+ iaRKtP0tRt^RIt^RIt^RIt^RIt^RIt^RIt^RIt^RI t ^RI t ^RI H t H t ^RI Ht^RIHtHtHtHtHt]!]4P,t]P,t]R, t]R, t]R, t]!]]!]4R7t.t]^k] P@!4t!]PD!4t#]^k]PH!4t%]^k]PH!4t&]^kR t'R t(R R lt)]PUR 4R4t+]PUR4R4t,]PUR4R4t-]PUR4R4t.]PURR.R7R4t/]PURR.R7R4t0]PURR.R7R4t1]PURR.R7R4t2]PUR 4R!4t3]PUR"4R#4t4]PUR$4R%4t5]PUR&4R'4t6]PUR(R.R7R)4t7]PUR*R.R7R+4t8]PUR,R.R7R-4t9]PUR.4R/4t:]PUR04R14t;R2R3lt]PUR84R94t?RLR:lt@R;R<ltAR=R>ltBR?R@ltC]D!]PPRARB44tG]D!]PPRCRD44tH^sI] P@!4tJREtKRFtLRGtMRHtNRItO]RJ8Xd ]O!4R#R#)Mapip-witness real-time viewer and scan orchestrator. Serves a web UI that shows live scan progress, attestation results, and allows subscribing to packages for automatic re-scanning on new releases. Architecture: - Flask app serving REST API + SSE (Server-Sent Events) for live updates - SQLite database for scan results, subscriptions, and queue state - Background scanner thread pulling from prioritized queue - Watchdog on attestations/ directory for immediate result display N)datetimetimezone)Path)FlaskResponsejsonifyrequestsend_from_directory attestationszpip_witness.dbstatic) static_foldercv\P!\\44p\PVnV#N)sqlite3connectstrDB_PATHRow row_factorydbs 7/Users/nkennedy/proj/node-post-install/viewer/server.pyget_dbr2s$ W &B[[BN Ic|\4pVPR4VP4VP4R#)a -- Scans: the immutable attestation record (one per Docker run) CREATE TABLE IF NOT EXISTS scans ( id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL, version TEXT, status TEXT NOT NULL DEFAULT 'queued', started_at TEXT, completed_at TEXT, attestation_path TEXT, pre_analysis_path TEXT, network_connections INTEGER DEFAULT 0, files_opened INTEGER DEFAULT 0, processes_spawned INTEGER DEFAULT 0, dns_lookups INTEGER DEFAULT 0, sockets_created INTEGER DEFAULT 0, packages_installed INTEGER DEFAULT 0, error TEXT, created_at TEXT DEFAULT (datetime('now')) ); -- Evaluations: policy results against an attestation (many per scan) -- Re-running policies creates a new evaluation row, old ones are kept CREATE TABLE IF NOT EXISTS evaluations ( id INTEGER PRIMARY KEY AUTOINCREMENT, scan_id INTEGER NOT NULL REFERENCES scans(id), risk_score INTEGER DEFAULT 0, risk_level TEXT DEFAULT 'UNKNOWN', policy_results TEXT, policy_version TEXT, created_at TEXT DEFAULT (datetime('now')) ); CREATE TABLE IF NOT EXISTS subscriptions ( id INTEGER PRIMARY KEY AUTOINCREMENT, package TEXT NOT NULL UNIQUE, last_scanned_version TEXT, last_scanned_at TEXT, scan_frequency TEXT DEFAULT 'on_release', priority INTEGER DEFAULT 50, notes TEXT, created_at TEXT DEFAULT (datetime('now')) ); CREATE INDEX IF NOT EXISTS idx_scans_package ON scans(package); CREATE INDEX IF NOT EXISTS idx_scans_status ON scans(status); CREATE INDEX IF NOT EXISTS idx_evaluations_scan ON evaluations(scan_id); CREATE INDEX IF NOT EXISTS idx_subscriptions_package ON subscriptions(package); N)r executescriptcommitclosers rinit_dbr8s1 B00 bIIKHHJrc0V^8dQhR\R\/#) event_typedatardict)formats"r __annotate__r&ss   4 rcRV R\P!V4 R2p\;_uu_4.p\\4FwrEVP V4K \V4Fp\PV4K RRR4R# \ PdTPT4Kui;i +'giR#;i)z+Send an event to all connected SSE clients.zevent: z data: z N) jsondumpssse_lock enumerate sse_clients put_nowaitqueueFullappendreversedpop)r!r"msgdeadiqs&& rbroadcast_eventr7ss JC k*DA  S!+ $A OOA    ::  A  s/B7B +B7 &B4 0B73B4 4B77 C z /api/eventsca\P!^dR7o\;_uu_4\P S4RRR4V3Rlp\ V!4RRRRR/R 7# +'giL-;i) z#SSE endpoint for real-time updates.)maxsizeNc3<"RxSP^R7pVxK \Pd RxK6i;i5i)zevent: connected data: {} timeoutz : keepalive )getr.Empty)r3r6s rgeneratesse_stream..generatesA.. (eeBe' ;; ('' (s A"A?A?Aztext/event-streamz Cache-Controlzno-cachezX-Accel-Bufferingno)mimetypeheaders)r.Queuer*r,r0r)r?r6s @r sse_streamrEs][[-A 1 ( HJ)<,j:MtT VV s A"" A2 /c4\\\4R4#)z index.html)r r STATIC_DIRrrindexrJs s: ==rz /api/scansc\4pVPR4P4pVP4\ VUu.uFp\ V4NK up4#uupi)z6SELECT * FROM scans ORDER BY created_at DESC LIMIT 100rexecutefetchallrrr$rrowsrs r list_scansrRsP B ::@ hj HHJ T*TDGT* ++*Az/api/scans/c8\4pVPRV34P4pVP4V'g\ RR/4R3#\ V4pVP R4'd\PPVR,4'dp\VR,4;_uu_4p\P!V4pRRR4\P!\P!XR,44pWcR&VPR V34P4pV'd_VR ,VR &VR ,VR &VR ,VR &VR,VR&VR,VR&\P!VR,4VR&M ^VR &RVR &VP R4'dj\PPVR,4'd>\VR,4;_uu_4p\P!V4VR&RRR4\ V4# +'giELb;i \ dp\#T4TR&Rp?ELORp?ii;i \ dLi;i +'giLg;i \ dLwi;i) SELECT * FROM scans WHERE id = ?error not foundattestation_pathNpayload attestationattestation_errorzLSELECT * FROM evaluations WHERE scan_id = ? ORDER BY created_at DESC LIMIT 1 risk_score risk_levelideval_id created_at eval_datepolicy_versionpolicy_results policy_eval UNEVALUATEDpre_analysis_path pre_analysis)rrMfetchonerrr$r=ospathexistsopenr(loadloadsbase64 b64decode Exceptionr) scan_idrrowresultfenveloperZeeval_rows & rget_scanrzs1 B **7' D M M OCHHJ -.33 #YFzz$%%"''..@R9S*T*T 1f/011Q99Q<2jj!1!1(92E!FGG$+= ! zzV  hj ' 5|' 5|$TNy&|4{#+,<#=  $(JJx8H/I$JF= ! !|,|zz%&&277>>&AT:U+V+V f0122a)-1~&3 6?E211 1*-a&F& ' 1    32   sr"I<H,=I6 I'%J ?I8J , H= 7 I I$ II$' I54I58 J J J JJz /api/scanPOST)methodsc \P;'g/pVPRR4P4pV'g\ RR/4R3#VPR^24p\ 4pVP RWPR4W PR R 434VP R WPR434P4^,pVP4VP4\PV\P!4WPR4V34\R R VRVRVPR4RV/4\ R VRR/4#)zQueue a package for scanning.packagerVpackage requiredpriorityzOINSERT INTO scan_queue (package, version, priority, source) VALUES (?, ?, ?, ?)versionsourcemanualQINSERT INTO scans (package, version, status) VALUES (?, ?, 'queued') RETURNING id scan_queuedr_statusqueued)rr(r=striprrrMrirr scan_queueputtimer7)r"r~rrrss r start_scanrs5 <<  2Dhhy"%++-G !345s::xx B'H BJJY ((9%x(H1MNjj[ ((9%&hjGIIKHHJNNHdiik7HHY4GQRM gy'9dhhy6IH$ D'8X6 77rz/api/subscriptionsGETc\4pVPR4P4pVP4\ VUu.uFp\ V4NK up4#uupi)z;SELECT * FROM subscriptions ORDER BY priority DESC, packagerLrOs rlist_subscriptionsrsK B ::S T ] ] _DHHJ T*TDGT* ++*rSc V\P;'g/pVPRR4P4pV'g\ RR/4R3#\ 4pVP RWPR^24VPRR434VP4TP4\R RT/4\YPR^ 4R R 7\ R RRT/4# \d3pTP4\ R\T4/4R3uR p?