Documentation
¶
Overview ¶
Package analyzer orchestrates concurrent package analysis: a bounded worker pool fans out over the dependency list, each worker fetches the artifact from its registry and runs every heuristic, and results stream back over a channel as they complete.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Analyzer ¶
type Analyzer struct {
// contains filtered or unexported fields
}
Analyzer holds the registry clients and rule set for a run.
type Ecosystem ¶
type Ecosystem string
Ecosystem identifies the package registry a dependency belongs to.
type Finding ¶
type Finding struct {
RuleID string `json:"rule_id"`
Severity Severity `json:"severity"`
Title string `json:"title"`
// Detail explains why this matters, referencing real attack patterns.
Detail string `json:"detail"`
// File is the path inside the package archive where the signal was found
// (empty for metadata findings).
File string `json:"file,omitempty"`
// Evidence is a short redacted excerpt of the matching content.
Evidence string `json:"evidence,omitempty"`
}
Finding is a single suspicious signal detected in a package.
type Options ¶
type Options struct {
Workers int // 0 = auto (2×CPU, capped at 16)
PackageTimeout time.Duration // per-package budget, 0 = 90s
// Suppress filters findings accepted in a baseline file. Suppressed
// findings are dropped from the verdict but counted in Result.Suppressed.
Suppress func(Package, Finding) bool
}
Options tunes a scan run.
type Package ¶
type Package struct {
Ecosystem Ecosystem `json:"ecosystem"`
Name string `json:"name"`
Version string `json:"version"`
// Source is where the dependency was discovered (lockfile path or "cli").
Source string `json:"source,omitempty"`
}
Package is a single dependency to analyze.
type Result ¶
type Result struct {
Package Package `json:"package"`
Risk RiskLevel `json:"risk"`
Score int `json:"score"`
Findings []Finding `json:"findings,omitempty"`
Err string `json:"error,omitempty"`
Elapsed time.Duration `json:"-"`
DurationMS int64 `json:"duration_ms"`
// FilesScanned is how many files inside the archive were inspected.
FilesScanned int `json:"files_scanned"`
// Suppressed counts findings accepted by the baseline file.
Suppressed int `json:"suppressed,omitempty"`
}
Result is the full analysis outcome for one package.
type RiskLevel ¶
type RiskLevel int
RiskLevel is the aggregated verdict for a package.
func (RiskLevel) MarshalJSON ¶
MarshalJSON renders risk levels as their human-readable names.
type Rule ¶
Rule is re-declared here (structurally identical to heuristics.Rule) so the analyzer does not import the heuristics package — keeping the dependency arrow pointing in one direction: cli → analyzer ← heuristics.
type Severity ¶
type Severity int
Severity ranks how dangerous a finding is.
func (Severity) MarshalJSON ¶
MarshalJSON renders severities as their human-readable names — JSON consumers should never need to know internal ordinal values.