✨ CLI for scorecard-attestor (#2309)

* Reorganize

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Working commit

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Compile with local scorecard; go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add signing code

Heavily borrowed from https://github.com/grafeas/kritis/blob/master/cmd/kritis/signer/main.go

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Update deps

* Naming
* Makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Edit license, add lint.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* checks: go mod tidy, license

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Split into checker/signer files
* Naming convention

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* License, remove golangci.yml

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Address PR comments

* Use cobra

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add tests for root command

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Filter out checks that aren't needed for policy evaluation

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Add `make` targets for attestor; submit coverage stats

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Improvements

* Use sclog instead of glog
* Remove unneeded subcommands
* Formatting

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Flags: Make note-name constant and fix messaging

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Remove SupportedRequestTypes

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* go mod tidy, makefile

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

* Fix GH actions run

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

Signed-off-by: Raghav Kaul <raghavkaul@google.com>

.github/workflows/integration.yml

@@ -76,6 +76,16 @@ jobs:
           retry_on: error
           timeout_minutes: 30
           command: make e2e-pat
+      
+      - name: Run attestor e2e
+        run: make e2e-attestor
+        env:
+          GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
+        with:
+          max_attempts: 3
+          retry_on: error
+          timeout_minutes: 10
+          command: make e2e-attestor
 
       - name: codecov
         uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
@@ -83,6 +93,12 @@ jobs:
          files: ./e2e-coverage.out
          verbose: true
 
+      - name: codecov attestor
+        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+        with:
+         files: ./attestor/e2e/e2e-coverage.out
+         verbose: true
+
       - name: find comment
         uses: peter-evans/find-comment@b657a70ff16d17651703a84bee1cb9ad9d2be2ea # v2.0.1
         id: fc

.github/workflows/main.yml

@@ -64,12 +64,17 @@ jobs:
          check-latest: true
          cache: true
      - name: Run unit-tests
-       run: make unit-test
+       run: make unit-test unit-test-attestor
      - name: Upload codecoverage
        uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
        with:
          files: ./unit-coverage.out
          verbose: true
+     - name: Upload codecoverage attestor
+       uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # 2.1.0
+       with:
+         files: ./attestor/unit-coverage.out
+         verbose: true
   generate-mocks:
     name: generate-mocks
     runs-on: ubuntu-latest

.gitignore

@@ -1,5 +1,6 @@
 # binary.
 scorecard
+attestor/scorecard-attestor
 scorecard.docker
 scorecard.releaser
 gitblobcache

Makefile

@@ -123,7 +123,7 @@ build-cron: build-controller build-worker build-cii-worker \
 	build-shuffler build-bq-transfer build-github-server \
 	build-webhook build-add-script build-validate-script build-update-script
 
-build-targets = generate-mocks generate-docs build-scorecard build-cron build-proto
+build-targets = generate-mocks generate-docs build-scorecard build-cron build-proto build-attestor
 .PHONY: build $(build-targets)
 build: ## Build all binaries and images in the repo.
 build: $(build-targets)
@@ -239,6 +239,10 @@ cron/internal/bq/data-transfer.docker: cron/internal/bq/Dockerfile $(CRON_TRANSF
 			--tag $(IMAGE_NAME)-bq-transfer && \
 			touch cron/internal/bq/data-transfer.docker
 
+build-attestor: ## Runs go build on scorecard attestor
+	# Run go build on scorecard attestor
+	cd attestor/; CGO_ENABLED=0 go build -trimpath -a -tags netgo -ldflags '$(LDFLAGS)' -o scorecard-attestor
+
 TOKEN_SERVER_DEPS = $(shell find clients/githubrepo/roundtripper/tokens/ -iname "*.go")
 build-github-server: ## Build GitHub token server
 build-github-server: clients/githubrepo/roundtripper/tokens/server/github-auth-server
@@ -323,6 +327,10 @@ e2e-gh-token: ## Runs e2e tests. Requires GITHUB_AUTH_TOKEN env var to be set to
 e2e-gh-token: build-scorecard check-env | $(GINKGO)
 	# Run e2e tests. GITHUB_AUTH_TOKEN set to secrets.GITHUB_TOKEN must be used to run this.
 	TOKEN_TYPE="GITHUB_TOKEN" $(GINKGO) --race -p -v -cover -coverprofile=e2e-coverage.out --keep-separate-coverprofiles ./...
+
+e2e-attestor: ## Runs e2e tests for scorecard-attestor
+	cd attestor/e2e; go test -covermode=atomic -coverprofile=e2e-coverage.out; cd ../..
+
 ###############################################################################
 
