mitre/linguist"
5 | ---
6 |
7 | # `mitre/linguist`
8 |
9 | Analyzes text files to identify their likely language. Does not provide a
10 | default query and can't be used as a top-level plugin in a policy file.
11 |
--------------------------------------------------------------------------------
/plugins/linguist/plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "linguist"
3 | version "0.4.2"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "linguist"
8 | on arch="x86_64-apple-darwin" "linguist"
9 | on arch="x86_64-unknown-linux-gnu" "linguist"
10 | on arch="x86_64-pc-windows-msvc" "linguist.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/library/hipcheck-macros/README.md:
--------------------------------------------------------------------------------
1 |
2 | # `hipcheck-macros`
3 |
4 | `hipcheck-macros` is a helper crate for [Hipcheck] which provides procedural
5 | macros. It's not intended for use by anyone else, and generally involves
6 | private APIs.
7 |
8 | ## License
9 |
10 | `hipcheck-macros` is Apache-2.0 licensed.
11 |
12 | [Hipcheck]: https://github.com/mitre/hipcheck
13 |
--------------------------------------------------------------------------------
/plugins/git/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "git"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/git"
8 | on arch="x86_64-apple-darwin" "./target/debug/git"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/git"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/git.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/plugins/npm/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "npm"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/npm"
8 | on arch="x86_64-apple-darwin" "./target/debug/npm"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/npm"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/npm.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/site/scripts/deno.json:
--------------------------------------------------------------------------------
1 | {
2 | "tasks": {
3 | "bundle": "deno run -A tasks/bundle.ts",
4 | "dev": "deno run -A --watch tasks/bundle.ts"
5 | },
6 | "imports": {
7 | "@luca/esbuild-deno-loader": "jsr:@luca/esbuild-deno-loader@^0.11.0",
8 | "esbuild": "npm:esbuild@^0.24.0"
9 | },
10 | "compilerOptions": {
11 | "lib": ["deno.window", "dom"]
12 | }
13 | }
14 |
--------------------------------------------------------------------------------
/plugins/git/local-release-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "git"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/release/git"
8 | on arch="x86_64-apple-darwin" "./target/release/git"
9 | on arch="x86_64-unknown-linux-gnu" "./target/release/git"
10 | on arch="x86_64-pc-windows-msvc" "./target/release/git.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/plugins/npm/local-release-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "npm"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/release/npm"
8 | on arch="x86_64-apple-darwin" "./target/release/npm"
9 | on arch="x86_64-unknown-linux-gnu" "./target/release/npm"
10 | on arch="x86_64-pc-windows-msvc" "./target/release/npm.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/plugins/binary/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "binary"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/binary"
8 | on arch="x86_64-apple-darwin" "./target/debug/binary"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/binary"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/binary.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/plugins/github/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "github"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/github"
8 | on arch="x86_64-apple-darwin" "./target/debug/github"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/github"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/github.exe"
11 | }
12 |
--------------------------------------------------------------------------------
/library/hipcheck-kdl/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "hipcheck-kdl"
3 | description = "Common KDL functionality used throughout the Hipcheck project"
4 | repository = "https://github.com/mitre/hipcheck"
5 | version = "0.1.0"
6 | license = "Apache-2.0"
7 | edition = "2024"
8 | publish = false
9 |
10 | [dependencies]
11 | kdl = { workspace = true }
12 | hipcheck-workspace-hack = { workspace = true }
13 |
--------------------------------------------------------------------------------
/sdk/python/src/hipcheck_sdk/__init__.py:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0
2 |
3 | from hipcheck_sdk.options import *
4 |
5 | from hipcheck_sdk.engine import PluginEngine, MockResponses
6 | from hipcheck_sdk.server import Plugin, PluginServer
7 | from hipcheck_sdk.query import query, Endpoint
8 | from hipcheck_sdk.cli import get_parser_for, run_server_for
9 | from hipcheck_sdk.gen.types import *
10 |
--------------------------------------------------------------------------------
/xtask/src/workspace.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use anyhow::{Result, anyhow};
4 | use std::path::{Path, PathBuf};
5 |
6 | /// Get the root directory of the workspace.
7 | pub fn root() -> Result
5 | {% if title %}{{ title }}{% else %}Info{% endif %}
6 |
10 |
--------------------------------------------------------------------------------
/plugins/review/plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "review"
3 | version "0.4.2"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "review"
8 | on arch="x86_64-apple-darwin" "review"
9 | on arch="x86_64-unknown-linux-gnu" "review"
10 | on arch="x86_64-pc-windows-msvc" "review.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/github" version="^0.4" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/github.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/library/hipcheck-macros/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "hipcheck-macros"
3 | description = "Helper macros for the `hipcheck` crate."
4 | repository = "https://github.com/mitre/hipcheck"
5 | version = "0.3.5"
6 | edition = "2024"
7 | license = "Apache-2.0"
8 |
9 | [lib]
10 | proc-macro = true
11 |
12 | [dependencies]
13 | proc-macro2 = { workspace = true }
14 | quote = { workspace = true }
15 | syn = { workspace = true }
16 | hipcheck-workspace-hack = { workspace = true }
17 |
--------------------------------------------------------------------------------
/plugins/activity/plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "activity"
3 | version "0.5.2"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "activity"
8 | on arch="x86_64-apple-darwin" "activity"
9 | on arch="x86_64-unknown-linux-gnu" "activity"
10 | on arch="x86_64-pc-windows-msvc" "activity.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/git" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/git.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/sdk/rust/src/types.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | typify_macro::import_types!(
4 | schema = "../schema/hipcheck_target_schema.json",
5 | derives = [schemars::JsonSchema],
6 | convert = {
7 | {
8 | type = "string",
9 | format = "uri",
10 | } = url::Url,
11 | {
12 | type = "string",
13 | format = "date-time"
14 | } = jiff::Zoned,
15 | {
16 | type = "string",
17 | format = "duration"
18 | } = jiff::Span,
19 | }
20 | );
21 |
--------------------------------------------------------------------------------
/site/templates/shortcodes/warn.html:
--------------------------------------------------------------------------------
1 |
2 | {% import "macros/icon.tera.html" as ic %}
3 |
4 |
7 | {{ body | markdown | safe }}
8 |
9 |
5 | {% if title %}{{ title }}{% else %}Info{% endif %}
6 |
10 |
--------------------------------------------------------------------------------
/plugins/identity/plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "identity"
3 | version "0.5.2"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "identity"
8 | on arch="x86_64-apple-darwin" "identity"
9 | on arch="x86_64-unknown-linux-gnu" "identity"
10 | on arch="x86_64-pc-windows-msvc" "identity.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/git" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/git.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/plugins/affiliation/plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "affiliation"
3 | version "0.5.2"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "affiliation"
8 | on arch="x86_64-apple-darwin" "affiliation"
9 | on arch="x86_64-unknown-linux-gnu" "affiliation"
10 | on arch="x86_64-pc-windows-msvc" "affiliation.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/git" version="^0.5" manifest="https://hipcheck.mitre.org/dl/plugin/mitre/git.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/plugins/typo/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "typo"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/typo"
8 | on arch="x86_64-apple-darwin" "./target/debug/typo"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/typo"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/typo.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/npm" version="0.0.0" manifest="./plugins/npm/local-plugin.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/tests/test-plugins/activity-container/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "activity-container"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "activity-container-deploy.sh"
8 | on arch="x86_64-apple-darwin" "activity-container-deploy.sh"
9 | on arch="x86_64-unknown-linux-gnu" "activity-container-deploy.sh"
10 | }
11 |
12 | dependencies {
13 | plugin "mitre/git" version="0.0.0" manifest="./plugins/git/local-plugin.kdl"
14 | }
15 |
--------------------------------------------------------------------------------
/plugins/fuzz/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "fuzz"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/fuzz"
8 | on arch="x86_64-apple-darwin" "./target/debug/fuzz"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/fuzz"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/fuzz.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/github" version="0.0.0" manifest="./plugins/github/local-plugin.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/plugins/review/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "review"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/review"
8 | on arch="x86_64-apple-darwin" "./target/debug/review"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/review"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/review.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/github" version="0.0.0" manifest="./plugins/github/local-plugin.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/sdk/python/tests/context.py:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0
2 |
3 | from pytest import fixture
4 |
5 | from hipcheck_sdk import *
6 |
7 |
8 | @fixture
9 | def options_disable_rfd9_compat():
10 | opts_before = get_options()
11 | set_option("rfd9_compat", False)
12 | yield
13 | set_options(opts_before)
14 |
15 |
16 | @fixture
17 | def options_enable_rfd9_compat():
18 | opts_before = get_options()
19 | set_option("rfd9_compat", True)
20 | yield
21 | set_options(opts_before)
22 |
--------------------------------------------------------------------------------
/config/benchmark-targets.kdl:
--------------------------------------------------------------------------------
1 | targets {
2 | // NOTE: the parser of this file expects the following order repo url=<> ref=<> type=<>
3 | // git repository with about 700 commits
4 | repo url="https://github.com/mitre/hipcheck" ref="hipcheck-v3.11.0" type="repo"
5 | // popular Python repo with approximately 3000 commits
6 | repo url="jinja2" ref="3.1.6" type="pypi"
7 | // popular NPM package with approximately 6000 commits as of v5.0.0
8 | repo url="express" ref="v5.0.0" type="npm"
9 | }
10 |
11 |
--------------------------------------------------------------------------------
/plugins/activity/local-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "activity"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/debug/activity"
8 | on arch="x86_64-apple-darwin" "./target/debug/activity"
9 | on arch="x86_64-unknown-linux-gnu" "./target/debug/activity"
10 | on arch="x86_64-pc-windows-msvc" "./target/debug/activity.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/git" version="0.0.0" manifest="./plugins/git/local-plugin.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/plugins/typo/local-release-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "typo"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/release/typo"
8 | on arch="x86_64-apple-darwin" "./target/release/typo"
9 | on arch="x86_64-unknown-linux-gnu" "./target/release/typo"
10 | on arch="x86_64-pc-windows-msvc" "./target/release/typo.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/npm" version="0.0.0" manifest="./plugins/npm/local-release-plugin.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/sdk/python/docs/source/index.rst:
--------------------------------------------------------------------------------
1 | .. hipcheck-sdk documentation master file, created by
2 | sphinx-quickstart on Fri Mar 21 16:01:33 2025.
3 | You can adapt this file completely to your liking, but it should at least
4 | contain the root `toctree` directive.
5 |
6 | hipcheck-sdk documentation
7 | ==========================
8 |
9 | API documentation for the `Hipcheck
7 | {{ body | markdown | safe }}
8 |
9 | mitre/git"
5 | ---
6 |
7 | # `mitre/git`
8 |
9 | Provides access to Git commit history data. Does not define a default query
10 | and can't be used as a top-level plugin in a policy file.
11 |
12 | ## Configuration
13 |
14 | | Parameter | Type | Explanation |
15 | |:--------------------|:--------|:--------------|
16 | | `commit-cache-size` | `Integer` | Optional number of repositories to retain in cache. Defaults to one. |
17 |
--------------------------------------------------------------------------------
/site/static/dl/install.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env sh
2 |
3 | # This installer delegates to the "real" installer included with each new
4 | # release of Hipcheck.
5 |
6 | HC_VERSION="3.14.0"
7 | REPO="https://github.com/mitre/hipcheck"
8 | INSTALLER="$REPO/releases/download/hipcheck-v$HC_VERSION/hipcheck-installer.sh"
9 |
10 | # Check that curl is installed and error out if it isn't.
11 | if ! command -v curl >/dev/null; then
12 | echo "error: 'curl' is required to run the installer" 1>&2
13 | exit 1
14 | fi
15 |
16 | curl -LsSf "$INSTALLER" | sh "$@"
17 |
--------------------------------------------------------------------------------
/plugins/affiliation/local-release-plugin.kdl:
--------------------------------------------------------------------------------
1 | publisher "mitre"
2 | name "affiliation"
3 | version "0.0.0"
4 | license "Apache-2.0"
5 |
6 | entrypoint {
7 | on arch="aarch64-apple-darwin" "./target/release/affiliation"
8 | on arch="x86_64-apple-darwin" "./target/release/affiliation"
9 | on arch="x86_64-unknown-linux-gnu" "./target/release/affiliation"
10 | on arch="x86_64-pc-windows-msvc" "./target/release/affiliation.exe"
11 | }
12 |
13 | dependencies {
14 | plugin "mitre/git" version="0.0.0" manifest="./plugins/git/local-release-plugin.kdl"
15 | }
16 |
--------------------------------------------------------------------------------
/plugins/github/src/cli.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use anyhow::Result;
4 | use clap::Parser;
5 | use hipcheck_sdk::LogLevel;
6 |
7 | #[derive(Parser, Debug)]
8 | pub struct Cli {
9 | #[arg(long)]
10 | pub port: u16,
11 |
12 | #[arg(long, default_value_t=LogLevel::Error)]
13 | pub log_level: LogLevel,
14 |
15 | #[arg(trailing_var_arg(true), allow_hyphen_values(true), hide = true)]
16 | pub unknown_args: Vechc schema"
5 | ---
6 |
7 | # `hc schema`
8 |
9 | The `hc schema` command is intended to help users of Hipcheck who are trying
10 | to integrate Hipcheck into other tools and systems. Hipcheck supports a JSON
11 | output format for analyses, and `hc schema` produces a JSON schema description
12 | of that output.
13 |
14 | `hc schema` takes the name of the target type for which to print the schema.
15 | For the list of target types, see [the documentation for the `hc check` command](@/docs/guide/cli/hc-check.md).
16 |
17 | `hc schema` also takes the usual [General Flags](@/docs/guide/cli/general-flags.md).
18 |
--------------------------------------------------------------------------------
/hipcheck/src/shell/macros.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Macros that mirror/replace those from the standard library using the global [`Shell`][crate::shell::Shell].
4 |
5 | macro_rules! println {
6 | ($($arg:tt)+) => {
7 | $crate::shell::Shell::println(format!($($arg)*));
8 | };
9 |
10 | () => {
11 | $crate::shell::Shell::println("");
12 | }
13 | }
14 |
15 | // public re-export
16 | pub(crate) use println;
17 |
18 | macro_rules! eprintln {
19 | ($($arg:tt)+) => {
20 | $crate::shell::Shell::eprintln(format!($($arg)*));
21 | };
22 |
23 | () => {
24 | $crate::shell::Shell::eprintln("");
25 | }
26 | }
27 |
28 | pub(crate) use eprintln;
29 |
--------------------------------------------------------------------------------
/site/content/docs/contributing/testing.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Testing Changes
3 | weight: 2
4 | ---
5 |
6 | # Testing Changes
7 |
8 | All changes to Hipcheck must pass continuous integration (CI) tests prior
9 | to being merged. You can simulate this test suite, at least on your own
10 | operating system and architecture, using the following command:
11 |
12 | ```sh
13 | $ cargo xtask ci
14 | ```
15 |
16 | Passing this command is not a _guarantee_ of passing the official CI suite
17 | on GitHub, but is a good way to approximate things locally.
18 |
19 | If you want faster tests locally, we also recommend installing `cargo-nextest`.
20 | The `cargo xtask ci` command will use it instead of `cargo test` if it's
21 | installed.
22 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: 'type: enhancement'
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Is your feature request related to a problem? Please describe.**
11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
12 |
13 | **Describe the solution you'd like**
14 | A clear and concise description of what you want to happen.
15 |
16 | **Describe alternatives you've considered**
17 | A clear and concise description of any alternative solutions or features you've considered.
18 |
19 | **Additional context**
20 | Add any other context or screenshots about the feature request here.
21 |
--------------------------------------------------------------------------------
/plugins/activity/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "activity"
3 | version = "0.5.2"
4 | license = "Apache-2.0"
5 | edition = "2024"
6 | repository = "https://github.com/mitre/hipcheck"
7 | publish = false
8 |
9 | [dependencies]
10 | clap = { workspace = true, features = ["derive"] }
11 | hipcheck-sdk = { workspace = true, features = ["macros"] }
12 | jiff = { workspace = true, features = ["serde"] }
13 | tracing = { workspace = true }
14 | serde = { workspace = true, features = ["derive", "rc"] }
15 | serde_json = { workspace = true }
16 | tokio = { workspace = true, features = ["rt"] }
17 | hipcheck-workspace-hack = { workspace = true }
18 |
19 | [dev-dependencies]
20 | hipcheck-sdk = { workspace = true, features = ["mock_engine"] }
21 |
--------------------------------------------------------------------------------
/sdk/python/docs/Makefile:
--------------------------------------------------------------------------------
1 | # Minimal makefile for Sphinx documentation
2 | #
3 |
4 | # You can set these variables from the command line, and also
5 | # from the environment for the first two.
6 | SPHINXOPTS ?=
7 | SPHINXBUILD ?= sphinx-build
8 | SOURCEDIR = source
9 | BUILDDIR = build
10 |
11 | # Put it first so that "make" without argument is like "make help".
12 | help:
13 | @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
14 |
15 | .PHONY: help Makefile
16 |
17 | # Catch-all target: route all unknown targets to Sphinx using the new
18 | # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
19 | %: Makefile
20 | @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
21 |
--------------------------------------------------------------------------------
/site/content/docs/guide/config/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Configuration
3 | template: docs.html
4 | page_template: docs_page.html
5 | weight: 2
6 | sort_by: weight
7 | ---
8 |
9 | # Configuration
10 |
11 | This section covers how to configure Hipcheck through policy files.
12 |
13 |
14 |
15 | {% waypoint(title="Policy Files", path="@/docs/guide/config/policy-file.md", icon="file") %}
16 | How to configure what plugins to use and how to score their results.
17 | {% end %}
18 |
19 | {% waypoint(title="Policy Expressions", path="@/docs/guide/config/policy-expr.md", icon="message-square") %}
20 | How to convert individual analysis results into a pass/fail determination.
21 | {% end %}
22 |
23 |
24 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: 'type: bug'
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe the bug**
11 | A clear and concise description of what the bug is.
12 |
13 | **To Reproduce**
14 | Steps to reproduce the behavior.
15 |
16 | **Expected behavior**
17 | A clear and concise description of what you expected to happen.
18 |
19 | **Screenshots**
20 | If applicable, add screenshots to help explain your problem.
21 |
22 | **Desktop (please complete the following information):**
23 | - Operating System: [e.g. macOS]
24 | - Hipcheck Version [e.g. 3.6.0]
25 |
26 | **Additional context**
27 | Add any other context about the problem here.
28 |
--------------------------------------------------------------------------------
/tests/test-plugins/activity-container/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "activity-container"
3 | version = "0.4.0"
4 | license = "Apache-2.0"
5 | edition = "2024"
6 | publish = false
7 |
8 | [dependencies]
9 | clap = { workspace = true, features = ["derive"] }
10 | hipcheck-sdk = { workspace = true, features = ["macros"] }
11 | jiff = { workspace = true, features = ["serde"] }
12 | log = { workspace = true }
13 | schemars = { workspace = true, features = ["url2"] }
14 | serde = { workspace = true, features = ["derive", "rc"] }
15 | serde_json = { workspace = true }
16 | tokio = { workspace = true, features = ["rt"] }
17 | hipcheck-workspace-hack = { workspace = true }
18 |
19 | [dev-dependencies]
20 | hipcheck-sdk = { workspace = true, features = ["mock_engine"] }
21 |
--------------------------------------------------------------------------------
/plugins/linguist/src/util/fs.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use crate::error::*;
4 | use crate::linguist::LanguageFile;
5 | use std::{fs, path::Path, str::FromStr};
6 |
7 | /// Read a file to a string.
8 | pub fn read_string
12 |
13 | {% waypoint(title="Repo Structure", path="@/docs/contributing/developer-docs/repo-structure.md") %}
14 | List of key directories in the Hipcheck repository.
15 | {% end %}
16 |
17 | {% waypoint(title="Architecture", path="@/docs/contributing/developer-docs/architecture.md") %}
18 | Hipcheck's distributed architecture and how plugins get started.
19 | {% end %}
20 |
21 | {% waypoint(title="Query System", path="@/docs/contributing/developer-docs/plugin-query-system/index.md") %}
22 | The life of a plugin query from inception, through gRPC, to SDK, and back.
23 | {% end %}
24 |
25 |
26 |
--------------------------------------------------------------------------------
/hipcheck/src/util/http/agent.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Globally defined agent containing system TLS Certs.
4 |
5 | use crate::Result;
6 | use rustls::ClientConfig;
7 | use rustls_platform_verifier::ConfigVerifierExt;
8 | use std::sync::{Arc, OnceLock};
9 | use ureq::{Agent, AgentBuilder};
10 |
11 | /// Global static holding the agent with the appropriate TLS certs.
12 | static AGENT: OnceLock
15 |
16 | {% waypoint(title="Starting Debugging", path="@/docs/guide/debugging/starting.md", icon="thumbs-up") %}
17 | The basics for how to check Hipcheck's execution setup before anything else.
18 | {% end %}
19 |
20 | {% waypoint(title="Logging", path="@/docs/guide/debugging/logging.md", icon="list") %}
21 | How to configure Hipcheck's logging, including a variety of filtering options.
22 | {% end %}
23 |
24 | {% waypoint(title="Using a Debugger", path="@/docs/guide/debugging/debugger.md", icon="paperclip") %}
25 | How to debug Hipcheck using a separate debugger.
26 | {% end %}
27 |
28 |
29 |
--------------------------------------------------------------------------------
/plugins/entropy/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "entropy"
3 | version = "0.5.2"
4 | license = "Apache-2.0"
5 | edition = "2024"
6 | repository = "https://github.com/mitre/hipcheck"
7 | publish = false
8 |
9 | [dependencies]
10 | clap = { workspace = true, features = ["derive"] }
11 | dashmap = { workspace = true, features = ["inline", "rayon"] }
12 | finl_unicode = { workspace = true, features = ["grapheme_clusters"] }
13 | hipcheck-sdk = { workspace = true, features = ["macros"] }
14 | rayon = { workspace = true }
15 | schemars = { workspace = true }
16 | serde = { workspace = true }
17 | serde_json = { workspace = true }
18 | tracing = { workspace = true }
19 | tokio = { workspace = true, features = ["rt"] }
20 | unicode-normalization = { workspace = true }
21 | hipcheck-workspace-hack = { workspace = true }
22 |
23 | [dev-dependencies]
24 | hipcheck-sdk = { workspace = true, features = ["macros", "mock_engine"] }
25 |
--------------------------------------------------------------------------------
/hipcheck/src/shell/color_choice.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Utilities for handling whether or not to use color while printing output.
4 |
5 | use crate::error::{Error, Result};
6 | use std::str::FromStr;
7 |
8 | /// Selection of whether the CLI output should use color.
9 | #[derive(Debug, Default, Copy, Clone, PartialEq, clap::ValueEnum)]
10 | pub enum ColorChoice {
11 | /// Always use color output
12 | Always,
13 | /// Never use color output
14 | Never,
15 | /// Guess whether to use color output
16 | #[default]
17 | Auto,
18 | }
19 |
20 | impl FromStr for ColorChoice {
21 | type Err = Error;
22 |
23 | fn from_str(s: &str) -> Result
13 |
14 | {% waypoint(title="Getting Started", path="@/docs/getting-started/_index.md", icon="map-pin") %}
15 | A guide to installing and running Hipcheck for the first time.
16 | {% end %}
17 |
18 | {% waypoint(title="Complete Guide", path="@/docs/guide/_index.md", icon="map") %}
19 | A complete guide to all of Hipcheck's functionality.
20 | {% end %}
21 |
22 | {% waypoint(title="Contribute", path="@/docs/contributing/_index.md", icon="award") %}
23 | Learn how to make contributions to Hipcheck itself.
24 | {% end %}
25 |
26 | {% waypoint(title="RFDs", path="@/docs/rfds/_index.md", icon="pen-tool") %}
27 | Design documents proposing important changes to Hipcheck.
28 | {% end %}
29 |
30 |
31 |
--------------------------------------------------------------------------------
/sdk/python/docs/make.bat:
--------------------------------------------------------------------------------
1 | @ECHO OFF
2 |
3 | pushd %~dp0
4 |
5 | REM Command file for Sphinx documentation
6 |
7 | if "%SPHINXBUILD%" == "" (
8 | set SPHINXBUILD=sphinx-build
9 | )
10 | set SOURCEDIR=source
11 | set BUILDDIR=build
12 |
13 | %SPHINXBUILD% >NUL 2>NUL
14 | if errorlevel 9009 (
15 | echo.
16 | echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
17 | echo.installed, then set the SPHINXBUILD environment variable to point
18 | echo.to the full path of the 'sphinx-build' executable. Alternatively you
19 | echo.may add the Sphinx directory to PATH.
20 | echo.
21 | echo.If you don't have Sphinx installed, grab it from
22 | echo.https://www.sphinx-doc.org/
23 | exit /b 1
24 | )
25 |
26 | if "%1" == "" goto help
27 |
28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
29 | goto end
30 |
31 | :help
32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
33 |
34 | :end
35 | popd
36 |
--------------------------------------------------------------------------------
/site/scripts/src/footer/main.ts:
--------------------------------------------------------------------------------
1 | import { setupDocsNav } from "./docs.ts";
2 | import { setupInstallerPicker } from "./installer.ts";
3 | import { setupSmoothScrolling } from "./scroll.ts";
4 | import { setupSearch, setupSearchModal } from "./search.ts";
5 | import { setupThemeController } from "./theme.ts";
6 |
7 | /**
8 | * Run all page setup operations, initializing all interactive widgets.
9 | *
10 | * There are currently three widgets:
11 | *
12 | * - Theme Controller in the navigation bar.
13 | * - Installer Picker on the homepage.
14 | * - Search button in the navigation bar.
15 | */
16 | function setup() {
17 | setupThemeController();
18 | setupInstallerPicker();
19 | setupSearchModal();
20 | setupSearch();
21 | setupSmoothScrolling();
22 | setupDocsNav();
23 | }
24 |
25 | /**
26 | * Do setup, logging errors to the console.
27 | */
28 | (function () {
29 | try {
30 | setup();
31 | } catch (e) {
32 | console.error(e);
33 | }
34 | })();
35 |
--------------------------------------------------------------------------------
/hipcheck/build.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | include!("src/target/types.rs");
4 |
5 | use anyhow::Result;
6 | use pathbuf::pathbuf;
7 | use schemars::schema_for;
8 | use std::{fs, path::Path};
9 |
10 | fn generate_schemars_for_target_types(out_dir: &Path) -> Result<()> {
11 | let out_schemars = vec![("target", schema_for!(Target))];
12 | for (key, schema) in out_schemars {
13 | let out_path = pathbuf![out_dir, format!("hipcheck_{}_schema.json", key).as_str()];
14 | fs::write(out_path, serde_json::to_string_pretty(&schema).unwrap()).unwrap();
15 | }
16 | Ok(())
17 | }
18 |
19 | fn main() -> Result<()> {
20 | generate_schemars_for_target_types(Path::new("../sdk/schema"))?;
21 |
22 | // Make the target available as a compile-time env var for plugin arch
23 | // resolution
24 | println!(
25 | "cargo:rustc-env=TARGET={}",
26 | std::env::var("TARGET").unwrap()
27 | );
28 | println!("cargo:rerun-if-changed-env=TARGET");
29 |
30 | Ok(())
31 | }
32 |
--------------------------------------------------------------------------------
/.github/workflows/docker.yml:
--------------------------------------------------------------------------------
1 | name: Docker
2 |
3 | # Run once a week on Monday at midnight.
4 | # Plus be able to run it on command.
5 | on:
6 | schedule:
7 | - cron: "0 0 * * 1"
8 | workflow_dispatch:
9 |
10 | jobs:
11 | build:
12 | name: "Build Containerfile"
13 | runs-on: ubuntu-latest
14 | steps:
15 | - name: Check out the repo
16 | uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
17 | with:
18 | persist-credentials: false
19 |
20 | - name: Setup Qemu
21 | uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
22 |
23 | - name: Setup Docker buildx
24 | uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
25 |
26 | - name: Run Docker build
27 | uses: docker/build-push-action@1dc73863535b631f98b2378be8619f83b136f4a0 # v6.17.0
28 | with:
29 | file: dist/Containerfile
30 | push: false
31 |
--------------------------------------------------------------------------------
/library/hipcheck-common/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "hipcheck-common"
3 | description = "Common functionality for the Hipcheck gRPC protocol"
4 | repository = "https://github.com/mitre/hipcheck"
5 | version = "0.4.2"
6 | license = "Apache-2.0"
7 | edition = "2024"
8 |
9 | [dependencies]
10 | anyhow = { workspace = true }
11 | clap = { workspace = true, features = ["cargo", "derive", "string"] }
12 | prost = { workspace = true }
13 | serde = { workspace = true, features = ["derive", "rc"] }
14 | serde_json = { workspace = true }
15 | thiserror = { workspace = true }
16 | tonic = { workspace = true }
17 | tonic-prost = { workspace = true }
18 | hipcheck-workspace-hack = { workspace = true }
19 |
20 | [build-dependencies]
21 | anyhow = { workspace = true }
22 | pathbuf = { workspace = true }
23 | tonic-prost-build = { workspace = true }
24 |
25 | [features]
26 | default = ["rfd9-compat"]
27 | rfd9-compat = []
28 |
29 | [package.metadata.cargo-machete]
30 | ignored = ["prost", "tonic"]
31 |
--------------------------------------------------------------------------------
/site/content/docs/guide/debugging/debugger.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Using a Debugger
3 | weight: 3
4 | ---
5 |
6 | # Debugger
7 |
8 | Hipcheck can be run under a debugger like `gdb` or `lldb`. Because Hipcheck is
9 | written in Rust, we recommend using the Rust-patched versions of `gdb` or `lldb`
10 | which ship with the Rust standard tooling. These versions of the tools include
11 | specific logic to demangle Rust symbols to improve the experience of debugging
12 | Rust code.
13 |
14 | You can install these tools by following the standard [Rust installation
15 | instructions](https://www.rust-lang.org/tools/install).
16 |
17 | With one of these debuggers installed, you can then use them to set breakpoints
18 | during Hipcheck's execution, and do all the normal program debugging processes
19 | you're familiar with if you've used a debugger before. Explaining the use of
20 | these tools is outside of the scope of the Hipcheck documentation, so we defer
21 | to their respective documentation sources.
22 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # The target directory, where all the build artifacts go.
2 | /target/
3 | /target
4 | .target/
5 | ./target/
6 | .target
7 | ./target
8 |
9 | # These are backup files generated by rustfmt
10 | **/*.rs.bk
11 |
12 | # macOS file
13 | .DS_Store
14 |
15 | # Visual Studio Code directory
16 | .vscode
17 |
18 | # IntelliJ IDEA Directory
19 | .idea
20 |
21 | # dotenv env configuration file
22 | .env
23 |
24 | # Vim swap files
25 | .*.swp
26 |
27 | # We generate a file with this name when prepping each release, and don't
28 | # want it to be checked in.
29 | CHANGELOG-NEXT.md
30 |
31 | # File generated by cargo-flamegraph
32 | flamegraph.svg
33 |
34 | # Generated file based on the protobuf definition.
35 | /hipcheck/src/hipcheck.rs
36 |
37 | # Editor-specific directory for Zed
38 | .zed
39 |
40 | # Python environment dir
41 | venv
42 |
43 | # Python pycache and SDK build dirs
44 | __pycache__
45 | sdk/python/build/
46 | sdk/python/dist/
47 | sdk/python/hipcheck_sdk.egg-info/
48 | sdk/python/docs/build/
49 |
--------------------------------------------------------------------------------
/xtask/src/task/manifest/util/agent.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Globally defined agent containing system TLS Certs.
4 |
5 | use anyhow::Result;
6 | use rustls::ClientConfig;
7 | use rustls_platform_verifier::ConfigVerifierExt;
8 | use std::sync::{Arc, OnceLock};
9 | use ureq::{Agent, AgentBuilder};
10 |
11 | /// Global static holding the agent with the appropriate TLS certs.
12 | static AGENT: OnceLockhc setup"
5 | ---
6 |
7 | # `hc setup`
8 |
9 | The `hc setup` command is intended to be run after first installing Hipcheck,
10 | and again after updating Hipcheck, to ensure you have the required configuration
11 | and data files needed for Hipcheck to run.
12 |
13 | When installing Hipcheck, regardless of method, you are only installing the
14 | `hc` binary, not these additional configuration files. `hc setup` identifies
15 | the correct location in your system for configuration files and writes the
16 | files to that directory.
17 |
18 | It also produces an export command that should be used to set the `HC_CONFIG`
19 | environmental variable to the relevant directory, as necessary to run `hc check`.
20 |
21 | Please note that in some cases, `hc setup` may default to a directory that
22 | requires escalated privileges. You can resolve this by running `sudo hc setup` or
23 | passing in the your desired directory with `hc setup --config [directory path]`.
24 |
25 | `hc setup` supports Hipcheck's [General Flags](@/docs/guide/cli/general-flags.md).
26 |
--------------------------------------------------------------------------------
/tests/test-plugins/activity-container/activity-container-deploy.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Default values
4 | IMAGE_TAR="./tests/test-plugins/activity-container/activity-image.tar"
5 | IMAGE_NAME="activity-image"
6 | PORT=8888
7 |
8 | while [[ $# -gt 0 ]]; do
9 | if [[ "$1" == "--port" && -n "$2" && "$2" =~ ^[0-9]+$ ]]; then
10 | PORT="$2"
11 | shift 2
12 | else
13 | # Collect any other arguments to pass to docker run
14 | EXTRA_ARGS="$EXTRA_ARGS $1"
15 | shift
16 | fi
17 | done
18 |
19 | if [[ ! -f "$IMAGE_TAR" ]]; then
20 | echo "Error: Image tar file '$IMAGE_TAR' not found!"
21 | exit 1
22 | fi
23 |
24 |
25 | # Check if the image is already loaded
26 | if ! docker images | grep -q "$IMAGE_NAME"; then
27 | echo "Image '$IMAGE_NAME' not found. Loading the image..."
28 | if ! docker load -i "$IMAGE_TAR" > /dev/null 2>&1; then
29 | echo "Error: Failed to load image '$IMAGE_TAR'."
30 | exit 1
31 | fi
32 | fi
33 | # Otherwise, the image is already loaded
34 |
35 | # Format the run statement for container port mapping
36 | docker run --init -p "$PORT":50051 activity-image
37 |
--------------------------------------------------------------------------------
/sdk/python/pyproject.toml:
--------------------------------------------------------------------------------
1 | [project]
2 | name = "hipcheck-sdk"
3 | version = "0.2.1"
4 | description = "An SDK for developing Hipcheck plugins"
5 | readme = "README.md"
6 | authors = [
7 | { name = "j-lanson", email = "jlanson@mitre.org" }
8 | ]
9 | requires-python = ">=3.10"
10 | classifiers = [
11 | "Programming Language :: Python :: 3",
12 | "Operating System :: OS Independent"
13 | ]
14 | license = "Apache-2.0"
15 | license-files = ["LICENSE"]
16 |
17 | dependencies = [
18 | "asyncio>=3.4.3",
19 | "coverage>=7.6.12",
20 | "datamodel-code-generator>=0.28.5",
21 | "grpcio>=1.70.0",
22 | "grpcio-tools>=1.70.0",
23 | "logging>=0.4.9.6",
24 | "pydantic>=2.10.6",
25 | "pytest>=8.3.5",
26 | "pytest-asyncio>=0.26.0",
27 | "sphinx>=8.1.3",
28 | "wheel>=0.45.1",
29 | ]
30 |
31 | [project.urls]
32 | Homepage = "https://hipcheck.mitre.org/"
33 | Documentation = "https://hipcheck.mitre.org/sdk/python/hipcheck_sdk.html"
34 | Repository = "https://github.com/mitre/hipcheck.git"
35 | Issues = "https://github.com/mitre/hipcheck/issues"
36 |
37 | [build-system]
38 | requires = ["hatchling"]
39 | build-backend = "hatchling.build"
40 |
--------------------------------------------------------------------------------
/hipcheck/src/init/indicatif_log_bridge.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! The `indicatif-log-bridge` crate discards filtering information when using env_logger, so I'm writting my own.
4 |
5 | use crate::shell::Shell;
6 | use env_logger::Logger;
7 | use log::SetLoggerError;
8 |
9 | pub struct LogWrapper(pub Logger);
10 |
11 | impl log::Log for LogWrapper {
12 | fn enabled(&self, metadata: &log::Metadata) -> bool {
13 | self.0.enabled(metadata)
14 | }
15 |
16 | fn log(&self, record: &log::Record) {
17 | // Don't suspend the shell if we're not gonna log the message.
18 | if log::logger().enabled(record.metadata()) {
19 | Shell::in_suspend(|| self.0.log(record))
20 | }
21 | }
22 |
23 | fn flush(&self) {
24 | Shell::in_suspend(|| self.0.flush())
25 | }
26 | }
27 |
28 | impl LogWrapper {
29 | pub fn try_init(self) -> Result<(), SetLoggerError> {
30 | if !Shell::is_init() {
31 | panic!("Initialize the global shell before initializing this logger");
32 | }
33 |
34 | let max_filter_level = self.0.filter();
35 |
36 | log::set_boxed_logger(Box::new(self))?;
37 |
38 | log::set_max_level(max_filter_level);
39 |
40 | Ok(())
41 | }
42 | }
43 |
--------------------------------------------------------------------------------
/plugins/churn/src/metric.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use std::iter::Iterator;
4 |
5 | /// Calculate the arithmetic mean for a set of floats. Returns an option to account
6 | /// for the possibility of dividing by zero.
7 | pub fn mean(data: &[f64]) -> Option
21 |
22 | {% waypoint(title="Install Hipcheck", path="@/docs/getting-started/install.md", icon="download") %}
23 | A guide to all methods for installing Hipcheck.
24 | {% end %}
25 |
26 | {% waypoint(title="Why Hipcheck?", path="@/docs/getting-started/why.md", icon="book-open") %}
27 | Some history on the creation and purpose of Hipcheck.
28 | {% end %}
29 |
30 |
31 | {% waypoint(title="Quickstart: Your First Analysis", path="@/docs/getting-started/first-run.md", icon="watch") %}
32 | A walkthrough of running Hipcheck for the first time.
33 | {% end %}
34 |
35 |
36 |
--------------------------------------------------------------------------------
/sdk/python/docs/source/conf.py:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0
2 |
3 | # Configuration file for the Sphinx documentation builder.
4 | #
5 | # For the full list of built-in configuration values, see the documentation:
6 | # https://www.sphinx-doc.org/en/master/usage/configuration.html
7 |
8 | import os
9 | import sys
10 |
11 | sys.path.insert(0, os.path.abspath("../../src/hipcheck_sdk"))
12 |
13 | # -- Project information -----------------------------------------------------
14 | # https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
15 |
16 | project = "hipcheck-sdk"
17 | copyright = "2025, Julian Lanson"
18 | author = "Julian Lanson"
19 | release = "0.2.1"
20 |
21 | # -- General configuration ---------------------------------------------------
22 | # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
23 |
24 | extensions = [
25 | "sphinx.ext.viewcode",
26 | "sphinx.ext.autodoc",
27 | ]
28 |
29 | templates_path = ["_templates"]
30 | exclude_patterns = []
31 |
32 |
33 | # -- Options for HTML output -------------------------------------------------
34 | # https://www.sphinx-doc.org/en/master/usage/configuration.html#options-for-html-output
35 |
36 | html_theme = "alabaster"
37 | html_static_path = ["_static"]
38 |
--------------------------------------------------------------------------------
/sdk/python/tests/test_mock_responses.py:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0
2 |
3 | import pytest
4 | import asyncio
5 |
6 | from hipcheck_sdk import *
7 | from hipcheck_sdk.error import UnknownPluginQuery
8 |
9 |
10 | def test_mock_responses():
11 | expected = 2
12 | engine = PluginEngine.mock([(("mitre/example/nondefault", 1), expected)])
13 | try:
14 | res = asyncio.run(engine.query("mitre/example", 1))
15 | assert false
16 | except UnknownPluginQuery:
17 | pass
18 | try:
19 | res = asyncio.run(engine.query("mitre/example/nondefault", 2))
20 | assert false
21 | except UnknownPluginQuery:
22 | pass
23 |
24 | res = asyncio.run(engine.query("mitre/example/nondefault", 1))
25 | assert res == expected
26 |
27 | engine = PluginEngine.mock(
28 | [
29 | (("mitre/example", 1), 1),
30 | (("mitre/example", 2), 2),
31 | (("mitre/example", 3), 3),
32 | ]
33 | )
34 |
35 | async def run(engine):
36 | builder = engine.batch("mitre/example")
37 | builder.query(1)
38 | builder.query(2)
39 | builder.query(3)
40 |
41 | return await builder.send()
42 |
43 | res = asyncio.run(run(engine))
44 | assert res == [1, 2, 3]
45 |
--------------------------------------------------------------------------------
/site/content/docs/guide/concepts/_index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Key Concepts
3 | template: docs.html
4 | page_template: docs_page.html
5 | sort_by: weight
6 | weight: 1
7 | ---
8 |
9 | # Key Concepts
10 |
11 | To understand Hipcheck, it's useful to understand some of the key concepts
12 | underlying its design, which we'll explore here.