#R p?ii;i)r~rrVrrzINSERT INTO subscriptions (package, priority, notes) VALUES (?, ?, ?) ON CONFLICT(package) DO UPDATE SET priority = excluded.priority, notes = excluded.notesrnotesNsubscription_added subscription)rrr subscribed) rr(r=rrrrMrrrrrr7start_scan_internal)r"r~rrxs radd_subscriptionrs <<  2Dhhy"%++-G !345s:: B /  - hhz2."0E F   HHJ(9g*>?((:r*B>Z HlIw? @@ /  Q()3../sAC++ D(6'D#D(#D(z/api/subscriptions/DELETEc\4pVPRV34VP4VP4\ RRV/4\ RR/4#)z+DELETE FROM subscriptions WHERE package = ?subscription_removedr~rremoved)rrMrrr7r)r~rs& rremove_subscriptionr"sL BJJ/scansc\4pVPRV34P4pVP4\ VUu.uFp\ V4NK up4#uupi)z:All scans for a specific package, ordered by version/date.zmSELECT * FROM scans WHERE package = ? AND status = 'completed' ORDER BY completed_at DESC LIMIT 50rLr~rrPrQs& r package_scansrs[ B :: 2   hj  HHJ T*TDGT* ++*A z/api/dashboardc\4pRVPR4P4^,RVPR4P4^,RVPR4P4^,RVPR4P4^,R VPR 4P4^,R /R .R .R// pVPR4P4pVUu/uFq3R,;'gRVR,bK upVR &VPR4P4pVUu.uFp\ V4NK upVR &VPR4P4pVUu.uFp\ V4NK upVR &VPR4P4pRVR,;'g^RVR,;'g^RVR,;'g^RVR,;'g^RVR,;'g^/VR&VP 4\ V4#uupiuupiuupi) z*Aggregate dashboard data for the overview.total_packageszBSELECT COUNT(DISTINCT package) FROM scans WHERE status='completed' total_scans3SELECT COUNT(*) FROM scans WHERE status='completed'r0SELECT COUNT(*) FROM scans WHERE status='queued'runningz1SELECT COUNT(*) FROM scans WHERE status='running'failed0SELECT COUNT(*) FROM scans WHERE status='failed'risk_distribution top_riskyrecent_completions aggregatezgSELECT risk_level, COUNT(DISTINCT package) as c FROM scans WHERE status='completed' GROUP BY risk_levelr^UNKNOWNca SELECT package, MAX(risk_score) as score, MAX(risk_level) as level, COUNT(*) as scans, SUM(network_connections) as net FROM scans WHERE status='completed' AND risk_level NOT IN ('CLEAN') GROUP BY package ORDER BY score DESC LIMIT 20 zSELECT id, package, version, risk_level, risk_score, network_connections, files_opened, completed_at FROM scans WHERE status='completed' ORDER BY completed_at DESC LIMIT 15z SELECT SUM(network_connections) as net, SUM(files_opened) as files, SUM(processes_spawned) as procs, SUM(dns_lookups) as dns, SUM(packages_installed) as pkgs FROM scans WHERE status='completed' network_connectionsnet files_openedrprocesses_spawnedprocs dns_lookupsdnspackages_installedpkgs)rrMrirNr$rr)rdrPrQrts r dashboardrs. B"**%ijssuvwxrzz"WXaacdef"**OPYY[\]^2::QR[[]^_`"**OPYY[\]^RRbR A ::q hj MQQDq o::AcFBDQA ::   (,,t!d1gt,AkN :: w hj 1551tAw5A **   s5zQG ))S\..Qs5zQc&k..Q AkNHHJ 1:CR- 6s6H7 H7H<?Iz/api/reeval-allc\4pVPR4P4pVP4^pVF(p\P VR,4V^, pK* \ RRV/4\RRRV/4#)zNRe-evaluate ALL existing attestations with current policies. No Docker needed.zNSELECT id FROM scans WHERE status='completed' AND attestation_path IS NOT NULLr_reeval_startedcountrqueued_for_reeval)rrMrNr reeval_queuerr7r)rrPrrQs r reeval_allrs B ::X hj HHJ E 4!  $w&67 H17EB CCrz/api/reeval/cJ\PV4\RRRV/4#)z0Re-evaluate a single scan with current policies.rrrs)rrr)rss&r reeval_singlers'W H19gF GGrz/api/explain/c~\4pVPRV34P4pVP4V'g\ RR/4R3#\ V4pVP R4'd'\P!VP RR44M/p.pVP R/4P4F5wrgVP R.4FpVPR V R V 24K K7 .p .p .p /p .p .p.pVP R 4'EdY\PPVR ,4'Ed,\VR ,4;_uu_4p\P!V4pR R R 4\P!\ P"!XR ,44pVP R/4P R.4pVEFpVP R/4pRV9Ed<VR,EF-pV PRVP R4RVP RR4RVP RR4R,/4VP R4pV'Ed2VP R.4FjpV PVP RR4 RVP RR4 RVP RR4 RVP R R4 R!VR, R"2 4Kl VP R#.4F9pVPVP R$R4 RVP R%R4 24K; VP R&.4FLpVPVP RR4 RVP R'R4 R(VP R)R4 24KN VP R*4;'g/P%4FdpR+V9dVP'R+^4^,MR+pV P V^4^,V V&RTFpVV9gK V PV4K Kf EK0 R,V9gEKcVR,,F'pV PVR-, R.VR/, 24K) EK \+V P4R0R17R2,p\-V P/44p RP1.R3NVR4, NR.NVP R/4;'gR5 NR6NVP R7R84 NR9NVP R:^4 NR;N\3V4 NRN\3V 4 NR?NV 'd\5^ 4P1V 4MR= NR@NV'd\5^ 4P1V4MR= NRAN\3V4 NRBNV'd\5^ 4P1V4MR= NRCN\3V 4 NRBN\5^ 4P1RDV 44 NRENV NRFN\5^ 4P1RGV44 NRHNV 'd\5^ 4P1V 4MR= NRIN\3V 4 NRBN\5^ 4P1V 4 NRJN4p!^R Ip"V"P94p#V#P:P=RKRLRMRNROV!/.RP7p$V$P>^,P@p%\ RSV%/4# +'giELz;i \(dELi;i \BdRQp%LB\(dp&RRT& 2p%R p&?&LVR p&?&ii;i)Uz=Use Claude API to explain scan findings with actual evidence.rUrVrWrXrdz{}policies violations[z] rYNrZ predicater r[ processespid processidprogramrcmdline:NNr connectionssyscall? familyaddress:portz (PID r dnsLookups serverAddress serverPortsocketstypez proto=protocol openedfilesrFrr==rcV^,)#)rI)xs&rexplain_scan..2s !A$r)key:NNaYou are a supply chain security forensic analyst. A pip package was installed inside a sandboxed Docker container with full ptrace system call tracing. Every syscall (execve, openat, socket, connect, bind, sendto) was intercepted and recorded. The attestation was then evaluated against Rego security policies. Your job: analyze the EVIDENCE below and explain what happened. Cite specific IPs, file paths, process names, and policy violations. Do NOT speculate beyond what the evidence shows. If something is benign, explain WHY it's benign (e.g. "151.101.64.223 is Fastly CDN which hosts PyPI packages"). If something is suspicious, point to the specific evidence. ## Package r~latestz# ## Policy Evaluation Risk Level: r^rz | Score: r]z | Total violations: z Violations: z(none)z$ ## EVIDENCE: Network Connections (z total) z ## EVIDENCE: DNS Lookups z ## EVIDENCE: Sockets Created (z) z" ## EVIDENCE: Processes Spawned (c3b"TF%pRVR, RVR, RVR, 2xK' R#5i)zPID r: rz | rNrI).0ps& r explain_scan..Ls1 ]J\QQuXJb9c!I,@J\s-/z ## EVIDENCE: Files Accessed (z total) Top directories: c38"TFwrRV RV R2xK R#5i)z rz filesNrI)rrrs& rrrPs! 7hda1#Rs&!hsz Sensitive files accessed: z# ## EVIDENCE: Packages Installed (a --- Analyze this evidence in 3 sections: **What happened** - Walk through exactly what the install did: which processes ran, where network connections went (identify the IPs), what files were touched. Cite the evidence. **Risk assessment** - For each policy violation, explain whether it represents real risk or expected behavior, citing the specific evidence. If connections went to known infrastructure (PyPI CDN, Docker DNS), say so. If unknown IPs appear, flag them explicitly. **Verdict** - Is this package safe to install? Be direct. If it's clean, say so confidently and explain why. If there are concerns, identify exactly what needs investigation.zclaude-sonnet-4-20250514iroleusercontent)model max_tokensmessagesz7Anthropic SDK not installed. Run: pip install anthropiczError calling Claude API: explanation) .ssh.aws.gnupg.kube.envshadow credentialsid_rsa id_ed25519.pypirc)"rrMrirrr$r=r(roitemsr0rjrkrlrmrnrprqkeysrsplitrrsortedsumvaluesrlenchr anthropic Anthropicr!creatertext ImportError)'rsrrtscanrerrpolrevidence_networkevidence_processesevidence_files_sensitiveevidence_files_dirsevidence_packages evidence_dnsevidence_socketsrvrwrZattsattr"rrrrsfilepathdirnamesenspkgtop_dirsrpromptr5clientmessager"rxs'& r explain_scanrNs B **7' D M M OCHHJ -.33 9DBF((K[B\B\$**TXX&6=>bdKJ __Z4::< r*A   $r!o .+= !L xx"##tQ=RRSTUTYTYZcdfTgShhijkjojopvwyjzi{|BCDEPCQBRRS%T!"&@&)WW\2%> , 3 3quu_R7P6QQRSTSXSXYefhSiRj4k l&?%(WWY%; 0 7 7155";M:NaPQPUPUV\]_P`Oaahijininoyz|i}h~8!A&<*+})=)C)C(I(I(KHDG8Ohooc1&=a&@Y\G;N;R;RSZ\];^ab;b/8)[#'8#3$<$C$CH$M)[)L)/:%#J//)00CK=3y>BR1ST 0GT)//1GLH)0023K+r+r+r i +r  +r HHY'3384 +r 5 +rXXlI . /+r0:+r;?((Search scans by package name, risk level, or network activity.r6rr has_networkrrrzpackage LIKE ?rzrisk_level = ?trueznetwork_connections > 0 suspiciousznetwork_connections > 12rz1=1z!SELECT COUNT(*) FROM scans WHERE zSELECT * FROM scans WHERE z* ORDER BY created_at DESC LIMIT ? OFFSET ?resultsr)rrr=rrrrr0rrrMrirNrrr$) r6rrPrrrrrrrrPrQs r search_scansrTss  b!'')A <<  FB 'D,,""="5K GLL$$Wc23S 9E !!(A. /F BJ F*+ !Ah *+ djjl#f34l"45(2GLL $E JJ:5'BF K T T VWX YE :: $UG+UV  hj HHJ I6AQ6QVX`bhi jj6s:H z /api/statsc\4pRVPR4P4^,RVPR4P4^,RVPR4P4^,RVPR4P4^,RVPR 4P4^,R VPR 4P4^,R VPR 4P4^,;'g^RVPR4P4^,;'g^/pVP4\ V4#)rzSELECT COUNT(*) FROM scanscompleted_scansr failed_scansr queued_scansr subscriptionsz"SELECT COUNT(*) FROM subscriptions high_riskzBSELECT COUNT(*) FROM scans WHERE risk_level IN ('HIGH','CRITICAL')total_network_connectionsz*SELECT SUM(network_connections) FROM scanstotal_files_openedz#SELECT SUM(files_opened) FROM scans)rrMrirr)rstatss r get_statsr^s& Brzz">?HHJ1M2::&[\eeghij #UV__abcd #UV__abcd$HIRRTUVWRZZ dennpqrs#RZZ0\%]%f%f%hij%k%p%popbjj)NOXXZ[\]bbab EHHJ 5>rc0V^8dQhR\R\/#r rYreturnr#)r%s"rr&r&s,,C,D,rcV'd&\PPV4'g/#\V4;_uu_4p\P !V4pRRR4\P !