Add spoc push/pull command

This command provides functionality to pull security profiles from OCI registries, for example: ```console > ./build/spoc pull docker.io/saschagrunert/oras:latest 11:18:21.780411 Pulling profile from: docker.io/saschagrunert/oras:latest 11:18:21.780453 Verifying signature Verification for index.docker.io/saschagrunert/oras:latest -- The following checks were performed on each of these signatures: - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates [{"critical":{"identity":{"docker-reference":"index.docker.io/saschagrunert/oras"},"image":{"docker-manifest-digest":"sha256:8e88555d67c0871573a1fd161d1a9d9bea691959290232e90a83891d69e810c5"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://github.com/login/oauth","Bundle":{"SignedEntryTimestamp":"MEQCIHN8nkYyRN2YZSz7w9R4pswaPlDpaZRCAjcp5aCTVggCAiAXKuizJkZ+0MTubRqSzMwMzp7A+kDiFSeKmsxcv1QP1w==","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJlYTg1ODNjZjU2MzE1NDRiNDg5ZGRiZjNhMDY3ZGQwMDA4ZWMxNWM3NzRlMmJiYmM3NWUzOTYzOTg1YTJhMDBjIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUR0d282RnExbGN3bTd5ejc5SFhBNjJNRkpPc2JpazRwallVZkJFU2ErZi9RSWdQNDJxZXNNQ2R0bEFKNUtIQ3l0YzhWSWZWSFEvRERMcWhkRE1jY2FRN3dRPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTnZha05EUVdscFowRjNTVUpCWjBsVlQyRkVRVVUyTTBoQ1ltVktRVVJDZWtSbFJuSnBTVzlIZEZSbmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5kMDE2U1hkTlZFRjRUbnBSTkZkb1kwNU5hazEzVFhwSmQwMVVRWGxPZWxFMFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVV3YldkamVITnVTelkyU0V0WEt6QXlNU3Q1YVRFM0syOXJXVVJ6VjNsb1NsTTRWMk1LYmxGd1dVUlNlV1pqYVN0SFkzcHpiV2R6U0U5emVrSnBZazFRY0c5WmNGaFhhMVZFYzJVd01GQlVhRWxhY0ROYVMyRlBRMEZWWTNkblowWkVUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV6T1VRMkNrOUNVM3BwVUdoMWFUbHdUazQwUmsxbVlqTmtaVk5CZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBsUldVUldVakJTUVZGSUwwSkNZM2RHV1VWVVl6SmtlV1JYTld4amJsSkJZMjFXYTJGSFJqQk1iVTUyWWxSQmMwSm5iM0pDWjBWRlFWbFBMd3BOUVVWQ1FrSTFiMlJJVW5kamVtOTJUREprY0dSSGFERlphVFZxWWpJd2RtSkhPVzVoVnpSMllqSkdNV1JIWjNkbldXOUhRMmx6UjBGUlVVSXhibXREQ2tKQlNVVm1RVkkyUVVoblFXUm5SR1JRVkVKeGVITmpVazF0VFZwSWFIbGFXbnBqUTI5cmNHVjFUalE0Y21ZclNHbHVTMEZNZVc1MWFtZEJRVUZaWWlzS2FHMDVaa0ZCUVVWQmQwSklUVVZWUTBsUlJEa3dWbEZYYzNGTlduUnNjVVJvY0VwUlRraFJWbXgzVFVoTGNXeEtSRTVVYW1sUVdFUnZibEU1YUZGSlp3cEVOQzlSVW5KaFlTODRiV1poUVZsMFkxZHFSRXBEYTBGVVprOXRlRWRsTlcxbU1tcE1jR1JHZW5semQwTm5XVWxMYjFwSmVtb3dSVUYzVFVSaFFVRjNDbHBSU1hoQlVFOTNSbWMzVVdWNFJVTlZXRFE1V0N0RGNsSnBibTU2U0d0WWNtSXdXa0o2UlhaamN6RmtiSFpaZGpSR2JHMURkbmRtVUd4M2NXdzBiRUlLVURCQk0zbEJTWGRRYW5aUFYwa3djak5pTkd4clFqWjFOalZ2U1dGU01XbDBVa2R0VTJkR1RuaDRjM0ZOZHpjeGNsVmtlRUY2TTNKWlZtZFdhakJ2T0FwV1R6QmFhMDEyWWdvdExTMHRMVVZPUkNCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2c9PSJ9fX19","integratedTime":1679307470,"logIndex":15859996,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://github.com/login/oauth","Subject":"sgrunert@redhat.com"}}] 11:18:24.793283 Creating file store in: /tmp/pull-1676121632 11:18:24.793286 Verifying reference: docker.io/saschagrunert/oras:latest 11:18:24.793308 Creating repository for index.docker.io/saschagrunert/oras 11:18:24.793335 Using tag: latest 11:18:24.793336 Copying profile from repository 11:18:26.119253 Reading profile 11:18:26.119324 Trying to unmarshal seccomp profile 11:18:26.119995 Got SeccompProfile: echo 11:18:26.119998 Saving profile in: /tmp/profile.yaml ``` Which successfully pulls the image into the local directory: ``` > cat /run/user/1000/profile.yaml | head --- apiVersion: security-profiles-operator.x-k8s.io/v1beta1 kind: SeccompProfile metadata: name: echo spec: defaultAction: SCMP_ACT_ERRNO architectures: - SCMP_ARCH_X86_64 syscalls: ``` Images can be pushed in the same way using `spoc push`, which also signs them via sigstore: ```console > export USERNAME=saschagrunert > export PASSWORD=my-pw > ./build/spoc push docker.io/saschagrunert/oras:latest 11:17:40.037409 Pushing profile /run/user/1000/profile.yaml to: docker.io/saschagrunert/oras:latest 11:17:40.037430 Creating file store in: /run/user/1000/push-4212591343 11:17:40.037435 Adding profile to store: /run/user/1000/profile.yaml 11:17:40.037463 Packing files 11:17:40.037586 Verifying reference: docker.io/saschagrunert/oras:latest 11:17:40.037594 Using tag: latest 11:17:40.037598 Creating repository for index.docker.io/saschagrunert/oras 11:17:40.037602 Using username and password 11:17:40.037605 Copying profile to repository 11:17:41.708424 Signing container image Generating ephemeral keys... Retrieving signed certificate... Note that there may be personally identifiable information associated with this signed artifact. This may include the email address associated with the account with which you authenticate. This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later. By typing 'y', you attest that you grant (or have permission to grant) and agree to have this information stored permanently in transparency logs. Your browser will now be opened to: https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=58LCHWGyhOt5tGJJeJ-B7CuToZEEYDgGflLYDOYxv7g&code_challenge_method=S256&nonce=2NH423dlp97y9YtbIaV2mV49xjY&redirect_uri=http%3A%2F%2Flocalhost%3A40989%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=2NH41yRpWYjoFNumCx7hAbiqeHt Successfully verified SCT... tlog entry created with index: 15859996 Pushing signature to: index.docker.io/saschagrunert/oras ``` Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
kubernetes-sigs · Mar 20, 2023 · 74d4ffe · 74d4ffe
1 parent 9d3d1da
commit 74d4ffe
Show file tree

