constellation/docs/screencasts/docker/check-sbom.expect

62 lines
1.9 KiB
Plaintext
Raw Normal View History

#!/usr/bin/expect -f
# Note: Expects to be able to run 'sudo install' without a password
set timeout -1
set send_human {0.05 0 1 0.05 0.3}
set CTRLC \003
set record_name [lindex $argv 0];
proc expect_prompt {} {
# This matches the trailing 0m of our ANSI control sequence. See PS1 in Dockerfile.
expect "0m "
}
proc run_command {cmd} {
send -h "$cmd"
send "\r"
expect -timeout 1
}
# Start recording
spawn asciinema rec --overwrite /recordings/check-sbom.cast
send "\r"
expect_prompt
run_command "# Step 1: Install SLSA verifier"
expect_prompt
run_command "curl -sLO https://github.com/slsa-framework/slsa-verifier/releases/latest/download/slsa-verifier-linux-amd64"
expect_prompt
run_command "sudo install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier"
expect_prompt
run_command "# Step 2: Download Constellation SBOM and provenance"
expect_prompt
run_command "curl -sLO https://github.com/edgelesssys/constellation/releases/latest/download/constellation.spdx.sbom"
expect_prompt
run_command "curl -sLO https://github.com/edgelesssys/constellation/releases/latest/download/constellation.intoto.jsonl"
expect_prompt
run_command "# Step 3: Check integrity of SBOM"
expect_prompt
run_command "slsa-verifier verify-artifact constellation.spdx.sbom --provenance-path constellation.intoto.jsonl --source-uri github.com/edgelesssys/constellation"
expect_prompt
run_command "# Step 4: Install grype (security scanner)"
expect_prompt
run_command "curl -sLO https://github.com/anchore/grype/releases/download/v0.56.0/grype_0.56.0_linux_amd64.tar.gz"
expect_prompt
run_command "tar -xvzf grype_0.56.0_linux_amd64.tar.gz"
expect_prompt
run_command "sudo install grype /usr/local/bin/grype"
expect_prompt
run_command "grype --help"
expect_prompt
run_command "# Step 5: Check for vulnerabilities"
expect_prompt
run_command "grype constellation.spdx.sbom -o table -q"
expect_prompt
# Stop recording
send "exit"