 ##@ TODO(#744)

attestor/command/check.go

@@ -0,0 +1,104 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package command
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/ossf/scorecard-attestor/policy"
+	"github.com/ossf/scorecard/v4/checker"
+	"github.com/ossf/scorecard/v4/checks"
+	sclog "github.com/ossf/scorecard/v4/log"
+	"github.com/ossf/scorecard/v4/pkg"
+)
+
+func runCheck() error {
+	ctx := context.Background()
+	logger := sclog.NewLogger(sclog.DefaultLevel)
+
+	// Read the Binauthz attestation policy
+	if policyPath == "" {
+		return fmt.Errorf("policy path is empty")
+	}
+	attestationPolicy, err := policy.ParseAttestationPolicyFromFile(policyPath)
+	if err != nil {
+		return fmt.Errorf("fail to load scorecard attestation policy: %v", err)
+	}
+
+	if repoURL == "" {
+		buildRepo := os.Getenv("REPO_NAME")
+		if buildRepo == "" {
+			return fmt.Errorf("repoURL not specified")
+		}
+		repoURL = buildRepo
+		logger.Info(fmt.Sprintf("Found repo URL %s Cloud Build environment", repoURL))
+	} else {
+		logger.Info(fmt.Sprintf("Running scorecard on %s", repoURL))
+	}
+
+	if commitSHA == "" {
+		buildSHA := os.Getenv("COMMIT_SHA")
+		if buildSHA == "" {
+			logger.Info("commit not specified, running on HEAD")
+		} else {
+			commitSHA = buildSHA
+			logger.Info(fmt.Sprintf("Found revision %s Cloud Build environment", commitSHA))
+		}
+	}
+
+	repo, repoClient, ossFuzzRepoClient, ciiClient, vulnsClient, err := checker.GetClients(
+		ctx, repoURL, "", logger)
+
+	requiredChecks := attestationPolicy.GetRequiredChecksForPolicy()
+
+	enabledChecks := map[string]checker.Check{
+		"BinaryArtifacts": {
+			Fn: checks.BinaryArtifacts,
+		},
+	}
+
+	// Filter out checks that won't be needed for policy-evaluation time
+	for name := range enabledChecks {
+		if _, isRequired := requiredChecks[name]; !isRequired {
+			delete(enabledChecks, name)
+		}
+	}
+
+	repoResult, err := pkg.RunScorecards(
+		ctx,
+		repo,
+		commitSHA,
+		enabledChecks,
+		repoClient,
+		ossFuzzRepoClient,
+		ciiClient,
+		vulnsClient,
+	)
+	if err != nil {
+		return fmt.Errorf("RunScorecards: %w", err)
+	}
+
+	result, err := attestationPolicy.EvaluateResults(&repoResult.RawResults)
+	if err != nil {
+		return fmt.Errorf("error when evaluating image %q against policy", image)
+	}
+	if result != policy.Pass {
+		return fmt.Errorf("image failed policy check %s:", image)
+	}
+	logger.Info("Policy check passed")
+	return nil
+}

