Documentation

Overview
Package audit provides pre-push vulnerability and secret scanning. It uses Trivy for CVE/vulnerability scanning and Gitleaks for secret detection. Each tool runs natively when its binary is found on $PATH; otherwise it runs in an ephemeral container with the working tree mounted at /scan, so no user installation is required.
Index

Constants
This section is empty.
Variables
var ErrVMNotRunning = fmt.Errorf("podman VM is not running")
ErrVMNotRunning is returned when the container runtime is present but the underlying VM (podman machine) is not started.
var Gitleaks = Tool{
	Name:            "Gitleaks",
	BinaryName:      "gitleaks",
	Image:           "docker.io/zricethezav/gitleaks:latest",
	NetworkIsolated: true,
	BuildArgs: func(cwd, format string) []string {
		args := []string{"detect", "--source", cwd, "--no-git", "--exit-code", "1"}
		if format == "json" {
			args = append(args, "--report-format", "json", "--report-path", "/dev/stdout")
		}
		return args
	},
	ContainerArgs: func(cwd, format string) []string {
		args := []string{"detect", "--source", "/scan", "--no-git", "--exit-code", "1"}
		if format == "json" {
			args = append(args, "--report-format", "json", "--report-path", "/dev/stdout")
		}
		return args
	},
}
Gitleaks scans the working tree for leaked secrets. Both argument builders pass --no-git, so the directory is scanned as plain files; git history (including the commits about to be pushed) is not examined. NetworkIsolated = true: Gitleaks needs no network access, it is a pure local filesystem scan.
var Trivy = Tool{
	Name:            "Trivy",
	BinaryName:      "trivy",
	Image:           "ghcr.io/aquasecurity/trivy:latest",
	NetworkIsolated: false,
	BuildArgs: func(cwd, format string) []string {
		args := []string{"fs", "--exit-code", "1", "--no-progress"}
		if format == "json" {
			args = append(args, "--format", "json")
		} else {
			args = append(args, "--format", "table")
		}
		ignorePath := cwd + "/.trivyignore"
		if _, err := os.Stat(ignorePath); err == nil {
			args = append(args, "--ignorefile", ignorePath)
		}
		args = append(args, cwd)
		return args
	},
	ContainerArgs: func(cwd, format string) []string {
		args := []string{"fs", "--exit-code", "1", "--no-progress"}
		if format == "json" {
			args = append(args, "--format", "json")
		} else {
			args = append(args, "--format", "table")
		}
		ignorePath := cwd + "/.trivyignore"
		if _, err := os.Stat(ignorePath); err == nil {
			args = append(args, "--ignorefile", "/scan/.trivyignore")
		}
		args = append(args, "/scan")
		return args
	},
}
Trivy scans for CVEs in OS packages and language dependencies. A .trivyignore file at the root of the working tree is honoured in both modes (in the container it is read from /scan/.trivyignore). NetworkIsolated = false: Trivy needs network access to download and update its vulnerability database, so its container is started with the runtime's default network rather than --network none.
Functions

func InstallPrePushHook

InstallPrePushHook writes a git pre-push hook to .git/hooks/pre-push. Hooks under .git/hooks are local to the clone and are not committed, so the installer has to be run in each checkout.
Types

type Tool
type Tool struct {
Name string
BinaryName string // binary to look for in $PATH
Image string // fallback container image
NetworkIsolated bool // true = run container with --network none
BuildArgs func(cwd, format string) []string // args for native execution
ContainerArgs func(cwd, format string) []string // args for container execution
}
Tool represents a single audit tool.
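How a Tool is dispatched (native binary on $PATH, else an ephemeral container with the working tree at /scan and --network none for NetworkIsolated tools), shown as an added example. This is not the package's own runner: the Tool struct and the Gitleaks definition are copied from this page, but the Argv function, the read-only bind mount, the --rm flag, and the use of "podman" as the runtime name are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
)

// Tool mirrors the audit.Tool struct documented on this page.
type Tool struct {
	Name            string
	BinaryName      string // binary to look for in $PATH
	Image           string // fallback container image
	NetworkIsolated bool   // true = run container with --network none
	BuildArgs       func(cwd, format string) []string
	ContainerArgs   func(cwd, format string) []string
}

// GitleaksExample is the page's Gitleaks definition, copied here so the
// example runs stand-alone.
var GitleaksExample = Tool{
	Name:            "Gitleaks",
	BinaryName:      "gitleaks",
	Image:           "docker.io/zricethezav/gitleaks:latest",
	NetworkIsolated: true,
	BuildArgs: func(cwd, format string) []string {
		args := []string{"detect", "--source", cwd, "--no-git", "--exit-code", "1"}
		if format == "json" {
			args = append(args, "--report-format", "json", "--report-path", "/dev/stdout")
		}
		return args
	},
	ContainerArgs: func(cwd, format string) []string {
		args := []string{"detect", "--source", "/scan", "--no-git", "--exit-code", "1"}
		if format == "json" {
			args = append(args, "--report-format", "json", "--report-path", "/dev/stdout")
		}
		return args
	},
}

// Argv builds the command line for one tool. lookPath is injected (normally
// exec.LookPath) so the native-vs-container decision can be exercised without
// the binaries installed. The container branch assumes a podman/docker-style
// CLI: the working tree is bind-mounted read-only at /scan (the path the
// page's ContainerArgs builders expect), the container is removed on exit
// (--rm), and NetworkIsolated tools get --network none. The runtime name and
// mount flags are this example's assumptions, not documented package behaviour.
func Argv(t Tool, runtime, cwd, format string, lookPath func(string) (string, error)) (argv []string, native bool) {
	if bin, err := lookPath(t.BinaryName); err == nil {
		return append([]string{bin}, t.BuildArgs(cwd, format)...), true
	}
	argv = []string{runtime, "run", "--rm", "-v", cwd + ":/scan:ro"}
	if t.NetworkIsolated {
		argv = append(argv, "--network", "none")
	}
	argv = append(argv, t.Image)
	return append(argv, t.ContainerArgs(cwd, format)...), false
}

func main() {
	argv, native := Argv(GitleaksExample, "podman", "/work/repo", "json", exec.LookPath)
	fmt.Printf("native=%v argv=%q\n", native, argv)
}
```

Because the host path is only used by BuildArgs and the container path is fixed at /scan, the same Tool value produces a correct command line in both modes; with the Trivy definition the only difference is that no --network none flag is emitted, since its database update needs the network.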