risk

package


Constants

// ActionPathType* are the labels an ActionPath.ActionPathType may carry.
// ValidActionPathType (see the function list) is the per-enum validator for
// these strings; presumably it accepts exactly this set — confirm against its body.
const (
	ActionPathTypeAIAssistedWorkflow    = "ai_assisted_workflow"
	ActionPathTypeAgentFramework        = "agent_framework"
	ActionPathTypeAutomationBot         = "automation_bot"
	ActionPathTypeCICDWorkflow          = "ci_cd_workflow"
	ActionPathTypeLegacyScript          = "legacy_script"
	ActionPathTypePlainSourceCode       = "plain_source_code"
	// Catch-all for paths whose type could not be established (the name suggests
	// this; confirm where it is assigned). Unknown means unclassified, not low risk.
	ActionPathTypeUnknownExecutablePath = "unknown_executable_path"
)
// Governance labels for an ActionPath: autonomy tier, delegation readiness,
// recommended control, action-contract readiness and governed-path names.
//
// Several literals are reused across these enums ("approval_required",
// "proof_required", "ready_for_control", "blocked_by_contradiction"), so a raw
// string value on its own does not identify which enum it came from. Compare
// per field and validate with the matching Valid* function
// (ValidAutonomyTier, ValidDelegationReadinessState, ValidRecommendedControl,
// ValidActionContractReadinessState) rather than with a shared string check.
const (
	// AutonomyTier* rank how much an action path may do without a human; 0 is
	// the least sensitive, 4 the most. JSON keys of AutonomyTierCounts use
	// these same literals.
	AutonomyTier0SafeMetadata                 = "tier_0_safe_metadata"
	AutonomyTier1LowRiskInternal              = "tier_1_low_risk_internal"
	AutonomyTier2AppCodeOwnerReview           = "tier_2_app_code_owner_review"
	AutonomyTier3SensitiveCodeOrInfra         = "tier_3_sensitive_code_or_infra"
	AutonomyTier4ProdPrivilegedCustomerImpact = "tier_4_prod_privileged_or_customer_impacting"
	// DelegationReadiness* describe whether a path may be handed to an agent
	// as-is or what is still owed (review, approval, proof) before that.
	DelegationReadinessSafeToDelegate         = "safe_to_delegate"
	DelegationReadinessReviewRequired         = "review_required"
	DelegationReadinessApprovalRequired       = "approval_required"
	DelegationReadinessProofRequired          = "proof_required"
	DelegationReadinessReadyForControl        = "ready_for_control"
	DelegationReadinessBlocked                = "blocked"
	DelegationReadinessBlockedByContradiction = "blocked_by_contradiction"
	// RecommendedControl* name the control the package suggests applying to a
	// path. Note that "approval_required" and "proof_required" are also
	// DelegationReadiness values.
	RecommendedControlAllow                   = "allow"
	RecommendedControlOwnerReview             = "owner_review"
	RecommendedControlSecurityReview          = "security_review"
	RecommendedControlApprovalRequired        = "approval_required"
	RecommendedControlJITCredentialRequired   = "jit_credential_required" // #nosec G101 -- deterministic control enum label, not credential material.
	RecommendedControlProofRequired           = "proof_required"
	RecommendedControlBlockStandingCredential = "block_standing_credential"
	RecommendedControlBlock                   = "block"
	// ActionContractReadiness* track how complete a RecommendedActionContract
	// is. "ready_for_control" and "blocked_by_contradiction" are shared with the
	// DelegationReadiness enum above.
	ActionContractReadinessDraft              = "draft"
	ActionContractReadinessNeedsOwner         = "needs_owner"
	ActionContractReadinessNeedsApproval      = "needs_approval_evidence"
	ActionContractReadinessReadyForReportOnly = "ready_for_report_only"
	ActionContractReadinessReadyForControl    = "ready_for_control"
	ActionContractReadinessBlockedContradict  = "blocked_by_contradiction"
	// GovernedPathLabel* match the ActionPath JSON field names today_path and
	// recommended_governed_path, which hold the two GovernedPathView values.
	GovernedPathLabelToday                    = "today_path"
	GovernedPathLabelRecommended              = "recommended_governed_path"
)
// Triage labels for an ActionPath: control state, risk zone, review burden,
// confidence lane and the summary's empty-state status.
const (
	// ControlState* summarise what the control posture calls for.
	// ControlStateApprovalNeeded reuses the literal "approval_required" that
	// the DelegationReadiness and RecommendedControl enums also use; compare
	// on ActionPath.ControlState, not on the bare string.
	ControlStateSafeByDefault  = "safe_by_default"
	ControlStateApprovalNeeded = "approval_required"
	ControlStateBlockRecommend = "block_recommended"
	ControlStateEvidenceNeeded = "evidence_required"
	ControlStateInventoryOnly  = "inventory_only"

	// RiskZone* name the surface a path can touch. RiskZoneCredential and
	// RiskZoneCICD are labels only; the scan does not attach secret material here.
	RiskZoneCodingHelp     = "coding_help"
	RiskZoneRepoWrite      = "repo_write"
	RiskZoneCredential     = "credential_bearing" // #nosec G101 -- Deterministic risk-zone label, not credential material.
	RiskZoneCICD           = "ci_cd"
	RiskZoneIAC            = "iac"
	RiskZoneRelease        = "release"
	RiskZoneProductionData = "production_data"
	RiskZoneExternalEgress = "external_egress"

	// ReviewBurden* share their literals with ClosureSeverity* and RiskTier*
	// (low/medium/high/critical) but are a separate axis.
	ReviewBurdenLow      = "low"
	ReviewBurdenMedium   = "medium"
	ReviewBurdenHigh     = "high"
	ReviewBurdenCritical = "critical"

	// ConfidenceLane* grade how sure the scan is that a finding is a real
	// action path; ConfidenceLaneContextOnly is the weakest lane.
	ConfidenceLaneConfirmedActionPath     = "confirmed_action_path"
	ConfidenceLaneLikelyActionPath        = "likely_action_path"
	ConfidenceLaneSemanticReviewCandidate = "semantic_review_candidate"
	ConfidenceLaneContextOnly             = "context_only"

	// EmptyState* are the values of ActionPathSummary.EmptyStateStatus.
	// EmptyStateCoverageReduced presumably follows from
	// ActionPathSummaryOptions.ScanCoverageReduced — confirm in SummarizeActionPaths.
	EmptyStateEligible        = "eligible"
	EmptyStateNotEligible     = "not_eligible"
	EmptyStateCoverageReduced = "coverage_reduced"
)
// Closure and evidence-completeness labels used by ClosureRequirement and
// EvidenceCompleteness.
const (
	// ClosureSeverity* are the expected values of ClosureRequirement.Severity
	// (the struct does not enforce this; confirm where requirements are built).
	ClosureSeverityCritical = "critical"
	ClosureSeverityHigh     = "high"
	ClosureSeverityMedium   = "medium"
	ClosureSeverityLow      = "low"

	// ClosureRequirement* are the expected values of
	// ClosureRequirement.RequirementType: the concrete thing an owner must do
	// (attach evidence, assign an owner, resolve a contradiction, ...) before
	// the path can be considered governed.
	ClosureRequirementAssignOwner               = "assign_owner"
	ClosureRequirementAttachApproval            = "attach_approval"
	ClosureRequirementAttachPolicyReference     = "attach_policy_reference"
	ClosureRequirementAttachProof               = "attach_proof"
	ClosureRequirementCollectRuntimeEvidence    = "collect_runtime_evidence"
	ClosureRequirementExpandScanCoverage        = "expand_scan_coverage"
	ClosureRequirementProvideProviderExport     = "provide_provider_export"
	ClosureRequirementProveDeploymentConstraint = "prove_deployment_constraint"
	ClosureRequirementProveJITCredential        = "prove_jit_credential" // #nosec G101 -- deterministic requirement label, not credential material.
	ClosureRequirementRefreshExpiredEvidence    = "refresh_expired_evidence"
	ClosureRequirementResolveContradiction      = "resolve_contradiction"
	ClosureRequirementAcceptInternalTooling     = "accept_declared_internal_tooling"
	ClosureRequirementDefendRiskClassification  = "defend_risk_classification"

