RUNE Audit — compliance evidence collection and verification for IEC 62443 / SLSA

These details have been verified by PyPI

Project links

GitHub Statistics

Maintainers

lpasquali

These details have not been verified by PyPI

Project links

Documentation

Project description

rune-audit

Auditing and compliance tracking for the RUNE platform.

rune-audit collects, verifies, and reports on security and compliance evidence across the RUNE ecosystem. It verifies SLSA Level 3 build provenance, manages VEX (Vulnerability Exploitability eXchange) documents, and generates IEC 62443 evidence matrices.

Architecture

rune-audit
  collect      Gather SBOMs, CVE scans, VEX documents from all repos
  vex          Manage and validate OpenVEX documents
  compliance   IEC 62443 evidence matrix and gap analysis
  slsa         SLSA Level 3 provenance verification
  report       Full, summary, and delta audit reports
  config       Display current configuration

Evidence sources: GitHub Attestations API, SBOM files, CVE scan results, OpenVEX documents.

Outputs: Rich terminal tables, Markdown reports, JSON exports.

Installation

pip install rune-audit

Or for development:

git clone https://github.com/lpasquali/rune-audit.git
cd rune-audit
pip install -e ".[dev]"

Quick Start

# Verify SLSA L3 provenance for a single repo
rune-audit slsa verify rune --tag v0.0.0a2

# Verify SLSA across all ecosystem repos
rune-audit slsa verify-all --tag v0.0.0a2

# Show IEC 62443 evidence matrix
rune-audit compliance matrix

# Show compliance gaps
rune-audit compliance gaps

# Validate VEX documents
rune-audit vex validate

# List VEX statements
rune-audit vex list

# Generate full audit report
rune-audit report full

# Show configuration
rune-audit config show

External OSS projects (compliance-config & packs)

For non-RUNE repositories, use compliance-config.yaml and builtin packs (rune-audit init, rune-audit sr2 verify --pack …). Documentation lives in rune-docs: External projects (rune-docs#227–#232).

Multi-repo SR-2 matrix (HTML / JSON / Markdown): rune-audit sr2 dashboard --base-path .. (see rune-docs#212).

Supported Evidence Types

Type	Description	Source
SLSA Provenance	Build attestation verification	GitHub Attestations API
SBOM	Software Bill of Materials	CycloneDX / SPDX
CVE Scans	Vulnerability scan results	pip-audit, grype
VEX	Vulnerability Exploitability eXchange	OpenVEX documents
License	License compliance status	SPDX headers, LICENSE files

Configuration

Variable	Description	Default
`RUNE_AUDIT_GITHUB_TOKEN`	GitHub API token (fallback: `gh auth token`)	--
`RUNE_AUDIT_REPOS`	Comma-separated repo list	All 8 RUNE program repos
`RUNE_AUDIT_OUTPUT_DIR`	Report output directory	`./audit-output/`

Optional YAML config file: rune-audit.yaml

Compliance Context

IEC 62443-4-1 ML4: This repository aligns with IEC 62443-4-1 Maturity Level 4 secure development requirements.
SLSA Level 3: Build provenance is verified against all five SLSA L3 requirements (provenance exists, signed, trusted builder, version-controlled source, isolated build).

Documentation

Full documentation is consolidated in rune-docs.

License

Apache License 2.0. See LICENSE.

Project details

These details have been verified by PyPI

Project links

GitHub Statistics

Maintainers

lpasquali

These details have not been verified by PyPI

Project links

Documentation

Release history Release notifications | RSS feed

0.1.1 yanked

Apr 10, 2026

Reason this release was yanked:

agents to blame

This version

0.0.0a1 pre-release

Apr 10, 2026

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rune_audit-0.0.0a1.tar.gz (77.5 kB view details)

Uploaded Apr 10, 2026 Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

The dropdown lists show the available interpreters, ABIs, and platforms. Enable javascript to be able to filter the list of wheel files.

rune_audit-0.0.0a1-py3-none-any.whl (99.1 kB view details)

Uploaded Apr 10, 2026 Python 3

File details

Details for the file rune_audit-0.0.0a1.tar.gz.

File metadata

Download URL: rune_audit-0.0.0a1.tar.gz
Upload date: Apr 10, 2026
Size: 77.5 kB
Tags: Source
Uploaded using Trusted Publishing? Yes
Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for rune_audit-0.0.0a1.tar.gz
Algorithm	Hash digest
SHA256	`7e7841520c9ee56f9d1f2a71ad30b68969cc1cfcf6e4fdce09a172c7b4ff8629`
MD5	`d19faf02d812710a0fd21fab5ae43de2`
BLAKE2b-256	`e4cc8ead99295c8c4a58c6ec5aa3013ed57a5662ce290b8fed7b894adb18128c`

See more details on using hashes here.

Provenance

The following attestation bundles were made for rune_audit-0.0.0a1.tar.gz:

Publisher: publish-pypi.yml on lpasquali/rune-audit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: rune_audit-0.0.0a1.tar.gz
- Subject digest: 7e7841520c9ee56f9d1f2a71ad30b68969cc1cfcf6e4fdce09a172c7b4ff8629
- Sigstore transparency entry: 1271681399
- Sigstore integration time: Apr 10, 2026
Source repository:
- Permalink: lpasquali/rune-audit@a882a153d620d223a6b2b4946d9619f88fcd7189
- Branch / Tag: refs/tags/v0.0.0a1
- Owner: https://github.com/lpasquali
- Access: public
Publication detail:
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-pypi.yml@a882a153d620d223a6b2b4946d9619f88fcd7189
- Trigger Event: push

File details

Details for the file rune_audit-0.0.0a1-py3-none-any.whl.

File metadata

Download URL: rune_audit-0.0.0a1-py3-none-any.whl
Upload date: Apr 10, 2026
Size: 99.1 kB
Tags: Python 3
Uploaded using Trusted Publishing? Yes
Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for rune_audit-0.0.0a1-py3-none-any.whl
Algorithm	Hash digest
SHA256	`6a263e054f8621c18942cf927e0e046eaf07a96131887acf904f947c441010cf`
MD5	`6cdca3f887963de640cf25ff05b171cf`
BLAKE2b-256	`8c24b91aa18f43105b68cfb9d69d5451cfb68a41447a62ffbedbdec721b44733`

See more details on using hashes here.

Provenance

The following attestation bundles were made for rune_audit-0.0.0a1-py3-none-any.whl:

Publisher: publish-pypi.yml on lpasquali/rune-audit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: rune_audit-0.0.0a1-py3-none-any.whl
- Subject digest: 6a263e054f8621c18942cf927e0e046eaf07a96131887acf904f947c441010cf
- Sigstore transparency entry: 1271681450
- Sigstore integration time: Apr 10, 2026
Source repository:
- Permalink: lpasquali/rune-audit@a882a153d620d223a6b2b4946d9619f88fcd7189
- Branch / Tag: refs/tags/v0.0.0a1
- Owner: https://github.com/lpasquali
- Access: public
Publication detail:
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish-pypi.yml@a882a153d620d223a6b2b4946d9619f88fcd7189
- Trigger Event: push

rune-audit 0.0.0a1

Navigation

Verified details

Project links

GitHub Statistics

Maintainers

Unverified details

Project links

Meta

Classifiers

Project description

rune-audit

Architecture

Installation

Quick Start

External OSS projects (compliance-config & packs)

Supported Evidence Types

Configuration

Compliance Context

Documentation

License

Project details

Verified details

Project links

GitHub Statistics

Maintainers

Unverified details

Project links

Meta

Classifiers

Release history Release notifications | RSS feed

Download files

Source Distribution

Built Distribution

File details

File metadata

File hashes

Provenance

File details

File metadata

File hashes

Provenance