policy

package
v0.1.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Index

Constants

View Source
const CurrentVersion = 2
View Source
const PolicyFileName = ".risk-guard.yml"

Variables

This section is empty.

Functions

func ComputeSpecificity

func ComputeSpecificity(path *SeverityPath) int

func CountWildcards

func CountWildcards(path *SeverityPath) int

func DefaultPolicyYAML

func DefaultPolicyYAML() string

func IsValidWorkflowMode added in v0.0.3

func IsValidWorkflowMode(s WorkflowMode) bool

IsValidWorkflowMode reports whether s names one of the three accepted modes. LoadFullFromBytes does not enforce this (the field is a typed alias of string, so YAML accepts any value); callers that need strict validation — the CLI, policy_loader — must check separately.

func MatchesPattern

func MatchesPattern(pattern, value string) bool

func ParseExpectedFailurePath

func ParseExpectedFailurePath(path string) error

func SetRootPolicy added in v0.0.3

func SetRootPolicy(ctx context.Context, p *CompiledPolicy, rawYAML string, overrides map[string][]PolicyOverride) context.Context

func SetWorkflowModeOverride added in v0.0.3

func SetWorkflowModeOverride(ctx context.Context, mode WorkflowMode) context.Context

func ToYAML

func ToYAML(p *CompiledPolicy) (string, error)

func ValidateOverrides added in v0.1.2

func ValidateOverrides(overrides map[string][]PolicyOverride, source string) error

ValidateOverrides checks an override table for valid keys, required fields, and precedence values. Exported so built-in override tables loaded outside the .risk-guard.yml path (e.g. the CLI's embedded known_overrides.yml) can enforce the same rules instead of bypassing validation.

func ValidatePattern

func ValidatePattern(pattern string) error

Types

type CheckCategoryMap

type CheckCategoryMap map[string][]category.RiskCategory

type CompiledPolicy

type CompiledPolicy struct {
	Rules            []SeverityRule
	ExpectedFailures map[string]ExpectedFailureV2
	ExpectedWarnings map[string]ExpectedFailureV2
	Workflow         *WorkflowConfig
}

CompiledPolicy is the internal indexed representation. API clients should use Policy.

func Compile

func Compile(p *Policy) (*CompiledPolicy, error)

func DefaultPolicy

func DefaultPolicy() *CompiledPolicy

func GetRootPolicy added in v0.0.3

func GetRootPolicy(ctx context.Context) (*CompiledPolicy, string, map[string][]PolicyOverride, bool)

GetRootPolicy returns the caller-supplied policy. ok=false means no override was set and policy_loader should use its existing on-disk logic (gated by input.Trusted).

func LoadFromBytes

func LoadFromBytes(data []byte, source string) (*CompiledPolicy, error)

func Resolve

func Resolve(policyOverride, repoPolicy, policyDefault *CompiledPolicy) *CompiledPolicy

func (*CompiledPolicy) Clone

func (p *CompiledPolicy) Clone() *CompiledPolicy

type DepthRange

type DepthRange struct {
	Min int
	Max int // -1 = infinity
}

func (*DepthRange) Contains

func (r *DepthRange) Contains(depth int) bool

type EvaluationContext

type EvaluationContext struct {
	SourcePath     string
	Ecosystem      string
	Depth          int
	Dev            bool
	CheckCode      string
	Categories     []category.RiskCategory
	EvaluationTime time.Time
}

type EvaluationResult

type EvaluationResult struct {
	Status       string            `json:"status"`
	Source       string            `json:"source"`
	WorkflowMode WorkflowMode      `json:"workflow_mode,omitempty"`
	Error        string            `json:"error,omitempty"`
	Policies     *PolicyBreakdown  `json:"policies"`
	Findings     []Finding         `json:"findings"`
	Summary      EvaluationSummary `json:"summary"`
}

func Evaluate

func Evaluate(
	override *Policy,
	storedPolicyJSON string,
	policyDefault *Policy,
	v *violations.ViolationsResult,
	source string,
	evaluationTime time.Time,
	categoryMap CheckCategoryMap,
) (*EvaluationResult, error)

func EvaluateCompiled

func EvaluateCompiled(
	policy *CompiledPolicy,
	v *violations.ViolationsResult,
	source string,
	evaluationTime time.Time,
	categoryMap CheckCategoryMap,
	rawYAML string,
) (*EvaluationResult, error)

func EvaluateWithContext

func EvaluateWithContext(
	ctx policyContext,
	v *violations.ViolationsResult,
	source string,
	evaluationTime time.Time,
	categoryMap CheckCategoryMap,
) (*EvaluationResult, error)

func NewFailedResult

func NewFailedResult(source string, policyError string) *EvaluationResult

type EvaluationSummary

type EvaluationSummary struct {
	TotalPackages     int `json:"total_packages"`
	UnblockedPackages int `json:"unblocked_packages"`
	// Deprecated: Use UnblockedPackages instead.
	ChecksPassed int `json:"checks_passed"`
	Blocking     int `json:"blocking"`
	Warning      int `json:"warning"`
	Acknowledged int `json:"acknowledged"`
	Expired      int `json:"expired"`
	Ignored      int `json:"ignored"`
}

type ExpectedFailureV2

type ExpectedFailureV2 struct {
	Checks     []string   `json:"checks,omitempty" jsonschema:"description=Check codes to acknowledge for this entity"`
	Reason     string     `json:"reason" jsonschema:"description=Why this violation is acceptable"`
	Expires    *time.Time `json:"expires,omitempty" jsonschema:"description=Expiration date for acknowledgment"`
	ApprovedBy string     `json:"approved_by,omitempty" jsonschema:"description=Who approved this exception"`
}