13 |
14 |
15 |
16 |
17 | {% waypoint(title="Targets", path="@/docs/guide/concepts/targets.md", icon="target") %}
18 | How Hipcheck identifies what package or project to analyze.
19 | {% end %}
20 |
21 | {% waypoint(title="Data", path="@/docs/guide/concepts/data/index.md", icon="database") %}
22 | How Hipcheck collects data from external sources.
23 | {% end %}
24 |
25 | {% waypoint(title="Analyses", path="@/docs/guide/concepts/analyses.md", icon="alert-triangle") %}
26 | What kinds of analyses Hipcheck is focused on.
27 | {% end %}
28 |
29 | {% waypoint(title="Scoring", path="@/docs/guide/concepts/scoring/index.md", icon="activity") %}
30 | How Hipcheck converts individual analysis results into a risk score.
31 | {% end %}
32 |
33 | {% waypoint(title="Concerns", path="@/docs/guide/concepts/concerns.md", icon="list") %}
34 | How plugins report extra information to support manual analysis.
35 | {% end %}
36 |
37 |
38 |
--------------------------------------------------------------------------------
/.config/hakari.toml:
--------------------------------------------------------------------------------
1 | # This file contains settings for `cargo hakari`.
2 | # See https://docs.rs/cargo-hakari/latest/cargo_hakari/config for a full list of options.
3 |
4 | hakari-package = "hipcheck-workspace-hack"
5 |
6 | # Format version for hakari's output. Version 4 requires cargo-hakari 0.9.22 or above.
7 | dep-format-version = "4"
8 |
9 | # Setting workspace.resolver = "2" or higher in the root Cargo.toml is HIGHLY recommended.
10 | # Hakari works much better with the v2 resolver. (The v2 and v3 resolvers are identical from
11 | # hakari's perspective, so you're welcome to set either.)
12 | #
13 | # For more about the new feature resolver, see:
14 | # https://blog.rust-lang.org/2021/03/25/Rust-1.51.0.html#cargos-new-feature-resolver
15 | resolver = "2"
16 |
17 | # Add triples corresponding to platforms commonly used by developers here.
18 | # https://doc.rust-lang.org/rustc/platform-support.html
19 | platforms = [
20 | "x86_64-unknown-linux-gnu",
21 | "x86_64-apple-darwin",
22 | "aarch64-apple-darwin",
23 | "x86_64-pc-windows-msvc",
24 | ]
25 |
26 | # Write out exact versions rather than a semver range. (Defaults to false.)
27 | exact-versions = true
28 |
29 | # Don't include 'xtask' in cargo-hakari's workspace hack calculations.
30 | [traversal-excludes]
31 | workspace-members = ["xtask"]
32 |
--------------------------------------------------------------------------------
/hipcheck/src/shell/verbosity.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Utilities for managing and controlling the verbosity of hipcheck.
4 |
5 | use super::Shell;
6 |
7 | /// How verbose CLI output should be.
8 | #[derive(Debug, Default, Copy, Clone, PartialEq, clap::ValueEnum)]
9 | pub enum Verbosity {
10 | /// Output results, not progress indicators.
11 | Quiet,
12 | /// Output results and progress indicators.
13 | #[default]
14 | Normal,
15 | // This one is only used in testing.
16 | /// Do not output anything.
17 | #[value(hide = true)]
18 | Silent,
19 | }
20 |
21 | impl Verbosity {
22 | /// [Verbosity::Quiet] if `quiet` is true, [Verbosity::Normal] otherwise.
23 | pub fn use_quiet(quiet: bool) -> Verbosity {
24 | if quiet {
25 | Verbosity::Quiet
26 | } else {
27 | Verbosity::Normal
28 | }
29 | }
30 | }
31 |
32 | /// A [SilenceGuard] is created by calling [Shell::silence], which returns an opaque
33 | /// value of this type. Once that value is [drop]ped, the global [Shell]'s verbosity is set to
34 | /// whatever it was prior to calling [Shell::silence].
35 | #[derive(Debug)]
36 | pub struct SilenceGuard {
37 | pub(super) previous_verbosity: Verbosity,
38 | }
39 |
40 | impl Drop for SilenceGuard {
41 | fn drop(&mut self) {
42 | Shell::set_verbosity(self.previous_verbosity);
43 | }
44 | }
45 |
--------------------------------------------------------------------------------
/site/content/docs/guide/plugins/mitre-fuzz.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "mitre/fuzz"
3 | extra:
4 | nav_title: "mitre/fuzz"
5 | ---
6 |
7 | # `mitre/fuzz`
8 |
9 | Checks if a project participates in OSS Fuzz.
10 |
11 | ## Configuration
12 |
13 | None
14 |
15 | ## Default Policy Expression
16 |
17 | ```
18 | (eq $ #t)
19 | ```
20 |
21 | ## Default Query: `mitre/fuzz`
22 |
23 | Returns `true` if the project _does_ participate in OSS Fuzz, `false` otherwise.
24 |
25 | ## Explanation
26 |
27 | Repos being checked by Hipcheck may receive regular fuzz testing. This analysis
28 | checks if the repo is participating in the OSS Fuzz program. If it is fuzzed,
29 | this is considered a signal of a repository being lower risk.
30 |
31 | ## Limitations
32 |
33 | * __Not all languagues supported__: Robust fuzzing tools do not exist for every
34 | language. It is possible fuzz testing was not done because no good option for it
35 | existed at the time. Lack of fuzzing in those cases would still indicate a higher
36 | risk, but it would not necessarily indicate bad software development practices.
37 | * __Only OSS Fuzz checked__: At this time, Hipcheck only checks if the repo
38 | participates in Google's OSS Fuzz. Other fuzz testing programs exist, but a repo
39 | will not pass this analysis if it uses one of those instead.
40 |
--------------------------------------------------------------------------------
/hipcheck/src/init/git2_log_shim.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Log shim function to redirect [git2] trace messages to [log].
4 |
5 | use crate::hc_error;
6 |
7 | /// Shim the [git2] crate's tracing infrastructure with calls to the [log] crate which we use.
8 | pub fn git2_set_trace_log_shim() {
9 | git2::trace_set(git2::TraceLevel::Trace, |level, msg| {
10 | use git2::TraceLevel;
11 | use log::{Level, RecordBuilder};
12 |
13 | // Coerce fatal down to error since there's no trivial equivalent.
14 | let log_level = match level {
15 | TraceLevel::Debug => Level::Debug,
16 | TraceLevel::Fatal | TraceLevel::Error => Level::Error,
17 | TraceLevel::Warn => Level::Warn,
18 | TraceLevel::Info => Level::Info,
19 | TraceLevel::Trace => Level::Trace,
20 | // git2 should not produce trace messages with no level.
21 | other @ TraceLevel::None => panic!("Unsupported git2 log level: {other:?}"),
22 | };
23 |
24 | let mut record_builder = RecordBuilder::new();
25 |
26 | record_builder.level(log_level).target("libgit2");
27 |
28 | let msg_str = std::str::from_utf8(msg).unwrap_or("non-UTF8 string received in callback");
29 |
30 | log::logger().log(&record_builder.args(format_args!("{}", msg_str)).build());
31 | })
32 | .map_err(|e| hc_error!("Failed to set git2 callback: {}", e))
33 | .unwrap();
34 | }
35 |
--------------------------------------------------------------------------------
/plugins/churn/src/types.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use schemars::JsonSchema;
4 | use serde::{Deserialize, Serialize};
5 | use std::result::Result;
6 |
7 | #[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Eq, Hash, JsonSchema)]
8 | pub struct Commit {
9 | pub hash: String,
10 | pub written_on: Resultmitre/activity"
5 | ---
6 |
7 | # `mitre/activity`
8 |
9 | Determines if a project is actively maintained.
10 |
11 | ## Configuration
12 |
13 | | Parameter | Type | Explanation |
14 | |:----------|:----------|:--------------|
15 | | `weeks` | `Integer` | The permitted number of weeks before a project is considered inactive. |
16 |
17 | ## Default Policy Expression
18 |
19 | ```
20 | (lte $ P{config.weeks or 71}w)
21 | ```
22 |
23 | ## Default Query: `mitre/activity`
24 |
25 | Returns a `Span` representing the time from the most recent commit to now.
26 |
27 | ## Limitations
28 |
29 | * __Cases where lack of updates is warranted__: Sometimes work on a piece of
30 | software stops because it is complete, and there is no longer a need to
31 | update it. In this case, a repository being flagged as failing this analysis
32 | may not be truly risky for lack of activity. However, _most of the time_
33 | we expect that lack of updates ought to be concern, and so considering this
34 | metric when analyzing software supply chain risk is reasonable. If you
35 | are in a context where lack of updates is desirable or not concerning, you
36 | may consider changing the configuration to a different duration, or disabling
37 | the analysis entirely.
38 |
--------------------------------------------------------------------------------
/sdk/python/docs/source/hipcheck_sdk.rst:
--------------------------------------------------------------------------------
1 | hipcheck\_sdk package
2 | =====================
3 |
4 | Subpackages
5 | -----------
6 |
7 | Submodules
8 | ----------
9 |
10 | hipcheck\_sdk.cli module
11 | ------------------------
12 |
13 | .. automodule:: hipcheck_sdk.cli
14 | :members:
15 | :undoc-members:
16 | :show-inheritance:
17 |
18 | hipcheck\_sdk.engine module
19 | ---------------------------
20 |
21 | .. automodule:: hipcheck_sdk.engine
22 | :members:
23 | :undoc-members:
24 | :show-inheritance:
25 |
26 | hipcheck\_sdk.error module
27 | --------------------------
28 |
29 | .. automodule:: hipcheck_sdk.error
30 | :members:
31 | :undoc-members:
32 | :show-inheritance:
33 |
34 | hipcheck\_sdk.options module
35 | ----------------------------
36 |
37 | .. automodule:: hipcheck_sdk.options
38 | :members:
39 | :undoc-members:
40 | :show-inheritance:
41 |
42 | hipcheck\_sdk.query module
43 | --------------------------
44 |
45 | .. automodule:: hipcheck_sdk.query
46 | :members:
47 | :undoc-members:
48 | :show-inheritance:
49 |
50 | hipcheck\_sdk.server module
51 | ---------------------------
52 |
53 | .. automodule:: hipcheck_sdk.server
54 | :members:
55 | :undoc-members:
56 | :show-inheritance:
57 |
58 |
59 | Module contents
60 | ---------------
61 |
62 | .. automodule:: hipcheck_sdk
63 | :members:
64 | :undoc-members:
65 | :show-inheritance:
66 |
--------------------------------------------------------------------------------
/xtask/src/task/manifest/mod.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | mod download_manifest;
4 | mod kdl;
5 | mod local;
6 | mod remote;
7 | mod util;
8 |
9 | use download_manifest::DownloadManifestEntry;
10 |
11 | use anyhow::Result;
12 | use std::collections::HashSet;
13 |
14 | #[allow(unused)]
15 | pub use kdl::ParseKdlNode;
16 |
17 | pub fn run() -> Result<()> {
18 | let api_token = std::env::var("HC_GITHUB_TOKEN")?;
19 | let releases = remote::get_hipcheck_plugin_releases(&api_token)?;
20 |
21 | for (name, remote_entries) in releases.0 {
22 | // We know all releases off the hipcheck github repo are mitre-published
23 | let local_manifest_path = local::get_download_manifest_path("mitre", &name)?;
24 | let local_entries = local::try_parse_download_manifest(&local_manifest_path)?;
25 |
26 | let remote_set = HashSet::
16 |
17 | {% waypoint(title="Creating a Plugin", path="@/docs/guide/making-plugins/creating-a-plugin.md", icon="box") %}
18 | How to start making a new Hipcheck plugin.
19 | {% end %}
20 |
21 | {% waypoint(title="The Rust Plugin SDK", path="@/docs/guide/making-plugins/rust-sdk.md", icon="tool") %}
22 | How to use the Rust SDK to create a plugin.
23 | {% end %}
24 |
25 | {% waypoint(title="The Python Plugin SDK", path="@/docs/guide/making-plugins/python-sdk.md", icon="tool") %}
26 | How to use the Python SDK to create a plugin.
27 | {% end %}
28 |
29 | {% waypoint(title="The Query Protocol", path="@/docs/guide/making-plugins/query-protocol.md", icon="tool") %}
30 | A description of the query protocol for non-SDK users.
31 | {% end %}
32 |
33 | {% waypoint(title="Packaging and Releasing a Plugin", path="@/docs/guide/making-plugins/release.md", icon="tool") %}
34 | How to prepare a plugin for use and release.
35 | {% end %}
36 |
37 |
38 |
--------------------------------------------------------------------------------
/site/scripts/src/util/web.ts:
--------------------------------------------------------------------------------
1 | /**
2 | * document.querySelector with type conversion and error handling.
3 | */
4 | export function querySelector(selector: string): HTMLElement {
5 | const $elem = document.querySelector(selector);
6 | if ($elem === null) throw new QueryError(`could not find ${selector}`);
7 | return $elem as HTMLElement;
8 | }
9 |
10 | /**
11 | * document.querySelectorAll with type conversions and error handling.
12 | */
13 | export function querySelectorAll(selector: string): Array
16 |
17 | {% waypoint(title="Coordinating Changes", path="@/docs/contributing/coordinating-changes.md", icon="user") %}
18 | A guide to all methods for installing Hipcheck.
19 | {% end %}
20 |
21 | {% waypoint(title="Testing Changes", path="@/docs/contributing/testing.md", icon="cloud-lightning") %}
22 | Some history on the creation and purpose of Hipcheck.
23 | {% end %}
24 |
25 | {% waypoint(title="Intellectual Property", path="@/docs/contributing/intellectual-property.md", icon="shield") %}
26 | A walkthrough of running Hipcheck for the first time.
27 | {% end %}
28 |
29 | {% waypoint(title="Describing Changes", path="@/docs/contributing/describing-changes.md", icon="message-circle") %}
30 | A walkthrough of running Hipcheck for the first time.
31 | {% end %}
32 |
33 | {% waypoint(title="PR Review Checklist", path="@/docs/contributing/pr-review.md", icon="message-circle") %}
34 | Things to track when reviewing a PR.
35 | {% end %}
36 |
37 | {% waypoint(title="Developer Docs", path="@/docs/contributing/developer-docs/_index.md") %}
38 | Documentation for Hipcheck developers.
39 | {% end %}
40 |
41 |
42 |
--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
1 | # Security Policy
2 |
3 | The following is the security policy for the `hipcheck` binary crate found in this workspace.
4 |
5 | ## Reporting a Vulnerability
6 |
7 | You can report a vulnerability using the "Report a Vulnerability" button under
8 | the "Security" tab of the repository. If we find that a vulnerability is legitimate,
9 | we will create a [RustSec](https://rustsec.org/) advisory.
10 |
11 | Please give us 90 days to respond to a vulnerability disclosure. In general, we
12 | will try to produce fixes and respond publicly to disclosures faster than that.
13 |
14 | We ask that you _not_ create advisories yourself; instead please submit
15 | vulnerability reports to us first so we can plan a response. If we accept the
16 | legitimacy of a vulnerability, please wait for us to respond publicly to the
17 | vulnerability before publicly disclosing the vulnerability yourself.
18 |
19 | Our response will include publication of new versions, yanking of old versions,
20 | and public disclosure of the vulnerability and its fixes in the RustSec database.
21 |
22 | We consider soundness violations (violations of safe Rust's memory, thread, or
23 | type safety guarantees) to be at least informational vulnerabilities and
24 | will treat them as such.
25 |
26 | RustSec advisories are automatically imported into the GitHub Security Advisory
27 | system and the OSV database, so you do not need to create duplicate reports for
28 | those systems.
--------------------------------------------------------------------------------
/site/templates/macros/breadcrumbs.tera.html:
--------------------------------------------------------------------------------
1 | {% macro breadcrumbs(current) %}
2 | {# TODO: Don't hide this on mobile #}
3 |
44 | {% endmacro breadcrumbs %}
45 |
--------------------------------------------------------------------------------
/site/templates/partials/head.tera.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 | {% if page and page.title %}
11 | {% set title = page.title %}
12 | {% elif section and section.title %}
13 | {% set title = section.title %}
14 | {% else %}
15 | {% set title = config.extra.title %}
16 | {% endif %}
17 |
18 | {% if page and page.description %}
19 | {% set description = page.description %}
20 | {% elif section and section.description %}
21 | {% set description = section.description %}
22 | {% else %}
23 | {% set description = config.extra.description %}
24 | {% endif %}
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
--------------------------------------------------------------------------------
/site/content/docs/guide/concepts/data/index.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Data
3 | weight: 2
4 | template: docs_page.html
5 | ---
6 |
7 | # Data
8 |
9 | To analyze packages, Hipcheck needs to gather data about those packages.
10 | That data can come from a variety of sources, including:
11 |
12 | - Git commit histories
13 | - The GitHub API or, in the future, similar source repository platform
14 | APIs
15 | - Package host APIs like the NPM API
16 |
17 | Each of these sources store information about the history of a project,
18 | which may be relevant for understanding the _practices_ associated with
19 | the code's development, or for detecting possible active supply chain
20 | _attacks_.
21 |
22 | Hipcheck tries to cleanly distinguish between _data_, _analyses_, and
23 | _configuration_. _Data_ is the raw pieces of information pulled from
24 | exterior sources. It is solely factual, recording prior events.
25 | _Analyses_ are computations performed on data which produce _measures_,
26 | and which may also produce _concerns_. Finally, _configuration_ is an
27 | expression of the user's policy, which turns the _measures_ produced
28 | by analyses into a _score_ and a _recommendation_. This is perhaps
29 | easier to see in a diagram.
30 |
31 | 
32 |
33 | With this structure, Hipcheck tries to cleanly separate the parts
34 | that are _factual_, from the parts that are _measuring_ facts, and
35 | from the parts that are applying subjective policies on those
36 | measurements.
37 |
--------------------------------------------------------------------------------
/plugins/github/src/github/rest/code_search.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use crate::tls::authenticated_agent::AuthenticatedAgent;
4 | use anyhow::{Result, anyhow};
5 | use serde_json::Value;
6 |
7 | /// Endpoint for GitHub Code Search.
8 | const CODE_SEARCH: &str = "https://api.github.com/search/code";
9 |
10 | /// Check if the given repo participates in OSS-Fuzz.
11 | pub fn check_fuzzing(agent: &AuthenticatedAgent<'_>, repo: &str) -> Result
13 |
29 | {% endblock %}
30 |
31 | {% block content %}
32 |
14 |
28 | {{ page.title }}
15 |
16 |
26 |
27 |
17 |
21 |
18 | 
19 |
20 |
22 |
25 | Written by {{ page.authors.0 }}
23 |Posted on {{ page.date | date(format="%B %-d, %Y") }}
24 |
33 |
39 | {% endblock %}
40 |
--------------------------------------------------------------------------------
/site/templates/shortcodes/waypoint.html:
--------------------------------------------------------------------------------
1 |
2 | {% import "macros/icon.tera.html" as ic %}
3 |
4 |
25 |
--------------------------------------------------------------------------------
/xtask/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "xtask"
3 | description = "Hipcheck development task runner."
4 | version = "0.1.0"
5 | license = "Apache-2.0"
6 | edition = "2024"
7 | # This ensures we do not publish this to Crates.io, and that
8 | # 'dist' doesn't try to create any releases of this, since it's just
9 | # internal tooling.
10 | publish = false
11 |
12 | [dependencies]
13 | anyhow = { workspace = true }
14 | clap = { workspace = true, features = ["cargo", "derive", "string"] }
15 | clap-verbosity-flag = { workspace = true }
16 | convert_case = { workspace = true }
17 | csv = { workspace = true }
18 | env_logger = { workspace = true }
19 | glob = { workspace = true }
20 | itertools = { workspace = true }
21 | jiff = { workspace = true, features = ["alloc", "serde", "std"] }
22 | kdl = { workspace = true }
23 | log = { workspace = true }
24 | pathbuf = { workspace = true }
25 | pep440_rs = { workspace = true }
26 | pyproject-toml = { workspace = true }
27 | rayon = { workspace = true }
28 | regex = { workspace = true }
29 | # Exactly matching the version of rustls used by ureq
30 | # Get rid of default features since we don't use the AWS backed crypto
31 | # provider (we use ring) and it breaks stuff on windows.
