Initial commit

scripts/vendor_compliance_assets.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+# Shallow-clone NIST macos_security and Lynis into applepy/data/ for bundled / PyInstaller builds.
+# Preserves applepy/data/{macos_security,lynis}/README.md and .gitignore (excluded from rsync).
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+MACP="${ROOT}/applepy/data/macos_security"
+LYNP="${ROOT}/applepy/data/lynis"
+TMP="${TMPDIR:-/tmp}/applepy-vendor-$$"
+cleanup() { rm -rf "${TMP}"; }
+trap cleanup EXIT
+mkdir -p "${TMP}"
+
+refresh="${REFRESH:-0}"
+
+clone_mscp() {
+  if [[ -f "${MACP}/scripts/generate_guidance.py" ]] && [[ "${refresh}" != "1" ]]; then
+    echo "macos_security already present under applepy/data/macos_security (set REFRESH=1 to re-fetch)"
+    return 0
+  fi
+  mkdir -p "${MACP}"
+  git clone --depth 1 "https://github.com/usnistgov/macos_security.git" "${TMP}/macos_security"
+  rsync -a --delete \
+    --exclude README.md --exclude .gitignore \
+    "${TMP}/macos_security/" "${MACP}/"
+  echo "Vendored macos_security -> ${MACP}"
+}
+
+clone_lynis() {
+  if [[ -f "${LYNP}/lynis" ]] && [[ "${refresh}" != "1" ]]; then
+    echo "Lynis already present under applepy/data/lynis (set REFRESH=1 to re-fetch)"
+    return 0
+  fi
+  mkdir -p "${LYNP}"
+  git clone --depth 1 "https://github.com/cisofy/lynis.git" "${TMP}/lynis"
+  rsync -a --delete \
+    --exclude README.md --exclude .gitignore \
+    "${TMP}/lynis/" "${LYNP}/"
+  echo "Vendored Lynis -> ${LYNP}"
+}
+
+case "${1:-all}" in
+  mscp|macos_security) clone_mscp ;;
+  lynis) clone_lynis ;;
+  all)
+    clone_mscp
+    clone_lynis
+    ;;
+  *)
+    echo "Usage: $0 [all|mscp|lynis]" >&2
+    exit 2
+    ;;
+esac