Documentation

Overview
Package scanner orchestrates the execution of all registered checks against a Target.
Index
Constants
This section is empty.
Variables
var ErrNotFound = errors.New("scanner: scan not found")
ErrNotFound is returned when a scan id is unknown to the Manager. Note it is distinct from storage.ErrNotFound to keep concerns decoupled.
Functions
This section is empty.
Types
type Event
type Event struct {
	Kind     EventKind       `json:"-"`
	Progress *Progress       `json:"progress,omitempty"`
	Finding  *checks.Finding `json:"finding,omitempty"`
	Grade    string          `json:"grade,omitempty"`
	Score    int             `json:"score,omitempty"`
	Error    string          `json:"error,omitempty"`
}
Event is the structured payload pushed to subscribers.
type EventKind
type EventKind string
EventKind enumerates the asynchronous events emitted during a scan. Mirrors the SSE event names defined in SPECIFICATIONS.md §5.6.
type Manager
type Manager struct {
	// contains filtered or unexported fields
}
Manager owns the asynchronous lifecycle of scans: creation, kickoff in a background goroutine, store updates, and event broadcasting to SSE subscribers.
func NewManager
func NewManager(
	store storage.ScanStore,
	registry *checks.Registry,
	cfg ManagerConfig,
	logger *slog.Logger,
) *Manager
NewManager returns a Manager wired to the given store, registry, and config. logger may be nil to disable structured logging.
func (*Manager) CreateScan
func (m *Manager) CreateScan(ctx context.Context, target *checks.Target, scanTimeout time.Duration) (*storage.Scan, error)
CreateScan persists a new Scan in StatusQueued, kicks off a goroutine that performs the work, and returns the freshly minted record. The caller is responsible for echoing the appropriate 202 / Location response to the HTTP client.
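An added example (not the package's own HTTP layer) of the caller's side of CreateScan and of mapping ErrNotFound at the API boundary. It keeps only an ID, status and target from storage.Scan, stands a constructed in-memory FakeManager behind a narrow interface whose GetScan accessor is hypothetical (the page documents only that an unknown id yields ErrNotFound), issues the 202 / Location pair the text describes, and answers an unknown id with a plain 404 while every other failure stays an opaque 500:

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// ErrNotFound mirrors the package's sentinel (assumption: same message).
var ErrNotFound = errors.New("scanner: scan not found")

// Scan is a reduced stand-in for storage.Scan.
type Scan struct{ ID, Status, Target string }

// scanManager is the narrow view of Manager this handler needs; GetScan is a
// hypothetical accessor (the page documents only the ErrNotFound contract).
type scanManager interface {
	CreateScan(ctx context.Context, target string) (*Scan, error)
	GetScan(ctx context.Context, id string) (*Scan, error)
}

// NewHandler wires the two routes; internal error text is never echoed and
// only the sentinel is translated into a client-visible status.
func NewHandler(m scanManager) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/scans", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		s, err := m.CreateScan(r.Context(), r.URL.Query().Get("target"))
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		// The documented caller duty: 202 plus a Location the client can poll.
		w.Header().Set("Location", "/api/v1/scans/"+s.ID)
		w.WriteHeader(http.StatusAccepted)
	})
	mux.HandleFunc("/api/v1/scans/", func(w http.ResponseWriter, r *http.Request) {
		s, err := m.GetScan(r.Context(), strings.TrimPrefix(r.URL.Path, "/api/v1/scans/"))
		switch {
		case errors.Is(err, ErrNotFound): // unknown id: a plain 404
			http.Error(w, "scan not found", http.StatusNotFound)
		case err != nil:
			http.Error(w, "internal error", http.StatusInternalServerError)
		default:
			fmt.Fprintf(w, "%s %s %s\n", s.ID, s.Status, s.Target)
		}
	})
	return mux
}

// FakeManager is a constructed in-memory Manager: sequential ids, every scan
// stays "queued", unknown ids yield ErrNotFound.
type FakeManager struct {
	mu    sync.Mutex
	n     int
	scans map[string]*Scan
}

func (f *FakeManager) CreateScan(_ context.Context, target string) (*Scan, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.n++
	s := &Scan{ID: fmt.Sprintf("scan-%d", f.n), Status: "queued", Target: target}
	f.scans[s.ID] = s
	return s, nil
}

func (f *FakeManager) GetScan(_ context.Context, id string) (*Scan, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if s, ok := f.scans[id]; ok {
		return s, nil
	}
	return nil, ErrNotFound
}

// Exercise drives the handler in-process: create status, issued Location,
// status of polling that Location, and status for an id never created.
func Exercise() (created int, location string, polled, missing int) {
	h := NewHandler(&FakeManager{scans: map[string]*Scan{}})
	do := func(method, path string) *httptest.ResponseRecorder {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
		return rec
	}
	create := do(http.MethodPost, "/api/v1/scans?target=example.com")
	location = create.Header().Get("Location")
	return create.Code, location, do(http.MethodGet, location).Code,
		do(http.MethodGet, "/api/v1/scans/never-created").Code
}

func main() { fmt.Println(Exercise()) }
```

The Location path follows the GET /api/v1/scans/{guid} route documented for Progress; the sentinel comparison uses errors.Is so wrapping the error further up the stack still maps to 404.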
type ManagerConfig
type ManagerConfig struct {
	MaxConcurrentScans         int
	MaxConcurrentChecksPerScan int
	PerCheckTimeout            time.Duration
	PerScanTimeout             time.Duration
	StorageTTL                 time.Duration
}
ManagerConfig holds the knobs that map onto the YAML scanner config.
type Progress
type Progress struct {
	Total        int    `json:"total"`
	Completed    int    `json:"completed"`
	CurrentPhase string `json:"current_phase,omitempty"`
}
Progress is the live counter pair surfaced via SSE and on GET /api/v1/scans/{guid}.
type Runner
type Runner struct {
	// contains filtered or unexported fields
}
Runner orchestrates a set of Checks against a single Target.
func NewRunner
func NewRunner(registry *checks.Registry, cfg RunnerConfig) *Runner
NewRunner returns a Runner that pulls checks from registry. registry must not be nil.
func (*Runner) Run
func (r *Runner) Run(
	ctx context.Context,
	target *checks.Target,
	sub Subscriber,
	globalSem *semaphore.Weighted,
) ([]checks.Finding, error)
Run executes all registered checks against target and streams events to sub. It returns the full slice of findings in completion order. The returned error is non-nil only on context cancellation; per-check failures are reported as Findings with Status=error.
globalSem, if non-nil, must be acquired (weight 1) before the scan can start — this is the process-wide concurrency cap.
type RunnerConfig
type RunnerConfig struct {
	// MaxConcurrent caps the number of checks running in parallel inside
	// a single scan. Defaults to 10.
	MaxConcurrent int
	// PerCheckTimeout is the wall-clock budget for any single check.
	// Defaults to 8s.
	PerCheckTimeout time.Duration
}
RunnerConfig parameterises Run. Zero values fall back to safe defaults matching SPECIFICATIONS.md §4.5.
type Subscriber
type Subscriber interface {
	Send(Event)
}
Subscriber receives events as the scan progresses. Send is best-effort: the runner never blocks on a slow subscriber; it drops events instead.
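An added, self-contained illustration (not the package's own code) of the Run contract described above and of the best-effort Subscriber: a process-wide cap acquired before the scan starts, a per-scan concurrency cap, a per-check timeout, per-check failures surfacing as findings with Status "error", cancellation as the only returned error, and a subscriber that counts and drops events rather than stalling the runner. It replaces *semaphore.Weighted with a buffered channel, models Finding, Event, Check and DemoChecks as constructed stand-ins, and requires both RunnerConfig fields to be set (the documented zero-value defaults are not applied here):

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Finding and Event are reduced stand-ins for checks.Finding and scanner.Event
// (assumption: only the fields this example needs are modelled).
type Finding struct{ CheckID, Status, Detail string } // Status: pass, fail, error
type Event struct{ Finding *Finding }
// Subscriber mirrors the documented interface: Send must never block Run.
type Subscriber interface{ Send(Event) }
// DroppingSubscriber buffers events and drops on overflow instead of blocking;
// Dropped is the counter an operator would export as a metric.
type DroppingSubscriber struct {
	C       chan Event
	Dropped atomic.Int64
}

func (s *DroppingSubscriber) Send(e Event) {
	select {
	case s.C <- e:
	default: // slow consumer: count and drop rather than stall the scan
		s.Dropped.Add(1)
	}
}

// Check is a hypothetical check; Fn gets a context bounded by PerCheckTimeout.
type Check struct {
	ID string
	Fn func(ctx context.Context) (Finding, error)
}
type RunnerConfig struct {
	MaxConcurrent   int // both fields must be set; documented defaults not applied
	PerCheckTimeout time.Duration
}

// Run: globalSem (a buffered channel standing in for *semaphore.Weighted) caps
// scans process-wide, MaxConcurrent caps checks in this scan, a failing check
// becomes a Finding with Status "error", and the error is non-nil only on cancellation.
func Run(ctx context.Context, checks []Check, sub Subscriber,
	globalSem chan struct{}, cfg RunnerConfig) ([]Finding, error) {
	if globalSem != nil { // take one slot (weight 1) before the scan starts
		globalSem <- struct{}{}
		defer func() { <-globalSem }()
	}
	local := make(chan struct{}, cfg.MaxConcurrent)
	var mu sync.Mutex
	var wg sync.WaitGroup
	var findings []Finding
	for _, c := range checks {
		if ctx.Err() != nil {
			break // stop launching once the scan is cancelled
		}
		local <- struct{}{}
		wg.Add(1)
		go func(c Check) {
			defer wg.Done()
			defer func() { <-local }()
			cctx, cancel := context.WithTimeout(ctx, cfg.PerCheckTimeout)
			defer cancel()
			f, err := c.Fn(cctx)
			if err != nil { // reported as a finding, never as Run's error
				f = Finding{CheckID: c.ID, Status: "error", Detail: err.Error()}
			}
			mu.Lock()
			findings = append(findings, f) // completion order
			mu.Unlock()
			sub.Send(Event{Finding: &f})
		}(c)
	}
	wg.Wait()
	return findings, ctx.Err()
}

// DemoChecks are constructed: a pass, a hard failure and a budget overrun.
var DemoChecks = []Check{
	{ID: "hsts", Fn: func(context.Context) (Finding, error) { return Finding{CheckID: "hsts", Status: "pass"}, nil }},
	{ID: "caa", Fn: func(context.Context) (Finding, error) { return Finding{}, errors.New("resolver unreachable") }},
	{ID: "legacy-probe", Fn: func(ctx context.Context) (Finding, error) {
		select {
		case <-time.After(time.Second):
			return Finding{CheckID: "legacy-probe", Status: "pass"}, nil
		case <-ctx.Done():
			return Finding{}, ctx.Err() // per-check deadline fired
		}
	}},
}

func main() {
	sub := &DroppingSubscriber{C: make(chan Event, 1)} // tiny buffer: drops expected
	fs, err := Run(context.Background(), DemoChecks, sub, make(chan struct{}, 2),
		RunnerConfig{MaxConcurrent: 2, PerCheckTimeout: 50 * time.Millisecond})
	fmt.Printf("%+v\ndropped=%d err=%v\n", fs, sub.Dropped.Load(), err)
}
```

With a one-event buffer and nobody draining it, three findings produce exactly two drops; the overrunning check is cut off by its own context at 50 ms and lands as an error finding with "context deadline exceeded" in Detail, while the run itself still returns a nil error. A real check must honour its context for the per-check budget to be effective, which is why the constructed slow check selects on ctx.Done().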
Directories

| Path | Synopsis |
|---|---|
| cookies | Package cookies implements the cookie-hardening family of checks. |
| dns | Package dns implements the DNS-hardening family of WebSec0 checks (DNSSEC presence, CAA, AAAA/IPv6, wildcard, dangling CNAME, NS diversity, TTL hygiene). |
| email | Package email implements the email-security family (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI). |
| headers | Package headers implements the HTTP-headers family of WebSec0 checks. |
| http | Package http implements the Web/Custom family of WebSec0 checks (HTTP/2-3, mixed content, dangerous methods, CORS, 404 hygiene, compression, robots.txt, change-password well-known, SRI). |
| safety | Package safety implements WebSec0's anti-SSRF defences: hostname / IP blocklists, DNS-rebinding-resistant resolution (pin-and-recheck), and a custom net.Dialer that re-validates every outbound connection at the syscall level. |
| tls | Package tls implements the TLS family of WebSec0 checks: modern handshake (TLS 1.2 and 1.3 via crypto/tls), certificate validation, HSTS, and the HTTP→HTTPS redirect probe. |
| probes | Package probes implements raw-socket TLS probes for legacy protocols. |
| wellknown | Package wellknown implements checks for files published under the /.well-known/ URI namespace (RFC 8615), starting with security.txt (RFC 9116). |