	// CompletenessAxis* are the axes along which evidence is scored.
	CompletenessAxisDiscovery = "discovery"
	CompletenessAxisAuthority = "authority"
	CompletenessAxisBlast     = "blast_radius"
	CompletenessAxisControl   = "control"
	CompletenessAxisRuntime   = "runtime_evidence"
	CompletenessAxisProof     = "proof"

	// EvidenceCompleteness* grade the overall evidence picture.
	EvidenceCompletenessStrong       = "strong_evidence"
	EvidenceCompletenessPartial      = "partial_evidence"
	EvidenceCompletenessInsufficient = "insufficient_evidence"
)
// Control-resolution and evidence-state labels. ValidControlResolutionState
// and ValidEvidenceState (see the function list) are the per-enum validators.
const (
	// ControlResolutionState* record how a control claim was resolved.
	// Only DetectedControl is backed by something the scan itself found;
	// DeclaredControl and ExternalControlReference rest on statements the
	// scan could not verify, and ContradictoryControl means the sources
	// disagree. NoVisibleControl is absence of evidence, not evidence of absence.
	ControlResolutionStateDetectedControl          = "detected_control"
	ControlResolutionStateDeclaredControl          = "declared_control"
	ControlResolutionStateExternalControlReference = "external_control_reference"
	ControlResolutionStateNoVisibleControl         = "no_visible_control"
	ControlResolutionStateNotApplicable            = "not_applicable"
	ControlResolutionStateContradictoryControl     = "contradictory_control"

	// EvidenceState* are the values of the *EvidenceState fields on ActionPath
	// (approval, owner, proof, runtime, target, credential). Verified is the
	// only state that should satisfy a control requirement; Declared and
	// Inferred are unverified claims. "declared" is also a PolicyCoverageStatus
	// literal and "not_applicable" appears in two other enums, so match on the
	// field, not the string.
	EvidenceStateVerified      = "verified"
	EvidenceStateDeclared      = "declared"
	EvidenceStateInferred      = "inferred"
	EvidenceStateUnknown       = "unknown"
	EvidenceStateContradictory = "contradictory"
)
// Runtime-evidence labels: GaitCoverage status and the reason runtime
// evidence is absent. ValidRuntimeEvidenceAbsenceStatus validates the latter.
const (
	// GaitStatus* are the statuses GaitCoverageHasStatus looks for.
	// "stale" and "conflict" are also PolicyCoverageStatus literals.
	GaitStatusPresent       = "present"
	GaitStatusMissing       = "missing"
	GaitStatusStale         = "stale"
	GaitStatusConflict      = "conflict"
	GaitStatusNotApplicable = "not_applicable"

	// RuntimeEvidenceAbsence* are returned by RuntimeEvidenceAbsenceStatus.
	// NotCollected means nobody looked; MissingRequired and MissingForClaim
	// mean evidence was expected (by policy, or to back a control claim) and
	// is not there — those two are the ones that should block a control claim.
	RuntimeEvidenceAbsenceNotCollected    = "not_collected"
	RuntimeEvidenceAbsenceNotApplicable   = "not_applicable"
	RuntimeEvidenceAbsenceMissingRequired = "missing_required"
	RuntimeEvidenceAbsenceMissingForClaim = "missing_for_control_claim"
)
// Inventory-level labels: inventory risk, control priority and risk tier.
const (
	// InventoryRisk* classify why a path matters at inventory level.
	InventoryRiskProductionBacked = "production_backed"
	InventoryRiskWriteCapable     = "write_capable"
	InventoryRiskCredentialAccess = "credential_access" // #nosec G101 -- deterministic enum label, not credential material.
	InventoryRiskVisibilityOnly   = "visibility_only"
	InventoryRiskDependencyOnly   = "dependency_only"

	// ControlPriority* order follow-up work; ControlFirst is the bucket the
	// ActionPathToControlFirst choice is presumably drawn from — confirm in
	// BuildActionPathChoice.
	ControlPriorityControlFirst     = "control_first"
	ControlPriorityReviewQueue      = "review_queue"
	ControlPriorityInventoryHygiene = "inventory_hygiene"

	// RiskTier* share their literals with ReviewBurden* and ClosureSeverity*;
	// they are separate axes despite the identical strings.
	RiskTierCritical = "critical"
	RiskTierHigh     = "high"
	RiskTierMedium   = "medium"
	RiskTierLow      = "low"
)
// PolicyCoverageStatus* are the values of ActionPath.PolicyCoverageStatus,
// set by DecoratePolicyCoverage. Only RuntimeProven rests on observed
// behaviour; Declared and Matched are static claims, and Stale or Conflict
// mean the policy reference should not be relied on. "declared" is also an
// EvidenceState literal and "stale"/"conflict" are GaitStatus literals.
const (
	PolicyCoverageStatusNone          = "none"
	PolicyCoverageStatusDeclared      = "declared"
	PolicyCoverageStatusMatched       = "matched"
	PolicyCoverageStatusRuntimeProven = "runtime_proven"
	PolicyCoverageStatusStale         = "stale"
	PolicyCoverageStatusConflict      = "conflict"
)
// TargetClass* are the values of ActionPath.TargetClass; ValidTargetClass
// is the validator. They describe what a path ultimately affects, from
// production or customer data down to sandboxes.
const (
	TargetClassProductionImpacting   = "production_impacting"
	TargetClassReleaseAdjacent       = "release_adjacent"
	TargetClassCustomerDataAdjacent  = "customer_data_adjacent"
	TargetClassInternalTooling       = "internal_tooling"
	TargetClassDeveloperProductivity = "developer_productivity"
	TargetClassTestDemoSandbox       = "test_demo_sandbox"
	// Unclassified target; do not read it as low impact.
	TargetClassUnknown               = "unknown"
)
// High-stakes preset and production-context labels.
const (
	// HighStakesPreset* name the sensitive surfaces an ActionPath can be
	// flagged for (ActionPath.HighStakesPresets). A path may carry several.
	HighStakesPresetReleaseAutomation     = "release_automation"
	HighStakesPresetProductionPath        = "production_path"
	HighStakesPresetCredentialAutomation  = "credential_bearing_automation" // #nosec G101 -- Deterministic high-stakes preset label, not credential material.
	HighStakesPresetInfrastructureAsCode  = "infrastructure_as_code"
	HighStakesPresetIdentityAuthCode      = "identity_auth_code"
	HighStakesPresetPackagePublishing     = "package_publishing"
	HighStakesPresetPaymentFlow           = "payment_flow"
	HighStakesPresetRegulatedCustomerFlow = "regulated_customer_workflow"
	HighStakesPresetExternalEgress        = "external_egress"
	HighStakesPresetMCPToolConfig         = "mcp_tool_config"
	HighStakesPresetMutableEndpoint       = "mutable_endpoint"

	// ProductionContext* say how production context relates to a path:
	// Correlated means it was tied to the path itself; AppendixOnly means it
	// is reported alongside without a correlation (name suggests; confirm).
	ProductionContextCorrelated   = "correlated"
	ProductionContextAppendixOnly = "appendix_only"
)

Variables

This section is empty.

