
checks

Description

Displays all checks that were performed for the selected package version during analysis.

Use this command to view a summary of performed checks and integrate their results into CI/CD pipelines.

When working with reproducible build artifacts, it's recommended to use the checks command instead of other commands (such as inspect or list). The checks command displays information about the package version as a whole. The command output includes checks performed against all artifacts in the version.

The following check types can be displayed in the command output:

  • Software package analysis - standard scan of the main package version artifact
  • Software package analysis: repro - standard scan of the reproducible build artifact
  • Diff with: repro - comparison of the main package version artifact and its reproducible build artifact
  • Diff with: <version> - comparison of the main package version artifact with another package version
  • Reproducible build check - functional and behavioral similarity check between the main and the reproducible build artifacts

The first check (Software package analysis) is the default and always present for all analyzed package versions. Other checks are displayed only if they have actually been performed for a package version.

Every check type is assigned a label that shows the status information (pass or fail) for the check. The first two characters in the label are used to distinguish between check types:

  • L(n) - software package analysis with SAFE Levels enabled
  • CI - software package analysis with SAFE Levels disabled
  • C(n) - software package analysis with custom SAFE Levels
  • DF - comparison (diff) between package version artifacts
  • RB - reproducible build check

Usage

rl-secure checks <purl> [<options>]

rl-secure checks --purl=<purl> [<options>]

Options

  • -p, --purl - Required. Package URL of the version for which you want to display checks, in the format [pkg:type/]<project>/<package>@<version>.
  • --return-status - Return the check status as the exit code. This is useful when working with CI/CD. The following exit codes are supported: 0 - PASS, 1 - CI:FAIL, 2 - DF:FAIL, 3 - RB:FAIL.
  • -s, --rl-store - Path to an initialized package store containing the package URL. If you don't specify the path, the current directory is used.
  • --no-color - Don't add color to the output.
  • -h, --help - Display usage information and exit.

Examples

Show checks for a package version

This example shows how to display all checks performed for a specified package version.

When used, the --return-status option prints out the exit code to standard output. You can then retrieve it manually or set up your CI service to pick it up automatically.

The Diff with: 1.0.2 check in the output indicates that the package version (1.0.1) has been previously compared to another version (1.0.2) and a diff was successfully generated with the rl-secure report command.

The Software package analysis: repro check in the output indicates that the package version has a reproducible build artifact that was successfully analyzed.

A failed Reproducible build check in the output indicates that there are differences between the main package version artifact and the reproducible build artifact, potentially caused by tampering. In this case, it's recommended to generate the SAFE report (rl-html) with the rl-secure report command and the ?build=repro option, and to examine the Reproducibility page in the report to better understand the detected issues.

The command expects the package store to exist in the current directory. Use the -s or --rl-store option to provide an alternative path to the package store.

rl-secure checks my-project/my-package@1.0.1
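The CI/CD integration described above, as an added shell example that is not part of the rl-secure documentation: it runs the command with --return-status, maps the documented exit codes to their check labels, and decides whether the job may continue. The package URL, the store path and the blocking policy are assumptions of this script.

```shell
# Added example, not part of the rl-secure documentation: gate a CI job on the
# exit code of `rl-secure checks --return-status` (0 PASS, 1 CI:FAIL,
# 2 DF:FAIL, 3 RB:FAIL). PURL and RL_STORE are assumed placeholder values.
PURL="${PURL:-my-project/my-package@1.0.1}"
RL_STORE="${RL_STORE:-.}"

# Map an exit code from `rl-secure checks --return-status` to its check label.
check_label() {
  case "$1" in
    0) echo "PASS" ;;
    1) echo "CI:FAIL" ;;
    2) echo "DF:FAIL" ;;
    3) echo "RB:FAIL" ;;
    *) echo "UNKNOWN($1)" ;;
  esac
}
# Suggest the follow-up for each code, following the guidance on this page
# (for RB:FAIL: the rl-html report with ?build=repro, Reproducibility page).
next_step() {
  case "$1" in
    0) echo "all checks passed" ;;
    1) echo "review the software package analysis results for the version" ;;
    2) echo "review the diff generated with rl-secure report" ;;
    3) echo "generate the rl-html report with ?build=repro and examine the Reproducibility page" ;;
    *) echo "unexpected exit code; inspect the rl-secure output" ;;
  esac
}
# Example policy (this script's assumption, not an rl-secure rule): PASS and
# DF:FAIL let the job continue, CI:FAIL and RB:FAIL block it. Returns 0/1.
gate_on_status() {
  case "$1" in
    0|2) return 0 ;;
    *)   return 1 ;;
  esac
}
# Run the command, classify its exit code, then apply the gate. The if/else
# keeps a non-zero code from aborting the job before it has been classified.
run_checks() {
  if rl-secure checks --purl="$PURL" --rl-store="$RL_STORE" --return-status --no-color; then
    status=0
  else
    status=$?
  fi
  echo "exit code $status ($(check_label "$status")): $(next_step "$status")"
  gate_on_status "$status"
}
# Only invoke the tool when it is installed; the helpers stay usable elsewhere.
if command -v rl-secure >/dev/null 2>&1; then
  run_checks || exit 1
fi
```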