Skip to main content

libverify_core/controls/
mod.rs

1pub mod actions_pinned_dependencies;
2pub mod branch_history_integrity;
3pub mod branch_protection_admin_enforcement;
4pub mod branch_protection_enforcement;
5pub mod build_isolation;
6pub mod build_provenance;
7pub mod change_request_size;
8pub mod code_scanning_alerts_resolved;
9pub mod codeowners_coverage;
10pub mod conventional_title;
11pub mod default_branch_settings_baseline;
12pub mod dependency_completeness;
13pub mod dependency_license_compliance;
14pub mod dependency_provenance;
15pub mod dependency_signature;
16pub mod dependency_signer_verified;
17pub mod dependency_update_tool;
18pub mod description_quality;
19pub mod dismiss_stale_reviews_on_push;
20pub mod environment_protection_rules;
21pub mod hosted_build_platform;
22pub mod issue_linkage;
23pub mod merge_commit_policy;
24pub mod privileged_workflow_detection;
25pub mod provenance_authenticity;
26pub mod release_asset_attestation;
27pub mod release_traceability;
28pub mod repository_permissions_audit;
29pub mod required_status_checks;
30pub mod review_independence;
31pub mod sbom_attestation;
32pub mod scoped_change;
33pub mod secret_scanning;
34pub mod secret_scanning_push_protection;
35pub mod security_file_change;
36pub mod security_policy;
37pub mod security_test_in_ci;
38pub mod source_authenticity;
39pub mod stale_review;
40pub mod test_coverage;
41pub mod two_party_review;
42pub mod vulnerability_scanning;
43pub mod workflow_permissions_restricted;
44
45use crate::control::{Control, builtin};
46use crate::slsa::{SlsaLevel, SlsaTrack};
47
48use self::actions_pinned_dependencies::ActionsPinnedDependenciesControl;
49use self::branch_history_integrity::BranchHistoryIntegrityControl;
50use self::branch_protection_admin_enforcement::BranchProtectionAdminEnforcementControl;
51use self::branch_protection_enforcement::BranchProtectionEnforcementControl;
52use self::build_isolation::BuildIsolationControl;
53use self::build_provenance::BuildProvenanceControl;
54use self::change_request_size::ChangeRequestSizeControl;
55use self::code_scanning_alerts_resolved::CodeScanningAlertsResolvedControl;
56use self::codeowners_coverage::CodeownersCoverageControl;
57use self::conventional_title::ConventionalTitleControl;
58use self::default_branch_settings_baseline::DefaultBranchSettingsBaselineControl;
59use self::dependency_completeness::DependencyCompletenessControl;
60use self::dependency_license_compliance::DependencyLicenseComplianceControl;
61use self::dependency_provenance::DependencyProvenanceControl;
62use self::dependency_signature::DependencySignatureControl;
63use self::dependency_signer_verified::DependencySignerVerifiedControl;
64use self::dependency_update_tool::DependencyUpdateToolControl;
65use self::description_quality::DescriptionQualityControl;
66use self::dismiss_stale_reviews_on_push::DismissStaleReviewsOnPushControl;
67use self::environment_protection_rules::EnvironmentProtectionRulesControl;
68use self::hosted_build_platform::HostedBuildPlatformControl;
69use self::issue_linkage::IssueLinkageControl;
70use self::merge_commit_policy::MergeCommitPolicyControl;
71use self::privileged_workflow_detection::PrivilegedWorkflowDetectionControl;
72use self::provenance_authenticity::ProvenanceAuthenticityControl;
73use self::release_asset_attestation::ReleaseAssetAttestationControl;
74use self::release_traceability::ReleaseTraceabilityControl;
75use self::repository_permissions_audit::RepositoryPermissionsAuditControl;
76use self::required_status_checks::RequiredStatusChecksControl;
77use self::review_independence::ReviewIndependenceControl;
78use self::sbom_attestation::SbomAttestationControl;
79use self::scoped_change::ScopedChangeControl;
80use self::secret_scanning::SecretScanningControl;
81use self::secret_scanning_push_protection::SecretScanningPushProtectionControl;
82use self::security_file_change::SecurityFileChangeControl;
83use self::security_policy::SecurityPolicyControl;
84use self::security_test_in_ci::SecurityTestInCiControl;
85use self::source_authenticity::SourceAuthenticityControl;
86use self::stale_review::StaleReviewControl;
87use self::test_coverage::TestCoverageControl;
88use self::two_party_review::TwoPartyReviewControl;
89use self::vulnerability_scanning::VulnerabilityScanningControl;
90use self::workflow_permissions_restricted::WorkflowPermissionsRestrictedControl;
91
92/// Instantiates a control by its string ID.
93fn instantiate(id: &str) -> Option<Box<dyn Control>> {
94    match id {
95        builtin::SOURCE_AUTHENTICITY => Some(Box::new(SourceAuthenticityControl)),
96        builtin::REVIEW_INDEPENDENCE => Some(Box::new(ReviewIndependenceControl)),
97        builtin::BRANCH_HISTORY_INTEGRITY => Some(Box::new(BranchHistoryIntegrityControl)),
98        builtin::BRANCH_PROTECTION_ENFORCEMENT => {
99            Some(Box::new(BranchProtectionEnforcementControl))
100        }
101        builtin::TWO_PARTY_REVIEW => Some(Box::new(TwoPartyReviewControl)),
102        builtin::BUILD_PROVENANCE => Some(Box::new(BuildProvenanceControl)),
103        builtin::REQUIRED_STATUS_CHECKS => Some(Box::new(RequiredStatusChecksControl)),
104        builtin::HOSTED_BUILD_PLATFORM => Some(Box::new(HostedBuildPlatformControl)),
105        builtin::PROVENANCE_AUTHENTICITY => Some(Box::new(ProvenanceAuthenticityControl)),
106        builtin::BUILD_ISOLATION => Some(Box::new(BuildIsolationControl)),
107        builtin::DEPENDENCY_SIGNATURE => Some(Box::new(DependencySignatureControl)),
108        builtin::DEPENDENCY_PROVENANCE_CHECK => Some(Box::new(DependencyProvenanceControl)),
109        builtin::DEPENDENCY_SIGNER_VERIFIED => Some(Box::new(DependencySignerVerifiedControl)),
110        builtin::DEPENDENCY_COMPLETENESS => Some(Box::new(DependencyCompletenessControl)),
111        builtin::CHANGE_REQUEST_SIZE => Some(Box::new(ChangeRequestSizeControl)),
112        builtin::TEST_COVERAGE => Some(Box::new(TestCoverageControl)),
113        builtin::SCOPED_CHANGE => Some(Box::new(ScopedChangeControl)),
114        builtin::ISSUE_LINKAGE => Some(Box::new(IssueLinkageControl)),
115        builtin::STALE_REVIEW => Some(Box::new(StaleReviewControl)),
116        builtin::DESCRIPTION_QUALITY => Some(Box::new(DescriptionQualityControl)),
117        builtin::MERGE_COMMIT_POLICY => Some(Box::new(MergeCommitPolicyControl)),
118        builtin::CONVENTIONAL_TITLE => Some(Box::new(ConventionalTitleControl)),
119        builtin::SECURITY_FILE_CHANGE => Some(Box::new(SecurityFileChangeControl)),
120        builtin::RELEASE_TRACEABILITY => Some(Box::new(ReleaseTraceabilityControl)),
121        builtin::CODEOWNERS_COVERAGE => Some(Box::new(CodeownersCoverageControl)),
122        builtin::SECRET_SCANNING => Some(Box::new(SecretScanningControl)),
123        builtin::VULNERABILITY_SCANNING => Some(Box::new(VulnerabilityScanningControl)),
124        builtin::SECURITY_POLICY => Some(Box::new(SecurityPolicyControl)),
125        builtin::SECRET_SCANNING_PUSH_PROTECTION => {
126            Some(Box::new(SecretScanningPushProtectionControl))
127        }
128        builtin::BRANCH_PROTECTION_ADMIN_ENFORCEMENT => {
129            Some(Box::new(BranchProtectionAdminEnforcementControl))
130        }
131        builtin::DISMISS_STALE_REVIEWS_ON_PUSH => Some(Box::new(DismissStaleReviewsOnPushControl)),
132        builtin::ACTIONS_PINNED_DEPENDENCIES => Some(Box::new(ActionsPinnedDependenciesControl)),
133        builtin::ENVIRONMENT_PROTECTION_RULES => Some(Box::new(EnvironmentProtectionRulesControl)),
134        builtin::CODE_SCANNING_ALERTS_RESOLVED => Some(Box::new(CodeScanningAlertsResolvedControl)),
135        builtin::DEPENDENCY_LICENSE_COMPLIANCE => {
136            Some(Box::new(DependencyLicenseComplianceControl))
137        }
138        builtin::SBOM_ATTESTATION => Some(Box::new(SbomAttestationControl)),
139        builtin::RELEASE_ASSET_ATTESTATION => Some(Box::new(ReleaseAssetAttestationControl)),
140        builtin::PRIVILEGED_WORKFLOW_DETECTION => {
141            Some(Box::new(PrivilegedWorkflowDetectionControl))
142        }
143        builtin::WORKFLOW_PERMISSIONS_RESTRICTED => {
144            Some(Box::new(WorkflowPermissionsRestrictedControl))
145        }
146        builtin::DEPENDENCY_UPDATE_TOOL => Some(Box::new(DependencyUpdateToolControl)),
147        builtin::REPOSITORY_PERMISSIONS_AUDIT => Some(Box::new(RepositoryPermissionsAuditControl)),
148        builtin::DEFAULT_BRANCH_SETTINGS_BASELINE => {
149            Some(Box::new(DefaultBranchSettingsBaselineControl))
150        }
151        builtin::SECURITY_TEST_IN_CI => Some(Box::new(SecurityTestInCiControl)),
152        _ => None,
153    }
154}
155
156/// Returns the SARIF-friendly description for a built-in control ID.
157/// Falls back to "Custom control" for unknown IDs.
158pub fn control_description(id: &str) -> &'static str {
159    match instantiate(id) {
160        Some(c) => c.description(),
161        None => "Custom control",
162    }
163}
164
165/// Returns all SLSA controls required for the given track up to the given level.
166pub fn slsa_controls_for_level(track: SlsaTrack, level: SlsaLevel) -> Vec<Box<dyn Control>> {
167    crate::slsa::controls_for_level(track, level)
168        .into_iter()
169        .filter_map(|id| instantiate(id.as_str()))
170        .collect()
171}
172
173/// Returns all SLSA controls across both tracks up to the given levels.
174pub fn slsa_controls(source_level: SlsaLevel, build_level: SlsaLevel) -> Vec<Box<dyn Control>> {
175    let mut controls = slsa_controls_for_level(SlsaTrack::Source, source_level);
176    controls.extend(slsa_controls_for_level(SlsaTrack::Build, build_level));
177    controls
178}
179
180/// Returns all SLSA controls (Source L4 + Build L3 + Dependencies L4).
181pub fn all_slsa_controls() -> Vec<Box<dyn Control>> {
182    let mut controls = slsa_controls(SlsaLevel::L4, SlsaLevel::L3);
183    controls.extend(slsa_controls_for_level(
184        SlsaTrack::Dependencies,
185        SlsaLevel::L4,
186    ));
187    controls
188}
189
190/// Returns compliance controls (non-SLSA, SOC2/ASPM mapped).
191pub fn compliance_controls() -> Vec<Box<dyn Control>> {
192    vec![
193        Box::new(ChangeRequestSizeControl),
194        Box::new(TestCoverageControl),
195        Box::new(ScopedChangeControl),
196        Box::new(IssueLinkageControl),
197        Box::new(StaleReviewControl),
198        Box::new(DescriptionQualityControl),
199        Box::new(MergeCommitPolicyControl),
200        Box::new(ConventionalTitleControl),
201        Box::new(SecurityFileChangeControl),
202        Box::new(ReleaseTraceabilityControl),
203        Box::new(CodeownersCoverageControl),
204        Box::new(SecretScanningControl),
205        Box::new(VulnerabilityScanningControl),
206        Box::new(SecurityPolicyControl),
207        Box::new(SecretScanningPushProtectionControl),
208        Box::new(BranchProtectionAdminEnforcementControl),
209        Box::new(DismissStaleReviewsOnPushControl),
210        Box::new(ActionsPinnedDependenciesControl),
211        Box::new(EnvironmentProtectionRulesControl),
212        Box::new(CodeScanningAlertsResolvedControl),
213        Box::new(DependencyLicenseComplianceControl),
214        Box::new(SbomAttestationControl),
215        Box::new(ReleaseAssetAttestationControl),
216        Box::new(PrivilegedWorkflowDetectionControl),
217        Box::new(WorkflowPermissionsRestrictedControl),
218        Box::new(DependencyUpdateToolControl),
219        Box::new(RepositoryPermissionsAuditControl),
220        Box::new(DefaultBranchSettingsBaselineControl),
221        Box::new(SecurityTestInCiControl),
222    ]
223}
224
225/// Returns repository-posture controls only (no PR-scoped compliance controls).
226///
227/// These evaluate repository-level security configuration:
228/// CODEOWNERS, secret scanning, vulnerability scanning, and security policy.
229pub fn posture_controls() -> Vec<Box<dyn Control>> {
230    vec![
231        Box::new(CodeownersCoverageControl),
232        Box::new(SecretScanningControl),
233        Box::new(VulnerabilityScanningControl),
234        Box::new(SecurityPolicyControl),
235        Box::new(SecretScanningPushProtectionControl),
236        Box::new(BranchProtectionAdminEnforcementControl),
237        Box::new(DismissStaleReviewsOnPushControl),
238        Box::new(ActionsPinnedDependenciesControl),
239        Box::new(EnvironmentProtectionRulesControl),
240        Box::new(CodeScanningAlertsResolvedControl),
241        Box::new(DependencyLicenseComplianceControl),
242        Box::new(SbomAttestationControl),
243        Box::new(ReleaseAssetAttestationControl),
244        Box::new(PrivilegedWorkflowDetectionControl),
245        Box::new(WorkflowPermissionsRestrictedControl),
246        Box::new(DependencyUpdateToolControl),
247        Box::new(RepositoryPermissionsAuditControl),
248        Box::new(DefaultBranchSettingsBaselineControl),
249        Box::new(SecurityTestInCiControl),
250    ]
251}
252
253/// Returns all controls (all SLSA + compliance).
254pub fn all_controls() -> Vec<Box<dyn Control>> {
255    let mut controls = all_slsa_controls();
256    controls.extend(compliance_controls());
257    controls
258}
259
260#[cfg(test)]
261mod tests {
262    use super::*;
263    use crate::control::builtin;
264    use crate::slsa::control_slsa_mapping;
265
266    #[test]
267    fn slsa_l1_returns_l1_controls_only() {
268        let controls = slsa_controls(SlsaLevel::L1, SlsaLevel::L1);
269        for c in &controls {
270            let mapping = control_slsa_mapping(&c.id()).expect("should be SLSA-mapped");
271            assert!(
272                mapping.level <= SlsaLevel::L1,
273                "{:?} is L{:?} but should be L1 or below",
274                c.id(),
275                mapping.level
276            );
277        }
278    }
279
280    #[test]
281    fn all_slsa_includes_l3_build_and_l4_source() {
282        let controls = all_slsa_controls();
283        let ids: Vec<_> = controls.iter().map(|c| c.id()).collect();
284        assert!(
285            ids.iter()
286                .any(|id| id.as_str() == builtin::TWO_PARTY_REVIEW)
287        );
288        assert!(ids.iter().any(|id| id.as_str() == builtin::BUILD_ISOLATION));
289    }
290
291    #[test]
292    fn all_controls_includes_compliance() {
293        let controls = all_controls();
294        let ids: Vec<_> = controls.iter().map(|c| c.id()).collect();
295        assert!(
296            ids.iter()
297                .any(|id| id.as_str() == builtin::CHANGE_REQUEST_SIZE)
298        );
299        assert!(ids.iter().any(|id| id.as_str() == builtin::ISSUE_LINKAGE));
300    }
301
302    #[test]
303    fn compliance_plus_slsa_equals_all() {
304        use crate::control::builtin;
305        let compliance = compliance_controls();
306        let slsa = all_slsa_controls();
307        assert_eq!(
308            compliance.len() + slsa.len(),
309            builtin::ALL.len(),
310            "compliance + SLSA controls must cover all built-in controls"
311        );
312    }
313
314    #[test]
315    fn compliance_controls_are_not_slsa_mapped() {
316        use crate::slsa::control_slsa_mapping;
317        let controls = compliance_controls();
318        for c in &controls {
319            assert!(
320                control_slsa_mapping(&c.id()).is_none(),
321                "{:?} should not be SLSA-mapped",
322                c.id()
323            );
324        }
325    }
326
327    #[test]
328    fn compliance_controls_have_unique_ids() {
329        let controls = compliance_controls();
330        let mut ids: Vec<_> = controls.iter().map(|c| c.id()).collect();
331        let original_len = ids.len();
332        ids.sort_by_key(|id| id.as_str().to_string());
333        ids.dedup();
334        assert_eq!(
335            ids.len(),
336            original_len,
337            "all compliance control IDs must be unique"
338        );
339    }
340
341    #[test]
342    fn all_controls_count() {
343        let slsa = all_slsa_controls();
344        let compliance = compliance_controls();
345        let all = all_controls();
346        assert_eq!(
347            all.len(),
348            slsa.len() + compliance.len(),
349            "all_controls = SLSA + compliance"
350        );
351    }
352
353    #[test]
354    fn slsa_controls_for_level_source_l2() {
355        let controls = slsa_controls_for_level(SlsaTrack::Source, SlsaLevel::L2);
356        let ids: Vec<_> = controls.iter().map(|c| c.id()).collect();
357        assert!(
358            ids.iter()
359                .any(|id| id.as_str() == builtin::BRANCH_HISTORY_INTEGRITY)
360        );
361        assert!(
362            !ids.iter()
363                .any(|id| id.as_str() == builtin::BRANCH_PROTECTION_ENFORCEMENT)
364        );
365    }
366
367    #[test]
368    fn slsa_controls_for_level_build_l2() {
369        let controls = slsa_controls_for_level(SlsaTrack::Build, SlsaLevel::L2);
370        let ids: Vec<_> = controls.iter().map(|c| c.id()).collect();
371        assert!(
372            ids.iter()
373                .any(|id| id.as_str() == builtin::HOSTED_BUILD_PLATFORM)
374        );
375        assert!(
376            ids.iter()
377                .any(|id| id.as_str() == builtin::PROVENANCE_AUTHENTICITY)
378        );
379        assert!(!ids.iter().any(|id| id.as_str() == builtin::BUILD_ISOLATION));
380    }
381}