Hide file tree

Showing 4,172 changed files with 1,157,522 additions and 991 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1 +1 @@
-build
+/build
diff --git a/.gitignore b/.gitignore
@@ -2,8 +2,8 @@
 *.swp
 .idea
 .vagrant
+/build
 Vagrantfile
-build
 build.tar.gz
 image.tar
 result
diff --git a/Dockerfile.ubi.dockerignore b/Dockerfile.ubi.dockerignore
@@ -2,7 +2,7 @@
 *_test.go
 test/
 .git/
-build/
+/build/
 _output
 examples/
 hack/

diff --git a/cmd/spoc/main.go b/cmd/spoc/main.go
@@ -25,11 +25,14 @@ import (
 	"github.com/urfave/cli/v2"
 
 	"sigs.k8s.io/security-profiles-operator/cmd"
+	"sigs.k8s.io/security-profiles-operator/internal/pkg/cli/puller"
+	"sigs.k8s.io/security-profiles-operator/internal/pkg/cli/pusher"
 	"sigs.k8s.io/security-profiles-operator/internal/pkg/cli/recorder"
 	"sigs.k8s.io/security-profiles-operator/internal/pkg/cli/runner"
 )
 
 func main() {
+	log.SetFlags(log.Lmicroseconds)
 	app, _ := cmd.DefaultApp()
 	app.Usage = "Security Profiles Operator CLI"
 
@@ -94,6 +97,62 @@ func main() {
 				},
 			},
 		},
+		&cli.Command{
+			Name:      "push",
+			Aliases:   []string{"p"},
+			Usage:     "push a profile to a container registry",
+			Action:    push,
+			ArgsUsage: "FILE",
+			Flags: []cli.Flag{
+				&cli.StringFlag{
+					Name:        pusher.FlagProfile,
+					Aliases:     []string{"f"},
+					Usage:       "the profile to be used",
+					DefaultText: pusher.DefaultInputFile,
+					TakesFile:   true,
+				},
+				&cli.StringFlag{
+					Name:    pusher.FlagUsername,
+					Aliases: []string{"u"},
+					EnvVars: []string{"USERNAME"},
+					Usage:   "the username for registry authentication",
+				},
+				&cli.StringFlag{
+					Name:    pusher.FlagPassword,
+					Aliases: []string{"p"},
+					EnvVars: []string{"PASSWORD"},
+					Usage:   "the password for registry authentication",
+				},
+			},
+		},
+		&cli.Command{
+			Name:      "pull",
+			Aliases:   []string{"l"},
+			Usage:     "pull a profile from a container registry",
+			Action:    pull,
+			ArgsUsage: "IMAGE",
+			Flags: []cli.Flag{
+				&cli.StringFlag{
+					Name:        puller.FlagOutputFile,
+					Aliases:     []string{"o"},
+					Usage:       "the output file to store the profile",
+					DefaultText: puller.DefaultOutputFile,
+					TakesFile:   true,
+				},
+				&cli.StringFlag{
+					Name:    puller.FlagUsername,
+					Aliases: []string{"u"},
+					EnvVars: []string{"USERNAME"},
+					Usage:   "the username for registry authentication",
+				},
+				&cli.StringFlag{
+					Name:    puller.FlagPassword,
+					Aliases: []string{"p"},
+					EnvVars: []string{"PASSWORD"},
+					Usage:   "the password for registry authentication",
+				},
+			},
+		},
 	)
 
 	if err := app.Run(os.Args); err != nil {
@@ -128,3 +187,31 @@ func run(ctx *cli.Context) error {
 
 	return nil
 }
+
+// pull runs the `spoc push` subcommand.
+func push(ctx *cli.Context) error {
+	options, err := pusher.FromContext(ctx)
+	if err != nil {
+		return fmt.Errorf("build options: %w", err)
+	}
+
+	if err := pusher.New(options).Run(); err != nil {
+		return fmt.Errorf("run pusher: %w", err)
+	}
+
+	return nil
+}
+
+// pull runs the `spoc pull` subcommand.
+func pull(ctx *cli.Context) error {
+	options, err := puller.FromContext(ctx)
+	if err != nil {
+		return fmt.Errorf("build options: %w", err)
+	}
+
+	if err := puller.New(options).Run(); err != nil {
+		return fmt.Errorf("run puller: %w", err)
+	}
+
+	return nil
+}
diff --git a/go.mod b/go.mod
@@ -9,10 +9,12 @@ require (
 	github.com/cert-manager/cert-manager v1.11.0
 	github.com/containers/common v0.51.0
 	github.com/go-logr/logr v1.2.3
+	github.com/google/go-containerregistry v0.14.0
 	github.com/jellydator/ttlcache/v3 v3.0.1
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.6.1
 	github.com/mogensen/kubernetes-split-yaml v0.4.0
 	github.com/nxadm/tail v1.4.8
+	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/opencontainers/runc v1.1.4
 	github.com/opencontainers/runtime-spec v1.1.0-rc.1
 	github.com/openshift/api v0.0.0-20221205111557-f2fbb1d1cd5e
@@ -21,6 +23,7 @@ require (
 	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/client_model v0.3.0
 	github.com/seccomp/libseccomp-golang v0.10.0
+	github.com/sigstore/cosign/v2 v2.0.0
 	github.com/stretchr/testify v1.8.2
 	github.com/urfave/cli/v2 v2.25.0
 	golang.org/x/mod v0.9.0
@@ -34,6 +37,7 @@ require (
 	k8s.io/cli-runtime v0.26.2
 	k8s.io/client-go v0.26.2
 	k8s.io/klog/v2 v2.90.1
+	oras.land/oras-go/v2 v2.0.2
 	sigs.k8s.io/controller-runtime v0.14.5
 	sigs.k8s.io/controller-tools v0.11.3
 	sigs.k8s.io/mdtoc v1.1.0
@@ -42,64 +46,213 @@ require (
 )
 
 require (
+	cloud.google.com/go/compute v1.18.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cuelang.org/go v0.4.3 // indirect
+	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.28 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.21 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
+	github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
+	github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
+	github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect
+	github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.0.11 // indirect
+	github.com/alibabacloud-go/tea v1.1.18 // indirect
+	github.com/alibabacloud-go/tea-utils v1.4.4 // indirect
+	github.com/alibabacloud-go/tea-xml v1.1.2 // indirect
+	github.com/aliyun/credentials-go v1.2.3 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
+	github.com/aws/aws-sdk-go-v2 v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.18.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.28 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.0 // indirect
+	github.com/aws/smithy-go v1.13.5 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
+	github.com/clbanning/mxj/v2 v2.5.6 // indirect
+	github.com/cockroachdb/apd/v2 v2.0.1 // indirect
+	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect
+	github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
+	github.com/docker/cli v23.0.1+incompatible // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
+	github.com/docker/docker v23.0.1+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emicklei/proto v1.6.15 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/loads v0.21.2 // indirect
+	github.com/go-openapi/runtime v0.25.0 // indirect
+	github.com/go-openapi/spec v0.20.7 // indirect
+	github.com/go-openapi/strfmt v0.21.3 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-openapi/validate v0.22.0 // indirect
+	github.com/go-piv/piv-go v1.10.0 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/go-playground/validator/v10 v10.11.1 // indirect
 	github.com/gobuffalo/flect v0.3.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
+	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect
+	github.com/google/certificate-transparency-go v1.1.4 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-github/v50 v50.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/trillian v1.5.1-0.20220819043421-0a389c4bb8d9 // indirect
 	github.com/google/uuid v1.3.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/in-toto/in-toto-golang v0.6.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jedisct1/go-minisign v0.0.0-20211028175153-1c139d1cc84b // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.16.0 // indirect
+	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mmarkdown/mmark v2.0.40+incompatible // indirect
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
+	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/open-policy-agent/opa v0.49.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/common v0.37.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/common v0.39.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/protocolbuffers/txtpbfmt v0.0.0-20201118171849-f6a6b3f636fc // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
+	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/fulcio v1.1.0 // indirect
+	github.com/sigstore/rekor v1.0.1 // indirect
+	github.com/sigstore/sigstore v1.5.1 // indirect
+	github.com/sigstore/timestamp-authority v0.2.1 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.6.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.15.0 // indirect
+	github.com/spiffe/go-spiffe/v2 v2.1.2 // indirect
+	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/theupdateframework/go-tuf v0.5.2 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/tjfoc/gmsm v1.3.2 // indirect
+	github.com/transparency-dev/merkle v0.0.1 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/xanzy/go-gitlab v0.80.2 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
-	golang.org/x/oauth2 v0.4.0 // indirect
+	github.com/yashtewari/glob-intersection v0.1.0 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
+	go.mongodb.org/mongo-driver v1.11.1 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/otel v1.13.0 // indirect
+	go.opentelemetry.io/otel/trace v1.13.0 // indirect
+	go.step.sm/crypto v0.25.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/crypto v0.6.0 // indirect
+	golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
+	golang.org/x/oauth2 v0.6.0 // indirect
 	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/term v0.6.0 // indirect
 	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
+	google.golang.org/api v0.110.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,7 @@ @@
     *_test.go
     test/
     .git/
-    build/
+    /build/
     _output
     examples/
     hack/
@@ Expand Down @@