security

package v1.5.0

Published: Apr 21, 2026 License: Apache-2.0 Imports: 2 Imported by: 0
Overview

Package security provides security impact scoring for configuration changes.

Types

type ChangeInput

type ChangeInput struct {
	Type           string // "added", "removed", "modified", "reordered"
	Section        string // "firewall", "system", "nat", etc.
	Path           string // Configuration path
	Description    string
	SecurityImpact string // Existing impact from analyzer (preserved if non-empty)
}

ChangeInput is the minimal change information needed for security scoring. This avoids an import cycle with the parent diff package.

type Pattern

type Pattern struct {
	Name        string
	Description string
	Section     string         // Section to match (empty = any)
	PathRegex   *regexp.Regexp // Path regex to match (nil = any)
	ChangeType  string         // Change type to match (empty = any)
	Impact      string         // Impact level: "high", "medium", "low"
}

Pattern defines a security impact matching rule.

func DefaultPatterns

func DefaultPatterns() []Pattern

DefaultPatterns returns the built-in security impact patterns. These augment the context-specific scoring in the analyzer (e.g., isPermissiveRule) by providing pattern-based scoring for changes that lack explicit SecurityImpact.

type RiskItem

type RiskItem struct {
	Path        string `json:"path"`
	Description string `json:"description"`
	Impact      string `json:"impact"`
}

RiskItem describes a single high-priority risk.

type RiskSummary

type RiskSummary struct {
	Score    int        `json:"score"`
	High     int        `json:"high"`
	Medium   int        `json:"medium"`
	Low      int        `json:"low"`
	TopRisks []RiskItem `json:"top_risks,omitempty"`
}

RiskSummary contains aggregate security risk information for a set of changes.

func SummarizeScored added in v1.5.0

func SummarizeScored(risks []ScoredRisk) RiskSummary

SummarizeScored aggregates already-scored risks into a RiskSummary. Unlike ScoreAll, it performs no pattern matching and does not rescore its inputs; it simply tallies the High/Medium/Low counts, the running score, and the top risks from the Impact field of each ScoredRisk.

func (*RiskSummary) HasRisks

func (r *RiskSummary) HasRisks() bool

HasRisks returns true if any security impacts were detected.

type ScoredRisk added in v1.5.0

type ScoredRisk struct {
	Path        string
	Description string
	Impact      string // Pre-computed impact (see Scorer.Score)
}

ScoredRisk is the minimal, already-scored view of a change used to build a RiskSummary without re-running pattern matching. Callers that have already populated SecurityImpact (for example the diff engine's per-change loop) can pass their existing values directly, avoiding a second []ChangeInput allocation per Compare.

type Scorer

type Scorer struct {
	// contains filtered or unexported fields
}

Scorer evaluates security impact of configuration changes.

func NewScorer

func NewScorer() *Scorer

NewScorer creates a Scorer with the default security patterns.

func NewScorerWithPatterns

func NewScorerWithPatterns(patterns []Pattern) *Scorer

NewScorerWithPatterns creates a Scorer with custom patterns.

func (*Scorer) Score

func (s *Scorer) Score(change ChangeInput) string

Score evaluates a single change and returns the highest applicable security impact. If the change already has a SecurityImpact set (from analyzer domain logic), it is preserved. Otherwise, the scorer applies pattern-based matching.

func (*Scorer) ScoreAll

func (s *Scorer) ScoreAll(changes []ChangeInput) RiskSummary

ScoreAll computes an aggregate risk summary for a set of changes.

Each change is (re-)scored via Score before aggregation. When the caller has already populated SecurityImpact on each change (the typical path inside the diff engine), prefer SummarizeScored to skip the redundant pattern match.
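The following is an added, stand-alone example written for this page; it is not the package's code, and because the page does not give the module's import path it re-implements the documented behaviour of Score, ScoreAll and SummarizeScored rather than importing them. It shows a non-empty SecurityImpact being preserved, the highest matching Pattern winning when several match, an unmatched change scoring "", and SummarizeScored skipping the rescoring that ScoreAll performs. The sample patterns and changes, the per-level weights (10/3/1) and the rule that only "high" items appear in TopRisks are this example's assumptions; the real package's weights and TopRisks selection are not documented here.

```go
package main

import (
	"fmt"
	"regexp"
)

// Field sets mirror the documented types (empty or nil Pattern fields match any
// change); the weights and TopRisks rule are this example's assumptions, not the package's.
type (
	ChangeInput struct{ Type, Section, Path, Description, SecurityImpact string }
	Pattern     struct {
		Name, Section, ChangeType, Impact string
		PathRegex                         *regexp.Regexp
	}
	RiskItem    struct{ Path, Description, Impact string }
	ScoredRisk  RiskItem
	RiskSummary struct {
		Score, High, Medium, Low int
		TopRisks                 []RiskItem
	}
	Scorer struct{ patterns []Pattern }
)

func NewScorerWithPatterns(p []Pattern) *Scorer { return &Scorer{patterns: p} }

// impactRank orders levels so the highest matching pattern wins; impactWeight is an assumed per-level contribution to RiskSummary.Score.
var impactRank = map[string]int{"": 0, "low": 1, "medium": 2, "high": 3}
var impactWeight = map[string]int{"low": 1, "medium": 3, "high": 10}

// Score keeps a non-empty SecurityImpact; otherwise the best pattern match wins.
func (s *Scorer) Score(c ChangeInput) string {
	if c.SecurityImpact != "" {
		return c.SecurityImpact // analyzer domain logic already decided
	}
	best := ""
	for _, p := range s.patterns {
		sectionOK := p.Section == "" || p.Section == c.Section
		typeOK := p.ChangeType == "" || p.ChangeType == c.Type
		pathOK := p.PathRegex == nil || p.PathRegex.MatchString(c.Path)
		if sectionOK && typeOK && pathOK && impactRank[p.Impact] > impactRank[best] {
			best = p.Impact
		}
	}
	return best
}

// tally is shared by ScoreAll and SummarizeScored: counts, weights, "high" items as TopRisks.
func tally(risks []ScoredRisk) RiskSummary {
	var sum RiskSummary
	for _, r := range risks {
		switch r.Impact {
		case "high":
			sum.High++
			sum.TopRisks = append(sum.TopRisks, RiskItem(r))
		case "medium":
			sum.Medium++
		case "low":
			sum.Low++
		}
		sum.Score += impactWeight[r.Impact] // an unscored ("") change adds nothing
	}
	return sum
}

// ScoreAll re-scores every change through Score before aggregating.
func (s *Scorer) ScoreAll(changes []ChangeInput) RiskSummary {
	scored := make([]ScoredRisk, 0, len(changes))
	for _, c := range changes {
		scored = append(scored, ScoredRisk{c.Path, c.Description, s.Score(c)})
	}
	return tally(scored)
}

// SummarizeScored trusts the Impact already on each risk: no pattern matching.
func SummarizeScored(risks []ScoredRisk) RiskSummary { return tally(risks) }
func (r *RiskSummary) HasRisks() bool               { return r.High+r.Medium+r.Low > 0 }

// SamplePatterns and SampleChanges are constructed inputs for the demo.
func SamplePatterns() []Pattern {
	return []Pattern{
		{Name: "ssh-config", Section: "system", PathRegex: regexp.MustCompile(`^system\.ssh`), Impact: "high"},
		{Name: "firewall-rule", Section: "firewall", PathRegex: regexp.MustCompile(`^firewall\.rule\[`), Impact: "medium"},
		{Name: "any-removal", ChangeType: "removed", Impact: "low"},
	}
}

func SampleChanges() []ChangeInput {
	return []ChangeInput{
		{Type: "modified", Section: "system", Path: "system.ssh.enable", Description: "ssh enabled"},                   // high
		{Type: "removed", Section: "firewall", Path: "firewall.rule[3]", Description: "rule removed"},                 // medium beats low
		{Type: "modified", Section: "system", Path: "system.hostname", Description: "hostname", SecurityImpact: "low"}, // preserved
		{Type: "added", Section: "nat", Path: "nat.outbound[0]", Description: "nat rule"},                             // no match: ""
	}
}

func main() {
	fmt.Printf("%+v\n", NewScorerWithPatterns(SamplePatterns()).ScoreAll(SampleChanges()))
}
```

Running it prints a summary with one high, one medium and one low change and a Score of 14 under the assumed weights; the unmatched NAT change contributes nothing. The shared tally helper is what makes the documented trade-off concrete: ScoreAll pays for one pattern walk per change, while SummarizeScored takes the Impact a caller already computed and only aggregates.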
