gitpolicy

package
v0.29.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 23, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package gitpolicy provides verification of gittuf-style repository policies. It verifies branch protection rules and signer requirements against a local git repository, reporting which policies are enforced.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type BranchProtectionConfig

type BranchProtectionConfig struct {
	RequirePR            bool `json:"require_pr"`
	RequireReviews       bool `json:"require_reviews"`
	MinReviewers         int  `json:"min_reviewers,omitempty"`
	RequireSignedCommits bool `json:"require_signed_commits"`
	EnforceAdmins        bool `json:"enforce_admins"`
}

BranchProtectionConfig defines branch protection requirements.

type BranchProtectionStatus

type BranchProtectionStatus struct {
	RequirePR            bool `json:"require_pr"`
	RequireReviews       bool `json:"require_reviews"`
	MinReviewers         int  `json:"min_reviewers,omitempty"`
	RequireSignedCommits bool `json:"require_signed_commits"`
	EnforceAdmins        bool `json:"enforce_admins"`
	Verified             bool `json:"verified"`

	// Evidence tracks what was observed in commit history.
	MergeCommitCount  int `json:"merge_commit_count"`
	SignedCommitCount int `json:"signed_commit_count"`
	TotalCommitCount  int `json:"total_commit_count"`
}

BranchProtectionStatus reports branch protection verification results.

func VerifyBranchProtection

func VerifyBranchProtection(repo *git.Repository, ref string, policy *Policy, maxCommits int) (*BranchProtectionStatus, error)

VerifyBranchProtection checks the commit history on a ref for evidence of branch protection enforcement. It examines merge commit patterns (indicating PR workflow) and cryptographically verifies commit signatures (indicating signing policy).

type Policy

type Policy struct {
	Rules             []PolicyRuleConfig                `json:"rules,omitempty"`
	ProtectedBranches map[string]BranchProtectionConfig `json:"protected_branches,omitempty"`
	RequiredSigners   map[string][]string               `json:"required_signers,omitempty"`
	// LoadedFrom records which file the policy was loaded from (set during discovery).
	LoadedFrom string `json:"-"`
}

Policy represents a parsed gittuf-style policy.

func LoadPolicy

func LoadPolicy(repo *git.Repository, repoPath string) (*Policy, error)

LoadPolicy discovers and loads a gittuf policy from a git repository. It first checks for a gittuf policy ref (refs/gittuf/policy), then falls back to the .gittuf/ directory in the working tree.

func LoadPolicyFromPath

func LoadPolicyFromPath(path string) (*Policy, error)

LoadPolicyFromPath loads a policy from an explicit file or directory path.

type PolicyRule

type PolicyRule struct {
	Name        string `json:"name"`
	Description string `json:"description"`
	Enforced    bool   `json:"enforced"`
	Details     string `json:"details,omitempty"`
}

PolicyRule represents a single policy rule and its enforcement status.

type PolicyRuleConfig

type PolicyRuleConfig struct {
	Name           string   `json:"name"`
	Pattern        string   `json:"pattern"`
	AuthorizedKeys []string `json:"authorized_keys,omitempty"`
	Threshold      int      `json:"threshold,omitempty"`
}

PolicyRuleConfig defines a single policy rule from a gittuf policy file.

type SignerPolicyStatus

type SignerPolicyStatus struct {
	RequiredSigners []string `json:"required_signers,omitempty"`
	VerifiedSigners []string `json:"verified_signers,omitempty"`
	MissingSigners  []string `json:"missing_signers,omitempty"`
	AllSigned       bool     `json:"all_signed"`
}

SignerPolicyStatus reports signer policy verification results.

func VerifySignerPolicy

func VerifySignerPolicy(repo *git.Repository, ref string, policy *Policy, opts VerifyOptions) (*SignerPolicyStatus, error)

VerifySignerPolicy walks commits on a ref and verifies that commit signers match the required signers defined in the policy.

type VerificationResult

type VerificationResult struct {
	Verified         bool                    `json:"verified"`
	Ref              string                  `json:"ref"`
	PolicyRules      []PolicyRule            `json:"policy_rules,omitempty"`
	BranchProtection *BranchProtectionStatus `json:"branch_protection,omitempty"`
	SignerPolicy     *SignerPolicyStatus     `json:"signer_policy,omitempty"`
	ErrorMsg         string                  `json:"error,omitempty"`
	Warnings         []string                `json:"warnings,omitempty"`
}

VerificationResult holds the outcome of policy verification.

func VerifyPolicy

func VerifyPolicy(opts VerifyOptions) (*VerificationResult, error)

VerifyPolicy orchestrates the full policy verification flow. It opens the repository, discovers or loads the policy, and evaluates branch protection and signer requirements.

type VerifyOptions

type VerifyOptions struct {
	// RepoPath is the path to the local git repository.
	RepoPath string
	// TargetRef is the ref to verify policy against (e.g., "refs/heads/main").
	TargetRef string
	// PolicyPath is an explicit path to a policy file or directory. Optional.
	PolicyPath string
	// CertIdentity is the expected signer identity for commit signatures.
	CertIdentity string
	// CertIssuer is the expected OIDC issuer.
	CertIssuer string
	// MaxCommits limits how many commits to walk for verification.
	MaxCommits int
}

VerifyOptions configures policy verification.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL