depaudit

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Overview

Package depaudit is AgentGuard's dependency safety auditor.

It answers one question across every ecosystem the project ships (Go module, Python SDK, TypeScript SDK): is each dependency on a *safe* version? "Safe" is defined deliberately loosely so the gate does not become busywork that fails the build every time an upstream cuts a routine release:

A dependency is SAFE if it is on the latest version, OR it is behind the
latest version but the gap introduces no known security vulnerability and
no known performance regression. Being merely "behind" is fine.

A dependency is UNSAFE only when its current version is hit by a known
security vulnerability or a known performance regression that an available
upgrade would resolve. That — and only that — fails the gate.

The list of "known" issues lives in advisories.json (embedded below), a curated registry maintained from govulncheck / pip-audit / npm audit output and from upstream release notes / benchmark evidence for performance regressions (for which no automated database exists). See advisories.md.

This package is intentionally stdlib-only and has zero production import surface: it is a CI/dev tool, not part of the <3ms hot path.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RepoRoot

func RepoRoot() (string, error)

RepoRoot walks up from the current working directory to the module root (the directory holding go.mod). Tests run in the package directory, so the manifests we audit live a couple of levels up.

Types

type Advisory

type Advisory struct {
	ID        string         `json:"id"`
	Ecosystem string         `json:"ecosystem"` // go | python | npm
	Package   string         `json:"package"`
	Kind      Kind           `json:"kind"`
	Summary   string         `json:"summary"`
	Reference string         `json:"reference"`
	Affected  []VersionRange `json:"affected"`
}

Advisory is one known security or performance issue affecting a package.

type Dependency

type Dependency struct {
	Ecosystem string // go | python | npm
	Name      string
	// Current is an exact version (Go pins, npm lockfile-resolved) or a PEP 508 /
	// npm version constraint when no exact version is available (Python extras).
	Current    string
	Constraint bool   // true when Current is a range, not an exact version
	Scope      string // direct | indirect | dev | optional:<extra> | build
}

Dependency is one audited package across any ecosystem.

func CollectDependencies

func CollectDependencies(root string) ([]Dependency, error)

CollectDependencies parses every manifest under root into a flat list.

type Finding

type Finding struct {
	Dependency
	Latest     string    // best-effort; populated only when online lookup is enabled
	Safe       bool      // false ⇒ fails the gate
	Reason     string    // human-readable explanation for the report
	Advisory   *Advisory // the matched registry advisory when Safe is false
	Source     string    // what flagged it: "registry" | "osv.dev"
	Reference  string    // advisory URL for the report
	OSVChecked bool      // true ⇒ current version was cross-checked live against OSV.dev
	// contains filtered or unexported fields
}

Finding is the per-dependency audit verdict.

func Evaluate

func Evaluate(deps []Dependency, reg *Registry, fetchLatest bool) []Finding

Evaluate is the backward-compatible entry point: registry-only verdict with an optional best-effort latest-version lookup for the report.

func EvaluateWithOptions

func EvaluateWithOptions(deps []Dependency, reg *Registry, opts Options) []Finding

EvaluateWithOptions produces a Finding for each dependency. The verdict is the union of two sources:

  1. The curated registry (always, offline) — covers performance regressions, which no database tracks, plus any manually-pinned advisory.
  2. OSV.dev (when Options.CheckOSV, online) — the authoritative, always-current security database, queried per exact pinned version across Go/PyPI/npm.

OSV only ever *adds* findings; a network failure degrades to registry-only without erroring, so the gate cannot flake red on an OSV outage. Latest is fetched only when Options.FetchLatest and never affects Safe.

type Kind

type Kind string

Kind classifies why an upgrade matters. Only these two kinds fail the gate.

const (
	KindSecurity    Kind = "security"
	KindPerformance Kind = "performance"
)

type Options

type Options struct {
	// FetchLatest populates Finding.Latest via the ecosystem registries
	// (informational only — never affects the Safe verdict).
	FetchLatest bool
	// CheckOSV cross-checks each exact-version dependency against the live
	// OSV.dev database. This is what makes "behind but safe" a *verified*
	// statement about the gap's security content rather than an assumption.
	CheckOSV bool
}

Options controls how Evaluate runs.

type Registry

type Registry struct {
	Advisories []Advisory `json:"advisories"`
}

Registry is the parsed advisories.json.

func LoadRegistry

func LoadRegistry() (*Registry, error)

LoadRegistry parses the embedded advisory registry.

type VersionRange

type VersionRange struct {
	Introduced string `json:"introduced"`
	Fixed      string `json:"fixed"`
}

VersionRange is an OSV-style affected interval: [Introduced, Fixed). Introduced "0" (or "") means "from the beginning". Fixed "" means no fixed release exists yet — in that case an upgrade would NOT resolve the issue, so per the contract it does not fail the gate (it is surfaced as a note).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL