc=
 cloud.google.com/go/profiler v0.4.1/go.mod h1:LBrtEX6nbvhv1w/e5CPZmX9ajGG9BGLtGbv56Tg4SHs=
 cloud.google.com/go/profiler v0.4.2/go.mod h1:7GcWzs9deJHHdJ5J9V1DzKQ9JoIoTGhezwlLbwkOoCs=
 cloud.google.com/go/pubsub v1.45.1/go.mod h1:3bn7fTmzZFwaUjllitv1WlsNMkqBgGUb3UdMhI54eCc=
 cloud.google.com/go/pubsub v1.45.3/go.mod h1:cGyloK/hXC4at7smAtxFnXprKEFTqmMXNNd9w+bd94Q=
+cloud.google.com/go/pubsub v1.47.0/go.mod h1:LaENesmga+2u0nDtLkIOILskxsfvn/BXX9Ak1NFxOs8=
 cloud.google.com/go/security v1.17.5/go.mod h1:MA8w7SbQAQO9CQ9r0R7HR0F7g1AJoqx87SFLpapq3OU=
 cloud.google.com/go/security v1.18.3/go.mod h1:NmlSnEe7vzenMRoTLehUwa/ZTZHDQE59IPRevHcpCe4=
+cloud.google.com/go/security v1.18.5/go.mod h1:D1wuUkDwGqTKD0Nv7d4Fn2Dc53POJSmO4tlg1K1iS7s=
 cloud.google.com/go/storage v1.43.0/go.mod h1:ajvxEa7WmZS1PxvKRq4bq0tFT3vMd502JwstCcYv0Q0=
 cloud.google.com/go/storage v1.45.0/go.mod h1:wpPblkIuMP5jCB/E48Pz9zIo2S/zD8g+ITmxKkPCITE=
+cloud.google.com/go/storage v1.50.0/go.mod h1:l7XeiD//vx5lfqE3RavfmU9yvk5Pp0Zhcv482poyafY=
 cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io=
 contrib.go.opencensus.io/exporter/stackdriver v0.13.14/go.mod h1:5pSSGY0Bhuk7waTHuDf4aQ8D2DrhgETRo9fy6k3Xlzc=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20240404174027-a39bec0462d2/go.mod h1:pK23AUVXuNzzTpfMCA06sxZGeVQ/75FdVtW249de9Uo=
@@ -37,7 +41,9 @@ github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6
 github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1/go.mod h1:jyqM3eLpJ3IbIFDTKVz2rF9T/xWGW0rIriGwnz8l9Tk=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0/go.mod h1:6fTWu4m3jocfUZLYF5KsZC1TUfRvEjs7lM4crme/irw=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1/go.mod h1:viRWSEhtMZqz1rhwmOVKkWl6SwmVowfL9O2YR5gI2PE=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0/go.mod h1:wRbFgBQUVm1YXrvWKofAEmq9HNJTDphbAaJSSX01KUI=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
@@ -158,11 +164,13 @@ github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXE
 github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-piv/piv-go v1.11.0/go.mod h1:NZ2zmjVkfFaL/CF8cVQ/pXdXtuj110zEKGdJM6fJZZM=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/go-playground/validator/v10 v10.24.0/go.mod h1:GGzBIJMuE98Ic/kJsBXbz1x/7cByt++cQ+YOuDM5wus=
+github.com/go-playground/validator/v10 v10.26.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
 github.com/go-redis/redismock/v9 v9.2.0/go.mod h1:18KHfGDK4Y6c2R0H38EUGWAdc7ZQS9gfYxc94k7rWT0=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
@@ -294,6 +302,7 @@ github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Qk=
+github.com/pkg/sftp v1.13.7/go.mod h1:KMKI0t3T6hfA+lTR/ssZdunHo+uwq7ghoN09/FSu3DY=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
 github.com/prometheus/prometheus v0.51.0/go.mod h1:yv4MwOn3yHMQ6MZGHPg/U7Fcyqf+rxqiZfSur6myVtc=
@@ -302,6 +311,7 @@ github.com/protobom/protobom v0.5.2/go.mod h1:io5yUKGWBqGa2sx1n7aVPg+tG13Hun9oMz
 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 
@@ -0,0 +1,187 @@
+/*
+Copyright © 2025 NAME HERE <EMAIL ADDRESS>
+*/
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+
+	"github.com/spf13/cobra"
+
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/attest"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/audit"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/ghcontrol"
+)
+
+type AuditMode int
+
+const (
+	AuditModeBasic AuditMode = 1
+	AuditModeFull  AuditMode = 2
+)
+
+// Enable audit mode enum
+// String is used both by fmt.Print and by Cobra in help text
+func (e *AuditMode) String() string {
+	switch *e {
+	case AuditModeBasic:
+		return "basic"
+	case AuditModeFull:
+		return "full"
+	}
+	return "error"
+}
+
+// Set must have pointer receiver so it doesn't change the value of a copy
+func (e *AuditMode) Set(v string) error {
+	switch v {
+	case "basic":
+		*e = AuditModeBasic
+		return nil
+	case "full":
+		*e = AuditModeFull
+		return nil
+	default:
+		return errors.New(`must be one of "foo", "bar", or "moo"`)
+	}
+}
+
+// Type is only used in help text
+func (e *AuditMode) Type() string {
+	return "AuditMode"
+}
+
+type AuditArgs struct {
+	owner        string