Functions

func ApplyGovernFirstProfile added in v1.1.0

func ApplyGovernFirstProfile(profileName string, paths []ActionPath) ([]ActionPath, *ActionPathToControlFirst)

func BuildActionPaths added in v1.0.11

func BuildActionPaths(attackPaths []riskattack.ScoredPath, inventory *agginventory.Inventory) ([]ActionPath, *ActionPathToControlFirst)

func BuildControlPathGraph added in v1.3.0

func BuildControlPathGraph(paths []ActionPath) *aggattack.ControlPathGraph

func BuildIdentityActionTargets added in v1.1.0

func BuildIdentityActionTargets(paths []ActionPath) (*IdentityActionTarget, *IdentityActionTarget)

func BuildWorkflowChains added in v1.6.0

func BuildWorkflowChains(paths []ActionPath, graph *aggattack.ControlPathGraph) *agentresolver.WorkflowChainArtifact

func BuyerActionContractReadinessLabel added in v1.6.0

func BuyerActionContractReadinessLabel(value string) string

func BuyerAutonomyTierLabel added in v1.6.0

func BuyerAutonomyTierLabel(tier string) string

func BuyerAutonomyTierShortLabel added in v1.6.0

func BuyerAutonomyTierShortLabel(tier string) string

func BuyerControlResolutionLabel added in v1.6.0

func BuyerControlResolutionLabel(state string) string

func BuyerDelegationReadinessLabel added in v1.6.0

func BuyerDelegationReadinessLabel(state string) string

func BuyerEvidenceCompletenessLabel added in v1.6.0

func BuyerEvidenceCompletenessLabel(completeness *EvidenceCompleteness) string

func BuyerEvidenceCompletenessSummaryLabel added in v1.6.0

func BuyerEvidenceCompletenessSummaryLabel(summary *EvidenceCompletenessSummary) string

func BuyerEvidenceStateLabel added in v1.6.0

func BuyerEvidenceStateLabel(kind, state string) string

func BuyerPublicEvidenceLabel added in v1.6.0

func BuyerPublicEvidenceLabel(label string) string

func BuyerRecommendedControlLabel added in v1.6.0

func BuyerRecommendedControlLabel(value string) string

func BuyerRuntimeEvidenceLabel added in v1.6.0

func BuyerRuntimeEvidenceLabel(state string, absenceStatus string, coverage *GaitCoverage) string

func ClosureCriteriaText added in v1.6.0

func ClosureCriteriaText(requirements []ClosureRequirement, fallback string) string

func GaitCoverageHasStatus added in v1.6.0

func GaitCoverageHasStatus(coverage *GaitCoverage, want string) bool

func IncrementAutonomyTierCounts added in v1.6.0

func IncrementAutonomyTierCounts(counts *AutonomyTierCounts, tier string)

func IncrementDelegationReadinessCounts added in v1.6.0

func IncrementDelegationReadinessCounts(counts *DelegationReadinessCounts, state string)

func IncrementRecommendedControlCounts added in v1.6.0

func IncrementRecommendedControlCounts(counts *RecommendedControlCounts, value string)

func RemediationForActionPath added in v1.4.0

func RemediationForActionPath(path ActionPath) string

func RuntimeEvidenceAbsenceStatus added in v1.6.0

func RuntimeEvidenceAbsenceStatus(path ActionPath) string

func ValidActionContractReadinessState added in v1.6.0

func ValidActionContractReadinessState(value string) bool

func ValidActionPathType added in v1.6.0

func ValidActionPathType(value string) bool

func ValidAutonomyTier added in v1.6.0

func ValidAutonomyTier(value string) bool

func ValidControlResolutionState added in v1.6.0

func ValidControlResolutionState(value string) bool

func ValidDelegationReadinessState added in v1.6.0

func ValidDelegationReadinessState(value string) bool

func ValidEvidenceState added in v1.6.0

func ValidEvidenceState(value string) bool

func ValidRecommendedControl added in v1.6.0

func ValidRecommendedControl(value string) bool

func ValidRuntimeEvidenceAbsenceStatus added in v1.6.0

func ValidRuntimeEvidenceAbsenceStatus(value string) bool

func ValidTargetClass added in v1.6.0

func ValidTargetClass(value string) bool

Types

type ActionLineage added in v1.5.0

// ActionLineage is the ordered trail of segments explaining how an action
// path was derived. An empty Segments slice is omitted from JSON.
// CloneActionLineage returns a copy, so callers mutating a lineage should
// clone first rather than alias the slice.
type ActionLineage struct {
	Segments []ActionLineageSegment `json:"segments,omitempty"`
}

func CloneActionLineage added in v1.5.0

func CloneActionLineage(in *ActionLineage) *ActionLineage

type ActionLineageSegment added in v1.5.0

// ActionLineageSegment is one hop in an ActionLineage. SegmentID and Kind are
// always emitted; the remaining fields are dropped from JSON when empty, so a
// consumer must treat a missing evidence_refs as "no evidence", not as an error.
type ActionLineageSegment struct {
	SegmentID    string   `json:"segment_id"`
	Kind         string   `json:"kind"`
	Label        string   `json:"label,omitempty"`
	Status       string   `json:"status,omitempty"`
	// NodeIDs and EdgeIDs reference a ControlPathGraph (see DecorateActionLineage).
	NodeIDs      []string `json:"node_ids,omitempty"`
	EdgeIDs      []string `json:"edge_ids,omitempty"`
	EvidenceRefs []string `json:"evidence_refs,omitempty"`
}

