
Conversation

@jmgilman (Contributor)

Summary

  • Implement the pull command to download and extract blob archives from OCI registries
  • Add policy verification support: Sigstore keyless signatures, SLSA provenance
  • Support multiple policy sources: config file rules, YAML files (--policy), OPA Rego (--policy-rego)
  • Add comprehensive test coverage for pull command and policy package

Features

  • Pull from OCI registries with alias resolution
  • Policy verification: Sigstore keyless signatures, SLSA provenance
  • Policy sources: Config file, YAML files, OPA Rego
  • Output formats: Text and JSON (--output json)
  • Quiet mode: Suppresses output when --quiet is set
  • Directory handling: Creates destination if needed, skips existing files

Test plan

  • Unit tests for prepareDestination function
  • Unit tests for pullText and pullJSON output formatters
  • Unit tests for policy file loading (LoadFile)
  • Unit tests for policy conversion (ConvertConfigPolicy)
  • Unit tests for policy building (BuildPolicies)
  • Integration test with docker.io/meigma/blob-test:v1
  • All linting passes (0 issues)

🤖 Generated with Claude Code

Add the pull command to download and extract blob archives from OCI
registries with optional policy-based verification.

Features:
- Pull archives from OCI registries with alias resolution
- Policy verification: Sigstore keyless signatures, SLSA provenance
- Policy sources: config file, YAML files (--policy), OPA Rego (--policy-rego)
- Output formats: text and JSON (--output json)
- Quiet mode support
- Directory handling: creates destination if needed, skips existing files

New files:
- internal/policy/loader.go: YAML policy file parsing
- internal/policy/builder.go: Convert config policies to registry policies
- internal/policy/policy_test.go: Policy package tests
- cmd/pull_test.go: Pull command tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@kusari-inspector

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code analysis shows no security issues across all 7 scanned files, the dependency analysis reveals a critical anomaly that blocks this PR. Two direct dependencies (github.com/meigma/blob/policy/opa and github.com/meigma/blob/policy/slsa) have version timestamps dated in the future (January 2026), which is highly irregular and could indicate compromised packages, system misconfiguration, or test dependencies incorrectly included in production code. This anomaly must be investigated and resolved before merging. Additionally, a transitive dependency uses a non-OSS license (BSD-2-Clause-Views) that requires compliance review. Action items: (1) Verify the source and authenticity of the future-dated packages, (2) Replace pseudo-versions with properly versioned releases, (3) Review license compatibility for the transitive dependency.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • CRITICAL: Investigate future-dated version timestamps - The dependencies github.com/meigma/blob/policy/opa@v0.0.0-20260121212824-972ce5f91c94 and github.com/meigma/blob/policy/slsa@v0.0.0-20260121212824-972ce5f91c94 have version timestamps from January 21, 2026, which is in the future. This is highly unusual and could indicate: (1) system clock misconfiguration during build, (2) test/development dependencies not meant for production, or (3) potentially compromised packages. Verify the source and authenticity of these packages before proceeding. Consider using properly versioned releases instead of pseudo-versions.
  • LICENSE ISSUE: Non-OSS license detected in transitive dependency - The package github.com/rcrowley/go-metrics@v0.0.0-20250401214520-65e299d6c5c9 (indirect dependency via github.com/meigma/blob/policy/opa) uses the 'BSD-2-Clause-Views' license which is marked as 'non oss'. Dependency path: github.com/rcrowley/go-metrics <- github.com/meigma/blob/policy/opa. Review whether this license is compatible with your project's licensing requirements. Consider reaching out to the OPA policy package maintainers to explore alternatives if this poses a compliance issue.

Commit: e88762d, performed at: 2026-01-22T19:33:57Z

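The future-dated pseudo-version check that the Kusari report describes, written out as an added example (not Kusari's or the blob project's code): it walks the require entries of a constructed go.mod fragment and flags every Go pseudo-version whose embedded commit timestamp lies after a reference clock the caller supplies. The module path example.com/blob-cli and the go.mod content are constructed; the two flagged versions are the ones quoted in the report above.

```go
package main

import (
	"regexp"
	"strings"
	"time"
)

// Constructed go.mod fragment (not the project's own); the pseudo-versions are those quoted in the Kusari report.
const sampleGoMod = `module example.com/blob-cli
require (
	github.com/meigma/blob/policy/opa v0.0.0-20260121212824-972ce5f91c94
	github.com/meigma/blob/policy/slsa v0.0.0-20260121212824-972ce5f91c94
	github.com/spf13/cobra v1.8.1
	github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
)
`

// A Go pseudo-version embeds the commit's UTC time as yyyymmddhhmmss, e.g. v0.0.0-20260121212824-972ce5f91c94 or v1.2.4-0.20191109021931-daa7c04131f5.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[0-9A-Za-z.]+\.)?(\d{14})-[0-9a-f]{12}$`)

// Finding is a require entry whose embedded commit time is later than the reference clock.
type Finding struct {
	Module, Version string
	Timestamp       time.Time
}

// FutureDatedPseudoVersions returns every require entry whose pseudo-version timestamp is after now (the caller's trusted clock).
func FutureDatedPseudoVersions(goMod string, now time.Time) []Finding {
	var out []Finding
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 { // strip "// indirect" style comments
			line = strings.TrimSpace(line[:i])
		}
		fields := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(fields) != 2 || !strings.Contains(fields[0], "/") {
			continue // not a "module version" pair ("module ...", "require (", ")")
		}
		m := pseudoRe.FindStringSubmatch(fields[1])
		if m == nil {
			continue // tagged release such as v1.8.1, not a pseudo-version
		}
		ts, err := time.Parse("20060102150405", m[1])
		if err == nil && ts.After(now) {
			out = append(out, Finding{fields[0], fields[1], ts})
		}
	}
	return out
}
```

Whether a version counts as future-dated depends entirely on the reference clock, so pass a trusted time rather than the build host's wall clock when investigating such a finding.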

@jmgilman jmgilman merged commit 0d98c25 into master Jan 22, 2026
4 of 5 checks passed
@jmgilman jmgilman deleted the feat/pull-command branch January 22, 2026 19:39