From 2d7abd0bb5920fd5aaa5d4963d8ab9e674722074 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Tue, 1 Oct 2024 17:26:11 -0400 Subject: [PATCH] Revert demo changes to good state (#17) Signed-off-by: John Kjell --- .github/workflows/pipeline.yml | 2 +- Dockerfile | 2 +- policy.rego | 16 ++++++++-------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml index 6fe2a8c..e34c284 100644 --- a/.github/workflows/pipeline.yml +++ b/.github/workflows/pipeline.yml @@ -40,7 +40,7 @@ jobs: pre-command: | curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \ chmod +x /usr/local/bin/hadolint - command: hadolint --ignore DL3002 -f sarif Dockerfile > hadolint.sarif + command: hadolint -f sarif Dockerfile > hadolint.sarif artifact-upload-name: hadolint.sarif artifact-upload-path: hadolint.sarif diff --git a/Dockerfile b/Dockerfile index 6c4c1a5..a4a0f94 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,7 @@ RUN go build -o bin/software FROM cgr.dev/chainguard/static@sha256:676e989769aa9a5254fbfe14abb698804674b91c4d574bb33368d87930c5c472 -USER root +# USER root COPY --from=builder /build/bin/software /software diff --git a/policy.rego b/policy.rego index 5af5cfd..19b89b3 100644 --- a/policy.rego +++ b/policy.rego 
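Review bot: The new `command:` value is also the exact string that policy.rego compares against in `input.cmd != ["/bin/sh", "-c", "hadolint -f sarif Dockerfile > hadolint.sarif"]`, and nothing on the workflow side records that coupling, so the next edit to either file will silently turn the attestation check into a permanent deny. Add a comment above the line, `# NOTE: policy.rego's commandrun.cmd rule matches this string byte-for-byte; change both together.` Dropping `--ignore DL3002` re-enables hadolint's last-USER-must-not-be-root rule, which the Dockerfile hunk in this commit satisfies, so the two hunks are consistent. Separately, the unchanged pre-command fetches the hadolint binary from a release URL pinned only by version tag with no checksum verification, so the lint step executes whatever that URL serves at the time; verifying a published checksum or pinning a digest would close that gap.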
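Review bot: `# USER root` leaves a commented-out directive where an explanation belongs, and it reads as a toggle waiting to be re-enabled rather than a decision; delete it and state the intent instead, e.g. `# No USER directive on purpose: keep the base image's default non-root user (hadolint DL3002, enforced in CI, rejects a final USER root).` The base image is pinned by digest, so the effective runtime user is whatever that image's config sets — I believe the chainguard static image defaults to a non-root user, but confirm that before relying on the comment. If a root shell is ever needed for debugging, it belongs in a separate build target rather than as a line one uncomment away in the production image.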
@@ -1,34 +1,34 @@ -policy rego - -// lint commandrun cmd validation +# lint commandrun cmd validation package commandrun.cmd +import rego.v1 + deny[msg] { input.cmd != ["/bin/sh", "-c", "hadolint -f sarif Dockerfile > hadolint.sarif"] msg := "unexpected cmd" } -// all github jwt validation +# all github jwt validation package github.attributes import rego.v1 -deny[msg] if { +deny[msg] { input.jwt.claims.iss != "https://token.actions.githubusercontent.com" msg := "unexpected issuer" } -deny[msg] if { +deny[msg] { input.projecturl != "https://github.com/testifysec/swf" msg := "unexpected projecturl" } -deny[msg] if { +deny[msg] { not startswith(input.jwt.claims.workflow_ref, "testifysec/swf/.github/workflows/pipeline.yml") msg := "unexpected workflow_ref" } -// webhook attestor PR approval +# webhook attestor PR approval package pr_review deny[msg] {
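Review bot: The first package now has `import rego.v1` directly above a rule written as `deny[msg] {` with no `if`, and the same combination holds for `package github.attributes` later in this hunk; as I understand rego.v1, it makes the `if` keyword mandatory before a rule body and `contains` mandatory for multi-value rules, so an OPA build that honors the import would refuse to parse these modules. Either drop the `import rego.v1` lines to stay on v0 syntax, or write the rules as `deny contains msg if {`; which is right depends on the OPA version embedded by the policy engine, which this page does not show. This file also holds three `package` declarations, so it is presumably split per package before evaluation — a header comment such as `# Each package below is embedded as its own module; this file is not loaded as one Rego file.` would save the next reader that question. The `pr_review` rule body continues past the end of the hunk. Note also that the `startswith` check on `workflow_ref` pins the workflow path but accepts any `@ref` suffix; if the intent is a single branch, compare against the full value including the ref (constructed example: `testifysec/swf/.github/workflows/pipeline.yml@refs/heads/main`).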