type ActionPath added in v1.0.11

// ActionPath is the package's central record: one executable path (workflow,
// agent, bot, script, ...) in a repo, with what it can reach, which identity
// it runs as, what evidence backs each claim and what control is recommended.
// It is built by BuildActionPaths and enriched by the Decorate* functions.
//
// JSON caveats a consumer should know:
//   - WriteCapable, ProductionWrite, ApprovalGap, CredentialAccess, the two
//     scores and RecommendedAction are always emitted.
//   - Every other bool and numeric field is omitempty, so a false/zero value
//     is simply absent; "not present" cannot be told apart from "evaluated false".
//   - String enum fields reuse literals across enums (see the const blocks);
//     interpret each value only in the context of its own field.
type ActionPath struct {
	// Identity of the path and the tool it belongs to.
	PathID                              string                                  `json:"path_id"`
	Org                                 string                                  `json:"org"`
	Repo                                string                                  `json:"repo"`
	AgentID                             string                                  `json:"agent_id,omitempty"`
	ToolFamilyID                        string                                  `json:"tool_family_id,omitempty"`
	ToolInstanceID                      string                                  `json:"tool_instance_id,omitempty"`
	ToolType                            string                                  `json:"tool_type"`
	Location                            string                                  `json:"location,omitempty"`
	LocationRange                       *model.LocationRange                    `json:"location_range,omitempty"`
	// Purpose, version and config are each paired with a *Source field that
	// says where the value came from; the value alone is not an assertion.
	Purpose                             string                                  `json:"purpose,omitempty"`
	PurposeSource                       string                                  `json:"purpose_source,omitempty"`
	PurposeConfidence                   string                                  `json:"purpose_confidence,omitempty"`
	Version                             string                                  `json:"version,omitempty"`
	VersionSource                       string                                  `json:"version_source,omitempty"`
	ConfigFingerprint                   string                                  `json:"config_fingerprint,omitempty"`
	ConfigSource                        string                                  `json:"config_source,omitempty"`
	WriteCapable                        bool                                    `json:"write_capable"`
	// Ownership. OwnershipConfidence is omitempty, so a confidence of 0 is
	// absent from the JSON rather than reported as 0.
	OperationalOwner                    string                                  `json:"operational_owner,omitempty"`
	OwnerSource                         string                                  `json:"owner_source,omitempty"`
	OwnershipStatus                     string                                  `json:"ownership_status,omitempty"`
	OwnershipState                      string                                  `json:"ownership_state,omitempty"`
	OwnershipConfidence                 float64                                 `json:"ownership_confidence,omitempty"`
	OwnershipEvidence                   []string                                `json:"ownership_evidence_basis,omitempty"`
	OwnershipConflicts                  []string                                `json:"ownership_conflicts,omitempty"`
	// Evidence policy outcomes and any contradictions between sources.
	EvidenceDecisions                   []evidencepolicy.Decision               `json:"evidence_decisions,omitempty"`
	Contradictions                      []evidencepolicy.Contradiction          `json:"contradictions,omitempty"`
	// Control resolution: ControlResolutionState takes the ControlResolutionState*
	// values; the Reasons/EvidenceRefs explain and back it.
	ControlResolutionState              string                                  `json:"control_resolution_state,omitempty"`
	BoundaryLabel                       string                                  `json:"boundary_label,omitempty"`
	ControlResolutionReasons            []string                                `json:"control_resolution_reasons,omitempty"`
	ControlEvidenceRefs                 []string                                `json:"control_evidence_refs,omitempty"`
	ConstraintEvidenceClasses           []string                                `json:"constraint_evidence_classes,omitempty"`
	ConstraintEvidenceRefs              []string                                `json:"constraint_evidence_refs,omitempty"`
	ConstraintEvidenceStatus            string                                  `json:"constraint_evidence_status,omitempty"`
	// Per-claim evidence states, each expected to hold an EvidenceState* value.
	// Only "verified" is scan-backed; treat the rest as unconfirmed claims.
	ApprovalEvidenceState               string                                  `json:"approval_evidence_state,omitempty"`
	OwnerEvidenceState                  string                                  `json:"owner_evidence_state,omitempty"`
	ProofEvidenceState                  string                                  `json:"proof_evidence_state,omitempty"`
	RuntimeEvidenceState                string                                  `json:"runtime_evidence_state,omitempty"`
	TargetEvidenceState                 string                                  `json:"target_evidence_state,omitempty"`
	CredentialEvidenceState             string                                  `json:"credential_evidence_state,omitempty"`
	// Classification: TargetClass* and ActionPathType* values with their reasons.
	TargetClass                         string                                  `json:"target_class,omitempty"`
	TargetClassReasons                  []string                                `json:"target_class_reasons,omitempty"`
	TargetClassEvidenceRefs             []string                                `json:"target_class_evidence_refs,omitempty"`
	ActionPathType                      string                                  `json:"action_path_type,omitempty"`
	ActionPathTypeReasons               []string                                `json:"action_path_type_reasons,omitempty"`
	ActionPathTypeEvidenceRefs          []string                                `json:"action_path_type_evidence_refs,omitempty"`
	ApprovalGapReasons                  []string                                `json:"approval_gap_reasons,omitempty"`
	// What the path can do. PullRequestWrite, MergeExecute and DeployWrite are
	// omitempty bools: false is absent from JSON, unlike ProductionWrite,
	// ApprovalGap and CredentialAccess which are always emitted.
	WritePathClasses                    []string                                `json:"write_path_classes,omitempty"`
	ActionClasses                       []string                                `json:"action_classes,omitempty"`
	ActionReasons                       []string                                `json:"action_reasons,omitempty"`
	MutableEndpointSemantics            []agginventory.MutableEndpointSemantic  `json:"mutable_endpoint_semantics,omitempty"`
	PullRequestWrite                    bool                                    `json:"pull_request_write,omitempty"`
	MergeExecute                        bool                                    `json:"merge_execute,omitempty"`
	DeployWrite                         bool                                    `json:"deploy_write,omitempty"`
	DeliveryChainStatus                 string                                  `json:"delivery_chain_status,omitempty"`
	ProductionTargetStatus              string                                  `json:"production_target_status,omitempty"`
	ProductionWrite                     bool                                    `json:"production_write"`
	ApprovalGap                         bool                                    `json:"approval_gap"`
	SecurityVisibilityStatus            string                                  `json:"security_visibility_status,omitempty"`
	// Credential and authority context. These describe where a credential
	// comes from and what it is bound to; they are provenance records, not
	// secret values (confirm against the agginventory types).
	CredentialAccess                    bool                                    `json:"credential_access"`
	Credentials                         []*agginventory.CredentialProvenance    `json:"credentials,omitempty"`
	CredentialProvenance                *agginventory.CredentialProvenance      `json:"credential_provenance,omitempty"`
	CredentialAuthority                 *agginventory.CredentialAuthority       `json:"credential_authority,omitempty"`
	AuthorityBindings                   []*agginventory.AuthorityBinding        `json:"authority_bindings,omitempty"`
	PathContext                         *agginventory.PathContext               `json:"path_context,omitempty"`
	TrustDepth                          *agginventory.TrustDepth                `json:"trust_depth,omitempty"`
	DeploymentStatus                    string                                  `json:"deployment_status,omitempty"`
	WorkflowTriggerClass                string                                  `json:"workflow_trigger_class,omitempty"`
	// Execution identity: who the path runs as. SharedExecutionIdentity and
	// StandingPrivilege are the facts that usually drive a block/JIT
	// recommendation; both are omitempty bools (false is absent in JSON).
	ExecutionIdentity                   string                                  `json:"execution_identity,omitempty"`
	ExecutionIdentityType               string                                  `json:"execution_identity_type,omitempty"`
	ExecutionIdentitySource             string                                  `json:"execution_identity_source,omitempty"`
	ExecutionIdentityStatus             string                                  `json:"execution_identity_status,omitempty"`
	ExecutionIdentityRationale          string                                  `json:"execution_identity_rationale,omitempty"`
	BusinessStateSurface                string                                  `json:"business_state_surface,omitempty"`
	SharedExecutionIdentity             bool                                    `json:"shared_execution_identity,omitempty"`
	StandingPrivilege                   bool                                    `json:"standing_privilege,omitempty"`
	StandingPrivilegeReasons            []string                                `json:"standing_privilege_reasons,omitempty"`
	// Triage labels (ControlState*, RiskZone*, ReviewBurden*, ConfidenceLane*),
	// each with its reasons.
	ControlState                        string                                  `json:"control_state,omitempty"`
	ControlStateReasons                 []string                                `json:"control_state_reasons,omitempty"`
	RiskZone                            string                                  `json:"risk_zone,omitempty"`
	RiskZoneReasons                     []string                                `json:"risk_zone_reasons,omitempty"`
	ReviewBurden                        string                                  `json:"review_burden,omitempty"`
	ReviewBurdenReasons                 []string                                `json:"review_burden_reasons,omitempty"`
	ConfidenceLane                      string                                  `json:"confidence_lane,omitempty"`
	ConfidenceLaneReasons               []string                                `json:"confidence_lane_reasons,omitempty"`
	// Policy coverage (PolicyCoverageStatus* values), set by DecoratePolicyCoverage.
	PolicyCoverageStatus                string                                  `json:"policy_coverage_status,omitempty"`
	PolicyRefs                          []string                                `json:"policy_refs,omitempty"`
	PolicyMissingReasons                []string                                `json:"policy_missing_reasons,omitempty"`
	PolicyStatusReasons                 []string                                `json:"policy_status_reasons,omitempty"`
	PolicyConfidence                    string                                  `json:"policy_confidence,omitempty"`
	PolicyEvidenceRefs                  []string                                `json:"policy_evidence_refs,omitempty"`
	// Runtime evidence coverage and change attribution (DecorateIntroducedBy).
	GaitCoverage                        *GaitCoverage                           `json:"gait_coverage,omitempty"`
	IntroducedBy                        *attribution.Result                     `json:"introduced_by,omitempty"`
	// Inventory-level labels: InventoryRisk*, ControlPriority*, RiskTier*.
	InventoryRisk                       string                                  `json:"inventory_risk,omitempty"`
	ControlPriority                     string                                  `json:"control_priority,omitempty"`
	RiskTier                            string                                  `json:"risk_tier,omitempty"`
	// Governance verdicts: AutonomyTier*, DelegationReadiness*, RecommendedControl*.
	AutonomyTier                        string                                  `json:"autonomy_tier,omitempty"`
	AutonomyTierReasons                 []string                                `json:"autonomy_tier_reasons,omitempty"`
	AutonomyTierEvidenceRefs            []string                                `json:"autonomy_tier_evidence_refs,omitempty"`
	DelegationReadinessState            string                                  `json:"delegation_readiness_state,omitempty"`
	DelegationReadinessReasons          []string                                `json:"delegation_readiness_reasons,omitempty"`
	RecommendedControl                  string                                  `json:"recommended_control,omitempty"`
	RecommendedControlReasons           []string                                `json:"recommended_control_reasons,omitempty"`
	RiskClassificationValidationReasons []string                                `json:"risk_classification_validation_reasons,omitempty"`
	RiskClassificationValidationRefs    []string                                `json:"risk_classification_validation_refs,omitempty"`
	RecommendedActionContract           *RecommendedActionContract              `json:"recommended_action_contract,omitempty"`
	// TodayPath / RecommendedGovernedPath: the current and the proposed governed
	// path; their JSON names are the GovernedPathLabel* constants.
	TodayPath                           *GovernedPathView                       `json:"today_path,omitempty"`
	RecommendedGovernedPath             *GovernedPathView                       `json:"recommended_governed_path,omitempty"`
	HighStakesPresets                   []HighStakesPreset                      `json:"high_stakes_presets,omitempty"`
	ProductionContext                   *ProductionContext                      `json:"production_context,omitempty"`
	// Evidence packet outcome (set by DecorateEvidenceContext, presumably — confirm).
	EvidencePacketStatus                string                                  `json:"evidence_packet_status,omitempty"`
	EvidencePacketResult                string                                  `json:"evidence_packet_result,omitempty"`
	EvidencePacketMissingEvidenceState  string                                  `json:"evidence_packet_missing_evidence_state,omitempty"`
	EvidencePacketRefs                  []string                                `json:"evidence_packet_refs,omitempty"`
	// Scores and cross-references. AttackPathScore/RiskScore are always emitted
	// (a 0 is a real 0). AttackPathRefs are filled by LinkAttackPaths,
	// WorkflowChainRefs by DecorateWorkflowChainRefs.
	AttackPathScore                     float64                                 `json:"attack_path_score"`
	RiskScore                           float64                                 `json:"risk_score"`
	RecommendedAction                   string                                  `json:"recommended_action"`
	AttackPathRefs                      []string                                `json:"attack_path_refs,omitempty"`
	SourceFindingKeys                   []string                                `json:"source_finding_keys,omitempty"`
	WorkflowChainRefs                   []string                                `json:"workflow_chain_refs,omitempty"`
	MatchedProductionTargets            []string                                `json:"matched_production_targets,omitempty"`
	GovernanceControls                  []agginventory.GovernanceControlMapping `json:"governance_controls,omitempty"`
	// What is still owed before the path is governed, and how complete the
	// evidence is. ActionLineage is attached by DecorateActionLineage.
	ClosureRequirements                 []ClosureRequirement                    `json:"closure_requirements,omitempty"`
	EvidenceCompleteness                *EvidenceCompleteness                   `json:"evidence_completeness,omitempty"`
	ActionLineage                       *ActionLineage                          `json:"action_lineage,omitempty"`
}

func DecorateActionLineage added in v1.5.0

func DecorateActionLineage(paths []ActionPath, graph *aggattack.ControlPathGraph) []ActionPath

func DecorateActionPaths added in v1.1.0

func DecorateActionPaths(paths []ActionPath) []ActionPath

func DecorateControlMetadata added in v1.6.0

func DecorateControlMetadata(paths []ActionPath, repoContexts map[string]attribution.Context) []ActionPath

func DecorateEvidenceContext added in v1.6.0

func DecorateEvidenceContext(paths []ActionPath, report *scanquality.Report) []ActionPath

func DecorateIntroducedBy added in v1.3.0

func DecorateIntroducedBy(paths []ActionPath, repoContexts map[string]attribution.Context) []ActionPath

func DecoratePolicyCoverage added in v1.3.0

func DecoratePolicyCoverage(paths []ActionPath, findings []model.Finding) []ActionPath

func DecorateWorkflowChainRefs added in v1.6.0

func DecorateWorkflowChainRefs(paths []ActionPath, artifact *agentresolver.WorkflowChainArtifact) []ActionPath

func LinkAttackPaths added in v1.4.0

func LinkAttackPaths(paths []ActionPath, attackPaths []riskattack.ScoredPath) []ActionPath

func ProjectActionPath added in v1.5.0

func ProjectActionPath(path ActionPath) ActionPath

func ProjectActionPaths added in v1.5.0

func ProjectActionPaths(paths []ActionPath) []ActionPath

func ProjectBuyerFacingActionPath added in v1.4.0

func ProjectBuyerFacingActionPath(path ActionPath) ActionPath

type ActionPathSummary added in v1.0.11

// ActionPathSummary aggregates counts over a slice of ActionPath values; it is
// produced by SummarizeActionPaths and embedded in ActionPathToControlFirst.
//
// The counters tagged omitempty (detected/declared/external/contradictory
// control paths and the four *EvidenceUnknownPaths) are dropped from JSON when
// zero, so a consumer must read an absent key as 0. The remaining counters are
// always present.
type ActionPathSummary struct {
	TotalPaths                   int                       `json:"total_paths"`
	WriteCapablePaths            int                       `json:"write_capable_paths"`
	CredentialAccessPaths        int                       `json:"credential_access_paths"`
	StandingPrivilegePaths       int                       `json:"standing_privilege_paths"`
	ProductionTargetBackedPaths  int                       `json:"production_target_backed_paths"`
	ControlFirstPaths            int                       `json:"control_first_paths"`
	GovernFirstPaths             int                       `json:"govern_first_paths"`
	// Breakdown by ControlResolutionState*; omitted from JSON when zero.
	DetectedControlPaths         int                       `json:"detected_control_paths,omitempty"`
	DeclaredControlPaths         int                       `json:"declared_control_paths,omitempty"`
	ExternalControlPaths         int                       `json:"external_control_reference_paths,omitempty"`
	ContradictoryControlPaths    int                       `json:"contradictory_control_paths,omitempty"`
	// Paths whose per-claim evidence state is unknown; omitted when zero.
	ControlEvidenceUnknownPaths  int                       `json:"control_evidence_unknown_paths,omitempty"`
	ApprovalEvidenceUnknownPaths int                       `json:"approval_evidence_unknown_paths,omitempty"`
	OwnerEvidenceUnknownPaths    int                       `json:"owner_evidence_unknown_paths,omitempty"`
	ProofEvidenceUnknownPaths    int                       `json:"proof_evidence_unknown_paths,omitempty"`
	// Gap counters: these are the numbers a control owner acts on.
	MissingApprovalPaths         int                       `json:"missing_approval_paths"`
	MissingPolicyPaths           int                       `json:"missing_policy_paths"`
	MissingProofPaths            int                       `json:"missing_proof_paths"`
	UnresolvedOwnerPaths         int                       `json:"unresolved_owner_paths"`
	HighReviewBurdenPaths        int                       `json:"high_review_burden_paths"`
	// Breakdown by ConfidenceLane*.
	ConfirmedActionPaths         int                       `json:"confirmed_action_paths"`
	LikelyActionPaths            int                       `json:"likely_action_paths"`
	SemanticReviewCandidatePaths int                       `json:"semantic_review_candidate_paths"`
	ContextOnlyPaths             int                       `json:"context_only_paths"`
	// Per-enum histograms, filled via the Increment*Counts helpers.
	AutonomyTiers                AutonomyTierCounts        `json:"autonomy_tiers"`
	DelegationReadiness          DelegationReadinessCounts `json:"delegation_readiness"`
	RecommendedControls          RecommendedControlCounts  `json:"recommended_controls"`
	// EmptyState* value and why; relevant when TotalPaths is 0 (confirm in
	// SummarizeActionPaths).
	EmptyStateStatus             string                    `json:"empty_state_status,omitempty"`
	EmptyStateReasons            []string                  `json:"empty_state_reasons,omitempty"`
}

func SummarizeActionPaths added in v1.5.0

func SummarizeActionPaths(paths []ActionPath, opts ActionPathSummaryOptions) ActionPathSummary

type ActionPathSummaryOptions added in v1.5.0

// ActionPathSummaryOptions tunes SummarizeActionPaths. ScanCoverageReduced
// tells the summary that the scan did not see everything, so an empty result
// must not be reported as a clean one (presumably surfaced as
// EmptyStateCoverageReduced — confirm in SummarizeActionPaths).
type ActionPathSummaryOptions struct {
	ScanCoverageReduced bool
}

type ActionPathToControlFirst added in v1.0.11

// ActionPathToControlFirst pairs the single ActionPath chosen by
// BuildActionPathChoice with an ActionPathSummary, presumably describing the set
// it was chosen from. Wire names are "summary" and "path"; neither is omitempty.
// BuildActionPathChoice returns a pointer, so callers should guard against nil
// before dereferencing.
type ActionPathToControlFirst struct {
	Summary ActionPathSummary `json:"summary"`
	Path    ActionPath        `json:"path"`
}

func BuildActionPathChoice added in v1.5.0

func BuildActionPathChoice(paths []ActionPath) *ActionPathToControlFirst

type AutonomyTierCounts added in v1.6.0

// AutonomyTierCounts holds per-tier counts of action paths; ActionPathSummary
// carries one under "autonomy_tiers". The JSON tag, not the Go field name, is
// the wire name — the tier 4 field is serialized as
// "tier_4_prod_privileged_or_customer_impacting", longer than the identifier
// suggests. No tag carries omitempty, so every tier is emitted even when zero.
type AutonomyTierCounts struct {
	Tier0SafeMetadata                 int `json:"tier_0_safe_metadata"`
	Tier1LowRiskInternal              int `json:"tier_1_low_risk_internal"`
	Tier2AppCodeOwnerReview           int `json:"tier_2_app_code_owner_review"`
	Tier3SensitiveCodeOrInfra         int `json:"tier_3_sensitive_code_or_infra"`
	Tier4ProdPrivilegedCustomerImpact int `json:"tier_4_prod_privileged_or_customer_impacting"`
}

type ClosureRequirement added in v1.6.0

// ClosureRequirement describes a single evidence requirement: what evidence is
// required, which source classes are acceptable for it, how fresh it must be,
// and the evidence state currently observed. Only "id", "severity",
// "requirement_type", "required_evidence" and "guidance" are always serialized;
// the remaining fields are omitempty. Several fields are slices, which alias
// their backing arrays on plain assignment — use CloneClosureRequirements when
// a consumer needs an independent copy it may mutate.
type ClosureRequirement struct {
	ID                      string   `json:"id"`
	Severity                string   `json:"severity"`
	RequirementType         string   `json:"requirement_type"`
	// CurrentEvidenceState and RequiredEvidence are both free-form strings here;
	// the vocabulary they share is not visible in this declaration.
	CurrentEvidenceState    string   `json:"current_evidence_state,omitempty"`
	RequiredEvidence        string   `json:"required_evidence"`
	AcceptableSourceClasses []string `json:"acceptable_source_classes,omitempty"`
	FreshnessRequirement    string   `json:"freshness_requirement,omitempty"`
	Examples                []string `json:"examples,omitempty"`
	ClosureRefs             []string `json:"closure_refs,omitempty"`
	ReasonCodes             []string `json:"reason_codes,omitempty"`
	Guidance                string   `json:"guidance"`
}

func CloneClosureRequirements added in v1.6.0

func CloneClosureRequirements(in []ClosureRequirement) []ClosureRequirement

type DelegationReadinessCounts added in v1.6.0

// DelegationReadinessCounts counts action paths per delegation-readiness state;
// ActionPathSummary carries one under "delegation_readiness". The wire name for
// BlockedByContradict is the full "blocked_by_contradiction" — the Go field
// name is abbreviated, the JSON key is not. No field is omitempty, so zero
// counts are emitted explicitly.
type DelegationReadinessCounts struct {
	SafeToDelegate      int `json:"safe_to_delegate"`
	ReviewRequired      int `json:"review_required"`
	ApprovalRequired    int `json:"approval_required"`
	ProofRequired       int `json:"proof_required"`
	ReadyForControl     int `json:"ready_for_control"`
	Blocked             int `json:"blocked"`
	BlockedByContradict int `json:"blocked_by_contradiction"`
}

type EvidenceCompleteness added in v1.6.0

// EvidenceCompleteness is an evidence completeness score: an overall TotalScore
// with a human-readable Label, broken down into AxisScores, plus the lists that
// explain it (gaps, unsupported surfaces, freshness and contradiction
// penalties, free-form reasons). EvidenceCompletenessSummary appears to
// aggregate these across paths. "axis_scores" has no omitempty, so a nil slice
// encodes as JSON null rather than []; the explanatory lists are omitted when
// empty. CloneEvidenceCompleteness exists because every slice field aliases
// its backing array on plain assignment.
type EvidenceCompleteness struct {
	TotalScore             int                             `json:"total_score"`
	Label                  string                          `json:"label"`
	AxisScores             []EvidenceCompletenessAxisScore `json:"axis_scores"`
	EvidenceGaps           []string                        `json:"evidence_gaps,omitempty"`
	UnsupportedSurfaces    []string                        `json:"unsupported_surfaces,omitempty"`
	FreshnessPenalties     []string                        `json:"freshness_penalties,omitempty"`
	ContradictionPenalties []string                        `json:"contradiction_penalties,omitempty"`
	Reasons                []string                        `json:"reasons,omitempty"`
}

func CloneEvidenceCompleteness added in v1.6.0

func CloneEvidenceCompleteness(in *EvidenceCompleteness) *EvidenceCompleteness

type EvidenceCompletenessAxisScore added in v1.6.0

// EvidenceCompletenessAxisScore is one axis of an evidence completeness score:
// the axis name, its integer score, and optional reasons. Only Reasons is
// omitempty, so a zero Score is still emitted. The score range and the set of
// axis names are not visible in this declaration.
type EvidenceCompletenessAxisScore struct {
	Axis    string   `json:"axis"`
	Score   int      `json:"score"`
	Reasons []string `json:"reasons,omitempty"`
}

type EvidenceCompletenessSummary added in v1.6.0

// EvidenceCompletenessSummary aggregates evidence completeness over a set of
// action paths; BuildEvidenceCompletenessSummary produces it from a
// []ActionPath. AverageTotalScore is an int, so any fractional average has
// already been rounded or truncated by the builder — check there for the rule
// before comparing against thresholds. LowEvidencePathCount,
// ReducedCoveragePathCount, AxisScores and Reasons are omitempty: a missing key
// means zero/empty, not unknown.
type EvidenceCompletenessSummary struct {
	PathCount                int                             `json:"path_count"`
	AverageTotalScore        int                             `json:"average_total_score"`
	Label                    string                          `json:"label"`
	LowEvidencePathCount     int                             `json:"low_evidence_path_count,omitempty"`
	ReducedCoveragePathCount int                             `json:"reduced_coverage_path_count,omitempty"`
	AxisScores               []EvidenceCompletenessAxisScore `json:"axis_scores,omitempty"`
	Reasons                  []string                        `json:"reasons,omitempty"`
}

func BuildEvidenceCompletenessSummary added in v1.6.0

func BuildEvidenceCompletenessSummary(paths []ActionPath) *EvidenceCompletenessSummary

func CloneEvidenceCompletenessSummary added in v1.6.0

func CloneEvidenceCompletenessSummary(in *EvidenceCompletenessSummary) *EvidenceCompletenessSummary

type ExposureGroup added in v1.1.0

// ExposureGroup is one group in the output of BuildExposureGroups: a set of
// action paths reported together, with the org and repos they span, the
// execution identity that backs them, path counts (total, write-capable,
// production-write), the member path IDs, and a RecommendedAction. The grouping
// key and how RecommendedAction is chosen are not visible here. The
// SharedExecutionIdentity and StandingPrivilege booleans have no omitempty and
// are always emitted, which keeps an explicit false visible to consumers.
// Repos, ToolTypes and PathIDs also lack omitempty, so a nil slice serializes
// as null rather than [].
type ExposureGroup struct {
	GroupID                  string   `json:"group_id"`
	Org                      string   `json:"org"`
	Repos                    []string `json:"repos"`
	ToolTypes                []string `json:"tool_types"`
	ExecutionIdentity        string   `json:"execution_identity,omitempty"`
	ExecutionIdentityType    string   `json:"execution_identity_type,omitempty"`
	ExecutionIdentityStatus  string   `json:"execution_identity_status,omitempty"`
	DeliveryChainStatus      string   `json:"delivery_chain_status,omitempty"`
	WorkflowTriggerClass     string   `json:"workflow_trigger_class,omitempty"`
	BusinessStateSurface     string   `json:"business_state_surface,omitempty"`
	RecommendedAction        string   `json:"recommended_action"`
	SharedExecutionIdentity  bool     `json:"shared_execution_identity"`
	StandingPrivilege        bool     `json:"standing_privilege"`
	PathCount                int      `json:"path_count"`
	WriteCapablePathCount    int      `json:"write_capable_path_count"`
	ProductionWritePathCount int      `json:"production_write_path_count"`
	PathIDs                  []string `json:"path_ids"`
	// ExampleRepo and ExampleLocation are illustrative pointers into the group;
	// whether ExampleLocation is a file path, URL or other locator is not
	// visible in this declaration.
	ExampleRepo              string   `json:"example_repo,omitempty"`
	ExampleLocation          string   `json:"example_location,omitempty"`
}

func BuildExposureGroups added in v1.1.0

func BuildExposureGroups(paths []ActionPath) []ExposureGroup

type GaitCoverage added in v1.4.0

// GaitCoverage records, per control point (policy decision, approval, JIT
// credential, freeze window, kill switch, action outcome, proof verification),
// a GaitCoverageDetail with the coverage status and its supporting reasons and
// evidence. All seven keys are always serialized. CloneGaitCoverage copies a
// value and MergeGaitCoverage combines a current and an incoming value; the
// precedence rule when both sides carry a status is not visible here.
type GaitCoverage struct {
	PolicyDecision    GaitCoverageDetail `json:"policy_decision"`
	Approval          GaitCoverageDetail `json:"approval"`
	JITCredential     GaitCoverageDetail `json:"jit_credential"`
	FreezeWindow      GaitCoverageDetail `json:"freeze_window"`
	KillSwitch        GaitCoverageDetail `json:"kill_switch"`
	ActionOutcome     GaitCoverageDetail `json:"action_outcome"`
	ProofVerification GaitCoverageDetail `json:"proof_verification"`
}

func CloneGaitCoverage added in v1.4.0

func CloneGaitCoverage(in *GaitCoverage) *GaitCoverage

func MergeGaitCoverage added in v1.4.0

func MergeGaitCoverage(current, incoming *GaitCoverage) *GaitCoverage

type GaitCoverageDetail added in v1.4.0

// GaitCoverageDetail is the coverage record for a single control point: a
// Status string that is always serialized, plus optional Reasons and
// EvidenceRefs. The set of valid Status values is not visible here.
type GaitCoverageDetail struct {
	Status       string   `json:"status"`
	Reasons      []string `json:"reasons,omitempty"`
	EvidenceRefs []string `json:"evidence_refs,omitempty"`
}

type GovernedPathView added in v1.6.0

// GovernedPathView is a flattened, display-oriented view of one governed action
// path: its autonomy tier, delegation-readiness state, recommended control,
// credential mode, the approval/proof/outcome evidence states, path and target
// class, and the reason codes behind them. Every field is omitempty, so an
// absent key means "not set" and consumers should not distinguish it from an
// empty string. CloneGovernedPathView exists so a copy need not alias the
// ReasonCodes slice of the original.
type GovernedPathView struct {
	Label                    string   `json:"label,omitempty"`
	Summary                  string   `json:"summary,omitempty"`
	AutonomyTier             string   `json:"autonomy_tier,omitempty"`
	DelegationReadinessState string   `json:"delegation_readiness_state,omitempty"`
	RecommendedControl       string   `json:"recommended_control,omitempty"`
	CredentialMode           string   `json:"credential_mode,omitempty"`
	ApprovalEvidenceState    string   `json:"approval_evidence_state,omitempty"`
	ProofEvidenceState       string   `json:"proof_evidence_state,omitempty"`
	OutcomeEvidenceState     string   `json:"outcome_evidence_state,omitempty"`
	PathType                 string   `json:"path_type,omitempty"`
	TargetClass              string   `json:"target_class,omitempty"`
	ReasonCodes              []string `json:"reason_codes,omitempty"`
}

func CloneGovernedPathView added in v1.6.0

func CloneGovernedPathView(in *GovernedPathView) *GovernedPathView

type HighStakesPreset added in v1.6.0

// HighStakesPreset names a high-stakes preset together with the reason codes
// and evidence references associated with it; from context it appears to be
// attached to a path, but that relationship is not visible in this declaration.
// All fields are omitempty. CloneHighStakesPresets returns a copy of a slice of
// these so the caller's slice is not aliased.
type HighStakesPreset struct {
	Preset       string   `json:"preset,omitempty"`
	ReasonCodes  []string `json:"reason_codes,omitempty"`
	EvidenceRefs []string `json:"evidence_refs,omitempty"`
}

func CloneHighStakesPresets added in v1.6.0

func CloneHighStakesPresets(in []HighStakesPreset) []HighStakesPreset

type IdentityActionTarget added in v1.1.0

// IdentityActionTarget summarizes the exposure attributable to one execution
// identity: which identity (name, type, and the source that attributed it), how
// many repos and paths it backs, how many of those are write-capable, high
// impact, unknown to security, or have unresolved ownership, and whether the
// identity is shared or holds standing privilege. The two bools have no
// omitempty, so false is always emitted. Rationale is free-form text
// accompanying the assessment.
type IdentityActionTarget struct {
	ExecutionIdentity            string   `json:"execution_identity,omitempty"`
	ExecutionIdentityType        string   `json:"execution_identity_type,omitempty"`
	ExecutionIdentitySource      string   `json:"execution_identity_source,omitempty"`
	RepoCount                    int      `json:"repo_count"`
	PathCount                    int      `json:"path_count"`
	WriteCapablePathCount        int      `json:"write_capable_path_count"`
	HighImpactPathCount          int      `json:"high_impact_path_count"`
	UnknownToSecurityPathCount   int      `json:"unknown_to_security_path_count"`
	UnresolvedOwnershipPathCount int      `json:"unresolved_ownership_path_count"`
	SharedExecutionIdentity      bool     `json:"shared_execution_identity"`
	StandingPrivilege            bool     `json:"standing_privilege"`
	Rationale                    []string `json:"rationale,omitempty"`
}

type IdentityExposureSummary added in v1.1.0

// IdentityExposureSummary is the count view of non-human identities produced
// by BuildIdentityExposureSummary from the action paths and an
// agginventory.Inventory. Note the field/tag mismatch on the last entry: the Go
// field is IdentitiesWithUnknownExecutionLinked but the JSON key is
// "identities_with_unknown_execution_correlation" — consumers must key on the
// JSON name. No field is omitempty.
type IdentityExposureSummary struct {
	TotalNonHumanIdentitiesObserved      int `json:"total_non_human_identities_observed"`
	IdentitiesBackingWriteCapablePaths   int `json:"identities_backing_write_capable_paths"`
	IdentitiesBackingDeployCapablePaths  int `json:"identities_backing_deploy_capable_paths"`
	IdentitiesWithUnresolvedOwnership    int `json:"identities_with_unresolved_ownership"`
	IdentitiesWithUnknownExecutionLinked int `json:"identities_with_unknown_execution_correlation"`
}

