e91da22836
- Introduced attestation inventory and subject-rekor mapping files for tracking Docker packages. - Added a comprehensive crypto registry decision document outlining defaults and required follow-ups. - Created an offline feeds manifest for bundling air-gap resources. - Implemented a script to generate and update binary manifests for curated binaries. - Added a verification script to ensure binary artefacts are located in approved directories. - Defined new schemas for AdvisoryEvidenceBundle, OrchestratorEnvelope, ScannerReportReadyPayload, and ScannerScanCompletedPayload. - Established project files for StellaOps.Orchestrator.Schemas and StellaOps.PolicyAuthoritySignals.Contracts. - Updated vendor manifest to track pinned binaries for integrity.
26 lines
1.1 KiB
Bash
26 lines
1.1 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# Verifies binary artefacts live only in approved locations.
|
|
# Allowed roots: local-nugets (curated feed), .nuget/packages (cache), vendor (pinned binaries),
|
|
# offline (air-gap bundles/templates), plugins/tools/deploy/ops (module-owned binaries).
|
|
|
|
repo_root="$(git rev-parse --show-toplevel)"
|
|
cd "$repo_root"
|
|
|
|
# Extensions considered binary artefacts.
|
|
binary_ext="(nupkg|dll|exe|so|dylib|a|lib|tar|tar.gz|tgz|zip|jar|deb|rpm|bin)"
|
|
# Locations allowed to contain binaries.
|
|
allowed_prefix="^(local-nugets|local-nugets/packages|vendor|offline|plugins|tools|deploy|ops|third_party|docs/artifacts|samples|src/.*/Fixtures|src/.*/fixtures)/"
|
|
|
|
# Only consider files that currently exist in the working tree (skip deleted placeholders).
|
|
violations=$(git ls-files | while read -r f; do [[ -f "$f" ]] && echo "$f"; done | grep -E "\\.${binary_ext}$" | grep -Ev "$allowed_prefix" || true)
|
|
|
|
if [[ -n "$violations" ]]; then
|
|
echo "Binary artefacts found outside approved directories:" >&2
|
|
echo "$violations" >&2
|
|
exit 1
|
|
fi
|
|
|
|
printf "Binary layout OK (allowed roots: %s)\n" "$allowed_prefix"
|