Documentation
¶
Overview ¶
Package security is the deterministic security-gate suite (V8/P4.2). Every scanner here is a pure function over file contents: stdlib only, no network, no LLM, no embedded CVE database. The binary never judges code quality — it makes skipping the deterministic checks impossible. Heuristic scanners default to advisory severity (plan risk 2: a noisy gate that gets disabled is worse than a modest one); allowlists carry mandatory reasons.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func SortFindings ¶
func SortFindings(f []Finding)
SortFindings orders findings deterministically (invariant 6/7): by file, then line, then scanner, then rule. Callers render in this order so output is byte-stable across runs.
Types ¶
type AllowEntry ¶
AllowEntry is one allowlisted value and the mandatory justification for it.
type Allowlist ¶
type Allowlist struct {
// contains filtered or unexported fields
}
Allowlist is the parsed, validated set of allowlisted secret values.
func ParseAllowlist ¶
ParseAllowlist parses and validates the allow.json bytes. An absent file is represented by empty input (nil/zero-length) → an empty allowlist, no error. Every present entry must have a non-empty value and a non-empty reason.
func (Allowlist) Allows ¶
Allows reports whether value is allowlisted (exact match or substring of a finding). The zero Allowlist allows nothing.
func (Allowlist) Entries ¶
func (a Allowlist) Entries() []AllowEntry
Entries exposes the validated entries (for reporting/introspection).
type ChangedFile ¶
ChangedFile is one file's content presented to the scanners. Path is repo-relative; Content is the full file text. Scanners never read the disk — the caller supplies contents so scanning is pure and testable.
type Config ¶
Config selects which scanners run and at what severity. An empty string / "off" disables a scanner; "warn" is advisory; "error" blocks. The zero value runs nothing, so a repo that never opts in is unaffected (invariant 9).
type Finding ¶
type Finding struct {
Scanner string `json:"scanner"`
File string `json:"file"`
Line int `json:"line"`
Rule string `json:"rule"`
Message string `json:"message"`
Severity Severity `json:"severity"`
}
Finding is one deterministic security observation. Line is 1-indexed; 0 means the finding is file-scoped (no single line).
func Scan ¶
func Scan(cfg Config, files []ChangedFile, allow Allowlist) []Finding
Scan runs every enabled scanner over the changed files and returns the merged, deterministically-sorted findings. allow is the secrets allowlist (entries with mandatory reasons); pass nil for none.
func ScanInjection ¶
func ScanInjection(files []ChangedFile) []Finding
ScanInjection returns injection findings across the changed files. Pure over the supplied contents.
func ScanSecrets ¶
func ScanSecrets(files []ChangedFile, allow Allowlist) []Finding
ScanSecrets returns secret findings across the changed files. Pure over the supplied contents; allowlisted values (matched by exact substring, reason mandatory) are suppressed.
func ScanSlopsquat ¶
func ScanSlopsquat(files []ChangedFile) []Finding
ScanSlopsquat parses each recognized manifest in files and reports declared dependency names that are a near-miss of a popular package. Pure over the supplied contents.