func BuildIdentityExposureSummary added in v1.1.0

func BuildIdentityExposureSummary(paths []ActionPath, inventory *agginventory.Inventory) *IdentityExposureSummary

type OwnerlessExposure added in v1.1.0

// OwnerlessExposure partitions action paths by how their owner was resolved:
// explicit, inferred, unresolved, or in conflict. BuildOwnerlessExposure
// computes it from a []ActionPath. No field is omitempty, so all four buckets
// are always present even when zero.
type OwnerlessExposure struct {
	ExplicitOwnerPaths   int `json:"explicit_owner_paths"`
	InferredOwnerPaths   int `json:"inferred_owner_paths"`
	UnresolvedOwnerPaths int `json:"unresolved_owner_paths"`
	ConflictOwnerPaths   int `json:"conflict_owner_paths"`
}

func BuildOwnerlessExposure added in v1.1.0

func BuildOwnerlessExposure(paths []ActionPath) *OwnerlessExposure

type ProductionContext added in v1.6.0

// ProductionContext captures the production-relevance of a path: a Status, the
// surface it touches, tool type, owner, credential mode, deployment status,
// action classes, path/target class, mutable endpoint operations, and the
// evidence references and reason codes supporting the classification. Every
// field is omitempty. Owner and EvidenceRefs are opaque strings here — whether
// they are identifiers or display text is not visible in this declaration.
// CloneProductionContext exists because the slice fields alias on assignment.
type ProductionContext struct {
	Status                    string   `json:"status,omitempty"`
	SurfaceLabel              string   `json:"surface_label,omitempty"`
	ToolType                  string   `json:"tool_type,omitempty"`
	Owner                     string   `json:"owner,omitempty"`
	CredentialMode            string   `json:"credential_mode,omitempty"`
	DeploymentStatus          string   `json:"deployment_status,omitempty"`
	ActionClasses             []string `json:"action_classes,omitempty"`
	PathType                  string   `json:"path_type,omitempty"`
	TargetClass               string   `json:"target_class,omitempty"`
	MutableEndpointOperations []string `json:"mutable_endpoint_operations,omitempty"`
	EvidenceRefs              []string `json:"evidence_refs,omitempty"`
	ReasonCodes               []string `json:"reason_codes,omitempty"`
}

func CloneProductionContext added in v1.6.0

func CloneProductionContext(in *ProductionContext) *ProductionContext

type RecommendedActionContract added in v1.6.0

// RecommendedActionContract appears to state, for one path, what action is
// allowed and what must be in place first: the required authority, review,
// approval and proof, the allowed autonomy tier, a validation step, the default
// posture, and the evidence and contract readiness states that back the
// recommendation. Every field is omitempty. ReportOnly is a bool with omitempty,
// so it is absent from the JSON when false — consumers should treat a missing
// key as false rather than unknown.
type RecommendedActionContract struct {
	PathSummary              string   `json:"path_summary,omitempty"`
	AllowedAction            string   `json:"allowed_action,omitempty"`
	RequiredAuthority        string   `json:"required_authority,omitempty"`
	RequiredReview           string   `json:"required_review,omitempty"`
	RequiredApproval         string   `json:"required_approval,omitempty"`
	RequiredProof            string   `json:"required_proof,omitempty"`
	AllowedAutonomyTier      string   `json:"allowed_autonomy_tier,omitempty"`
	ValidationStep           string   `json:"validation_step,omitempty"`
	DefaultPosture           string   `json:"default_posture,omitempty"`
	DelegationReadinessState string   `json:"delegation_readiness_state,omitempty"`
	ApprovalEvidenceState    string   `json:"approval_evidence_state,omitempty"`
	OwnerEvidenceState       string   `json:"owner_evidence_state,omitempty"`
	ProofEvidenceState       string   `json:"proof_evidence_state,omitempty"`
	OutcomeEvidenceState     string   `json:"outcome_evidence_state,omitempty"`
	ContractReadinessState   string   `json:"contract_readiness_state,omitempty"`
	ReportOnly               bool     `json:"report_only,omitempty"`
	ReasonCodes              []string `json:"reason_codes,omitempty"`
}

func CloneRecommendedActionContract added in v1.6.0

func CloneRecommendedActionContract(in *RecommendedActionContract) *RecommendedActionContract

type RecommendedControlCounts added in v1.6.0

// RecommendedControlCounts counts action paths per recommended control;
// ActionPathSummary carries one under "recommended_controls".
// JITCredentialRequired is the number of paths for which a just-in-time
// credential is the recommended control — an int, not credential material.
// No field is omitempty, so zero counts are emitted explicitly.
type RecommendedControlCounts struct {
	Allow                   int `json:"allow"`
	OwnerReview             int `json:"owner_review"`
	SecurityReview          int `json:"security_review"`
	ApprovalRequired        int `json:"approval_required"`
	JITCredentialRequired   int `json:"jit_credential_required"`
	ProofRequired           int `json:"proof_required"`
	BlockStandingCredential int `json:"block_standing_credential"`
	Block                   int `json:"block"`
}

type RepoAggregate

// RepoAggregate is the per-repository roll-up carried in Report.Repos. The JSON
// keys differ from the field names: Score is "combined_risk_score" and Autonomy
// is "highest_autonomy". How Score combines per-finding scores is not visible
// here.
type RepoAggregate struct {
	Org      string  `json:"org"`
	Repo     string  `json:"repo"`
	Score    float64 `json:"combined_risk_score"`
	Autonomy string  `json:"highest_autonomy"`
}

type Report

// Report is the output of Score. GeneratedAt is a string rather than a
// time.Time; its format is chosen by Score from its now argument and is not
// visible here. TopN, Ranked and Repos have no omitempty, so a nil slice encodes
// as JSON null rather than [] — consumers of "top_findings", "ranked_findings"
// and "repo_risk" should accept both. The attack-path, action-path,
// control-path-graph and workflow-chain sections are optional and omitted when
// empty or nil.
type Report struct {
	GeneratedAt              string                               `json:"generated_at"`
	TopN                     []ScoredFinding                      `json:"top_findings"`
	Ranked                   []ScoredFinding                      `json:"ranked_findings"`
	Repos                    []RepoAggregate                      `json:"repo_risk"`
	AttackPaths              []riskattack.ScoredPath              `json:"attack_paths,omitempty"`
	TopAttackPaths           []riskattack.ScoredPath              `json:"top_attack_paths,omitempty"`
	ActionPaths              []ActionPath                         `json:"action_paths,omitempty"`
	ActionPathToControlFirst *ActionPathToControlFirst            `json:"action_path_to_control_first,omitempty"`
	ControlPathGraph         *aggattack.ControlPathGraph          `json:"control_path_graph,omitempty"`
	WorkflowChains           *agentresolver.WorkflowChainArtifact `json:"workflow_chains,omitempty"`
}

func Score

func Score(findings []model.Finding, topN int, now time.Time) Report

type ScoredFinding

// ScoredFinding is one finding together with its computed risk. Score is
// serialized as "risk_score"; BlastRadius, Privilege and TrustDeficit are the
// float64 components reported alongside it, and Reasons gives the
// human-readable justification. The original model.Finding is carried by value
// under "finding", so the report embeds the full finding payload rather than a
// reference. Reasons has no omitempty and encodes as null when nil.
type ScoredFinding struct {
	CanonicalKey  string        `json:"canonical_key"`
	Score         float64       `json:"risk_score"`
	BlastRadius   float64       `json:"blast_radius"`
	Privilege     float64       `json:"privilege_level"`
	TrustDeficit  float64       `json:"trust_deficit"`
	EndpointClass string        `json:"endpoint_class"`
	DataClass     string        `json:"data_class"`
	AutonomyLevel string        `json:"autonomy_level"`
	Reasons       []string      `json:"reasons"`
	Finding       model.Finding `json:"finding"`
}
