security

package
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package security implements the opt-in deterministic security gate (spec 05). It scans the operator's own tracked files for accidentally committed secrets, prompt-injection payloads, and typosquatted dependencies. Every scanner is a pure function of tracked file contents + embedded rule data + the allowlist: no network, no LLM, stable finding order (R7).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GateFindings

func GateFindings(result Result) []gates.Finding

GateFindings projects an analysis Result to gate findings: allowlisted and off findings drop out; error/warn map to gate severities.

Types

type Finding

type Finding struct {
	Scanner     string `json:"scanner"`
	Rule        string `json:"rule"`
	File        string `json:"file"`
	Line        int    `json:"line"`
	Fingerprint string `json:"fingerprint"`
	Excerpt     string `json:"excerpt"`
	// Severity is filled by the gate from config; empty until resolved.
	Severity string `json:"severity,omitempty"`
	// Allowlisted is set by the gate when an allow.json entry suppresses the
	// finding. Recorded (not dropped) so reports show what was waived (R6).
	Allowlisted bool `json:"allowlisted,omitempty"`
}

Finding is one scanner hit before severity resolution. Fingerprint pins the finding to (rule + path + matched content) so a reasoned allowlist entry survives the match moving lines but is invalidated by editing the match (R2). Excerpt is always redacted — a secrets scanner that prints secrets into CI logs creates the leak it exists to prevent (R1).

type Gate

type Gate struct {
	// contains filtered or unexported fields
}

Gate is the opt-in security gate registered by `check --security`. It scans tracked files and resolves per-scanner severity from config.

func New

func New(cfg core.SecurityConfig) Gate

New builds the gate with the resolved per-scanner severity config.

func (Gate) Name

func (Gate) Name() string

func (Gate) Run

func (g Gate) Run(ctx gates.CheckCtx) []gates.Finding

Run enumerates tracked files under ctx.Root and returns gate findings. Error findings fail the gate; warn findings print but pass; off scanners are skipped (R5). Allowlisted findings are suppressed from the gate result (recorded separately by the caller for reports, R6).

type Result

type Result struct {
	Findings []Finding
}

Result is the full analysis: every scanner finding with severity resolved and allowlist status stamped. Consumed by the gate (for pass/fail) and by the caller (for recording under state.security).

func Analyze

func Analyze(root string, cfg core.SecurityConfig) Result

Analyze runs every non-off scanner over the tracked working tree and returns findings with severity + allowlist status resolved. A load error in the allowlist fails closed (its error finding is included at error severity).

type Scanner

type Scanner interface {
	Name() string
	Scan(files []TrackedFile) []Finding
}

Scanner is the pure contract every detector satisfies. Scan must return findings in a stable order for identical input.

type TrackedFile

type TrackedFile struct {
	Path    string
	Content []byte
}

TrackedFile is one working-tree file the gate feeds to scanners. Path is the repo-relative slash path (git ls-files semantics); Content is the raw bytes.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL