#!/usr/bin/expect -f # Note: Expects to be able to run 'sudo install' without a password set timeout -1 set send_human {0.05 0 1 0.05 0.3} set CTRLC \003 set record_name [lindex $argv 0]; proc expect_prompt {} { # This matches the trailing 0m of our ANSI control sequence. See PS1 in Dockerfile. expect "0m " } proc run_command {cmd} { send -h "$cmd" send "\r" expect -timeout 1 } # Start recording spawn asciinema rec --overwrite /recordings/check-sbom.cast send "\r" expect_prompt run_command "# Step 1: Install SLSA verifier" expect_prompt run_command "curl -sLO https://github.com/slsa-framework/slsa-verifier/releases/latest/download/slsa-verifier-linux-amd64" expect_prompt run_command "sudo install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier" expect_prompt run_command "# Step 2: Download Constellation SBOM and provenance" expect_prompt run_command "curl -sLO https://github.com/edgelesssys/constellation/releases/latest/download/constellation.spdx.sbom" expect_prompt run_command "curl -sLO https://github.com/edgelesssys/constellation/releases/latest/download/constellation.intoto.jsonl" expect_prompt run_command "# Step 3: Check integrity of SBOM" expect_prompt run_command "slsa-verifier verify-artifact constellation.spdx.sbom --provenance-path constellation.intoto.jsonl --source-uri github.com/edgelesssys/constellation" expect_prompt run_command "# Step 4: Install grype (security scanner)" expect_prompt run_command "curl -sLO https://github.com/anchore/grype/releases/download/v0.56.0/grype_0.56.0_linux_amd64.tar.gz" expect_prompt run_command "tar -xvzf grype_0.56.0_linux_amd64.tar.gz" expect_prompt run_command "sudo install grype /usr/local/bin/grype" expect_prompt run_command "grype --help" expect_prompt run_command "# Step 5: Check for vulnerabilities" expect_prompt run_command "grype constellation.spdx.sbom -o table -q" expect_prompt # Stop recording send "exit"