32 | rustls = { workspace = true, features = ["logging", "std", "tls12", "ring"] }
33 | rustls-platform-verifier = { workspace = true }
34 | serde = { workspace = true, features = ["derive"] }
35 | serde_json = { workspace = true }
36 | toml = { workspace = true }
37 | ureq = { workspace = true, features = ["json", "tls"] }
38 | url = { workspace = true, features = ["serde"] }
39 | which = { workspace = true }
40 | xshell = { workspace = true }
41 |
--------------------------------------------------------------------------------
/xtask/src/task/changelog.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use crate::ChangelogArgs;
4 | use anyhow::{Context, Result};
5 | use log::LevelFilter;
6 | use xshell::{Shell, cmd};
7 |
8 | /// Execute the changelog task.
9 | pub fn run(args: ChangelogArgs) -> Result<()> {
10 | which::which("git-cliff").context(
11 | "changelog requires `git-cliff` to be installed. Please install it with `cargo install git-cliff`.")?;
12 |
13 | let sh = Shell::new()?;
14 |
15 | // Get the root of the workspace, and make sure the shell is in it.
16 | // `git-cliff` expects to be run from the root of the workspace.
17 | let root = crate::workspace::root()?;
18 | sh.change_dir(root);
19 |
20 | // Warn the user about what version we're bumping to.
21 | //
22 | // Avoid running the extra external command if we won't see the result.
23 | if log::max_level() >= LevelFilter::Warn {
24 | let new_version = {
25 | let full = cmd!(sh, "git cliff --bumped-version").read()?;
26 | full.strip_prefix("hipcheck-").unwrap_or(&full).to_owned()
27 | };
28 |
29 | log::warn!(
30 | "bumping to {}; this may not be the version you want",
31 | new_version
32 | );
33 | }
34 |
35 | // We don't overwrite the CHANGELOG.md file, and instead by default
36 | // write to a different output file.
37 | let output = "CHANGELOG-NEXT.md";
38 |
39 | // Only include the bump flag if requested by the user.
40 | let bump = args.bump.then_some("--bump");
41 | cmd!(sh, "git cliff {bump...} -o {output}")
42 | .quiet()
43 | .ignore_stdout()
44 | .ignore_stderr()
45 | .run()?;
46 |
47 | log::warn!("finished; check {} to proceed", output);
48 | Ok(())
49 | }
50 |
--------------------------------------------------------------------------------
/site/scripts/src/footer/docs.ts:
--------------------------------------------------------------------------------
1 | import { updateIcon } from "../util/icon.ts";
2 | import { querySelectorAll } from "../util/web.ts";
3 |
4 | /**
5 | * Sets up the collapse/expand functionality for docs navigation.
6 | */
7 | export function setupDocsNav() {
8 | let $toggles;
9 |
10 | try {
11 | $toggles = querySelectorAll(".docs-nav-toggle");
12 | } catch (_e) {
13 | // Swallow these errors.
14 | return;
15 | }
16 |
17 | $toggles.forEach(($toggle) => {
18 | // Get the icon inside the toggle.
19 | const $toggleIcon = $toggle.querySelector(
20 | ".toggle-icon use",
21 | ) as HTMLElement;
22 | if ($toggleIcon === null) {
23 | console.log(`no icon found for toggle: '${$toggle}'`);
24 | return;
25 | }
26 |
27 | $toggle.addEventListener("click", (e) => {
28 | e.preventDefault();
29 |
30 | // Find the subsection list associated with the current toggle.
31 | const $parent = $toggle.parentElement?.parentElement;
32 | if ($parent === null || $parent === undefined) return;
33 | const $subsection = $parent.querySelector(
34 | ".docs-nav-section",
35 | ) as HTMLElement;
36 | if ($subsection === null) return;
37 |
38 | // Hide or show it.
39 | $subsection.classList.toggle("hidden");
40 |
41 | if (sectionIsHidden($subsection)) {
42 | updateIcon($toggleIcon, "chevron-right", "chevron-down");
43 | } else {
44 | updateIcon($toggleIcon, "chevron-down", "chevron-right");
45 | }
46 | });
47 | });
48 | }
49 |
50 | function sectionIsHidden($subsection: HTMLElement): boolean {
51 | return $subsection.classList.contains("hidden");
52 | }
53 |
--------------------------------------------------------------------------------
/tests/test-plugins/dummy_sha256/src/main.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | use clap::Parser;
4 | use hipcheck_sdk::{LogLevel, prelude::*};
5 | use sha2::{Digest, Sha256};
6 |
7 | #[query]
8 | async fn query_sha256(_engine: &mut PluginEngine, content: Vec
34 |
38 |
35 | {{ page.content | safe }}
36 |
37 | hc update"
5 | ---
6 |
7 | # `hc update`
8 |
9 | When Hipcheck is installed using the recommend install scripts provided with
10 | each release, the install scripts also provide an "updater" program, built
11 | by `cargo-dist` (which Hipcheck uses to handle creating prebuilt artifacts
12 | with each release, and with announcing each release on GitHub Releases).
13 | This updater program handles checking for a newer version of Hipcheck,
14 | downloading it, and replacing the current version with the newer one.
15 | The updater is provided as a separate binary (named either `hc-update`
16 | or `hipcheck-update`, due to historic bugs).
17 |
18 | The `hc update` command simply delegates to this separate update program,
19 | and provides the same interface that this separate update program does.
20 | In general, you only need to run `hc update` with no arguments, followed
21 | by `hc setup` to ensure your configuration and data files are setup.
22 |
23 | If you want to specifically download a version besides the most recent
24 | version of Hipcheck, you can use the following flags:
25 |
26 | - `--tag hc scoring"
5 | ---
6 |
7 | # `hc scoring`
8 |
9 | Hipcheck's scoring system works by calculating percentages for how much each
10 | analysis in the user's configured analysis tree contributes to the overall
11 | score, based on weights users set for each analysis and category.
12 |
13 | The `hc scoring` command takes that configured tree and weights, calculates
14 | scoring percentages, and displays them to the user to make it clear how their
15 | current policies will be converted to scores based on the results of a run
16 | of analyses.
17 |
18 | The help text looks like:
19 |
20 | ```
21 | Print the tree used to weight analyses during scoring
22 |
23 | Usage: hc scoring [OPTIONS]
24 |
25 | Options:
26 | -h, --help Print help (see more with '--help')
27 |
28 | Output Flags:
29 | -v, --verbosity hc explain"
5 | ---
6 |
7 | # `hc explain`
8 |
9 | The `hc explain` command is provided to give users insight into some of the
10 | current settings, information, or logic to use for understanding or debugging.
11 |
12 | The following is the CLI help text for `hc explain`:
13 |
14 | ```
15 | View setup information to help debug
16 |
17 | Usage: hc explain [OPTIONS] hc ready"
5 | ---
6 |
7 | # `hc ready`
8 |
9 | `hc ready` is a command for checking that Hipcheck is ready to run analyses.
10 | This is intended to help the user debug issues with a Hipcheck installation,
11 | including problems like missing configuration files, inaccessible config,
12 | data, or cache paths, missing authentication tokens, and more.
13 |
14 | `hc ready` starts all the plugins specified in the
15 | [policy file](@/docs/guide/config/policy-file.md) and confirms that initial
16 | configuration is successful. If `hc ready` doesn't report any problems with
17 | plugins, that means they are installed, runnable by Hipcheck, and are able to
18 | load their configuration without issues.
19 |
20 | Since `hc ready` does not involve the analysis subsystem like
21 | [`hc check`](@/docs/guide/cli/hc-check.md) does, it will not expose plugin
22 | issues that would only occur while analyzing a target.
23 |
24 | `hc ready` has no special flags currently, and only accepts the
25 | [General Flags](@/docs/guide/cli/general-flags.md) that _all_ Hipcheck
26 | commands accept.
27 |
28 | The output of `hc ready` is a report containing key information about
29 | Hipcheck, the third-party tools it relies on as external data sources,
30 | the paths it's currently using for configuration files, data files,
31 | and local repository clones, along with any API tokens it will use
32 | for external API access.
33 |
34 | If all required information is found and passes requirements for Hipcheck
35 | to run, it will report that Hipcheck is ready to run.
36 |
37 | We recommend running `hc ready` before running Hipcheck the first time,
38 | and as a good first debugging step if Hipcheck begins reporting issues.
39 |
--------------------------------------------------------------------------------
/site/content/docs/guide/plugins/mitre-identity.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: "mitre/identity"
3 | extra:
4 | nav_title: "mitre/identity"
5 | ---
6 |
7 | # `mitre/identity`
8 |
9 | Checks if a project's contributions have the same author and committer.
10 |
11 | ## Configuration
12 |
13 | | Parameter | Type | Explanation |
14 | |:--------------------|:--------|:--------------|
15 | | `percent-threshold` | `Float` | Percentage of "merge-by-self" contributions to accept. |
16 |
17 | ## Default Policy Expression
18 |
19 | ```
20 | (lte
21 | (divz
22 | (count (filter (eq #t) $))
23 | (count $))
24 | {config.percent-threshold or 0.2})
25 | ```
26 |
27 | ## Default Query: `mitre/identity`
28 |
29 | Returns an array of booleans indicating if commits have matching committer
30 | and author.
31 |
32 | ## Explanation
33 |
34 | Identity analysis looks at whether the author and committer identities for
35 | each commit are the same, as part of gauging the likelihood that commits
36 | are receiving some degree of review before being merged into a repository.
37 |
38 | When author and committer identity are the same, that may indicate that a
39 | commit did _not_ receive review, which could be a cause for concern. At the
40 | larger level, having a large percentage of commits with the same author
41 | and committer identities may indicate a project that lacks code review.
42 |
43 | ## Limitations
44 |
45 | * __Not every project uses a workflow that accords with this analysis__:
46 | While some Git projects may use a workflow that involves the generation
47 | of patchfiles to then be reviewed and applied by project maintainers,
48 | many may not. In some cases, a workflow may produce final commits where
49 | the author and committer identity are the same, even though the commit
50 | received review.
