Index
- Constants
- func ApplyGovernFirstProfile(profileName string, paths []ActionPath) ([]ActionPath, *ActionPathToControlFirst)
- func BuildActionPaths(attackPaths []riskattack.ScoredPath, inventory *agginventory.Inventory) ([]ActionPath, *ActionPathToControlFirst)
- func BuildControlPathGraph(paths []ActionPath) *aggattack.ControlPathGraph
- func BuildIdentityActionTargets(paths []ActionPath) (*IdentityActionTarget, *IdentityActionTarget)
- func RemediationForActionPath(path ActionPath) string
- type ActionLineage
- type ActionLineageSegment
- type ActionPath
- func DecorateActionLineage(paths []ActionPath, graph *aggattack.ControlPathGraph) []ActionPath
- func DecorateActionPaths(paths []ActionPath) []ActionPath
- func DecorateIntroducedBy(paths []ActionPath, repoContexts map[string]attribution.Context) []ActionPath
- func DecoratePolicyCoverage(paths []ActionPath, findings []model.Finding) []ActionPath
- func LinkAttackPaths(paths []ActionPath, attackPaths []riskattack.ScoredPath) []ActionPath
- func ProjectActionPath(path ActionPath) ActionPath
- func ProjectActionPaths(paths []ActionPath) []ActionPath
- func ProjectBuyerFacingActionPath(path ActionPath) ActionPath
- type ActionPathSummary
- type ActionPathSummaryOptions
- type ActionPathToControlFirst
- type ExposureGroup
- type GaitCoverage
- type GaitCoverageDetail
- type IdentityActionTarget
- type IdentityExposureSummary
- type OwnerlessExposure
- type RepoAggregate
- type Report
- type ScoredFinding
Constants
// Deterministic string labels carried on ActionPath / ActionPathSummary
// records. Each group shares its prefix with a field of the same name
// (ActionPath.ControlState, .RiskZone, .ReviewBurden, .ConfidenceLane and
// ActionPathSummary.EmptyStateStatus); the code that assigns them is not
// shown on this page, so the pairing is presumed from the names.
//
// Several identifiers do not spell the wire value they hold (for example
// ControlStateApprovalNeeded is "approval_required"). Compare against the
// constant, never against a re-typed literal.
const (
	// ControlState* -- presumably the vocabulary for ActionPath.ControlState.
	ControlStateSafeByDefault  = "safe_by_default"
	ControlStateApprovalNeeded = "approval_required"
	ControlStateBlockRecommend = "block_recommended"
	ControlStateEvidenceNeeded = "evidence_required"
	ControlStateInventoryOnly  = "inventory_only"

	// RiskZone* -- presumably the vocabulary for ActionPath.RiskZone.
	RiskZoneCodingHelp = "coding_help"
	RiskZoneRepoWrite  = "repo_write"
	// gosec rule G101 matches on the identifier name ("Credential"); the
	// suppression is justified because the value is a fixed label, not a secret.
	RiskZoneCredential     = "credential_bearing" // #nosec G101 -- Deterministic risk-zone label, not credential material.
	RiskZoneCICD           = "ci_cd"
	RiskZoneIAC            = "iac"
	RiskZoneRelease        = "release"
	RiskZoneProductionData = "production_data"
	RiskZoneExternalEgress = "external_egress"

	// ReviewBurden* -- presumably the vocabulary for ActionPath.ReviewBurden.
	// The values coincide with RiskTier* ("critical", "high", "medium", "low")
	// but are separate constants for a separate field.
	ReviewBurdenLow      = "low"
	ReviewBurdenMedium   = "medium"
	ReviewBurdenHigh     = "high"
	ReviewBurdenCritical = "critical"

	// ConfidenceLane* -- presumably the vocabulary for ActionPath.ConfidenceLane.
	ConfidenceLaneConfirmedActionPath     = "confirmed_action_path"
	ConfidenceLaneLikelyActionPath        = "likely_action_path"
	ConfidenceLaneSemanticReviewCandidate = "semantic_review_candidate"
	ConfidenceLaneContextOnly             = "context_only"

	// EmptyState* -- presumably the vocabulary for
	// ActionPathSummary.EmptyStateStatus (see ActionPathSummaryOptions.ScanCoverageReduced).
	EmptyStateEligible        = "eligible"
	EmptyStateNotEligible     = "not_eligible"
	EmptyStateCoverageReduced = "coverage_reduced"
)
// GaitStatus* are the status labels for GAIT coverage. They are most likely
// the vocabulary of GaitCoverageDetail, whose definition is not shown on this
// page -- confirm against that type. "stale" and "conflict" are also spelled
// by PolicyCoverageStatusStale / PolicyCoverageStatusConflict; those are
// distinct constants for a distinct field.
const (
	GaitStatusPresent       = "present"
	GaitStatusMissing       = "missing"
	GaitStatusStale         = "stale"
	GaitStatusConflict      = "conflict"
	GaitStatusNotApplicable = "not_applicable"
)
// Labels for the three ActionPath classification fields that share their
// prefix: InventoryRisk, ControlPriority and RiskTier. The assignment logic
// is elsewhere in the package; the pairing is presumed from the names.
const (
	// InventoryRisk* -- presumably the vocabulary for ActionPath.InventoryRisk.
	InventoryRiskProductionBacked = "production_backed"
	InventoryRiskWriteCapable     = "write_capable"
	// gosec rule G101 matches on the identifier name ("Credential"); the
	// suppression is justified because the value is a fixed label, not a secret.
	InventoryRiskCredentialAccess = "credential_access" // #nosec G101 -- deterministic enum label, not credential material.
	InventoryRiskVisibilityOnly   = "visibility_only"
	InventoryRiskDependencyOnly   = "dependency_only"

	// ControlPriority* -- presumably the vocabulary for ActionPath.ControlPriority.
	ControlPriorityControlFirst     = "control_first"
	ControlPriorityReviewQueue      = "review_queue"
	ControlPriorityInventoryHygiene = "inventory_hygiene"

