grabit

Grabit

Grabit is a utility that helps the definition, downloading and integrity validation of external assets accessible via HTTPS/HTTP.

The integrity of the assets is verified by storing the subresource integrity of the assets and validating it every time the assets are downloaded.

It's typically used as part of a build pipeline when external assets need to be used and their integrity needs to be validated to guard against supply chain attacks.

Installation

go install github.com/cisco-open/grabit@latest

Usage

Typically usage involves 3 steps:

• Definition of the assets
• Lock file committing
• Asset downloading

Definition of the assets

Manually run Grabit to generate the lock file grabit.lock with the definition of all the assets that will be used during the asset downloading step:

$ grabit add https://example.com/
$ cat grabit.lock
[[Resource]]
Urls = ['https://example.com/']
Integrity = 'sha256-6o+sfGX7WJsNU1YPUlH3T56bJDR43Laz6nm142RJyNk='

Lock file committing

The grabit.lock contains the list of all the assets defined in the previous step along with the information needed to perform validation. You will want to commit this file in your source code repository.

Asset downloading

The build pipeline will then consume the lock file by running the following to download all the assets and check their integrity:

$ grabit download --dir .
# Use the assets...

Support

We are continuously improving the tool and adding more feature. Please see the open issues to see the list of planned items and feel free to open a new issue in case something that you'd like to see is missing.