Documentation
Overview
Package gorisk exposes gorisk's risk analysis capabilities as a stable public API. Types in this package have semver stability guarantees; internal packages may change freely.
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CapabilityDetector
type CapabilityDetector interface {
	// Language returns the identifier for which this detector applies, e.g. "python".
	Language() string
	// DetectFile scans a single source file and returns a map of capability
	// names (e.g. "exec", "network") to confidence values in [0,1].
	DetectFile(path string) (map[string]float64, error)
}
CapabilityDetector is the interface that gorisk plugin authors implement to extend capability detection to new languages or frameworks.
The gorisk plugin system uses Go's plugin package (go build -buildmode=plugin). Plugins must export a symbol named "CapabilityDetector" that implements this interface.
type Finding
type Finding struct {
	Package      string    `json:"package"`
	Module       string    `json:"module,omitempty"`
	Capabilities []string  `json:"capabilities,omitempty"`
	Risk         RiskLevel `json:"risk"`
	Score        float64   `json:"score"`
}
Finding holds the capability risk result for a single package.
type Policy
type Policy struct {
	Version             int               `json:"version,omitempty"`
	FailOn              string            `json:"fail_on,omitempty"`
	DenyCapabilities    []string          `json:"deny_capabilities,omitempty"`
	AllowExceptions     []PolicyException `json:"allow_exceptions,omitempty"`
	ExcludePackages     []string          `json:"exclude_packages,omitempty"`
	ConfidenceThreshold float64           `json:"confidence_threshold,omitempty"`
	MaxDepDepth         int               `json:"max_dep_depth,omitempty"`
}
Policy configures scan behaviour and enforcement rules. The zero value is valid and uses safe defaults (fail_on: "high").
func DefaultPolicy
func DefaultPolicy() Policy
DefaultPolicy returns a Policy with recommended defaults.
func LoadPolicy
LoadPolicy reads and parses a policy JSON file. Returns DefaultPolicy() and a non-nil error if the file cannot be read or parsed.
type PolicyException
type PolicyException struct {
	Package      string   `json:"package"`
	Capabilities []string `json:"capabilities,omitempty"`
	Taint        []string `json:"taint,omitempty"`
	Expires      string   `json:"expires,omitempty"`
}
PolicyException allows a specific package+capability combination to be excluded from policy enforcement.
type RiskScorer
type RiskScorer interface {
	// Name returns a short identifier for this scorer, used in diagnostics.
	Name() string
	// Score returns an additional risk score contribution (0–20) for the
	// given package. Contributions are capped and summed into the final score.
	Score(pkg string, caps []string) float64
}
RiskScorer allows plugins to contribute additional scoring signals beyond gorisk's built-in multi-engine additive scorer.
Plugins must export a symbol named "RiskScorer" that implements this interface.
type ScanOptions
type ScanOptions struct {
	// Dir is the project root to scan. Defaults to os.Getwd().
	Dir string
	// Lang is the language hint: "auto", "go", "node", "python", etc.
	// Defaults to "auto".
	Lang string
	// Policy drives enforcement. Defaults to DefaultPolicy().
	Policy Policy
}
ScanOptions configures a Scanner invocation.
type ScanResult
type ScanResult struct {
	SchemaVersion string         `json:"schema_version"`
	Passed        bool           `json:"passed"`
	FailReason    string         `json:"fail_reason,omitempty"`
	Findings      []Finding      `json:"findings,omitempty"`
	TaintFlows    []TaintFinding `json:"taint_flows,omitempty"`
}
ScanResult is the top-level output of a Scanner.Scan() call.
type Scanner
type Scanner struct {
	// contains filtered or unexported fields
}
Scanner analyses a project directory for dependency risk.
func NewScanner
func NewScanner(opts ScanOptions) *Scanner
NewScanner returns a Scanner configured with opts. Missing fields in opts are filled with safe defaults.
func (*Scanner) Scan
func (s *Scanner) Scan() (*ScanResult, error)
Scan performs the full risk analysis pipeline and returns a ScanResult.
type TaintFinding
type TaintFinding struct {
	Package    string    `json:"package"`
	Module     string    `json:"module,omitempty"`
	Source     string    `json:"source"`
	Sink       string    `json:"sink"`
	Risk       RiskLevel `json:"risk"`
	Note       string    `json:"note,omitempty"`
	Confidence float64   `json:"confidence"`
}
TaintFinding records a source→sink data-flow risk path.