fix(security): harden image context and runtime receipts
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
This commit is contained in:
@@ -23,6 +23,11 @@ def _parser() -> argparse.ArgumentParser:
|
||||
parser.add_argument("--root", type=Path, default=ROOT)
|
||||
parser.add_argument("--detail-limit", type=int, default=30)
|
||||
parser.add_argument("--compact", action="store_true")
|
||||
parser.add_argument(
|
||||
"--source-commit",
|
||||
default="",
|
||||
help="Bind emitted source receipt to the caller-provided Gitea commit SHA.",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--strict",
|
||||
action="store_true",
|
||||
@@ -37,6 +42,15 @@ def main(argv: list[str] | None = None) -> int:
|
||||
root=args.root,
|
||||
detail_limit=args.detail_limit,
|
||||
)
|
||||
source_commit = str(args.source_commit or "").strip()
|
||||
if source_commit:
|
||||
if len(source_commit) != 40 or any(
|
||||
char not in "0123456789abcdefABCDEF" for char in source_commit
|
||||
):
|
||||
print("--source-commit must be a 40-character hexadecimal Gitea SHA", file=sys.stderr)
|
||||
return 2
|
||||
report["receipt_kind"] = "security_governance_source_receipt"
|
||||
report["source_commit"] = source_commit
|
||||
if args.compact:
|
||||
output = {
|
||||
"policy": report["policy"],
|
||||
|
||||
Reference in New Issue
Block a user