type Finding

type Finding struct {
	Kind           FindingKind          `json:"kind"`
	Package        string               `json:"package"`
	Check          string               `json:"check"`
	Categories     []string             `json:"categories,omitempty"`
	Rationale      string               `json:"rationale"`
	Evidence       []string             `json:"evidence,omitempty"`
	DependencyPath []string             `json:"dependency_path"`
	RootLocation   *models.LocationInfo `json:"root_loc,omitempty"`
	Dev            bool                 `json:"dev,omitempty"`
	Note           string               `json:"note,omitempty"`
	MatchedRule    string               `json:"matched_rule,omitempty"`
}

type FindingKind

type FindingKind string
const (
	FindingBlocking     FindingKind = "blocking"
	FindingWarning      FindingKind = "warning"
	FindingAcknowledged FindingKind = "acknowledged"
	FindingExpired      FindingKind = "expired"
	FindingIgnored      FindingKind = "ignored"
)

type LoadResult

type LoadResult struct {
	Policy    *CompiledPolicy
	Overrides map[string][]PolicyOverride
}

func LoadFullFromBytes

func LoadFullFromBytes(data []byte, source string) (*LoadResult, error)

type PathTarget

type PathTarget struct {
	IsCategory bool
	Name       string
}

type Policy

type Policy struct {
	Version          int                          `json:"version" jsonschema:"enum=2,description=Policy file version (must be 2)"`
	Workflow         *WorkflowConfig              `json:"workflow,omitempty" jsonschema:"description=Workflow behavior configuration"`
	Severity         map[string]SeverityValue     `` /* 388-byte string literal not displayed */
	ExpectedFailures map[string]ExpectedFailureV2 `` /* 344-byte string literal not displayed */
	ExpectedWarnings map[string]ExpectedFailureV2 `` /* 400-byte string literal not displayed */
	Overrides        map[string][]PolicyOverride  `` /* 187-byte string literal not displayed */
}

func ToPolicy

func ToPolicy(p *CompiledPolicy) *Policy

type PolicyBreakdown

type PolicyBreakdown struct {
	Strategy PolicyStrategy `json:"strategy"`
	Repo     *PolicySummary `json:"repo"`
	Default  *PolicySummary `json:"default"`
	Applied  *PolicySummary `json:"applied"`
}

type PolicyOverride

type PolicyOverride struct {
	Path   string `json:"path" jsonschema:"description=Dot-separated path to override (e.g. output.source_url)"`
	Value  any    `json:"value" jsonschema:"description=Value to set at the path"`
	Reason string `json:"reason" jsonschema:"description=E&O required: explanation for the override"`
	// Precedence controls when the override applies. "force" (the default when
	// empty) always sets the value — a deliberate correction. "fallback" sets the
	// value only when the field resolved no value from metadata, so it gap-fills
	// without clobbering a package's own declaration.
	Precedence string `` /* 163-byte string literal not displayed */
}

type PolicyStrategy

type PolicyStrategy string
const (
	PolicyStrategyMerged      PolicyStrategy = "merged"
	PolicyStrategyOverride    PolicyStrategy = "override"
	PolicyStrategyDefaultOnly PolicyStrategy = "default_only"
)

type PolicySummary

type PolicySummary struct {
	Version   int    `json:"version"`
	RuleCount int    `json:"rule_count"`
	RawYAML   string `json:"raw_yaml,omitempty"`
}

type Severity

type Severity string
const (
	SeverityBlocking Severity = "blocking"
	SeverityWarning  Severity = "warning"
	SeverityIgnore   Severity = "ignore"
)

func (Severity) Validate

func (s Severity) Validate() error

type SeverityPath

type SeverityPath struct {
	SourcePath *string
	Ecosystem  *string
	DepthRange *DepthRange
	Env        *bool
	Target     PathTarget
}

func ParseSeverityPath

func ParseSeverityPath(path string) (*SeverityPath, error)

type SeverityResult

type SeverityResult struct {
	Severity    Severity
	Note        string
	MatchedRule string
}

func (*SeverityResult) IsBlocking

func (s *SeverityResult) IsBlocking() bool

func (*SeverityResult) ShouldIgnore

func (s *SeverityResult) ShouldIgnore() bool

type SeverityRule

type SeverityRule struct {
	Path          SeverityPath
	Value         SeverityValue
	Specificity   int
	WildcardCount int
	IsOverlay     bool
	IsOverride    bool
}

func (*SeverityRule) Matches

func (r *SeverityRule) Matches(ctx EvaluationContext) bool

func (*SeverityRule) Resolve

func (r *SeverityRule) Resolve(evalTime time.Time) SeverityResult

type SeverityValue

type SeverityValue struct {
	Severity      Severity   `json:"severity" jsonschema:"enum=blocking,enum=warning,enum=ignore"`
	Reason        string     `json:"reason,omitempty"`
	BlockingAfter *time.Time `json:"blocking_after,omitempty" jsonschema:"description=Date after which severity escalates to blocking"`
}

func (*SeverityValue) UnmarshalJSON

func (v *SeverityValue) UnmarshalJSON(data []byte) error

type WorkflowConfig

type WorkflowConfig struct {
	Mode WorkflowMode `` /* 402-byte string literal not displayed */
}

type WorkflowMode

type WorkflowMode string
const (
	WorkflowModeActive   WorkflowMode = "active"
	WorkflowModeNoFail   WorkflowMode = "no-fail"
	WorkflowModeSilent   WorkflowMode = "silent"
	WorkflowModeDisabled WorkflowMode = "disabled"
)

func GetWorkflowModeOverride added in v0.0.3

func GetWorkflowModeOverride(ctx context.Context) (WorkflowMode, bool)

GetWorkflowModeOverride returns the override and whether one was set. An empty WorkflowMode return with ok=false means callers should fall back to the file-derived mode.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL