Revert demo changes to good state (#17)

Signed-off-by: John Kjell <john@testifysec.com>

.github/workflows/pipeline.yml

@@ -40,7 +40,7 @@ jobs:
       pre-command: |
         curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
         chmod +x /usr/local/bin/hadolint
-      command: hadolint --ignore DL3002 -f sarif Dockerfile > hadolint.sarif
+      command: hadolint -f sarif Dockerfile > hadolint.sarif
       artifact-upload-name: hadolint.sarif
       artifact-upload-path: hadolint.sarif
 

Dockerfile

@@ -20,7 +20,7 @@ RUN go build -o bin/software
 
 FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472
 
-USER root
+# USER root
 
 COPY --from=builder /build/bin/software /software
 

policy.rego

@@ -1,34 +1,34 @@
-policy rego
-
-// lint commandrun cmd validation
+# lint commandrun cmd validation
 package commandrun.cmd
 
+import rego.v1
+
 deny[msg] {
 	input.cmd != ["/bin/sh", "-c", "hadolint -f sarif Dockerfile > hadolint.sarif"]
 	msg := "unexpected cmd"
 }
 
-// all github jwt validation
+# all github jwt validation
 package github.attributes
 
 import rego.v1
 
-deny[msg] if {
+deny[msg] {
 	input.jwt.claims.iss != "https://token.actions.githubusercontent.com"
 	msg := "unexpected issuer"
 }
 
-deny[msg] if {
+deny[msg] {
 	input.projecturl != "https://github.com/testifysec/swf"
 	msg := "unexpected projecturl"
 }
 
-deny[msg] if {
+deny[msg] {
 	not startswith(input.jwt.claims.workflow_ref, "testifysec/swf/.github/workflows/pipeline.yml")
 	msg := "unexpected workflow_ref"
 }
 
-// webhook attestor PR approval
+# webhook attestor PR approval
 package pr_review
 
 deny[msg] {