fix(security): harden image context and runtime receipts
Some checks failed
CD Pipeline / deploy (push) Has been cancelled

This commit is contained in:
ogt
2026-07-10 19:13:22 +08:00
parent c839ac3eff
commit b2be34a923
12 changed files with 246 additions and 16 deletions

View File

@@ -23,6 +23,11 @@ def _parser() -> argparse.ArgumentParser:
parser.add_argument("--root", type=Path, default=ROOT)
parser.add_argument("--detail-limit", type=int, default=30)
parser.add_argument("--compact", action="store_true")
parser.add_argument(
"--source-commit",
default="",
help="Bind emitted source receipt to the caller-provided Gitea commit SHA.",
)
parser.add_argument(
"--strict",
action="store_true",
@@ -37,6 +42,15 @@ def main(argv: list[str] | None = None) -> int:
root=args.root,
detail_limit=args.detail_limit,
)
source_commit = str(args.source_commit or "").strip()
if source_commit:
if len(source_commit) != 40 or any(
char not in "0123456789abcdefABCDEF" for char in source_commit
):
print("--source-commit must be a 40-character hexadecimal Gitea SHA", file=sys.stderr)
return 2
report["receipt_kind"] = "security_governance_source_receipt"
report["source_commit"] = source_commit
if args.compact:
output = {
"policy": report["policy"],