attestor/command/cli.go

@@ -0,0 +1,108 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package pkg defines fns for running Scorecard checks on a Repo.
+
+package command
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+var (
+	// input flags
+	repoURL            string
+	commitSHA          string
+	mode               string
+	image              string
+	policyPath         string
+	attestationProject string
+	overwrite          bool
+	// input flags: pgp key flags
+	pgpPriKeyPath string
+	pgpPassphrase string
+	// pkix key flags
+	pkixPriKeyPath string
+	pkixAlg        string
+
+	// input flags: kms flags
+	kmsKeyName   string
+	kmsDigestAlg string
+)
+
+func addCheckFlags(cmd *cobra.Command) {
+	cmd.PersistentFlags().StringVar(&policyPath, "policy", "", "(required for check) scorecard attestation policy file path, e.g., /tmp/policy-binauthz.yml")
+	cmd.MarkPersistentFlagRequired("policy")
+	cmd.PersistentFlags().StringVar(&repoURL, "repo-url", "", "Repo URL from which source was built")
+	cmd.MarkPersistentFlagRequired("repo-url")
+	cmd.PersistentFlags().StringVar(&commitSHA, "commit", "", "Git SHA at which image was built")
+}
+
+func addSignFlags(cmd *cobra.Command) {
+	cmd.PersistentFlags().StringVar(&image, "image", "", "Image url, e.g., gcr.io/foo/bar@sha256:abcd")
+	cmd.MarkPersistentFlagRequired("image")
+	cmd.PersistentFlags().StringVar(&attestationProject, "attestation-project", "", "project id for GCP project that stores attestation, use image project if set to empty")
+	cmd.PersistentFlags().BoolVar(&overwrite, "overwrite", false, "overwrite attestation if already existed (default false)")
+	cmd.PersistentFlags().StringVar(&kmsKeyName, "kms-key-name", "", "kms key name, in the format of in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*")
+	cmd.PersistentFlags().StringVar(&kmsDigestAlg, "kms-digest-alg", "", "kms digest algorithm, must be one of SHA256|SHA384|SHA512, and the same as specified by the key version's algorithm")
+	cmd.PersistentFlags().StringVar(&pgpPriKeyPath, "pgp-private-key", "", "pgp private signing key path, e.g., /dev/shm/key.pgp")
+	cmd.PersistentFlags().StringVar(&pgpPassphrase, "pgp-passphrase", "", "passphrase for pgp private key, if any")
+	cmd.PersistentFlags().StringVar(&pkixPriKeyPath, "pkix-private-key", "", "pkix private signing key path, e.g., /dev/shm/key.pem")
+	cmd.PersistentFlags().StringVar(&pkixAlg, "pkix-alg", "", "pkix signature algorithm, e.g., ecdsa-p256-sha256")
+
+}
+
+// Export for testability
+var RootCmd = &cobra.Command{
+	Use:   "scorecard-attestor",
+	Short: "scorecard-attestor generates attestations based on scorecard results",
+}
+
+var checkAndSignCmd = &cobra.Command{
+	Use:   "attest",
+	Short: "Run scorecard and sign a container image according to policy",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := runCheck(); err != nil {
+			return err
+		}
+		return runSign()
+	},
+}
+
+var checkCmd = &cobra.Command{
+	Use:   "verify",
+	Short: "Run scorecard and check an image against a policy",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runCheck()
+	},
+}
+
+func init() {
+	RootCmd.AddCommand(checkCmd, checkAndSignCmd)
+
+	addCheckFlags(checkAndSignCmd)
+	addSignFlags(checkAndSignCmd)
+
+	addCheckFlags(checkCmd)
+}
+
+func Execute() {
+	if err := RootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}