51 |
--------------------------------------------------------------------------------
/site/content/docs/guide/concepts/concerns.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Concerns
3 | weight: 6
4 | ---
5 |
6 | # Concerns
7 |
8 | Besides a risk score and a recommendation, Hipcheck's other major output
9 | is a list of "concerns" from individual analyses. "Concerns" are Hipcheck's
10 | mechanism for analyses to report specific information about what they found
11 | that they think the user may be interested in knowing and possibly
12 | investigating further. For example, some of Hipcheck's analyses that work
13 | on individual commits will produce the hashes of commits they find concerning,
14 | so users can audit those commits by hand if they want to do so.
15 |
16 | Concerns are the most flexible mechanism Hipcheck has, as they are essentially
17 | a way for analyses to report freeform text out to the user. They do not have
18 | a specific structured format, and they are not considered at all for the
19 | purpose of scoring. The specific concerns which may be reported vary from
20 | analysis to analysis.
21 |
22 | In general, we want analyses to report concerns wherever possible. For
23 | some analyses, there may not be a reasonable type of concern to report;
24 | for example, the "activity" analysis checks the date of the most recent
25 | commit to a project to see if the project appears "active," and the
26 | _only_ fact that it's assessing is also the fact which results in the
27 | measure the analysis produces, so there's not anything sensible for
28 | the analysis to report as a concern.
29 |
30 | However, many analysis _do_ have meaningful concerns they can report, and if an
31 | analysis _could_ report a type of concern but _doesn't_, we consider that
32 | something worth changing. Contributions to make Hipcheck report more concerns,
33 | or to make existing concerns more meaningful, are [always appreciated](@/docs/contributing/_index.md)!
34 |
--------------------------------------------------------------------------------
/xtask/src/task/manifest/util/authenticated_agent.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | //! Defines an authenticated [`Agent`] type that adds token auth to all requests.
4 |
5 | use crate::task::manifest::util::{agent, redacted::Redacted};
6 | use anyhow::Result;
7 | use ureq::{Agent, Request};
8 |
9 | /// An [`Agent`] which authenticates requests with token auth.
10 | ///
11 | /// This wrapper is used to work around the fact that `ureq` removed functionality
12 | /// to do this as part of the [`Agent`] type directly.
13 | pub struct AuthenticatedAgent<'token> {
14 | /// The agent used to make the request.
15 | agent: &'static Agent,
16 |
17 | /// The token to use with each request.
18 | token: Redacted<&'token str>,
19 | }
20 |
21 | impl<'token> AuthenticatedAgent<'token> {
22 | /// Construct a new authenticated agent.
23 | pub fn new(token: &'token str) -> Result
25 |
26 | {% waypoint(title="Key Concepts", path="@/docs/guide/concepts/_index.md", icon="key") %}
27 | An explanation of the ideas underpinning Hipcheck's design.
28 | {% end %}
29 |
30 | {% waypoint(title="Configuration", path="@/docs/guide/config/_index.md", icon="settings") %}
31 | How to configure Hipcheck and describe your policies to apply.
32 | {% end %}
33 |
34 | {% waypoint(title="CLI Reference", path="@/docs/guide/cli/_index.md", icon="terminal") %}
35 | Reference for all CLI commands and arguments.
36 | {% end %}
37 |
38 | {% waypoint(title="Debugging", path="@/docs/guide/debugging/_index.md", icon="target") %}
39 | How to identify errors during Hipcheck execution.
40 | {% end %}
41 |
42 | {% waypoint(title="Plugins", path="@/docs/guide/plugins/_index.md", icon="box") %}
43 | Index of existing plugins for Hipcheck, both for data and analyses.
44 | {% end %}
45 |
46 | {% waypoint(title="Making Plugins", path="@/docs/guide/making-plugins/_index.md", icon="tool") %}
47 | A guide for making new Hipcheck plugins.
48 | {% end %}
49 |
50 |
51 |
--------------------------------------------------------------------------------
/hipcheck/src/init/mod.rs:
--------------------------------------------------------------------------------
1 | // SPDX-License-Identifier: Apache-2.0
2 |
3 | mod git2_log_shim;
4 | mod git2_rustls_transport;
5 | mod indicatif_log_bridge;
6 |
7 | use crate::shell::{Shell, verbosity::Verbosity};
8 | use env_logger::Env;
9 | use rustls::crypto::{CryptoProvider, ring};
10 |
11 | /// Initialize global state for the program.
12 | ///
13 | /// **NOTE:** The order in which these operations are done is precise, and
14 | /// should not be changed!
15 | pub fn init() {
16 | init_shell();
17 | init_logging();
18 | init_libgit2();
19 | init_cryptography();
20 | init_software_versions();
21 | }
22 |
23 | fn init_shell() {
24 | Shell::init(Verbosity::Normal);
25 | }
26 |
27 | fn init_logging() {
28 | let env = Env::new().filter("HC_LOG").write_style("HC_LOG_STYLE");
29 | let logger = env_logger::Builder::from_env(env).build();
30 | indicatif_log_bridge::LogWrapper(logger)
31 | .try_init()
32 | .expect("logging initialization must succeed");
33 | }
34 |
35 | fn init_libgit2() {
36 | // Tell the `git2` crate to pass its tracing messages to the log crate.
37 | git2_log_shim::git2_set_trace_log_shim();
38 |
39 | // Make libgit2 use a rustls + ureq based transport for executing the git
40 | // protocol over http(s). I would normally just let libgit2 use its own
41 | // implementation but have seen that this rustls/ureq transport is 2-3 times
42 | // faster on my machine — enough of a performance bump to warrant using this.
43 | git2_rustls_transport::register();
44 | }
45 |
46 | fn init_cryptography() {
47 | // Install a process-wide default crypto provider.
48 | CryptoProvider::install_default(ring::default_provider())
49 | .expect("installed process-wide default crypto provider");
50 | }
51 |
52 | fn init_software_versions() {
53 | if let Err(e) = crate::version::init_software_versions() {
54 | panic!("initial dependency version checking failed: {:?}", e);
55 | }
56 | }
57 |
--------------------------------------------------------------------------------
/dist-workspace.toml:
--------------------------------------------------------------------------------
1 | [workspace]
2 |
3 | # All the packages which 'cargo-dist' is responsible for.
4 | # This is _only_ the binary packages in the overall project, so it excludes
5 | # libraries including any SDKs and our supporting libraries.
6 | members = ["cargo:."]
7 |
8 | # Config for 'dist'
9 | [dist]
10 | # The preferred dist version to use in CI (Cargo.toml SemVer syntax)
11 | cargo-dist-version = "0.30.2"
12 | # CI backends to support
13 | ci = "github"
14 | # Which actions to run on pull requests
15 | pr-run-mode = "plan"
16 | # Path that installers should place binaries in
17 | install-path = ["~/.local/bin", "~/.hipcheck/bin"]
18 | # Target platforms to build apps for (Rust target-triple syntax)
19 | targets = ["aarch64-apple-darwin", "x86_64-apple-darwin", "x86_64-unknown-linux-gnu", "x86_64-pc-windows-msvc"]
20 | # Whether to install an updater program
21 | install-updater = true
22 | # Build only the required packages, and individually
23 | precise-builds = true
24 | # The installers to generate for each app
25 | installers = []
26 |
27 | # NOTE: MUST be synced manually with runners in `.github/workflows/hipcheck.yml`
28 | [dist.github-custom-runners]
29 | global = "ubuntu-22.04"
30 | # Ensure Apple Silicon macOS builds run natively rather than cross-compiling
31 | # from x86. Also makes sure our Apple Silicon macOS release builds match the
32 | # runner used for regular CI testing.
33 | aarch64-apple-darwin = "macos-14"
34 | # Update our Ubuntu release runs away from Ubuntu 20.04, which is now being
35 | # sunset by GitHub. They only track the last two LTS Ubuntu releases for free
36 | # runners, and with 24.04 out they're sunsetting 20.04. We're *just* moving to
37 | # 22.04, since releases compiled against 22.04's glibc should be forwards-
38 | # compatible with 24.04, but if we built on 24.04 the glibc *would not* be
39 | # backwards-compatible.
40 | x86_64-unknown-linux-gnu = "ubuntu-22.04"
41 |
--------------------------------------------------------------------------------
/site/templates/shortcodes/install.html:
--------------------------------------------------------------------------------
1 |
2 | {% import "macros/icon.tera.html" as ic %}
3 |
4 |
5 |
14 |
19 |
--------------------------------------------------------------------------------
/sdk/python/src/hipcheck_sdk/gen/types.py:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0
2 | # generated by datamodel-codegen:
3 | # filename: hipcheck_target_schema.json
4 |
5 | from __future__ import annotations
6 |
7 | from enum import Enum
8 | from typing import Optional
9 |
10 | from pydantic import AnyUrl, BaseModel, ConfigDict, Field, RootModel
11 |
12 |
13 | class GitHub(BaseModel):
14 | owner: str
15 | repo: str
16 |
17 |
18 | class KnownRemote1(BaseModel):
19 | model_config = ConfigDict(
20 | extra='forbid',
21 | )
22 | GitHub_1: GitHub = Field(..., alias='GitHub')
23 |
24 |
25 | class KnownRemote(RootModel[KnownRemote1]):
26 | root: KnownRemote1
27 |
28 |
29 | class LocalGitRepo(BaseModel):
30 | git_ref: str = Field(..., description="The Git ref we're referring to.")
31 | path: str = Field(..., description='The path to the repo.')
32 |
33 |
34 | class PackageHost(Enum):
35 | Npm = 'Npm'
36 | PyPI = 'PyPI'
37 |
38 |
39 | class RemoteGitRepo(BaseModel):
40 | known_remote: Optional[KnownRemote] = None
41 | url: AnyUrl
42 |
43 |
44 | class Package(BaseModel):
45 | host: PackageHost = Field(..., description='What host the package is from.')
46 | name: str = Field(..., description='The package name')
47 | purl: AnyUrl = Field(..., description='A package url for the package.')
48 | version: str = Field(..., description='The package version')
49 |
50 |
51 | class Target(BaseModel):
52 | local: LocalGitRepo = Field(..., description='The path to the local repository.')
53 | package: Optional[Package] = Field(
54 | None, description='The package associated with the target, if any.'
55 | )
56 | remote: Optional[RemoteGitRepo] = Field(
57 | None, description='The url of the remote repository, if any.'
58 | )
59 | specifier: str = Field(
60 | ..., description='The original specifier provided by the user.'
61 | )
62 |
--------------------------------------------------------------------------------
15 |
18 | curl -LsSf {{ config.base_url }}/dl/install.sh | sh