Module integrity


Release integrity verification predicates.

Pure functions amenable to formal verification with Creusot. The critical decision logic is proven correct in the gh-verify-verif crate.

Functions

branch_history_severity
Core predicate for branch history integrity severity (Source L2). Zero merge commits (linear history) -> Pass, any merge commits -> Error.
branch_protection_enforcement_severity
Core predicate for technical enforcement severity (Source L3). Zero violations (CI passed + independent review) -> Pass, any violations -> Error.
build_isolation_severity
Core predicate for build isolation severity (Build L3). Zero non-isolated builds -> Pass, any non-isolated -> Error.
build_provenance_severity
Core predicate for build provenance verification severity. Zero unverified attestations → Pass, any unverified → Error.
conventional_title_severity
Core predicate for conventional title severity (CC8.1). Title is conventional -> Pass, otherwise -> Error.
dependency_signature_severity
Core predicate for dependency signature verification severity. Zero unverified dependencies -> Pass, any unverified -> Error.
description_quality_severity
Core predicate for description quality severity (CC8.1). Body length >= minimum -> Pass, otherwise -> Error.
hosted_build_severity
Core predicate for hosted build platform severity (Build L2). Zero non-hosted builds -> Pass, any non-hosted -> Error.
is_approver_independent
Core predicate for the four-eyes principle. An approver is independent iff they are neither a commit author nor the change request author.
merge_commit_policy_severity
Core predicate for merge commit policy severity (CC8.1). Zero merge commits -> Pass, any merge commits -> Error.
provenance_authenticity_severity
Core predicate for provenance authenticity severity (Build L2). Zero unauthenticated attestations -> Pass, any unauthenticated -> Error.
release_traceability_severity
Core predicate for release traceability severity (CC7.1). At least one linked change request -> Pass, none -> Error.
required_status_checks_severity
Core predicate for required status checks severity. Pass iff zero check runs have a failing conclusion.
security_file_change_severity
Core predicate for security file change severity (CC7.2). Zero sensitive files changed -> Pass, any sensitive -> Error.
short_sha
Truncate a SHA to 7 characters for display.
signature_severity
Core predicate for signature verification result severity. Verified by Creusot in gh-verify-verif crate.
stale_review_severity
Core predicate for stale review severity (CC7.2). Zero stale approvals -> Pass, any stale -> Error.
two_party_review_severity
Core predicate for two-party review severity (Source L4). At least 2 independent approvers -> Pass, fewer -> Error.