Documentation
¶
Overview ¶
Package security implements the opt-in deterministic security gate (spec 05). It scans the operator's own tracked files for accidentally committed secrets, prompt-injection payloads, and typosquatted dependencies. Every scanner is a pure function of tracked file contents + embedded rule data + the allowlist: no network, no LLM, stable finding order (R7).
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GateFindings ¶
GateFindings projects an analysis Result to gate findings: allowlisted and off findings drop out; error/warn map to gate severities.
Types ¶
type Finding ¶
type Finding struct {
Scanner string `json:"scanner"`
Rule string `json:"rule"`
File string `json:"file"`
Line int `json:"line"`
Fingerprint string `json:"fingerprint"`
Excerpt string `json:"excerpt"`
// Severity is filled by the gate from config; empty until resolved.
Severity string `json:"severity,omitempty"`
// Allowlisted is set by the gate when an allow.json entry suppresses the
// finding. Recorded (not dropped) so reports show what was waived (R6).
Allowlisted bool `json:"allowlisted,omitempty"`
}
Finding is one scanner hit before severity resolution. Fingerprint pins the finding to (rule + path + matched content) so a reasoned allowlist entry survives the match moving lines but is invalidated by editing the match (R2). Excerpt is always redacted — a secrets scanner that prints secrets into CI logs creates the leak it exists to prevent (R1).
type Gate ¶
type Gate struct {
// contains filtered or unexported fields
}
Gate is the opt-in security gate registered by `check --security`. It scans tracked files and resolves per-scanner severity from config.
func New ¶
func New(cfg core.SecurityConfig) Gate
New builds the gate with the resolved per-scanner severity config.
type Result ¶
type Result struct {
Findings []Finding
}
Result is the full analysis: every scanner finding with severity resolved and allowlist status stamped. Consumed by the gate (for pass/fail) and by the caller (for recording under state.security).
type Scanner ¶
type Scanner interface {
Name() string
Scan(files []TrackedFile) []Finding
}
Scanner is the pure contract every detector satisfies. Scan must return findings in a stable order for identical input.
type TrackedFile ¶
TrackedFile is one working-tree file the gate feeds to scanners. Path is the repo-relative slash path (git ls-files semantics); Content is the raw bytes.