+	repo         string
+	branch       string
+	auditDepth   int
+	endingCommit string
+	auditMode    AuditMode
+}
+
+func (aa *AuditArgs) Validate() error {
+	if aa.owner == "" || aa.repo == "" || aa.branch == "" {
+		return errors.New("must set owner, repo, and branch flags")
+	}
+	return nil
+}
+
+var (
+	auditArgs = &AuditArgs{}
+
+	auditCmd = &cobra.Command{
+		Use:   "audit",
+		Short: "Audits the SLSA properties and controls of a repository",
+		Long: `Checks the revisions on the specified branch within the repository.
+
+Revisions 'pass'and audit if they have:
+1. A corresponding VSA
+2. Corresponding source provenance
+3. The revision (commit) listed in the provenance matches the revision reported by GitHub
+
+Future:
+* Check the provenance to validate the verifiedLevels in the VSA match expectations
+  (i.e. that the VSA was issued correctly)
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			err := doAudit(auditArgs)
+			if err != nil {
+				log.Fatal(err)
+			}
+		},
+	}
+)
+
+func printResult(ghc *ghcontrol.GitHubConnection, ar *audit.AuditCommitResult, mode AuditMode) {
+	good := ar.IsGood()
+	status := "passed"
+	if !good {
+		status = "failed"
+	}
+	fmt.Printf("commit: %s - %v\n", ar.Commit, status)
+
+	if good && AuditModeBasic == mode {
+		return
+	}
+
+	if ar.VsaPred != nil {
+		fmt.Printf("\tvsa: %v\n", ar.VsaPred.GetVerifiedLevels())
+	} else {
+		fmt.Printf("\tvsa: none\n")
+	}
+	if ar.ProvPred != nil {
+		fmt.Print("\tprov:\n")
+		fmt.Printf("\t\tcontrols: %v\n", ar.ProvPred.Controls)
+		if ar.ProvPred.PrevCommit == ar.GhPriorCommit {
+			fmt.Printf("\t\tPrevCommit matches GH commit: true\n")
+		} else {
+			fmt.Printf("\t\tPrevCommit matches GH commit: false: %s != %s\n", ar.ProvPred.PrevCommit, ar.GhPriorCommit)
+		}
+	} else {
+		fmt.Printf("\tprov: none\n")
+	}
+	if ar.GhControlStatus != nil {
+		fmt.Printf("\tgh controls: %v\n", ar.GhControlStatus.Controls)
+	}
+
+	fmt.Printf("\tlink: https://github.com/%s/%s/commit/%s\n", ghc.Owner(), ghc.Repo(), ar.GhPriorCommit)
+}
+
+func doAudit(auditArgs *AuditArgs) error {
+	err := auditArgs.Validate()
+	if err != nil {
+		return err
+	}
+
+	ghc := ghcontrol.NewGhConnection(auditArgs.owner, auditArgs.repo, ghcontrol.BranchToFullRef(auditArgs.branch)).WithAuthToken(githubToken)
+	ctx := context.Background()
+	verifier := getVerifier()
+	pa := attest.NewProvenanceAttestor(ghc, verifier)
+
+	auditor := audit.NewAuditor(ghc, pa, verifier)
+
+	latestCommit, err := ghc.GetLatestCommit(ctx, auditArgs.branch)
+	if err != nil {
+		return fmt.Errorf("could not get latest commit for %s", auditArgs.branch)
+	}
+
+	fmt.Printf("Auditing branch %s starting from revision %s\n", auditArgs.branch, latestCommit)
+
+	count := 0
+	for ar, err := range auditor.AuditBranch(ctx, auditArgs.branch) {
+		if ar == nil {
+			return err
+		}
+		if err != nil {
+			fmt.Printf("\terror: %v\n", err)
+		}
+		printResult(ghc, ar, auditArgs.auditMode)
+		if auditArgs.endingCommit != "" && auditArgs.endingCommit == ar.Commit {
+			fmt.Printf("Found ending commit %s\n", auditArgs.endingCommit)
+			return nil
+		}
+		if auditArgs.auditDepth > 0 && count >= auditArgs.auditDepth {
+			fmt.Printf("Reached depth limit %d\n", auditArgs.auditDepth)
+			return nil
+		}
+		count++
+	}
+
+	return nil
+}
+
+func init() {
+	rootCmd.AddCommand(auditCmd)
+
+	auditCmd.Flags().StringVar(&auditArgs.owner, "owner", "", "The GitHub repository owner - required.")
+	auditCmd.Flags().StringVar(&auditArgs.repo, "repo", "", "The GitHub repository name - required.")
+	auditCmd.Flags().StringVar(&auditArgs.branch, "branch", "", "The branch within the repository - required.")
+	auditCmd.Flags().IntVar(&auditArgs.auditDepth, "depth", 0, "The max number of revisions to audit (depth <= audit all revisions).")
+	auditCmd.Flags().StringVar(&auditArgs.endingCommit, "ending-commit", "", "The commit to stop auditing at.")
+	auditArgs.auditMode = AuditModeBasic
+	auditCmd.Flags().Var(&auditArgs.auditMode, "audit-mode", "'basic' for limited details (default), 'full' for all details")
+}
@@ -3,8 +3,12 @@ Copyright © 2025 NAME HERE <EMAIL ADDRESS>
 */
 package main
 
-import "github.com/slsa-framework/slsa-source-poc/sourcetool/cmd"
+import (
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/cmd"
+)
 
 func main() {
+	// To enable debug logging
+	// Add this line slog.SetLogLoggerLevel(slog.LevelDebug)
 	cmd.Execute()
 }
@@ -0,0 +1,10 @@
+package attest
+
+import (
+	"fmt"
+	"log/slog"
+)
+
+func Debugf(format string, args ...any) {
+	slog.Debug(fmt.Sprintf(format, args...))
+}
@@ -174,7 +174,7 @@ func (pa ProvenanceAttestor) createCurrentProvenance(ctx context.Context, commit
 func (pa ProvenanceAttestor) GetProvenance(ctx context.Context, commit, ref string) (*spb.Statement, *SourceProvenancePred, error) {
 	notes, err := pa.gh_connection.GetNotesForCommit(ctx, commit)
 	if notes == "" {
-		log.Printf("didn't find notes for commit %s", commit)
+		Debugf("didn't find notes for commit %s", commit)
 		return nil, nil, nil
 	}
 
@@ -190,12 +190,9 @@ func (pa ProvenanceAttestor) GetProvenance(ctx context.Context, commit, ref stri
 func (pa ProvenanceAttestor) getProvFromReader(reader *BundleReader, commit, ref string) (*spb.Statement, *SourceProvenancePred, error) {
 	for {
 		stmt, err := reader.ReadStatement(MatchesTypeAndCommit(SourceProvPredicateType, commit))
-		if err != nil {
-			return nil, nil, err
-		}
 		if err != nil {
 			// Ignore errors, we want to check all the lines.
-			log.Printf("error while processing line: %v", err)
+			Debugf("error while processing line: %v", err)
 			continue
 		}
 
@@ -212,11 +209,11 @@ func (pa ProvenanceAttestor) getProvFromReader(reader *BundleReader, commit, ref
 			// Should be good!
 			return stmt, prevProdPred, nil
 		} else {
-			log.Printf("prov '%v' does not reference commit '%s' for branch '%s', skipping", stmt, commit, ref)
+			Debugf("prov '%v' does not reference commit '%s' for branch '%s', skipping", stmt, commit, ref)
 		}
 	}
 
-	log.Printf("didn't find commit %s for ref %s", commit, ref)
+	Debugf("didn't find commit %s for ref %s", commit, ref)
 	return nil, nil, nil
 }
 
@@ -250,7 +247,7 @@ func (pa ProvenanceAttestor) CreateSourceProvenance(ctx context.Context, prevAtt
 
 	// No prior provenance found, so we just go with current.
 	if prevProvStmt == nil || prevProvPred == nil {
-		log.Printf("No previous provenance found, have to bootstrap\n")
+		Debugf("No previous provenance found, have to bootstrap\n")
 		return curProv, nil
 	}
 
 
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 
 	spb "github.com/in-toto/attestation/go/v1"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -31,7 +30,7 @@ func (br *BundleReader) convertLineToStatement(line string) (*spb.Statement, err
 	} else {
 		// We ignore errors because there could be other stuff in the
 		// bundle this line came from.
-		log.Printf("Line '%s' failed verification: %v", line, err)
+		Debugf("Line '%s' failed verification: %v", line, err)
 	}
 
 	// TODO: add support for 'regular' DSSEs.
@@ -68,11 +67,11 @@ type StatementMatcher func(*spb.Statement) bool
 func MatchesTypeAndCommit(predicateType, commit string) StatementMatcher {
 	return func(statement *spb.Statement) bool {
 		if statement.GetPredicateType() != predicateType {
-			log.Printf("statement predicate type (%s) doesn't match %s", statement.GetPredicateType(), predicateType)
+			Debugf("statement predicate type (%s) doesn't match %s", statement.GetPredicateType(), predicateType)
 			return false
 		}
 		if !DoesSubjectIncludeCommit(statement, commit) {
-			log.Printf("statement \n%v\n does not match commit %s", StatementToString(statement), commit)
+			Debugf("statement \n%v\n does not match commit %s", StatementToString(statement), commit)
 			return false
 		}
 		return true
@@ -102,7 +101,8 @@ func (br *BundleReader) ReadStatement(matcher StatementMatcher) (*spb.Statement,
 		}
 		statement, err := br.convertLineToStatement(line)
 		if err != nil {
-			return nil, fmt.Errorf("problem converting line to statement line: '%s', error: %w", line, err)
+			// Ignore errors, the next line could be fine.
+			Debugf("problem converting line to statement line: '%s', error: %v", line, err)
 		}
 		if statement == nil {
 			// Not sure what this is, just continue