attestor/command/sign.go

@@ -0,0 +1,105 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package command
+
+import (
+	"fmt"
+	"io/ioutil"
+
+	"github.com/grafeas/kritis/pkg/attestlib"
+	"github.com/grafeas/kritis/pkg/kritis/metadata/containeranalysis"
+	"github.com/grafeas/kritis/pkg/kritis/signer"
+	"github.com/grafeas/kritis/pkg/kritis/util"
+	sclog "github.com/ossf/scorecard/v4/log"
+)
+
+const scorecardNoteID = "ossf-scorecard-attestation"
+
+func runSign() error {
+	logger := sclog.NewLogger(sclog.DefaultLevel)
+
+	// Create a client
+	client, err := containeranalysis.New()
+	if err != nil {
+		return fmt.Errorf("could not initialize the client %v", err)
+	}
+
+	// Read the signing credentials
+	// Either kmsKeyName or pgpPriKeyPath needs to be set
+	if kmsKeyName == "" && pgpPriKeyPath == "" && pkixPriKeyPath == "" {
+		return fmt.Errorf("neither kms_key_name, pgp_private_key, or pkix_private_key is specified")
+	}
+	var cSigner attestlib.Signer
+	if kmsKeyName != "" {
+		logger.Info(fmt.Sprintf("Using kms key %s for signing.", kmsKeyName))
+		if kmsDigestAlg == "" {
+			return fmt.Errorf("kms_digest_alg is unspecified, must be one of SHA256|SHA384|SHA512, and the same as specified by the key version's algorithm")
+		}
+		cSigner, err = signer.NewCloudKmsSigner(kmsKeyName, signer.DigestAlgorithm(kmsDigestAlg))
+		if err != nil {
+			return fmt.Errorf("creating kms signer failed: %v\n", err)
+		}
+	} else if pgpPriKeyPath != "" {
+		logger.Info("Using pgp key for signing.")
+		signerKey, err := ioutil.ReadFile(pgpPriKeyPath)
+		if err != nil {
+			return fmt.Errorf("fail to read signer key: %v\n", err)
+		}
+		// Create a cryptolib signer
+		cSigner, err = attestlib.NewPgpSigner(signerKey, pgpPassphrase)
+		if err != nil {
+			return fmt.Errorf("creating pgp signer failed: %v\n", err)
+		}
+	} else {
+		logger.Info("Using pkix key for signing.")
+		signerKey, err := ioutil.ReadFile(pkixPriKeyPath)
+		if err != nil {
+			return fmt.Errorf("fail to read signer key: %v\n", err)
+		}
+		sAlg := attestlib.ParseSignatureAlgorithm(pkixAlg)
+		if sAlg == attestlib.UnknownSigningAlgorithm {
+			return fmt.Errorf("empty or unknown PKIX signature algorithm: %s\n", pkixAlg)
+		}
+		cSigner, err = attestlib.NewPkixSigner(signerKey, sAlg, "")
+		if err != nil {
+			return fmt.Errorf("creating pkix signer failed: %v\n", err)
+		}
+	}
+
+	// Parse attestation project
+	if attestationProject == "" {
+		attestationProject = util.GetProjectFromContainerImage(image)
+		logger.Info(fmt.Sprintf("Using image project as attestation project: %s\n", attestationProject))
+	} else {
+		logger.Info(fmt.Sprintf("Using specified attestation project: %s\n", attestationProject))
+	}
+
+	// Check note name
+	scorecardNoteName := fmt.Sprintf("projects/%s/notes/%s", attestationProject, scorecardNoteID)
+
+	err = util.CheckNoteName(scorecardNoteName)
+	if err != nil {
+		return fmt.Errorf("note name is invalid %v", err)
+	}
+
+	// Create signer
+	r := signer.New(client, cSigner, scorecardNoteName, attestationProject, overwrite)
+	// Sign image
+	err = r.SignImage(image)
+	if err != nil {
+		return fmt.Errorf("signing image failed: %v", err)
+	}
+	return nil
+}

attestor/e2e/command_test.go

@@ -0,0 +1,59 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package e2e
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/ossf/scorecard-attestor/command"
+	"github.com/spf13/cobra"
+)
+
+func execute(t *testing.T, c *cobra.Command, args ...string) (string, error) {
+	t.Helper()
+
+	buf := new(bytes.Buffer)
+	c.SetOut(buf)
+	c.SetErr(buf)
+	c.SetArgs(args)
+
+	err := c.Execute()
+	return strings.TrimSpace(buf.String()), err
+}
+
+func TestRootCmd(t *testing.T) {
+	tt := []struct {
+		name string
+		args []string
+	}{
+		{
+			name: "test check-only from root",
+			args: []string{
+				"verify",
+				"--policy=../policy/testdata/policy-binauthz.yaml",
+				"--repo-url=https://github.com/ossf-tests/scorecard",
+			},
+		},
+	}
+
+	for _, tc := range tt {
+		_, err := execute(t, command.RootCmd, tc.args...)
+
+		if err != nil {
+			t.Fatalf("%s: %s", tc.name, err)
+		}
+	}
+}

attestor/go.mod

@@ -4,44 +4,112 @@ go 1.19
 
 require (
 	github.com/ossf/scorecard/v4 v4.6.0
+	github.com/spf13/cobra v1.6.1
 	gopkg.in/yaml.v2 v2.4.0
 )
 
 require (
-	cloud.google.com/go v0.102.1 // indirect
-	cloud.google.com/go/compute v1.7.0 // indirect
-	cloud.google.com/go/iam v0.3.0 // indirect
-	cloud.google.com/go/storage v1.23.0 // indirect
+	cloud.google.com/go/kms v1.4.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.22 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.17 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/caarlos0/env/v6 v6.10.0 // indirect
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
+	github.com/containerd/typeurl v1.0.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v20.10.20+incompatible // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker v20.10.20+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/fatih/color v1.13.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/go-containerregistry v0.12.0 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gnostic v0.2.2 // indirect
+	github.com/gophercloud/gophercloud v0.1.0 // indirect
+	github.com/h2non/filetype v1.1.3 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/json-iterator/go v1.1.11 // indirect
+	github.com/klauspost/compress v1.15.11 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/moby/buildkit v0.10.3 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.1 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/rhysd/actionlint v1.6.15 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/robfig/cron v1.2.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/term v0.1.0 // indirect
+	golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/api v0.18.8 // indirect
+	k8s.io/apimachinery v0.18.8 // indirect
+	k8s.io/client-go v0.18.8 // indirect
+	k8s.io/klog v1.0.0 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
+	mvdan.cc/sh/v3 v3.5.1 // indirect
+	sigs.k8s.io/release-utils v0.6.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v3 v3.0.0 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)
+
+require (
+	cloud.google.com/go v0.104.0 // indirect
+	cloud.google.com/go/compute v1.10.0 // indirect
+	cloud.google.com/go/containeranalysis v0.6.0 // indirect
+	cloud.google.com/go/iam v0.5.0 // indirect
+	cloud.google.com/go/storage v1.27.0 // indirect
 	github.com/bombsimon/logrusr/v2 v2.0.1 // indirect
 	github.com/bradleyfalzon/ghinstallation/v2 v2.1.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/gobwas/glob v0.2.3
 	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github/v38 v38.1.0 // indirect
 	github.com/google/go-github/v45 v45.2.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/google/wire v0.5.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
-	github.com/googleapis/go-type-adapters v1.0.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.6.0 // indirect
+	github.com/grafeas/kritis v0.2.3-0.20210120183821-faeba81c520c
 	github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa // indirect
 	github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	gocloud.dev v0.26.0 // indirect
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
-	golang.org/x/oauth2 v0.0.0-20220718184931-c8730f7fcb92 // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
-	google.golang.org/api v0.92.0 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/net v0.1.0 // indirect
+	golang.org/x/oauth2 v0.1.0 // indirect
+	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/api v0.99.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220812140447-cec7f5303424 // indirect
-	google.golang.org/grpc v1.48.0 // indirect
+	google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b // indirect
+	google.golang.org/grpc v1.50.1 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 )
+
+replace github.com/ossf/scorecard/v4 => ../

attestor/policy/attestation_policy.go

@@ -36,12 +36,23 @@ type AttestationPolicy struct {
 	AllowedBinaryArtifacts []string `yaml:"allowedBinaryArtifacts"`
 }
 
-// Run attestation policy checks on raw data.
-func RunChecksForPolicy(policy *AttestationPolicy, raw *checker.RawResults,
-	dl checker.DetailLogger,
-) (PolicyResult, error) {
-	if policy.PreventBinaryArtifacts {
-		checkResult, err := CheckPreventBinaryArtifacts(policy.AllowedBinaryArtifacts, raw, dl)
+// Allows us to run fewer scorecard checks if some policy values
+// are don't-cares
+func (ap *AttestationPolicy) GetRequiredChecksForPolicy() map[string]bool {
+	requiredChecks := make(map[string]bool)
+
+	if ap.PreventBinaryArtifacts {
+		requiredChecks["BinaryArtifacts"] = true
+	}
+
+	return requiredChecks
+}
+
+// Run attestation policy checks on raw data
+func (ap *AttestationPolicy) EvaluateResults(raw *checker.RawResults) (PolicyResult, error) {
+	dl := checker.NewLogger()
+	if ap.PreventBinaryArtifacts {
+		checkResult, err := CheckPreventBinaryArtifacts(ap.AllowedBinaryArtifacts, raw, dl)
 
 		if !checkResult || err != nil {
 			return checkResult, err

attestor/root.go

@@ -0,0 +1,21 @@
+// Copyright 2022 Security Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "github.com/ossf/scorecard-attestor/command"
+
+func main() {
+	command.Execute()
+}