	// RiskTier* -- presumably the vocabulary for ActionPath.RiskTier. Same
	// spellings as ReviewBurden*, but a separate field and separate constants.
	RiskTierCritical = "critical"
	RiskTierHigh     = "high"
	RiskTierMedium   = "medium"
	RiskTierLow      = "low"
)
// PolicyCoverageStatus* -- presumably the vocabulary for
// ActionPath.PolicyCoverageStatus, which DecoratePolicyCoverage appears to
// populate from []model.Finding (its body is not shown here). The ordering
// none -> declared -> matched -> runtime_proven reads as increasing
// assurance, but nothing on this page ranks the values; treat them as
// opaque labels unless the assigning code says otherwise.
const (
	PolicyCoverageStatusNone          = "none"
	PolicyCoverageStatusDeclared      = "declared"
	PolicyCoverageStatusMatched       = "matched"
	PolicyCoverageStatusRuntimeProven = "runtime_proven"
	PolicyCoverageStatusStale         = "stale"
	PolicyCoverageStatusConflict      = "conflict"
)
Variables
This section is empty.
Functions
func ApplyGovernFirstProfile ¶ added in v1.1.0
func ApplyGovernFirstProfile(profileName string, paths []ActionPath) ([]ActionPath, *ActionPathToControlFirst)
func BuildActionPaths ¶ added in v1.0.11
func BuildActionPaths(attackPaths []riskattack.ScoredPath, inventory *agginventory.Inventory) ([]ActionPath, *ActionPathToControlFirst)
func BuildControlPathGraph ¶ added in v1.3.0
func BuildControlPathGraph(paths []ActionPath) *aggattack.ControlPathGraph
func BuildIdentityActionTargets ¶ added in v1.1.0
func BuildIdentityActionTargets(paths []ActionPath) (*IdentityActionTarget, *IdentityActionTarget)
func RemediationForActionPath ¶ added in v1.4.0
func RemediationForActionPath(path ActionPath) string
Types
type ActionLineage ¶ added in v1.5.0
// ActionLineage is the optional lineage attached to an ActionPath
// (ActionPath.ActionLineage). DecorateActionLineage presumably fills it from
// an *aggattack.ControlPathGraph, and CloneActionLineage deep-copies it.
type ActionLineage struct {
	// Segments is emitted as "segments" and dropped entirely when empty, so a
	// consumer cannot distinguish "no lineage" from "lineage with no segments".
	Segments []ActionLineageSegment `json:"segments,omitempty"`
}
func CloneActionLineage ¶ added in v1.5.0
func CloneActionLineage(in *ActionLineage) *ActionLineage
type ActionLineageSegment ¶ added in v1.5.0
// ActionLineageSegment is one element of ActionLineage.Segments. SegmentID
// and Kind are always emitted; every other field is omitted when empty.
type ActionLineageSegment struct {
	SegmentID string `json:"segment_id"`
	// Kind is a free-form string here; no constant set for it is shown on this page.
	Kind   string `json:"kind"`
	Label  string `json:"label,omitempty"`
	Status string `json:"status,omitempty"`
	// NodeIDs / EdgeIDs presumably reference identifiers in the
	// aggattack.ControlPathGraph that DecorateActionLineage receives -- confirm
	// against that type before relying on the join.
	NodeIDs      []string `json:"node_ids,omitempty"`
	EdgeIDs      []string `json:"edge_ids,omitempty"`
	EvidenceRefs []string `json:"evidence_refs,omitempty"`
}
type ActionPath ¶ added in v1.0.11
// ActionPath is one entry of Report.ActionPaths. BuildActionPaths creates
// the slice from []riskattack.ScoredPath plus an *agginventory.Inventory; the
// package's Decorate*, LinkAttackPaths, ApplyGovernFirstProfile and Project*
// functions then take []ActionPath (or a single ActionPath) and return the
// same shape. Which function sets which field is not visible on this page;
// the per-field notes below name the likely producer where the signature
// suggests one.
//
// Serialisation facts that follow from the struct tags alone:
//   - PathID, Org, Repo, ToolType, WriteCapable, ProductionWrite, ApprovalGap,
//     CredentialAccess, AttackPathScore, RiskScore and RecommendedAction are
//     always emitted, so a consumer sees an explicit false / 0 / "".
//   - PullRequestWrite, MergeExecute, DeployWrite and StandingPrivilege carry
//     omitempty; a false value is dropped and is indistinguishable from
//     "not assessed". Readers must not treat absence as a negative finding.
//   - OwnershipConfidence carries omitempty; a confidence of exactly 0 is dropped.
//   - OwnershipEvidence is emitted under "ownership_evidence_basis", not
//     "ownership_evidence"; renaming either side is a wire-format change.
type ActionPath struct {
	// Identity of the path and of the tool it describes.
	PathID         string `json:"path_id"`
	Org            string `json:"org"`
	Repo           string `json:"repo"`
	AgentID        string `json:"agent_id,omitempty"`
	ToolFamilyID   string `json:"tool_family_id,omitempty"`
	ToolInstanceID string `json:"tool_instance_id,omitempty"`
	ToolType       string `json:"tool_type"`
	Location       string `json:"location,omitempty"`
	LocationRange  *model.LocationRange `json:"location_range,omitempty"`

	// Purpose / version / config provenance. Each value is paired with a
	// *Source field naming where it came from; PurposeConfidence is a string
	// label, not a number.
	Purpose           string `json:"purpose,omitempty"`
	PurposeSource     string `json:"purpose_source,omitempty"`
	PurposeConfidence string `json:"purpose_confidence,omitempty"`
	Version           string `json:"version,omitempty"`
	VersionSource     string `json:"version_source,omitempty"`
	ConfigFingerprint string `json:"config_fingerprint,omitempty"`
	ConfigSource      string `json:"config_source,omitempty"`

	// WriteCapable is always emitted (no omitempty), unlike the finer-grained
	// write flags further down.
	WriteCapable bool `json:"write_capable"`

	// Ownership. OwnershipConfidence is omitted when exactly 0, and
	// OwnershipEvidence is emitted as "ownership_evidence_basis".
	OperationalOwner    string   `json:"operational_owner,omitempty"`
	OwnerSource         string   `json:"owner_source,omitempty"`
	OwnershipStatus     string   `json:"ownership_status,omitempty"`
	OwnershipState      string   `json:"ownership_state,omitempty"`
	OwnershipConfidence float64  `json:"ownership_confidence,omitempty"`
	OwnershipEvidence   []string `json:"ownership_evidence_basis,omitempty"`
	OwnershipConflicts  []string `json:"ownership_conflicts,omitempty"`

	// Classification of what the path can do. The *Reasons slices are
	// free-form rationale strings; no constant set for them is shown here.
	ApprovalGapReasons       []string                               `json:"approval_gap_reasons,omitempty"`
	WritePathClasses         []string                               `json:"write_path_classes,omitempty"`
	ActionClasses            []string                               `json:"action_classes,omitempty"`
	ActionReasons            []string                               `json:"action_reasons,omitempty"`
	MutableEndpointSemantics []agginventory.MutableEndpointSemantic `json:"mutable_endpoint_semantics,omitempty"`

	// Write-class flags. These three carry omitempty, so false is not
	// serialised; contrast WriteCapable / ProductionWrite above and below.
	PullRequestWrite bool `json:"pull_request_write,omitempty"`
	MergeExecute     bool `json:"merge_execute,omitempty"`
	DeployWrite      bool `json:"deploy_write,omitempty"`

	DeliveryChainStatus    string `json:"delivery_chain_status,omitempty"`
	ProductionTargetStatus string `json:"production_target_status,omitempty"`
	// ProductionWrite and ApprovalGap are always emitted.
	ProductionWrite          bool   `json:"production_write"`
	ApprovalGap              bool   `json:"approval_gap"`
	SecurityVisibilityStatus string `json:"security_visibility_status,omitempty"`

	// Credential exposure. CredentialAccess is always emitted. The three
	// agginventory values below are written into the report JSON.
	// NOTE(review): confirm those types carry provenance metadata only and
	// never secret values, since the report is the artefact that leaves the
	// scanner.
	CredentialAccess     bool                                `json:"credential_access"`
	Credentials          []*agginventory.CredentialProvenance `json:"credentials,omitempty"`
	CredentialProvenance *agginventory.CredentialProvenance   `json:"credential_provenance,omitempty"`
	CredentialAuthority  *agginventory.CredentialAuthority    `json:"credential_authority,omitempty"`
	PathContext          *agginventory.PathContext            `json:"path_context,omitempty"`
	TrustDepth           *agginventory.TrustDepth             `json:"trust_depth,omitempty"`

	DeploymentStatus     string `json:"deployment_status,omitempty"`
	WorkflowTriggerClass string `json:"workflow_trigger_class,omitempty"`

	// Execution identity (the non-human principal the path runs as).
	// ExecposureGroup and IdentityActionTarget repeat the first three of these.
	ExecutionIdentity          string `json:"execution_identity,omitempty"`
	ExecutionIdentityType      string `json:"execution_identity_type,omitempty"`
	ExecutionIdentitySource    string `json:"execution_identity_source,omitempty"`
	ExecutionIdentityStatus    string `json:"execution_identity_status,omitempty"`
	ExecutionIdentityRationale string `json:"execution_identity_rationale,omitempty"`
	BusinessStateSurface       string `json:"business_state_surface,omitempty"`

	// StandingPrivilege carries omitempty (false dropped); its Reasons
	// slice is the rationale.
	StandingPrivilege        bool     `json:"standing_privilege,omitempty"`
	StandingPrivilegeReasons []string `json:"standing_privilege_reasons,omitempty"`

	// Labelled assessments; each pairs a label (presumably drawn from the
	// ControlState* / RiskZone* / ReviewBurden* / ConfidenceLane* constants)
	// with a free-form Reasons slice.
	ControlState          string   `json:"control_state,omitempty"`
	ControlStateReasons   []string `json:"control_state_reasons,omitempty"`
	RiskZone              string   `json:"risk_zone,omitempty"`
	RiskZoneReasons       []string `json:"risk_zone_reasons,omitempty"`
	ReviewBurden          string   `json:"review_burden,omitempty"`
	ReviewBurdenReasons   []string `json:"review_burden_reasons,omitempty"`
	ConfidenceLane        string   `json:"confidence_lane,omitempty"`
	ConfidenceLaneReasons []string `json:"confidence_lane_reasons,omitempty"`

	// Policy coverage -- presumably set by DecoratePolicyCoverage from
	// []model.Finding; PolicyCoverageStatus is expected to hold a
	// PolicyCoverageStatus* value.
	PolicyCoverageStatus string   `json:"policy_coverage_status,omitempty"`
	PolicyRefs           []string `json:"policy_refs,omitempty"`
	PolicyMissingReasons []string `json:"policy_missing_reasons,omitempty"`
	PolicyStatusReasons  []string `json:"policy_status_reasons,omitempty"`
	PolicyConfidence     string   `json:"policy_confidence,omitempty"`
	PolicyEvidenceRefs   []string `json:"policy_evidence_refs,omitempty"`

	// GaitCoverage is a pointer; CloneGaitCoverage / MergeGaitCoverage
	// operate on it. IntroducedBy is presumably set by DecorateIntroducedBy
	// from the repoContexts map it receives.
	GaitCoverage *GaitCoverage      `json:"gait_coverage,omitempty"`
	IntroducedBy *attribution.Result `json:"introduced_by,omitempty"`

	// Prioritisation labels (presumably InventoryRisk* / ControlPriority* /
	// RiskTier* constants).
	InventoryRisk   string `json:"inventory_risk,omitempty"`
	ControlPriority string `json:"control_priority,omitempty"`
	RiskTier        string `json:"risk_tier,omitempty"`

	// Scores and the recommendation are always emitted, so 0 and "" are
	// visible to consumers. RemediationForActionPath(path) returns a string
	// derived from a path; whether it is what RecommendedAction holds is not
	// shown here.
	AttackPathScore   float64 `json:"attack_path_score"`
	RiskScore         float64 `json:"risk_score"`
	RecommendedAction string  `json:"recommended_action"`

	// Cross-references. AttackPathRefs is presumably filled by LinkAttackPaths
	// from []riskattack.ScoredPath; SourceFindingKeys presumably matches
	// ScoredFinding.CanonicalKey -- confirm before joining on it.
	AttackPathRefs           []string                               `json:"attack_path_refs,omitempty"`
	SourceFindingKeys        []string                               `json:"source_finding_keys,omitempty"`
	MatchedProductionTargets []string                               `json:"matched_production_targets,omitempty"`
	GovernanceControls       []agginventory.GovernanceControlMapping `json:"governance_controls,omitempty"`
	ActionLineage            *ActionLineage                         `json:"action_lineage,omitempty"`
}
func DecorateActionLineage ¶ added in v1.5.0
func DecorateActionLineage(paths []ActionPath, graph *aggattack.ControlPathGraph) []ActionPath
func DecorateActionPaths ¶ added in v1.1.0
func DecorateActionPaths(paths []ActionPath) []ActionPath
func DecorateIntroducedBy ¶ added in v1.3.0
func DecorateIntroducedBy(paths []ActionPath, repoContexts map[string]attribution.Context) []ActionPath
func DecoratePolicyCoverage ¶ added in v1.3.0
func DecoratePolicyCoverage(paths []ActionPath, findings []model.Finding) []ActionPath
func LinkAttackPaths ¶ added in v1.4.0
func LinkAttackPaths(paths []ActionPath, attackPaths []riskattack.ScoredPath) []ActionPath
func ProjectActionPath ¶ added in v1.5.0
func ProjectActionPath(path ActionPath) ActionPath
func ProjectActionPaths ¶ added in v1.5.0
func ProjectActionPaths(paths []ActionPath) []ActionPath
func ProjectBuyerFacingActionPath ¶ added in v1.4.0
func ProjectBuyerFacingActionPath(path ActionPath) ActionPath
type ActionPathSummary ¶ added in v1.0.11
// ActionPathSummary is the roll-up returned by SummarizeActionPaths and
// embedded in ActionPathToControlFirst.Summary. All counters are plain ints
// without omitempty, so every count is emitted even when 0; only the two
// EmptyState* fields are optional. How each counter is derived from the
// ActionPath fields is not shown on this page; the field names suggest the
// mapping (for example WriteCapablePaths <-> ActionPath.WriteCapable), but
// confirm against SummarizeActionPaths before relying on it.
type ActionPathSummary struct {
	TotalPaths                   int `json:"total_paths"`
	WriteCapablePaths            int `json:"write_capable_paths"`
	CredentialAccessPaths        int `json:"credential_access_paths"`
	StandingPrivilegePaths       int `json:"standing_privilege_paths"`
	ProductionTargetBackedPaths  int `json:"production_target_backed_paths"`
	ControlFirstPaths            int `json:"control_first_paths"`
	GovernFirstPaths             int `json:"govern_first_paths"`
	MissingApprovalPaths         int `json:"missing_approval_paths"`
	MissingPolicyPaths           int `json:"missing_policy_paths"`
	MissingProofPaths            int `json:"missing_proof_paths"`
	UnresolvedOwnerPaths         int `json:"unresolved_owner_paths"`
	HighReviewBurdenPaths        int `json:"high_review_burden_paths"`
	// The four lane counters line up by name with the ConfidenceLane* constants.
	ConfirmedActionPaths         int `json:"confirmed_action_paths"`
	LikelyActionPaths            int `json:"likely_action_paths"`
	SemanticReviewCandidatePaths int `json:"semantic_review_candidate_paths"`
	ContextOnlyPaths             int `json:"context_only_paths"`
	// EmptyStateStatus presumably holds an EmptyState* value; both fields are
	// omitted when empty. ActionPathSummaryOptions.ScanCoverageReduced is the
	// only input on this page that could drive EmptyStateCoverageReduced.
	EmptyStateStatus  string   `json:"empty_state_status,omitempty"`
	EmptyStateReasons []string `json:"empty_state_reasons,omitempty"`
}
func SummarizeActionPaths ¶ added in v1.5.0
func SummarizeActionPaths(paths []ActionPath, opts ActionPathSummaryOptions) ActionPathSummary
type ActionPathSummaryOptions ¶ added in v1.5.0
// ActionPathSummaryOptions tunes SummarizeActionPaths. It has no JSON tags
// and is not part of the report output; the zero value is a valid argument.
type ActionPathSummaryOptions struct {
	// ScanCoverageReduced signals that the scan did not cover everything.
	// Presumably this feeds ActionPathSummary.EmptyStateStatus
	// (EmptyStateCoverageReduced) -- confirm in SummarizeActionPaths.
	ScanCoverageReduced bool
}
type ActionPathToControlFirst ¶ added in v1.0.11
// ActionPathToControlFirst pairs one chosen ActionPath with the summary it
// was chosen from. It is produced by BuildActionPathChoice and returned as
// the second value of BuildActionPaths and ApplyGovernFirstProfile, and is
// carried on Report.ActionPathToControlFirst. Both fields lack omitempty, so
// a zero-valued Path is serialised in full rather than dropped; callers that
// want "no choice" must use a nil *ActionPathToControlFirst instead.
type ActionPathToControlFirst struct {
	Summary ActionPathSummary `json:"summary"`
	Path    ActionPath        `json:"path"`
}
func BuildActionPathChoice ¶ added in v1.5.0
func BuildActionPathChoice(paths []ActionPath) *ActionPathToControlFirst
type ExposureGroup ¶ added in v1.1.0
// ExposureGroup is one element of the slice returned by BuildExposureGroups.
// The grouping key is not shown on this page; the fields present (Org,
// execution identity, delivery chain, trigger class, business surface)
// suggest the group is keyed on some of them -- confirm in BuildExposureGroups.
//
// Repos, ToolTypes and PathIDs have no omitempty. encoding/json writes a nil
// slice as null and an empty non-nil slice as [], so consumers must accept
// both spellings for "no entries".
type ExposureGroup struct {
	GroupID   string   `json:"group_id"`
	Org       string   `json:"org"`
	Repos     []string `json:"repos"`
	ToolTypes []string `json:"tool_types"`

	// Execution-identity fields mirror the same-named ActionPath fields.
	ExecutionIdentity       string `json:"execution_identity,omitempty"`
	ExecutionIdentityType   string `json:"execution_identity_type,omitempty"`
	ExecutionIdentityStatus string `json:"execution_identity_status,omitempty"`
	DeliveryChainStatus     string `json:"delivery_chain_status,omitempty"`
	WorkflowTriggerClass    string `json:"workflow_trigger_class,omitempty"`
	BusinessStateSurface    string `json:"business_state_surface,omitempty"`

	// RecommendedAction and StandingPrivilege are always emitted here, unlike
	// ActionPath.StandingPrivilege which carries omitempty.
	RecommendedAction string `json:"recommended_action"`
	StandingPrivilege bool   `json:"standing_privilege"`

