#!/usr/bin/expect -f
# Note: Expects to be able to run 'sudo install' without a password
# Never time out while waiting for output: the downloads and the vulnerability
# scan below can take a while, and a timeout would truncate the recording.
set timeout -1

# Typing cadence used by `send -h` (see the send_human entry in the expect
# man page); gives the recording a human-looking keystroke rhythm.
set send_human {0.05 0 1 0.05 0.3}

# Raw ETX byte (Ctrl-C); not referenced anywhere else in this script as shown.
set CTRLC \003

# First command-line argument; also not referenced elsewhere in this script as
# shown (the cast path further down is hard-coded).
lassign $argv record_name
proc expect_prompt {} {
  # Block until the recorded shell shows its prompt again. PS1 (set in the
  # Dockerfile) ends with an ANSI reset sequence, so its trailing "0m " is
  # the marker we wait for. Matched exactly (-ex): the marker contains no
  # glob metacharacters, so this is the same match as a glob pattern.
  expect -ex "0m "
}
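proc run_command {cmd} {
  # Type `cmd` into the recorded shell with human-like delays, submit it, and
  # give its output a moment to reach the recording.
  #
  # cmd: the command line to type. Completion is not awaited here; callers
  #      follow up with expect_prompt when the next step depends on it.
  #
  # `--` ends option parsing so a command line that happens to start with '-'
  # is typed verbatim instead of being misread as a send option.
  send -h -- $cmd
  send -- "\r"
  # No pattern: this just waits one second (or until eof), letting the
  # command's output stream in before the script moves on.
  expect -timeout 1
}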
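# Start recording
# Every command below is typed into a shell that asciinema records to a fixed
# path; record_name (taken from argv near the top of the script) is not used.
spawn asciinema rec --overwrite /recordings/check-sbom.cast
send "\r"
expect_prompt

# Nothing in this script inspects exit codes: a failed download or a failed
# verification still yields a "successful" recording. Each command is followed
# by expect_prompt so the next one is not typed before the previous returns.

run_command "# Step 1: Install SLSA verifier"
expect_prompt
# The verifier itself is fetched from an unpinned "latest" release and installed
# system-wide via sudo without any checksum or signature check, so everything
# Step 3 proves rests on this one HTTPS download. Outside a demo, pin the
# version and verify the binary before installing it.
run_command "curl -sLO https://github.com/slsa-framework/slsa-verifier/releases/latest/download/slsa-verifier-linux-amd64"
expect_prompt
run_command "sudo install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier"
expect_prompt

run_command "# Step 2: Download Constellation SBOM and provenance"
expect_prompt
run_command "curl -sLO https://github.com/edgelesssys/constellation/releases/latest/download/constellation.spdx.sbom"
expect_prompt
run_command "curl -sLO https://github.com/edgelesssys/constellation/releases/latest/download/constellation.intoto.jsonl"
expect_prompt

run_command "# Step 3: Check integrity of SBOM"
expect_prompt
# Checks that the provenance covers this exact SBOM and that it was produced
# from the named source repository. Both files came from "latest", so no
# particular release version is pinned by this check.
run_command "slsa-verifier verify-artifact constellation.spdx.sbom --provenance-path constellation.intoto.jsonl --source-uri github.com/edgelesssys/constellation"
expect_prompt

run_command "# Step 4: Install grype (security scanner)"
expect_prompt
# Version-pinned, but like the verifier it is installed with sudo without any
# checksum or signature verification of the downloaded tarball.
run_command "curl -sLO https://github.com/anchore/grype/releases/download/v0.56.0/grype_0.56.0_linux_amd64.tar.gz"
expect_prompt
run_command "tar -xvzf grype_0.56.0_linux_amd64.tar.gz"
expect_prompt
run_command "sudo install grype /usr/local/bin/grype"
expect_prompt
run_command "grype --help"
expect_prompt

run_command "# Step 5: Check for vulnerabilities"
expect_prompt
# Scans the provenance-checked SBOM; -q is grype's quiet mode so only the
# result table lands in the recording.
run_command "grype constellation.spdx.sbom -o table -q"
expect_prompt

# Stop recording
# Submit "exit" with a carriage return like every other command (previously it
# was typed but never entered), then wait for asciinema to close so the cast
# file is completely written before this script terminates.
send -- "exit\r"
expect eof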