Documentation
¶
Index ¶
- Constants
- func ComputeSpecificity(path *SeverityPath) int
- func CountWildcards(path *SeverityPath) int
- func DefaultPolicyYAML() string
- func IsValidWorkflowMode(s WorkflowMode) bool
- func MatchesPattern(pattern, value string) bool
- func ParseExpectedFailurePath(path string) error
- func SetRootPolicy(ctx context.Context, p *CompiledPolicy, rawYAML string, ...) context.Context
- func SetWorkflowModeOverride(ctx context.Context, mode WorkflowMode) context.Context
- func ToYAML(p *CompiledPolicy) (string, error)
- func ValidateOverrides(overrides map[string][]PolicyOverride, source string) error
- func ValidatePattern(pattern string) error
- type CheckCategoryMap
- type CompiledPolicy
- func Compile(p *Policy) (*CompiledPolicy, error)
- func DefaultPolicy() *CompiledPolicy
- func GetRootPolicy(ctx context.Context) (*CompiledPolicy, string, map[string][]PolicyOverride, bool)
- func LoadFromBytes(data []byte, source string) (*CompiledPolicy, error)
- func Resolve(policyOverride, repoPolicy, policyDefault *CompiledPolicy) *CompiledPolicy
- type DepthRange
- type EvaluationContext
- type EvaluationResult
- func Evaluate(override *Policy, storedPolicyJSON string, policyDefault *Policy, ...) (*EvaluationResult, error)
- func EvaluateCompiled(policy *CompiledPolicy, v *violations.ViolationsResult, source string, ...) (*EvaluationResult, error)
- func EvaluateWithContext(ctx policyContext, v *violations.ViolationsResult, source string, ...) (*EvaluationResult, error)
- func NewFailedResult(source string, policyError string) *EvaluationResult
- type EvaluationSummary
- type ExpectedFailureV2
- type Finding
- type FindingKind
- type LoadResult
- type PathTarget
- type Policy
- type PolicyBreakdown
- type PolicyOverride
- type PolicyStrategy
- type PolicySummary
- type Severity
- type SeverityPath
- type SeverityResult
- type SeverityRule
- type SeverityValue
- type WorkflowConfig
- type WorkflowMode
Constants ¶
const CurrentVersion = 2
const PolicyFileName = ".risk-guard.yml"
Variables ¶
This section is empty.
Functions ¶
func ComputeSpecificity ¶
func ComputeSpecificity(path *SeverityPath) int
func CountWildcards ¶
func CountWildcards(path *SeverityPath) int
func DefaultPolicyYAML ¶
func DefaultPolicyYAML() string
func IsValidWorkflowMode ¶ added in v0.0.3
func IsValidWorkflowMode(s WorkflowMode) bool
IsValidWorkflowMode reports whether s names one of the three accepted modes. LoadFullFromBytes does not enforce this (the field is a typed alias of string, so YAML accepts any value); callers that need strict validation — the CLI, policy_loader — must check separately.
func MatchesPattern ¶
func SetRootPolicy ¶ added in v0.0.3
func SetRootPolicy(ctx context.Context, p *CompiledPolicy, rawYAML string, overrides map[string][]PolicyOverride) context.Context
func SetWorkflowModeOverride ¶ added in v0.0.3
func SetWorkflowModeOverride(ctx context.Context, mode WorkflowMode) context.Context
func ToYAML ¶
func ToYAML(p *CompiledPolicy) (string, error)
func ValidateOverrides ¶ added in v0.1.2
func ValidateOverrides(overrides map[string][]PolicyOverride, source string) error
ValidateOverrides checks an override table for valid keys, required fields, and precedence values. Exported so built-in override tables loaded outside the .risk-guard.yml path (e.g. the CLI's embedded known_overrides.yml) can enforce the same rules instead of bypassing validation.
func ValidatePattern ¶
Types ¶
type CheckCategoryMap ¶
type CheckCategoryMap map[string][]category.RiskCategory
type CompiledPolicy ¶
type CompiledPolicy struct {
Rules []SeverityRule
ExpectedFailures map[string]ExpectedFailureV2
ExpectedWarnings map[string]ExpectedFailureV2
Workflow *WorkflowConfig
}
CompiledPolicy is the internal indexed representation. API clients should use Policy.
func Compile ¶
func Compile(p *Policy) (*CompiledPolicy, error)
func DefaultPolicy ¶
func DefaultPolicy() *CompiledPolicy
func GetRootPolicy ¶ added in v0.0.3
func GetRootPolicy(ctx context.Context) (*CompiledPolicy, string, map[string][]PolicyOverride, bool)
GetRootPolicy returns the caller-supplied policy. ok=false means no override was set and policy_loader should use its existing on-disk logic (gated by input.Trusted).
func LoadFromBytes ¶
func LoadFromBytes(data []byte, source string) (*CompiledPolicy, error)
func Resolve ¶
func Resolve(policyOverride, repoPolicy, policyDefault *CompiledPolicy) *CompiledPolicy
func (*CompiledPolicy) Clone ¶
func (p *CompiledPolicy) Clone() *CompiledPolicy
type DepthRange ¶
func (*DepthRange) Contains ¶
func (r *DepthRange) Contains(depth int) bool
type EvaluationContext ¶
type EvaluationResult ¶
type EvaluationResult struct {
Status string `json:"status"`
Source string `json:"source"`
WorkflowMode WorkflowMode `json:"workflow_mode,omitempty"`
Error string `json:"error,omitempty"`
Policies *PolicyBreakdown `json:"policies"`
Findings []Finding `json:"findings"`
Summary EvaluationSummary `json:"summary"`
}
func Evaluate ¶
func Evaluate( override *Policy, storedPolicyJSON string, policyDefault *Policy, v *violations.ViolationsResult, source string, evaluationTime time.Time, categoryMap CheckCategoryMap, ) (*EvaluationResult, error)
func EvaluateCompiled ¶
func EvaluateCompiled( policy *CompiledPolicy, v *violations.ViolationsResult, source string, evaluationTime time.Time, categoryMap CheckCategoryMap, rawYAML string, ) (*EvaluationResult, error)
func EvaluateWithContext ¶
func EvaluateWithContext( ctx policyContext, v *violations.ViolationsResult, source string, evaluationTime time.Time, categoryMap CheckCategoryMap, ) (*EvaluationResult, error)
func NewFailedResult ¶
func NewFailedResult(source string, policyError string) *EvaluationResult
type EvaluationSummary ¶
type EvaluationSummary struct {
TotalPackages int `json:"total_packages"`
UnblockedPackages int `json:"unblocked_packages"`
// Deprecated: Use UnblockedPackages instead.
ChecksPassed int `json:"checks_passed"`
Blocking int `json:"blocking"`
Warning int `json:"warning"`
Acknowledged int `json:"acknowledged"`
Expired int `json:"expired"`
Ignored int `json:"ignored"`
}
type ExpectedFailureV2 ¶
type ExpectedFailureV2 struct {
Checks []string `json:"checks,omitempty" jsonschema:"description=Check codes to acknowledge for this entity"`
Reason string `json:"reason" jsonschema:"description=Why this violation is acceptable"`
Expires *time.Time `json:"expires,omitempty" jsonschema:"description=Expiration date for acknowledgment"`
ApprovedBy string `json:"approved_by,omitempty" jsonschema:"description=Who approved this exception"`
}
type Finding ¶
type Finding struct {
Kind FindingKind `json:"kind"`
Package string `json:"package"`
Check string `json:"check"`
Categories []string `json:"categories,omitempty"`
Rationale string `json:"rationale"`
Evidence []string `json:"evidence,omitempty"`
DependencyPath []string `json:"dependency_path"`
RootLocation *models.LocationInfo `json:"root_loc,omitempty"`
Dev bool `json:"dev,omitempty"`
Note string `json:"note,omitempty"`
MatchedRule string `json:"matched_rule,omitempty"`
}
type FindingKind ¶
type FindingKind string
const ( FindingBlocking FindingKind = "blocking" FindingWarning FindingKind = "warning" FindingAcknowledged FindingKind = "acknowledged" FindingExpired FindingKind = "expired" FindingIgnored FindingKind = "ignored" )
type LoadResult ¶
type LoadResult struct {
Policy *CompiledPolicy
Overrides map[string][]PolicyOverride
}
func LoadFullFromBytes ¶
func LoadFullFromBytes(data []byte, source string) (*LoadResult, error)
type PathTarget ¶
type Policy ¶
type Policy struct {
Version int `json:"version" jsonschema:"enum=2,description=Policy file version (must be 2)"`
Workflow *WorkflowConfig `json:"workflow,omitempty" jsonschema:"description=Workflow behavior configuration"`
Severity map[string]SeverityValue `` /* 388-byte string literal not displayed */
ExpectedFailures map[string]ExpectedFailureV2 `` /* 344-byte string literal not displayed */
ExpectedWarnings map[string]ExpectedFailureV2 `` /* 400-byte string literal not displayed */
Overrides map[string][]PolicyOverride `` /* 187-byte string literal not displayed */
}
func ToPolicy ¶
func ToPolicy(p *CompiledPolicy) *Policy
type PolicyBreakdown ¶
type PolicyBreakdown struct {
Strategy PolicyStrategy `json:"strategy"`
Repo *PolicySummary `json:"repo"`
Default *PolicySummary `json:"default"`
Applied *PolicySummary `json:"applied"`
}
type PolicyOverride ¶
type PolicyOverride struct {
Path string `json:"path" jsonschema:"description=Dot-separated path to override (e.g. output.source_url)"`
Value any `json:"value" jsonschema:"description=Value to set at the path"`
Reason string `json:"reason" jsonschema:"description=E&O required: explanation for the override"`
// Precedence controls when the override applies. "force" (the default when
// empty) always sets the value — a deliberate correction. "fallback" sets the
// value only when the field resolved no value from metadata, so it gap-fills
// without clobbering a package's own declaration.
Precedence string `` /* 163-byte string literal not displayed */
}
type PolicyStrategy ¶
type PolicyStrategy string
const ( PolicyStrategyMerged PolicyStrategy = "merged" PolicyStrategyOverride PolicyStrategy = "override" PolicyStrategyDefaultOnly PolicyStrategy = "default_only" )
type PolicySummary ¶
type SeverityPath ¶
type SeverityPath struct {
SourcePath *string
Ecosystem *string
DepthRange *DepthRange
Env *bool
Target PathTarget
}
func ParseSeverityPath ¶
func ParseSeverityPath(path string) (*SeverityPath, error)
type SeverityResult ¶
func (*SeverityResult) IsBlocking ¶
func (s *SeverityResult) IsBlocking() bool
func (*SeverityResult) ShouldIgnore ¶
func (s *SeverityResult) ShouldIgnore() bool
type SeverityRule ¶
type SeverityRule struct {
Path SeverityPath
Value SeverityValue
Specificity int
WildcardCount int
IsOverlay bool
IsOverride bool
}
func (*SeverityRule) Matches ¶
func (r *SeverityRule) Matches(ctx EvaluationContext) bool
func (*SeverityRule) Resolve ¶
func (r *SeverityRule) Resolve(evalTime time.Time) SeverityResult
type SeverityValue ¶
type SeverityValue struct {
Severity Severity `json:"severity" jsonschema:"enum=blocking,enum=warning,enum=ignore"`
Reason string `json:"reason,omitempty"`
BlockingAfter *time.Time `json:"blocking_after,omitempty" jsonschema:"description=Date after which severity escalates to blocking"`
}
func (*SeverityValue) UnmarshalJSON ¶
func (v *SeverityValue) UnmarshalJSON(data []byte) error
type WorkflowConfig ¶
type WorkflowConfig struct {
Mode WorkflowMode `` /* 402-byte string literal not displayed */
}
type WorkflowMode ¶
type WorkflowMode string
const ( WorkflowModeActive WorkflowMode = "active" WorkflowModeNoFail WorkflowMode = "no-fail" WorkflowModeSilent WorkflowMode = "silent" WorkflowModeDisabled WorkflowMode = "disabled" )
func GetWorkflowModeOverride ¶ added in v0.0.3
func GetWorkflowModeOverride(ctx context.Context) (WorkflowMode, bool)
GetWorkflowModeOverride returns the override and whether one was set. An empty WorkflowMode return with ok=false means callers should fall back to the file-derived mode.