\P!XR,44pVPR/4PR.4pR.R\4R.R.R .R .R ./pVEFpVPR /4pRV9EdVR,EFpVR,PR VPR4RVPRR4RVPRR4/4VR,PVPR/4P44VPR4p V 'gKV PR.4Ffp VR,PV PRR4 RV PRR4 RV PRR4 RV PRR4 24Kh V PR .4FSp VR ,PV PRR4 RV PRR4 RV PRR4 24KU V PR.4F@p VR ,PV PRR4 RV PRR4 24KB EK RV9d<VR,F.p VR,PV R, RV R , 24K0 R!V9gEKUVR!,FSpVR ,PVPR".44VR ,PVPR#.44KU EK \VR,4VR&V# +'giELO;i \ d/u#i;i)$z9Load and parse attestation envelope into normalized data.NrZrr rrrrrrsetup_pyr[rrrrrr rrrrrrr r rrrrr rsetupPyAnalysissuspiciousCallsnetworkImports)rjrkrlrmr(rnrorprqr=setr0updater.extendr0rr)rYrvrwrZrCrurDr"rrrrErrIas& rload_attestation_datarksc 277>>2B#C#C ( " # #qyy|H$**V--hy.ABC{{;+//CR#%b*bRJ<C77="-Dd"k**A;'..quu[1!155B#7!155B#70 7O**155+C+H+H+JK%% *Cs!$!;A"9-44#$552#6"7qx9K8LAaeeT]^`NaMbbcdedidijpqsdtcu v"<"%B!7A"9-44hr8J7K1QUUSYZ\M]L^^_`a`e`efpqs`t_u5vw"8!$r!:A"5M00AEE/"4M3NaPQPUPUVbcePfOg1hi";+"T! ++C:&--V RI?O.PQ, D(/00A:&--aee4Er.JK:&--aee4Db.IJ118!1w K$ # #L  s8N5N!D9N5FN5%A;N5! N2 , N55 OOc<V^8dQhR\R\R\/#)r old_datanew_datara)r$)r%s"rr&r&s!<<4<4<D<rcj aRR\\VPR.44\VPR.44, 4R\\VPR.44\VPR.44, 4/RR\\VPR.44\VPR.44, 4R\\VPR.44\VPR.44, 4/RR\\VPR.44\VPR.44, 4R\\VPR.44\VPR.44, 4/RR\\VPR.44\VPR.44, 4R\\VPR.44\VPR.44, 4/RR\\VPR.44\VPR.44, 4R\\VPR.44\VPR.44, 4/RRVPR.4UUu.uF;pVR ,VPR.4Uu0uF q3R ,kK up9gK9VNK= uppRVPR.4UUu.uF;pVR ,VPR.4Uu0uF q3R ,kK up9gK9VNK= upp/R R\\VPR .44\VPR .44, 4R\\VPR .44\VPR .44, 4//p^pV\VR,R,4^ ,, pV\VR,R,4R ,, pV\VR,R,4^,, pV\VR,R,4^,, pV\VR,R,4^,, pV\VR ,R,4^,, pVR,R,Uau.uFGo\;QJdV3R lR4F 'gK R M RM!V3R lR44'gKESNKI ppV\V4^,, pWtR&\ V4VR&V^28dRMV^8dRMV^8dRM V^8dRMRVR&V#uupiuuppiuupiuuppiuupi)z2Compute the diff between two attestation datasets.raddedrrrrrrrrcg?c3,<"TF qS9xK R#5irrI)rrErvs& rrcompute_diff.. sa/`1f/`sTFsensitive_files_addedchange_risk_scoreCRITICALHIGHMEDIUMLOWrchange_risk_level) r#r$r%r&z /etc/shadowz /etc/passwdr'r)r,)r0rgr=r3anyr)rmrnrrdiffrrvsensitive_filess&& ` r compute_diffr}s  VC Y ;X\\R[]_E`Aaab   VC Wb 9:SgWYAZ=[[\ vc(,,w";?#hllS]_aFbBccd   VC Y ;X\\R[]_E`Aaab   VC UB 783x||ESU?V;WWX vc(,,ub"9:SeUWAX=YYZ   k2!>d!>A9HLLQ\^`Da-bDaq llDa-bba!>d 8<< R#@f#@aY?#hllS]_aFbBccd 7 DD DCY( )B ..DCW g& '# --DCZ ) *Q ..DC[!'* +a //DCU G$ % ))DCZ ) *R //D#'w-"8b"8Q#a/`a###a/`aaq"8Ob C 2 %%D$3 ! #D D bj "*BJ   KG.cd0ef&bsT !V,V&=VV%!V*"V%*V*" V*"5V0V0V0<V0V%V*"z-/api/diff//c\4pVPRV34P4pVPRV34P4pVP4V'd V'g\ RR/4R3#\ VR,4p\ VR,4p\ WV4pRVRVR,RVR,/VR &RVRVR,RVR,/VR &\ V4#) z2Compare two scan attestations and return the diff.rUrVzscan not foundrXrYr_r~rold_scannew_scan)rrMrirrrkr}) old_scan_id new_scan_idrold_rownew_rowrmrnr{s&& r diff_scansrs Bjj;k^LUUWGjj;k^LUUWGHHJ '!123S88$W-?%@AH$W-?%@AH  +Dk9gi6H)U\]fUghDk9gi6H)U\]fUghD 4=rz/api/package//versionsc\4pVPRV34P4pVP4\ VUu.uFp\ V4NK up4#uupi)z9Get all scanned versions of a package for diff selection.zSELECT id, package, version, status, risk_level, risk_score, network_connections, files_opened, completed_at FROM scans WHERE package = ? AND status = 'completed' ORDER BY completed_at DESCrLrs& rpackage_versionsr/s] B :: )    hj  HHJ T*TDGT* ++*rc\4pVPRW34P4^,pVP4VP 4\ P V\P!4WV34V#)r)rrMrirrrrr)r~rrrrrss&&&& rrrBsd Bjj[ hjGIIKHHJNNHdiik7WEF NrcJV^8dQhR\R\R,R\/#)r r~rNrs)rr)r%s"rr&r&Ns%>>c>C$J>>rc\4pV'dV RV 2MTpVPRV34VP4\RRVRVRV/4\RV 2, pVP RRR 7RV 2p\ P!R R R R RRRV R2RRV 2RV. RRRR7\VPV R244pVR, pV'd\V^,4MRp VP4'd \V4MRp V 'd \V 4M/p VPRWV PR^4V PR^4V PR^4V PR^4V PR^4V PR ^4V3 4VP4V 'd\PV4\R!RVRVRVRV PR^4RV PR^4/4VP%4R# \ P d9TPR"T34TP4\R#RTRTR$R%/4L^\"dSp TPR&\T 4T34TP4\R#RTRTR$\T 4/4Rp ? LRp ? ii;i TP%4i;i)'zExecute a pip-witness Docker scan. Only produces attestation + metrics. Policy evaluation happens separately in the eval queue.r zHUPDATE scans SET status='running', started_at=datetime('now') WHERE id=? scan_startedr_r~rscan-Tparentsexist_okdockerrunz--rmz--cap-add=SYS_PTRACEz--security-optzseccomp=unconfinedz-vz:/attestationsz-ez STEP_NAME=zpip-witness:latesti,)capture_outputr8r<z-*.jsonzpre-analysis.jsonNa; UPDATE scans SET status='completed', completed_at=datetime('now'), attestation_path=?, pre_analysis_path=?, network_connections=?, files_opened=?, processes_spawned=?, dns_lookups=?, sockets_created=?, packages_installed=? WHERE id=? rrrrsockets_createdrscan_completedzZUPDATE scans SET status='failed', error='timeout', completed_at=datetime('now') WHERE id=? scan_failedrVr<zRUPDATE scans SET status='failed', error=?, completed_at=datetime('now') WHERE id=?)rrMrr7ATTESTATION_DIRmkdir subprocessrlistglobrrlextract_metricsr= eval_queuerTimeoutExpiredrrr) r~rrsrpkg_spec scan_att_dir step_name att_filesrhatt_pathpre_pathmetricsrxs &&& rrun_scanrNs B*1'"WI&wHJJY\c[efIIKNT7Iw SZ$[\4&5 ):: 4$7G9%  uf #%57K l^>2 Z {+ !8  -  dC  **i[+@AB #&99 (13y|$t(4(;(;(=(=3|$4/7/(+R  kk/3W[[QR5Skk-q17;;}a3Pkk+Q/=QST1U     NN7 #( '9gy' !7;;/Da#H GKK:+      $ $` oryq{|  gy'7T]'^_ ] gjmnojpryiz{  gy'7TWXYTZ'[\\]  sLB+H>HC*HA J7J:J7$J7%AJ2-J:2J77J::K c$V^8dQhR\/#)r rs)r)r%s"rr&r&s3rc\4pVPRV34P4pV'dVR,'gVP4R#TR,p^RIHpV!V4pVPRWP R^4VP RR4\P!V4R 34VP4\R R VR VR ,R VR ,RVP R^4RVP RR4RVP R^4/4VP4R# \d,p\RT RT 2\PR7Rp?LCRp?ii;i TP4i;i)zQRun all Rego policies against a scan's attestation. Creates an evaluation record.z?SELECT attestation_path, package, version FROM scans WHERE id=?rYN)evaluate_all_policiesz INSERT INTO evaluations (scan_id, risk_score, risk_level, policy_results, policy_version) VALUES (?, ?, ?, ?, ?) r]r^rz v2-9policieseval_completedrsr~rtotal_violationszEval error for scan rfile)rrMrirrerr=r(r)rr7rrprintsysstderr)rsrrtrrrSrxs& r evaluate_scanrsK B **VY`Xb c l l nC c,--  %&H5'1  {{<3W[[w5Wjj!>3 4 ( w 3y>9c)n '++lA6 gkkR^`gFh  ,> B+     F $WIRs3#**EEF  s+B>D// E%:!E E( E%%E((E:c0V^8dQhR\R\/#r`r#)r%s"rr&r&scdrc R^R^R^R^R^R^/p\V4;_uu_4p\P!V4pRRR4\P!\P !XR,44pVP R /4P R .4pVEF&pVP R /4pR V9dVR ,p\V4VR&VFp VR;;,\V P R /44, uu&V P R4p V 'gKLVR;;,\V P R.44, uu&VR;;,\V P R.44, uu&VR;;,\V P R.44, uu&K RV9gEKVR,VR&EK) V# +'giEL;i \dT#i;i)z1Extract key metrics from an attestation envelope.rrrrrrNrZrr r[rr rrrrtotalInstalled) rmr(rnrorprqr=r3rr) rYrrvrwrZrCrDr"rrrs & rrrs q.!5H!q+Q0DaG " # #qyy|H$**V--hy.ABC{{;+//CC77="-Dd"[)/25z+,AN+s1553K/LL+%% *Cs 12c#'')R:P6QQ2 56#cggmUW>X:YY6 .#cgglB6O2PP.  4'045E0F,- N+$ # #&   N s5GGCGBG1G G  G G'&G' SCAN_WORKERS8 EVAL_WORKERS4c \P^R7wrr#p\;_uu_4\ ^, sRRR4\ Y#T4\;_uu_4\ ^,sRRR4\P4K \PdKi;i +'giLs;i \d)p\RT 2\PR7Rp?LRp?ii;i +'giL;i \;_uu_4\ ^,sRRR4M +'giM;i\P4i;i)z.Pulls from scan_queue, runs Docker containers.r;NzScan worker error: r) rr=r.r>rrrrrrrr task_done)rtsr~rrsrxs r scan_workerrs  6@nnQn6O 3H'G  A L # Ww /#"! #  "{{      > 's+#** = = >#"""! #"""  "sjBB$ B7C-B! B!$ B4 7 C*C% D%C**D- C= ED&  E& D6 1EcL\P^R7p\ T4\P4K: \PdKRi;i \ d)p\ RT 2\PR7Rp?L`Rp?ii;i \P4i;i)uFPulls from eval_queue, runs OPA policy evaluation. Fast — no Docker.r;zEval worker error: rN) rr=r.r>rrrrrrrrsrxs r eval_workerrs   nnQn/G # ' "  "{{    > 's+#** = = >  "8; AAA B "BB B  B B#cL\P^R7p\ T4\P4K: \PdKRi;i \ d)p\ RT 2\PR7Rp?L`Rp?ii;i \P4i;i)zRPulls from reeval_queue, re-evaluates existing attestations with current policies.r;zRe-eval worker error: rN) rr=r.r>rrrrrrrrs r reeval_workerrs  "&&q&1G % ' "  " " ${{    A *1#.SZZ @ @ A  " " $rc \P!^4\P4p\P4p\ P4p\ ;_uu_4\pRRR4V^8gV^8gV^8g X^8gK\RV RX R\ RV RV 2 4K +'giLN;i)zPeriodic status logging.Nz Queues: scan=z (running=rFz ) | eval=z | reeval=) rsleeprqsizerrrrrr)sqeqrqrs r status_loggerrs  2            !  "G 6R!VrAv1 M"Zy,yQSPTT^_a^bc d s "B// B? c \4\PRRR7\\4F1p\ P !\RRV 2R7P4K3 \\4F1p\ P !\RRV 2R7P4K3 \\4F1p\ P !\RRV 2R7P4K3 \ P !\RR7P4\R\ R\ R \ R 24\\P P#R R 44p\R V 24\$P'RVRRR7R#)Trr)targetdaemonrzeval-zreeval-)rrz pip-witness: z scan workers, z eval workers, z reeval workersPORTiz/pip-witness viewer running at http://localhost:z0.0.0.0F)hostrdebugthreadedN)rrrranger threadingThreadrstartrrrrrrrjenvironr=appr)r5rs rmainr s( I$6<  Dqc{KQQS!<  Dqc{KQQS!<  d71#OUUW!M$7==? M,|nOT`Saap qr rzz~~fd+ ,D ;D6 BCGGUTGBr__main__cV^8dQh/^\9d\\P,;R&^\9d\P;R&^\9d\P;R&^\9d\P;R&#)r r,rrr)__conditional_annotations__rr.rD PriorityQueue)r%s"rr&r&ss  F$#T%++ #G N87E  7O P('EKK'Q R*)ekk)S r)N2internal)Qr__doc__rpr(rjr.rrrrrrrpathlibrflaskrrrrr __file__parentAPP_DIR PROJECT_DIRrrrH__name__rrr,Lockr*rrrDrrrrr7routerErJrRrzrrrrrrrrrrrNrTr^rkr}rrrrrrrrr=rrrrrrrrrr&)rs@rrs    'HH x.  nn . $ $ x   HC O4"$ # >> #("5"5"7 7++- '!KKM ) 4v =VV.3>><,, %&.'.b;)8*8@ %1,2, &2A3A< )H:>*?*< V V?J]J]Z *+ ,, , 44n vh/D0D" &9H:H  '&:I1;I1X= k kF<  (,^<~ :;<( ,- ,. ,$ >B<R2::>>.#67 2::>>.#67  NN$#( # % e"C4 zFr