Add tag protection to policy (#279)

puerco · web-flow · commit 302c1502d296 · 2025-08-02T19:07:13.000-06:00
* Update branch protection control description

Signed-off-by: Adolfo Garcia Veytia (puerco) &lt;puerco@carabiner.dev&gt;

* Add tag protection to generated policy

This commit adds the tag protection entry to the generated policy
when it is reported in the active controls.

Signed-off-by: Adolfo Garcia Veytia (puerco) &lt;puerco@carabiner.dev&gt;

---------

Signed-off-by: Adolfo Garcia Veytia (puerco) &lt;puerco@carabiner.dev&gt;
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
@@ -276,6 +276,16 @@ func (pe *PolicyEvaluator) CreateLocalPolicy(ctx context.Context, repo *models.R
 			},
 		},
 	}
+
+	// If the controls returned
+	controls := slsa.Controls(provPred.GetControls())
+	tagHygiene := controls.GetControl(slsa.TagHygiene)
+	if tagHygiene != nil {
+		p.ProtectedTag = &ProtectedTag{
+			Since:      tagHygiene.GetSince(),
+			TagHygiene: true,
+		}
+	}
 	data, err := json.MarshalIndent(&p, "", "  ")
 	if err != nil {
 		return "", err
diff --git a/pkg/slsa/slsa_types.go b/pkg/slsa/slsa_types.go
@@ -189,6 +189,9 @@ type ControlRecommendedAction struct {
 // which are active in the set.
 func (cs *ControlSetStatus) GetActiveControls() *Controls {
 	ret := Controls{}
+	if cs == nil {
+		return &ret
+	}
 	for _, c := range cs.Controls {
 		if c.State == StateActive {
 			ret.AddControl(&provenance.Control{
diff --git a/pkg/sourcetool/backends/vcs/github/github.go b/pkg/sourcetool/backends/vcs/github/github.go
@@ -201,7 +201,7 @@ func (b *Backend) ControlConfigurationDescr(branch *models.Branch, config models
 		)
 	case models.CONFIG_TAG_RULES:
 		return fmt.Sprintf(
-			"Enable push/update/delete protection for all tags in %s",
+			"Enable force push/update/delete protection for all tags in %s",
 			repo.Path,
 		)
 	default:
diff --git a/pkg/sourcetool/tool.go b/pkg/sourcetool/tool.go
@@ -220,6 +220,15 @@ func (t *Tool) createPolicy(r *models.Repository, branch *models.Branch, control
 			},
 		},
 	}
+
+	// If the controls returned
+	tagHygiene := controls.GetActiveControls().GetControl(slsa.TagHygiene)
+	if tagHygiene != nil {
+		p.ProtectedTag = &policy.ProtectedTag{
+			Since:      tagHygiene.GetSince(),
+			TagHygiene: true,
+		}
+	}
 	return p, nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@ func (b Backend) ControlConfigurationDescr(branch models.Branch, config models`
`201`	`201`	`)`
`202`	`202`	`case models.CONFIG_TAG_RULES:`
`203`	`203`	`return fmt.Sprintf(`
`204`		`- "Enable push/update/delete protection for all tags in %s",`
	`204`	`+ "Enable force push/update/delete protection for all tags in %s",`
`205`	`205`	`repo.Path,`
`206`	`206`	`)`
`207`	`207`	`default:`