	// Counters are always emitted. PathIDs presumably lists the
	// ActionPath.PathID values that make up PathCount.
	PathCount                int      `json:"path_count"`
	WriteCapablePathCount    int      `json:"write_capable_path_count"`
	ProductionWritePathCount int      `json:"production_write_path_count"`
	PathIDs                  []string `json:"path_ids"`

	// One representative location for display; both optional.
	ExampleRepo     string `json:"example_repo,omitempty"`
	ExampleLocation string `json:"example_location,omitempty"`
}
func BuildExposureGroups ¶ added in v1.1.0
func BuildExposureGroups(paths []ActionPath) []ExposureGroup
type GaitCoverage ¶ added in v1.4.0
// GaitCoverage records, per control point, whether a GAIT control covers an
// ActionPath (ActionPath.GaitCoverage). Every field is a GaitCoverageDetail
// value (not a pointer) without omitempty, so all seven objects are always
// serialised. GaitCoverageDetail's definition is not shown on this page;
// the GaitStatus* constants are presumably its status vocabulary.
// CloneGaitCoverage copies a value and MergeGaitCoverage combines
// (current, incoming) -- the merge precedence is defined there, not here.
type GaitCoverage struct {
	PolicyDecision    GaitCoverageDetail `json:"policy_decision"`
	Approval          GaitCoverageDetail `json:"approval"`
	JITCredential     GaitCoverageDetail `json:"jit_credential"`
	FreezeWindow      GaitCoverageDetail `json:"freeze_window"`
	KillSwitch        GaitCoverageDetail `json:"kill_switch"`
	ActionOutcome     GaitCoverageDetail `json:"action_outcome"`
	ProofVerification GaitCoverageDetail `json:"proof_verification"`
}
func CloneGaitCoverage ¶ added in v1.4.0
func CloneGaitCoverage(in *GaitCoverage) *GaitCoverage
func MergeGaitCoverage ¶ added in v1.4.0
func MergeGaitCoverage(current, incoming *GaitCoverage) *GaitCoverage
type GaitCoverageDetail ¶ added in v1.4.0
type IdentityActionTarget ¶ added in v1.1.0
// IdentityActionTarget aggregates the ActionPaths that run under one
// execution identity. BuildIdentityActionTargets returns two of them (as
// pointers, so either may be nil); what distinguishes the two return values
// is not shown on this page.
//
// The three ExecutionIdentity* fields mirror the same-named ActionPath
// fields. All counters and StandingPrivilege are always emitted; Rationale
// is dropped when empty.
type IdentityActionTarget struct {
	ExecutionIdentity       string `json:"execution_identity,omitempty"`
	ExecutionIdentityType   string `json:"execution_identity_type,omitempty"`
	ExecutionIdentitySource string `json:"execution_identity_source,omitempty"`

	RepoCount                    int `json:"repo_count"`
	PathCount                    int `json:"path_count"`
	WriteCapablePathCount        int `json:"write_capable_path_count"`
	// "HighImpact" and "UnknownToSecurity" have no matching ActionPath field
	// name; the criteria live in BuildIdentityActionTargets.
	HighImpactPathCount          int `json:"high_impact_path_count"`
	UnknownToSecurityPathCount   int `json:"unknown_to_security_path_count"`
	UnresolvedOwnershipPathCount int `json:"unresolved_ownership_path_count"`

	StandingPrivilege bool     `json:"standing_privilege"`
	Rationale         []string `json:"rationale,omitempty"`
}
type IdentityExposureSummary ¶ added in v1.1.0
// IdentityExposureSummary counts non-human identities across a set of
// ActionPaths; BuildIdentityExposureSummary builds it from the paths plus an
// *agginventory.Inventory. All five counters are always emitted.
type IdentityExposureSummary struct {
	TotalNonHumanIdentitiesObserved      int `json:"total_non_human_identities_observed"`
	IdentitiesBackingWriteCapablePaths   int `json:"identities_backing_write_capable_paths"`
	IdentitiesBackingDeployCapablePaths  int `json:"identities_backing_deploy_capable_paths"`
	IdentitiesWithUnresolvedOwnership    int `json:"identities_with_unresolved_ownership"`
	// The Go name says "ExecutionLinked" but the wire name is
	// "..._execution_correlation". Renaming either side changes the JSON
	// contract, so keep the pair as-is and document it where consumed.
	IdentitiesWithUnknownExecutionLinked int `json:"identities_with_unknown_execution_correlation"`
}
func BuildIdentityExposureSummary ¶ added in v1.1.0
func BuildIdentityExposureSummary(paths []ActionPath, inventory *agginventory.Inventory) *IdentityExposureSummary
type OwnerlessExposure ¶ added in v1.1.0
// OwnerlessExposure buckets ActionPaths by how their owner was resolved;
// BuildOwnerlessExposure builds it from []ActionPath. The four buckets are
// always emitted. They presumably partition on ActionPath.OwnershipStatus /
// OwnershipState (explicit, inferred, unresolved, conflict) -- the exact
// values that map to each bucket are not shown here.
type OwnerlessExposure struct {
	ExplicitOwnerPaths   int `json:"explicit_owner_paths"`
	InferredOwnerPaths   int `json:"inferred_owner_paths"`
	UnresolvedOwnerPaths int `json:"unresolved_owner_paths"`
	ConflictOwnerPaths   int `json:"conflict_owner_paths"`
}
func BuildOwnerlessExposure ¶ added in v1.1.0
func BuildOwnerlessExposure(paths []ActionPath) *OwnerlessExposure
type RepoAggregate ¶
type Report ¶
// Report is the top-level risk report that this package serialises.
//
// Wire names differ from several Go field names (TopN -> "top_findings",
// Ranked -> "ranked_findings", Repos -> "repo_risk"); treat the tags, not the
// identifiers, as the contract. Those three slices have no omitempty, so a
// nil slice is written as null and an empty one as [] -- consumers must
// accept both. The attack-path and action-path sections are optional.
type Report struct {
	// GeneratedAt is a string, not time.Time; the format is chosen by the
	// producer and is not visible on this page.
	GeneratedAt string          `json:"generated_at"`
	TopN        []ScoredFinding `json:"top_findings"`
	Ranked      []ScoredFinding `json:"ranked_findings"`
	// RepoAggregate's definition is not shown on this page.
	Repos []RepoAggregate `json:"repo_risk"`

	AttackPaths    []riskattack.ScoredPath `json:"attack_paths,omitempty"`
	TopAttackPaths []riskattack.ScoredPath `json:"top_attack_paths,omitempty"`

	// ActionPaths is the output of BuildActionPaths and the Decorate*/Link*/
	// Project* pipeline; ActionPathToControlFirst is BuildActionPaths'
	// second return value (or BuildActionPathChoice's); ControlPathGraph is
	// BuildControlPathGraph's. Each may be absent.
	ActionPaths              []ActionPath                `json:"action_paths,omitempty"`
	ActionPathToControlFirst *ActionPathToControlFirst   `json:"action_path_to_control_first,omitempty"`
	ControlPathGraph         *aggattack.ControlPathGraph `json:"control_path_graph,omitempty"`
}
type ScoredFinding ¶
// ScoredFinding is one scored model.Finding as it appears in Report.TopN and
// Report.Ranked. Every field is always emitted (no omitempty), including
// Reasons (null when nil) and the complete embedded Finding -- whatever
// model.Finding serialises is therefore repeated per ScoredFinding in the
// report output.
//
// Wire names to note: Score -> "risk_score", Privilege -> "privilege_level".
// How Score relates to BlastRadius, Privilege and TrustDeficit is not
// shown on this page.
type ScoredFinding struct {
	// CanonicalKey presumably matches the entries of
	// ActionPath.SourceFindingKeys -- confirm before joining on it.
	CanonicalKey string `json:"canonical_key"`

	Score        float64 `json:"risk_score"`
	BlastRadius  float64 `json:"blast_radius"`
	Privilege    float64 `json:"privilege_level"`
	TrustDeficit float64 `json:"trust_deficit"`

	EndpointClass string `json:"endpoint_class"`
	DataClass     string `json:"data_class"`
	AutonomyLevel string `json:"autonomy_level"`

	Reasons []string      `json:"reasons"`
	Finding model.Finding `json:"finding"`
}