checks
Description
Displays all checks that were performed for the selected package version during analysis.
Use this command to view a summary of performed checks and integrate their results into CI/CD pipelines.
When working with reproducible build artifacts, it's recommended to use the checks command instead of other commands (such as inspect or list).
The checks command displays information about the package version as a whole.
The command output includes checks performed against all artifacts in the version.
The following check types can be displayed in the command output:
- Software package analysis - standard scan of the main package version artifact
- Software package analysis: repro - standard scan of the reproducible build artifact
- Diff with: repro - comparison of the main package version artifact and its reproducible build artifact
- Diff with: <version> - comparison of the main package version artifact with another package version
- Reproducible build check - functional and behavioral similarity check between the main and the reproducible build artifacts
The first check (Software package analysis) is the default and always present for all analyzed package versions. Other checks are displayed only if they have actually been performed for a package version.
Every check in the output is prefixed with a label that shows its status (PASS or FAIL). The first characters of the label identify the check type:
- L(n) - software package analysis with SAFE Levels enabled (the example output below shows L1)
- CI - software package analysis with SAFE Levels disabled
- DF - comparison (diff) between package version artifacts
- RB - reproducible build check
Usage
```shell
rl-secure checks <purl> [<options>]
rl-secure checks --purl=<purl> [<options>]
```
Options
| Option | Description |
|---|---|
| -p, --purl | Required. Package URL of the version for which you want to display checks, in the format `[pkg:type/]<project>/<package>@<version>`. |
| --return-status | Return the overall check status as the process exit code. This is useful when working with CI/CD. The following exit codes are supported: 0 - PASS, 1 - CI:FAIL, 2 - DF:FAIL, 3 - RB:FAIL |
| -s, --rl-store | Path to an initialized package store containing the package URL. If you don't specify the path, the current directory is used. |
| --no-color | Don't add color to the output. |
| -h, --help | Display usage information and exit. |
Examples
Show checks for a package version
This example shows how to display all checks performed for a specified package version.
When used, the --return-status option returns the overall check status as the exit code of the command (0 - PASS, 1 - CI:FAIL, 2 - DF:FAIL, 3 - RB:FAIL). You can then retrieve it manually or set up your CI service to pick it up automatically.
The Diff with: 1.0.2 check in the output indicates that the package version (1.0.1) has previously been compared to another version (1.0.2) and a diff was successfully generated with the rl-secure report command.
The Software package analysis: repro check in the output indicates that the package version has a reproducible build artifact that was successfully analyzed.
A failed Reproducible build check in the output indicates that there are differences between the main package version artifact and the reproducible build artifact, potentially caused by tampering.
In this case, it's recommended to generate the SAFE report (rl-html) with the rl-secure report command and the ?build=repro option. In the report, examine the Reproducibility page to better understand the detected issues.
The command expects the package store to exist in the current directory. Use the -s or --rl-store option to provide an alternative path to the package store.
Input:

```shell
rl-secure checks my-project/my-package@1.0.1
```

Input with --return-status:

```shell
rl-secure checks my-project/my-package@1.0.1 --return-status
```

Output - PASS:

```text
STATUS: All checks have passed - 5/5 PASS
----------------------------------------------------------------
L1:PASS - Check (1/5) > Software package analysis
DF:PASS - Check (2/5) > Diff with: 1.0.2
L1:PASS - Check (3/5) > Software package analysis: repro
DF:PASS - Check (4/5) > Diff with: repro
RB:PASS - Check (5/5) > Reproducible build check
```

Output - FAIL:

```text
STATUS: Some checks have failed - 1/5 FAIL
----------------------------------------------------------------
L1:PASS - Check (1/5) > Software package analysis
DF:PASS - Check (2/5) > Diff with: 1.0.2
L1:PASS - Check (3/5) > Software package analysis: repro
DF:PASS - Check (4/5) > Diff with: repro
RB:FAIL - Check (5/5) > Reproducible build check
```
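The following POSIX shell script is an added example of a CI gate built around the exit codes and output format documented above; it is not part of the rl-secure documentation or the tool itself. It maps the documented `--return-status` exit codes (0-3) to the check label that failed, extracts the failed check lines from the output, and returns the tool's exit code so the CI job fails on anything but PASS. The `RL_SECURE` override variable, the `gate_purl`/`status_label`/`failed_checks` function names and the exact `rl-secure report rl-html '<purl>?build=repro'` hint are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the rl-secure documentation: a CI gate around
# `rl-secure checks --return-status`. Only the exit codes and the output
# format shown on this page are taken from the docs; the RL_SECURE override,
# the function names and the report hint below are assumptions.

# Translate a `--return-status` exit code into the check label it stands for.
# Codes other than 0-3 are not documented, so they are reported as tool errors
# (for example, a missing package store or an uninstalled binary).
status_label() {
  case "$1" in
    0) echo "PASS" ;;
    1) echo "CI:FAIL" ;;
    2) echo "DF:FAIL" ;;
    3) echo "RB:FAIL" ;;
    *) echo "ERROR" ;;
  esac
}

# Print "LABEL check name" for every failed check line in the command output,
# e.g. "RB:FAIL - Check (5/5) > Reproducible build check" becomes
# "RB:FAIL Reproducible build check". PASS lines and the STATUS banner are dropped.
failed_checks() {
  printf '%s\n' "$1" | sed -n 's/^\([A-Z0-9()]*:FAIL\) - Check ([0-9]*\/[0-9]*) > \(.*\)$/\1 \2/p'
}

# Run the gate for one package URL. $1 = purl, $2 = package store path
# (defaults to the current directory, like the tool itself). The function
# returns the rl-secure exit code so the caller can fail the CI job on it.
gate_purl() {
  purl="$1"
  store="${2:-.}"
  rc=0
  # RL_SECURE lets a pipeline (or a test) point at a wrapper; default is the real binary.
  out=$("${RL_SECURE:-rl-secure}" checks "$purl" --rl-store "$store" --return-status --no-color) || rc=$?
  label=$(status_label "$rc")
  printf 'rl-secure checks %s: %s (exit %s)\n' "$purl" "$label" "$rc"
  case "$label" in
    PASS)
      ;;
    RB:FAIL)
      # Main and reproducible build artifacts differ (possible tampering). The docs
      # recommend the SAFE report for the repro artifact; exact syntax is an assumption.
      echo "hint: rl-secure report rl-html '${purl}?build=repro' and review the Reproducibility page"
      failed_checks "$out"
      ;;
    CI:FAIL|DF:FAIL)
      failed_checks "$out"
      ;;
    *)
      echo "rl-secure did not return a documented status; check the tool installation and the store path"
      ;;
  esac
  return "$rc"
}

# Usage: sh gate.sh my-project/my-package@1.0.1 [/path/to/store]
if [ "$#" -gt 0 ]; then
  gate_purl "$@"
fi
```

In a pipeline step, `sh gate.sh my-project/my-package@1.0.1 /path/to/store` fails the job for any non-zero code and prints which check failed; for exit code 3 it also prints the next step the documentation recommends. Distinguishing the documented codes from anything else matters because an undocumented code (a missing store, a bad purl) should be treated as a broken pipeline, not as a security finding.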