codesecurity

package
v0.0.17

This package is not in the latest version of its module.

Published: Jun 10, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package codesecurity parses the sast subset of the Code Security YAML that SAIST uses, so that local datadog-saist runs honor the same repository config files as code-workload-runner (dd-source).

Index

Constants

This section is empty.

Variables

var ErrUnsupportedSchemaVersion = errors.New(
	"unsupported schema-version: SAIST YAML narrowing supports v1.x (major 1) only; " +
		"parity with dd-source saconfig parseV1",
)

ErrUnsupportedSchemaVersion is returned when schema-version is set but not a supported v1.x value.

Functions

func ApplyGlobalPathFiltersToFileRuleMapping

func ApplyGlobalPathFiltersToFileRuleMapping(
	fileRuleMapping map[string][]string,
	global *YamlGlobalConfig,
) map[string][]string

ApplyGlobalPathFiltersToFileRuleMapping drops file keys that violate sast.global-config paths.

func ApplyRuleConfigFilters

func ApplyRuleConfigFilters(
	fileRuleMapping map[string][]string,
	ruleConfigs map[string]YamlRuleConfig,
) map[string][]string

ApplyRuleConfigFilters applies rule-level only-paths / ignore-paths to a file→rules map.
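The two filters above compose: global only-paths / ignore-paths decide which files stay in the file→rules map at all, and per-rule only-paths / ignore-paths then prune individual rules from each surviving file. The following stand-alone program is an added example, not code from this package or from dd-source. It uses its own `pathFilter` type in place of YamlGlobalConfig / YamlRuleConfig, and its pattern semantics (`dir/**` as a directory prefix, otherwise `path.Match` on the whole repo-relative path) and its choice to drop a file whose rule list becomes empty are assumptions, since the page documents neither.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// pathFilter stands in for the page's YamlGlobalConfig / YamlRuleConfig, both
// of which carry only only-paths and ignore-paths. Pointer fields keep
// "absent" distinct from "present but empty".
type pathFilter struct {
	OnlyPaths   *[]string
	IgnorePaths *[]string
}

// pathMatches is this example's assumed pattern semantics (the page documents
// none): "dir/**" matches dir and everything below it; any other pattern is
// matched with path.Match against the whole repo-relative path.
func pathMatches(pattern, rel string) bool {
	if dir, ok := strings.CutSuffix(pattern, "/**"); ok {
		return rel == dir || strings.HasPrefix(rel, dir+"/")
	}
	ok, err := path.Match(pattern, rel)
	return err == nil && ok
}

// allows applies one filter to a file: with only-paths set, the file must
// match at least one pattern; with ignore-paths set, it must match none.
// A nil filter allows everything.
func (f *pathFilter) allows(rel string) bool {
	if f == nil {
		return true
	}
	if f.OnlyPaths != nil && len(*f.OnlyPaths) > 0 {
		matched := false
		for _, p := range *f.OnlyPaths {
			if pathMatches(p, rel) {
				matched = true
				break
			}
		}
		if !matched {
			return false
		}
	}
	if f.IgnorePaths != nil {
		for _, p := range *f.IgnorePaths {
			if pathMatches(p, rel) {
				return false
			}
		}
	}
	return true
}

// applyGlobalPathFilters follows ApplyGlobalPathFiltersToFileRuleMapping:
// drop every file key that sast.global-config paths exclude.
func applyGlobalPathFilters(mapping map[string][]string, global *pathFilter) map[string][]string {
	out := map[string][]string{}
	for file, rules := range mapping {
		if global.allows(file) {
			out[file] = rules
		}
	}
	return out
}

// applyRuleConfigFilters follows ApplyRuleConfigFilters: for each file, drop
// the rules whose own only-paths / ignore-paths exclude that file. Rules with
// no config are kept. Assumption: a file left with no rules is removed.
func applyRuleConfigFilters(mapping map[string][]string, ruleConfigs map[string]pathFilter) map[string][]string {
	out := map[string][]string{}
	for file, rules := range mapping {
		var kept []string
		for _, rule := range rules {
			cfg, has := ruleConfigs[rule]
			if !has || cfg.allows(file) {
				kept = append(kept, rule)
			}
		}
		if len(kept) > 0 {
			out[file] = kept
		}
	}
	return out
}

func strs(s ...string) *[]string { return &s }

func main() {
	// Constructed file->rules map, shaped like MatchFilesToRules output.
	mapping := map[string][]string{
		"src/db/query.go":    {"datadog/go-sqli", "datadog/go-ssrf"},
		"vendor/lib/http.go": {"datadog/go-ssrf"},
		"test/query_test.go": {"datadog/go-sqli"},
	}
	global := &pathFilter{IgnorePaths: strs("vendor/**")}
	ruleConfigs := map[string]pathFilter{
		"datadog/go-sqli": {OnlyPaths: strs("src/**")},
		"datadog/go-ssrf": {IgnorePaths: strs("src/db/*")},
	}
	result := applyRuleConfigFilters(applyGlobalPathFilters(mapping, global), ruleConfigs)
	for file, rules := range result {
		fmt.Println(file, "->", rules)
	}
}
```

With the constructed input, vendor/lib/http.go is removed by the global ignore, test/query_test.go loses its only rule to the go-sqli only-paths restriction and disappears, and src/db/query.go keeps go-sqli but not go-ssrf. Note the ordering: global filters run first, so a rule-level only-paths can never re-admit a file the global config excluded.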

func BuildRulesetToRuleIDs

func BuildRulesetToRuleIDs(rules []api.AiPrompt) map[string][]string

BuildRulesetToRuleIDs groups API rule IDs by derived ruleset name (language-ai_sast).

func EnabledSaistRulesetNames

func EnabledSaistRulesetNames(s *Sast, rulesetToRules map[string][]string) map[string]bool

EnabledSaistRulesetNames mirrors code-workload-runner enabledSaistRulesetNames for the sast block.

func ExtractLanguageFromRuleID

func ExtractLanguageFromRuleID(ruleID string) string

ExtractLanguageFromRuleID returns the language segment from a rule id (e.g. datadog/go-sqli -> go).

func FilterRuleConfigsToParentRuleset

func FilterRuleConfigsToParentRuleset(
	rulesetName string,
	ruleConfigs map[string]YamlRuleConfig,
	rulesetToRules map[string][]string,
) (filtered map[string]YamlRuleConfig, skipped []string)

FilterRuleConfigsToParentRuleset keeps only rule IDs that belong to rulesetName (GetRulesForRuleset).

func FilterRulesByEnabledRulesets

func FilterRulesByEnabledRulesets(rules []api.AiPrompt, enabled map[string]bool, rulesetToRules map[string][]string) []api.AiPrompt

FilterRulesByEnabledRulesets keeps rules whose id belongs to an enabled ruleset.

func FilterRulesBySastConfig added in v0.0.9

func FilterRulesBySastConfig(
	rules []api.AiPrompt,
	s *Sast,
	rulesetToRules map[string][]string,
) (enabled map[string]bool, filtered []api.AiPrompt, fallbackUsed bool)

FilterRulesBySastConfig applies SAIST ruleset filtering. When the filtered result is empty and the config does not represent an explicit AI SAST disablement, it falls back to all rules so that repositories using legacy or classic-SA-only configs still receive AI SAST coverage.

The third return value is true when the fallback was applied. Callers should log this so that unexpected no-coverage situations are visible in local runs.

func ForEachRulesetConfigPathFilter

func ForEachRulesetConfigPathFilter(
	ctx context.Context,
	rulesetConfigs map[string]YamlRulesetConfig,
	enabledRulesets map[string]bool,
	rulesetToRules map[string][]string,
	apply func(map[string]YamlRuleConfig),
)

ForEachRulesetConfigPathFilter applies ruleset-level and scoped rule-level path configs for enabled rulesets.

func GetRulesForRuleset

func GetRulesForRuleset(rulesetToRules map[string][]string, name string) []string

GetRulesForRuleset returns rule IDs for a ruleset, or nil if unknown.

func IsExplicitAISastDisablement added in v0.0.9

func IsExplicitAISastDisablement(s *Sast) bool

IsExplicitAISastDisablement reports whether the sast config deliberately opted out of AI SAST scanning. This is true only when use-default-rulesets is false AND use-rulesets is absent or empty — meaning the user actively disabled all SAST rule coverage.

Every other zero-rule outcome (legacy static-analysis configs, SCA-only configs, configs that list only classic SA rulesets) falls back to the default AI SAST rule set so that repositories without AI SAST awareness still receive coverage.
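The fallback contract spelled out for FilterRulesBySastConfig and IsExplicitAISastDisablement, together with the ruleset derivation described under BuildRulesetToRuleIDs, ExtractLanguageFromRuleID and RulesetNameForLanguage, is easiest to see on a few concrete configs. The stand-alone program below is an added example, not code from this package or from dd-source. It uses its own `sastConfig` type in place of Sast and plain rule-ID strings in place of api.AiPrompt; the rule IDs are constructed. Two points are assumptions because the page does not spell them out: that the language is the rule name's segment before the first hyphen, and the exact enable semantics (defaults unless use-default-rulesets is false, plus known use-rulesets entries, minus ignore-rulesets).

```go
package main

import (
	"fmt"
	"strings"
)

// sastConfig stands in for the page's Sast type (ruleset fields only). Pointer
// fields keep "absent" distinct from "present but empty", which the
// explicit-disablement rule depends on.
type sastConfig struct {
	UseDefaultRulesets *bool
	UseRulesets        *[]string
	IgnoreRulesets     *[]string
}

// rulesetForRuleID chains the documented ExtractLanguageFromRuleID and
// RulesetNameForLanguage behaviour: "datadog/go-sqli" -> "go" -> "go-ai_sast".
// Assumption: the language is the rule name's segment before the first hyphen.
func rulesetForRuleID(ruleID string) string {
	name := ruleID
	if _, after, ok := strings.Cut(ruleID, "/"); ok {
		name = after
	}
	lang, _, _ := strings.Cut(name, "-")
	return lang + "-ai_sast"
}

// usesDefaults reports whether use-default-rulesets is unset or true.
func usesDefaults(s *sastConfig) bool {
	return s == nil || s.UseDefaultRulesets == nil || *s.UseDefaultRulesets
}

// explicitAISastDisablement encodes the documented IsExplicitAISastDisablement
// rule: use-default-rulesets is false AND use-rulesets is absent or empty.
func explicitAISastDisablement(s *sastConfig) bool {
	return !usesDefaults(s) && (s.UseRulesets == nil || len(*s.UseRulesets) == 0)
}

// enabledRulesets is this example's assumed reading of EnabledSaistRulesetNames:
// every SAIST ruleset when defaults apply, plus known use-rulesets entries,
// minus ignore-rulesets. Classic SA names such as "go-security" are not SAIST
// rulesets, so they are not in rulesetToRules and enable nothing.
func enabledRulesets(s *sastConfig, rulesetToRules map[string][]string) map[string]bool {
	enabled := map[string]bool{}
	if usesDefaults(s) {
		for name := range rulesetToRules {
			enabled[name] = true
		}
	}
	if s != nil && s.UseRulesets != nil {
		for _, name := range *s.UseRulesets {
			if _, known := rulesetToRules[name]; known {
				enabled[name] = true
			}
		}
	}
	if s != nil && s.IgnoreRulesets != nil {
		for _, name := range *s.IgnoreRulesets {
			delete(enabled, name)
		}
	}
	return enabled
}

// filterRules follows the documented FilterRulesBySastConfig contract: keep
// rules whose ruleset is enabled; if nothing survives and the config is not an
// explicit opt-out, fall back to every rule and report that it did so.
func filterRules(ruleIDs []string, s *sastConfig) (filtered []string, fallbackUsed bool) {
	rulesetToRules := map[string][]string{} // shape of BuildRulesetToRuleIDs output
	for _, id := range ruleIDs {
		rs := rulesetForRuleID(id)
		rulesetToRules[rs] = append(rulesetToRules[rs], id)
	}
	enabled := enabledRulesets(s, rulesetToRules)
	for _, id := range ruleIDs {
		if enabled[rulesetForRuleID(id)] {
			filtered = append(filtered, id)
		}
	}
	if len(filtered) == 0 && !explicitAISastDisablement(s) {
		return append([]string(nil), ruleIDs...), true
	}
	return filtered, false
}

func boolPtr(b bool) *bool          { return &b }
func strsPtr(s ...string) *[]string { return &s }

func main() {
	// Constructed rule IDs, not a real rule catalogue.
	rules := []string{"datadog/go-sqli", "datadog/python-ssrf", "datadog/java-xxe"}
	cases := []struct {
		name string
		cfg  *sastConfig
	}{
		{"no sast block", nil},
		{"classic SA only", &sastConfig{UseDefaultRulesets: boolPtr(false), UseRulesets: strsPtr("go-security")}},
		{"explicit opt-out", &sastConfig{UseDefaultRulesets: boolPtr(false)}},
		{"only go-ai_sast", &sastConfig{UseDefaultRulesets: boolPtr(false), UseRulesets: strsPtr("go-ai_sast")}},
	}
	for _, c := range cases {
		filtered, fb := filterRules(rules, c.cfg)
		fmt.Printf("%-18s -> %d rules, fallback=%v\n", c.name, len(filtered), fb)
	}
}
```

The case worth staring at is "classic SA only": use-default-rulesets is false and use-rulesets names only a classic SA ruleset, so SAIST ends up with zero enabled rulesets, yet because use-rulesets is non-empty this is not an explicit opt-out and all three rules come back with fallbackUsed set. Only the "explicit opt-out" config yields zero rules without a fallback, which is why callers should log the third return value: a silent fallback hides a config that the author probably believed was restricting coverage.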

func IsValidRuleset

func IsValidRuleset(rulesetToRules map[string][]string, name string) bool

IsValidRuleset reports whether name is a known ruleset for the current rule set.

func MatchFilesToRules

func MatchFilesToRules(files []SourceFile, rules []api.AiPrompt) map[string][]string

MatchFilesToRules maps each file to the rule IDs that apply to it, using each rule's path glob and its FileSearchKeywords. It is aligned with code-workload-runner matchFilesToRules: keyword matching runs against the same stripped, lowercased source text that filtering.ShouldAnalyze uses.

func ReadLocalConfigBytes

func ReadLocalConfigBytes(directory string) ([]byte, error)

ReadLocalConfigBytes reads the first candidate local config file that exists in directory and returns its contents; it returns nil when none of the candidate files exist.

func RulesetNameForLanguage

func RulesetNameForLanguage(langKey string) string

RulesetNameForLanguage returns the SAIST ruleset name for a language key (e.g. go -> go-ai_sast).

Types

type File

type File struct {
	SchemaVersion string `yaml:"schema-version"`
	Sast          *Sast  `yaml:"sast,omitempty"`
}

File represents the parts of a v1 Code Security file we need for SAIST scoping.

func LoadLocalFile

func LoadLocalFile(directory string) (*File, string, error)

LoadLocalFile reads and parses the first existing local Code Security file in directory. Returns the parsed config, the basename of the file used (e.g. code-security.datadog.yaml), and an error. If no candidate file exists, or the file is empty, returns nil, "", nil. If parsing fails, returns nil, basename, err.

func ParseConfigFile

func ParseConfigFile(content string) (*File, error)

ParseConfigFile decodes YAML into a File. The decoder runs with KnownFields(false), so extra top-level keys (sca, secrets, …) are ignored and real v1 repository files still decode; unknown keys never change the behavior of the modeled fields.

type Sast

type Sast struct {
	UseDefaultRulesets *bool                         `yaml:"use-default-rulesets,omitempty"`
	UseRulesets        *[]string                     `yaml:"use-rulesets,omitempty"`
	IgnoreRulesets     *[]string                     `yaml:"ignore-rulesets,omitempty"`
	RulesetConfigs     *map[string]YamlRulesetConfig `yaml:"ruleset-configs,omitempty"`
	GlobalConfig       *YamlGlobalConfig             `yaml:"global-config,omitempty"`
}

Sast mirrors saconfig.YamlSastConfigV1_0 path-related fields.

type SourceFile

type SourceFile struct {
	RelPath string
	AbsPath string
	Lang    model.Language
}

SourceFile is minimal file metadata for rule matching (mirrors analysis.fileMeta fields used here).

type YamlGlobalConfig

type YamlGlobalConfig struct {
	OnlyPaths   *[]string `yaml:"only-paths,omitempty"`
	IgnorePaths *[]string `yaml:"ignore-paths,omitempty"`
}

YamlGlobalConfig mirrors saconfig.YamlGlobalConfigV1_0 (path fields only).

type YamlRuleConfig

type YamlRuleConfig struct {
	OnlyPaths   *[]string `yaml:"only-paths,omitempty"`
	IgnorePaths *[]string `yaml:"ignore-paths,omitempty"`
}

YamlRuleConfig mirrors saconfig.YamlRuleConfigV1_0 (path fields only).

type YamlRulesetConfig

type YamlRulesetConfig struct {
	OnlyPaths   *[]string                  `yaml:"only-paths,omitempty"`
	IgnorePaths *[]string                  `yaml:"ignore-paths,omitempty"`
	RuleConfigs *map[string]YamlRuleConfig `yaml:"rule-configs,omitempty"`
}

YamlRulesetConfig mirrors saconfig.YamlRulesetConfigV1_0 (path fields only).
