audit

package
v0.22.0
Published: Apr 2, 2026 License: MIT Imports: 4 Imported by: 0

Documentation

Overview

Package audit provides pre-push vulnerability and secret scanning. It uses Trivy for CVE/vulnerability scanning and Gitleaks for secret detection. Tools are run natively if available on the host; otherwise they fall back to an ephemeral container with the working directory mounted, so no user installation is required.

Index

Constants

This section is empty.

Variables

var ErrVMNotRunning = fmt.Errorf("podman VM is not running")

ErrVMNotRunning is returned when the container runtime is present but the underlying VM (podman machine) is not started.

var Gitleaks = Tool{
	Name:            "Gitleaks",
	BinaryName:      "gitleaks",
	Image:           "docker.io/zricethezav/gitleaks:latest",
	NetworkIsolated: true,
	BuildArgs: func(cwd, format string) []string {
		args := []string{"detect", "--source", cwd, "--no-git", "--exit-code", "1"}
		if format == "json" {
			args = append(args, "--report-format", "json", "--report-path", "/dev/stdout")
		}
		return args
	},
	ContainerArgs: func(cwd, format string) []string {
		args := []string{"detect", "--source", "/scan", "--no-git", "--exit-code", "1"}
		if format == "json" {
			args = append(args, "--report-format", "json", "--report-path", "/dev/stdout")
		}
		return args
	},
}

Gitleaks scans git history and the working tree for leaked secrets. NetworkIsolated is true because Gitleaks needs no network access: it is a pure local filesystem scan.

var Trivy = Tool{
	Name:            "Trivy",
	BinaryName:      "trivy",
	Image:           "ghcr.io/aquasecurity/trivy:latest",
	NetworkIsolated: false,
	BuildArgs: func(cwd, format string) []string {
		args := []string{"fs", "--exit-code", "1", "--no-progress"}
		if format == "json" {
			args = append(args, "--format", "json")
		} else {
			args = append(args, "--format", "table")
		}
		args = append(args, cwd)
		return args
	},
	ContainerArgs: func(cwd, format string) []string {
		args := []string{"fs", "--exit-code", "1", "--no-progress"}
		if format == "json" {
			args = append(args, "--format", "json")
		} else {
			args = append(args, "--format", "table")
		}
		args = append(args, "/scan")
		return args
	},
}

Trivy scans for CVEs in OS packages and language dependencies. NetworkIsolated is false because Trivy needs internet access to download and update its CVE database.

Functions

func InstallPrePushHook

func InstallPrePushHook(cwd string) error

InstallPrePushHook writes a git pre-push hook to .git/hooks/pre-push.

func Run

func Run(t Tool, cwd, runtime, format string) (string, bool, error)

Run executes the tool against the given directory, returning the tool's combined output, whether issues were found, and any error. Exit code 1 from the scanner is treated as "found issues".

Types

type Tool

type Tool struct {
	Name            string
	BinaryName      string                            // binary to look for in $PATH
	Image           string                            // fallback container image
	NetworkIsolated bool                              // true = run container with --network none
	BuildArgs       func(cwd, format string) []string // args for native execution
	ContainerArgs   func(cwd, format string) []string // args for container execution
}

Tool represents a single audit tool.

type ToolMode

type ToolMode int

ToolMode describes how an audit tool should be executed.

const (
	ModeNative    ToolMode = iota // Run the binary directly from $PATH
	ModeContainer                 // Run via podman/docker with cwd mounted read-only
)

func Detect

func Detect(t Tool) (ToolMode, string)

Detect returns the execution mode for a tool: native if the binary is in $PATH, container otherwise. It also returns which container runtime to use.
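The example below (added here, not part of the package) shows how the Tool fields above combine into a concrete command line for each ToolMode, and why NetworkIsolated matters: Gitleaks runs with --network none, Trivy keeps network access for its database. The exact container flags (read-only mount at /scan, --rm) are assumptions inferred from the field comments, not the package's verified invocation; the Gitleaks and Trivy values are reduced copies of the page's definitions.

```go
package main

import "fmt"

// ToolMode and Tool mirror the package's exported types shown above.
type ToolMode int

const (
	ModeNative ToolMode = iota
	ModeContainer
)

type Tool struct {
	Name, BinaryName, Image  string
	NetworkIsolated          bool
	BuildArgs, ContainerArgs func(cwd, format string) []string
}

// Gitleaks and Trivy follow the page's definitions, reduced to what this example needs
// (format is passed straight through; the page substitutes "table" for Trivy when it is not "json").
var Gitleaks = Tool{Name: "Gitleaks", BinaryName: "gitleaks", NetworkIsolated: true,
	Image:         "docker.io/zricethezav/gitleaks:latest",
	BuildArgs:     func(cwd, _ string) []string { return []string{"detect", "--source", cwd, "--no-git", "--exit-code", "1"} },
	ContainerArgs: func(_, _ string) []string { return []string{"detect", "--source", "/scan", "--no-git", "--exit-code", "1"} },
}
var Trivy = Tool{Name: "Trivy", BinaryName: "trivy", NetworkIsolated: false,
	Image:         "ghcr.io/aquasecurity/trivy:latest",
	BuildArgs:     func(cwd, f string) []string { return []string{"fs", "--exit-code", "1", "--no-progress", "--format", f, cwd} },
	ContainerArgs: func(_, f string) []string { return []string{"fs", "--exit-code", "1", "--no-progress", "--format", f, "/scan"} },
}

// CommandLine assembles the argv for a tool in a given mode. Assumption (inferred from the Tool
// field comments, not stated as the package's exact invocation): the container fallback mounts
// cwd at /scan read-only and adds --network none only when NetworkIsolated is set.
func CommandLine(t Tool, mode ToolMode, runtime, cwd, format string) []string {
	if mode == ModeNative {
		return append([]string{t.BinaryName}, t.BuildArgs(cwd, format)...)
	}
	argv := []string{runtime, "run", "--rm", "-v", cwd + ":/scan:ro"}
	if t.NetworkIsolated {
		argv = append(argv, "--network", "none") // Gitleaks: no network; Trivy keeps it for DB updates
	}
	argv = append(argv, t.Image)
	return append(argv, t.ContainerArgs(cwd, format)...)
}

func main() {
	fmt.Println(CommandLine(Gitleaks, ModeContainer, "podman", "/repo", "table"))
	fmt.Println(CommandLine(Trivy, ModeNative, "", "/repo", "json"))
}
```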
