Fix initial pre-commit violations

.pre-commit-config.yaml

@@ -15,4 +15,6 @@ repos:
   rev: v4.4.0
   hooks:
   - id: end-of-file-fixer
+    exclude: ^docs/
+    exclude_types: [markdown]
   - id: trailing-whitespace

CODE_OF_CONDUCT.md

@@ -131,4 +131,3 @@ For answers to common questions about this code of conduct, see the FAQ at
 [Mozilla CoC]: https://github.com/mozilla/diversity
 [FAQ]: https://www.contributor-covenant.org/faq
 [translations]: https://www.contributor-covenant.org/translations
-

MAINTAINERS.md

@@ -5,4 +5,4 @@
 | Cole Kennedy (TestifySec)      | [@colek42](https://github.com/colek42) |
 | John Kjell (TestifySec)     | [@jkjell](https://github.com/jkjell) |
 | Mikhail Swift (TestifySec) | [@mikhailswift](https://github.com/mikhailswift) |
-| Aditya Sirish (NYU)       | [@adityasaky](https://github.com/adityasaky) |
+| Aditya Sirish (NYU)       | [@adityasaky](https://github.com/adityasaky) |

dev/build-and-push-builders.sh

@@ -19,27 +19,27 @@ cd ..
 go mod tidy
 go mod vendor
 make
-cd dev
+cd dev || exit
 
 RED='\033[0;31m'
 
 sha=$(git rev-parse --short HEAD)
-tag=$(git describe --tags $(git rev-list --tags --max-count=1))
-imagetag=`echo registry.gitlab.com/testifysec/demos/witness-demo/builder:${tag}-${sha}-golang-1.17.3`
+tag=$(git describe --tags "$(git rev-list --tags --max-count=1)")
+imagetag=registry.gitlab.com/testifysec/demos/witness-demo/builder:"${tag}"-"${sha}"-golang-1.17.3
 
 
-docker build -f ./Dockerfile.go-builder -t ${imagetag} ./../
-docker push ${imagetag}
+docker build -f ./Dockerfile.go-builder -t "${imagetag}" ./../
+docker push "${imagetag}"
 
-printf "Published witness image to:\n${RED}${imagetag}\n"
+printf "Published witness image to:\n%s%s\n" "${RED}" "${imagetag}"
 
-nodeIDs=($(kubectl -n spire exec -it spire-server-0 -- /opt/spire/bin/spire-server agent list | grep 'spiffe://dev.testifysec.com/spire/agent/gcp_iit' | cut -f 2- -d ':' | tr -d ' ' | tr -d '\r'))
+IFS=" " read -r -a nodeIDs <<< "$(kubectl -n spire exec -it spire-server-0 -- /opt/spire/bin/spire-server agent list | grep 'spiffe://dev.testifysec.com/spire/agent/gcp_iit' | cut -f 2- -d ':' | tr -d ' ' | tr -d '\r'))"
 
-for node in ${nodeIDs[@]}; do
+for node in "${nodeIDs[@]}"; do
 kubectl exec -n spire spire-server-0 -- \
     /opt/spire/bin/spire-server entry create \
-    -parentID ${node} \
+    -parentID "${node}" \
     -spiffeID spiffe://dev.testifysec.com/witness-demo/builder \
-    -selector k8s:container-image:${imagetag} \
+    -selector k8s:container-image:"${imagetag}" \
     -selector k8s:ns:gitlab-runner
 done

docgen/verify.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright 2021 The Witness Contributors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

docs/attestor.md

@@ -1 +1 @@
-# WIP
+# WIP

docs/policy.md

@@ -1,11 +1,11 @@
 # Policies
 
 TestifySec Witness policies allow users to make assertions and test attestation collections generated during a `Witness run`.
-Examples of when a policy could be enforced include 
+Examples of when a policy could be enforced include
 
 - within a [Kubernetes admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/)
 - at the end of a CI/CD pipeline
-- prior to image promotion, or 
+- prior to image promotion, or
 - before deployment to an execution environment.
 
 Policies help you ensure that all expected attestations are within a collection and support embedded
@@ -35,7 +35,7 @@ Evaluating a Witness policy involves a few different steps:
 
 ## Schema
 
-Policies are JSON documents that are signed and wrapped in [DSSE envelopes](https://github.com/secure-systems-lab/dsse). The DSSE payload type will be 
+Policies are JSON documents that are signed and wrapped in [DSSE envelopes](https://github.com/secure-systems-lab/dsse). The DSSE payload type will be
 `https://witness.testifysec.com/policy/v0.1`.
 
 ### `policy` Object
@@ -135,7 +135,7 @@ Example of a constraint that would allow use of any certificate, as long as it b
 
 Rego modules are expected to output a data with the name of `deny` in the case of a rego policy evaluation failure.
 `deny` can be a string or an array of strings and should be populated with a human-readable string describing why the
-policy was denied. Any other data output by the module will be ignored. 
+policy was denied. Any other data output by the module will be ignored.
 
 Following is an example output for a valid rego policy:
 

install-witness.sh

@@ -1,12 +1,12 @@
 #!/bin/bash
 #  Copyright 2023 The Witness Contributors
-# 
+#
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
 #  You may obtain a copy of the License at
-# 
+#
 #       http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 #  Unless required by applicable law or agreed to in writing, software
 #  distributed under the License is distributed on an "AS IS" BASIS,
 #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -19,16 +19,16 @@ set -eou pipefail
 # Create a temporary directory for downloaded files
 TEMPDIR=$(mktemp -d)
 # trap syscalls and delete the temporary directory
-trap "rm -rf $TEMPDIR" EXIT
+trap 'rm -rf $TEMPDIR' EXIT
 
 #install directory should be the first argument or default to /usr/local/bin
 INSTALL_DIR=${1:-"/usr/local/bin"}
 
 # resolve symlinks
-INSTALL_DIR=$(readlink -f $INSTALL_DIR)
+INSTALL_DIR=$(readlink -f "$INSTALL_DIR")
 
 # check for bad install directory
-if [ ! -d $INSTALL_DIR ]; then
+if [ ! -d "$INSTALL_DIR" ]; then
     echo "Install directory $INSTALL_DIR does not exist"
     exit 1
 fi
@@ -49,7 +49,7 @@ if [ "$ARCH" == "aarch64" ]; then
 fi
 
 ### Determine if Arch is supported
-if [ $ARCH != "amd64" ] && [ $ARCH != "arm64" ]; then
+if [ "$ARCH" != "amd64" ] && [ "$ARCH" != "arm64" ]; then
     echo "Unsupported architecture"
     exit 1
 fi
@@ -60,7 +60,7 @@ OS=$(uname -s)
 OS=$(echo "$OS" | tr '[:upper:]' '[:lower:]')
 FILENAME="witness_${VERSION}_${OS}_${ARCH}.tar.gz"
 DOWNLOAD_URL="https://github.com/in-toto/witness/releases/download/v$VERSION/$FILENAME"
-EXPECTED_CHECKSUM="$(curl -L -s  https://github.com/in-toto/witness/releases/download/v$VERSION/witness_${VERSION}_checksums.txt | grep -w "witness_${VERSION}_${OS}_$ARCH.tar.gz$" | awk '{print $1}')"
+EXPECTED_CHECKSUM="$(curl -L -s  "https://github.com/in-toto/witness/releases/download/v$VERSION/witness_${VERSION}_checksums.txt" | grep -w "witness_${VERSION}_${OS}_$ARCH.tar.gz$" | awk '{print $1}')"
 readonly EXPECTED_CHECKSUM EXPECTED_CHECKSUM
 
 echo "Latest version of Witness is $VERSION"
@@ -70,17 +70,17 @@ echo expected checksum: "$EXPECTED_CHECKSUM"
 
 
 ## Check to see if OS is supported
-if [ $OS != "linux" ] && [ $OS != "darwin" ]; then
+if [ "$OS" != "linux" ] && [ "$OS" != "darwin" ]; then
     echo "Unsupported OS"
     exit 1
 fi
 
 # Download the binary to the temporary directory
-cd $TEMPDIR
-curl -s -LO $DOWNLOAD_URL
+cd "$TEMPDIR"
+curl -s -LO "$DOWNLOAD_URL"
 
 # Verify the checksum
-FILE_CHECKSUM=$(sha256sum -b witness_${VERSION}_${OS}_${ARCH}.tar.gz | awk '{print $1}')
+FILE_CHECKSUM=$(sha256sum -b "witness_${VERSION}_${OS}_${ARCH}.tar.gz" | awk '{print $1}')
 
 echo file checksum: "    $FILE_CHECKSUM"
 
@@ -90,19 +90,19 @@ if [ "$EXPECTED_CHECKSUM" != "$FILE_CHECKSUM" ]; then
 fi
 
 # Extract and install the binary
-tar -xzf witness_${VERSION}_${OS}_${ARCH}.tar.gz
+tar -xzf "witness_${VERSION}_${OS}_${ARCH}.tar.gz"
 
 # Check if the user has write permission for /usr/local/bin/witness
-if [ -w $INSTALL_DIR ]; then
+if [ -w "$INSTALL_DIR" ]; then
   # If the user has write permission, move the binary to /usr/local/bin
-  mv witness $INSTALL_DIR
+  mv witness "$INSTALL_DIR"
 else
   # If the user doesn't have write permission, check if the script is running in an interactive terminal
   if [ -n "$TERM" ]; then
     # If the script is running in an interactive terminal, prompt for sudo and move the binary to /usr/local/bin
     echo "You don't have permission to move the file, if you would like to install Witness to ${INSTALL_DIR}, please enter your password."
     echo "You can also install Witness to a different directory by running this script with the directory as the first argument."
-    sudo -v && sudo mv witness $INSTALL_DIR
+    sudo -v && sudo mv witness "$INSTALL_DIR"
   else
     # If the script is not running in an interactive terminal, print an error message and exit
     echo "You don't have permission to move the file, please run with sudo."
@@ -112,8 +112,8 @@ fi
 
 # Return to the original directory and remove the temporary directory silently
 cd - > /dev/null
-rm -rf $TEMPDIR
+rm -rf "$TEMPDIR"
 
 # Check if the binary is installed
 witness version
-echo "Witness v${VERSION} has been installed at ${INSTALL_DIR}/witness"
+echo "Witness v${VERSION} has been installed at ${INSTALL_DIR}/witness"

test/common.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright 2022 The Witness Contributors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,13 +14,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#/bin/sh
 checkprograms() {
-  local result=0
+  result=0
   for prog in "$@"
   do
-    if ! command -v $prog > /dev/null; then
-      printf "$prog is required to run this script. please ensure if is installed and in your PATH\n"
+    if ! command -v "$prog" > /dev/null; then
+      printf "%s is required to run this script. please ensure if is installed and in your PATH\n" "$prog"
       result=1
     fi
   done

test/test-oci.sh

@@ -1,3 +1,5 @@
+#!/bin/sh
+
 # Copyright 2022 The Witness Contributors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,7 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#!/bin/sh
 set -e
 
 DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"

test/test.sh

@@ -1,3 +1,5 @@
+#! /bin/sh
+
 # Copyright 2021 The Witness Contributors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -12,7 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#! /bin/sh
 set -e
 
 DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
@@ -35,8 +36,7 @@ rm -f ./policy-signed.json ./build.attestation.json ./package.attestation.json .
 ../bin/witness -c test.yaml run -k failkey.pem -o ./fail.attestation.json  -- go build -o=testapp .
 ../bin/witness -c test.yaml run -s package -k ./testkey2.pem -o package.attestation.json -- tar czf ./testapp.tar.tgz ./testapp
 set +e
-../bin/witness -c test.yaml verify -a ./fail.attestation.json -a ./package.attestation.json
-if [ $? -eq 0 ]; then
+if ../bin/witness -c test.yaml verify -a ./fail.attestation.json -a ./package.attestation.json; then
   echo "expected verify to fail"
   exit 1
 fi

test/test.yaml

@@ -23,7 +23,7 @@ sign:
     signer-file-key-path: testkey.pem
     outfile: policy-signed.json
 verify:
-    attestations: 
+    attestations:
         - "build.attestation.json"
         - "package.attestation.json"
     policy: policy-signed.json

test/testkey.pem

@@ -1,3 +1,3 @@
 -----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VwBCIEII9dV22AUVzYNgjrfD2GSDou6dWLKKw+OiG39s/ZcXWi
------END PRIVATE KEY-----
+-----END PRIVATE KEY-----

test/testpub.pem

@@ -1,3 +1,3 @@
 -----BEGIN PUBLIC KEY-----
 MCowBQYDK2VwAyEAf29oPP8UghByG852uBdOxrJKKn7MM5hTbP9esgOZ/k0=
------END PUBLIC KEY-----
+-----END PUBLIC KEY-----