Package security is a generated GoMock package.
// MaxFindingsForLookup is the default max findings when looking up a specific finding by ID.
// It is an upper bound on how many findings a by-ID lookup will request from the
// source service; see also QueryOptions.MaxFindings.
const MaxFindingsForLookup = 500
func NewFindingsCache ¶
func NewFindingsCache(opts ...FindingsCacheOption) *findingsCache
NewFindingsCache creates a new findings cache with the given options.
type AWSSecurityTagMapping ¶
// AWSSecurityTagMapping is re-exported from schema for use in reports.
// It is a type alias (not a new type), so values are interchangeable with
// schema.AWSSecurityTagMapping; Report.TagMapping carries it for display only.
type AWSSecurityTagMapping = schema.AWSSecurityTagMapping
type ArtifactLocation ¶
// ArtifactLocation is a URI reference for a file in the repository.
// It follows the SARIF artifactLocation object shape (camelCase JSON keys).
type ArtifactLocation struct {
	// URI is the artifact location; when URIBaseID is set it is resolved relative to that base.
	URI string `json:"uri,omitempty"`
	// URIBaseID names a key in Run.OriginalURIBaseIDs that supplies the base for URI.
	URIBaseID string `json:"uriBaseId,omitempty"`
}
type CVSSScore ¶
// CVSSScore captures source CVSS score details.
// All fields are optional and are preserved as reported by the upstream service.
type CVSSScore struct {
	// BaseScore is the numeric CVSS base score as reported by the source.
	BaseScore float64 `json:"base_score,omitempty" yaml:"base_score,omitempty"`
	// Vector is the CVSS vector string (format depends on Version).
	Vector string `json:"vector,omitempty" yaml:"vector,omitempty"`
	// Source identifies who produced the score (e.g. the vendor or NVD) — value set is not defined here.
	Source string `json:"source,omitempty" yaml:"source,omitempty"`
	// Version is the CVSS specification version the score was computed under.
	Version string `json:"version,omitempty" yaml:"version,omitempty"`
}
type CodeChange ¶
// CodeChange represents a specific code change in a Terraform file.
// It is part of the AI-generated Remediation output (see Remediation.CodeChanges):
// a proposed edit expressed as before/after text, not an applied patch.
type CodeChange struct {
	// FilePath is the file the change targets. NOTE(review): this value originates from
	// an AI provider; confirm callers validate it against the component path before using it.
	FilePath string `json:"file_path" yaml:"file_path"`
	// Line is the starting line of the change; zero/omitted when not known.
	Line int `json:"line,omitempty" yaml:"line,omitempty"`
	// Before is the original text the change replaces.
	Before string `json:"before" yaml:"before"`
	// After is the proposed replacement text.
	After string `json:"after" yaml:"after"`
}
type ComplianceControl ¶
// ComplianceControl represents a single compliance control and its status.
// Instances appear in ComplianceReport.FailingDetails, so in practice they describe failing controls.
type ComplianceControl struct {
	// ControlID is the framework's identifier for the control (e.g. Security Hub control IDs such as "EC2.18").
	ControlID string `json:"control_id" yaml:"control_id"`
	// Title is the human-readable control title.
	Title string `json:"title" yaml:"title"`
	// Severity is the normalized severity assigned to the control.
	Severity Severity `json:"severity" yaml:"severity"`
	// Component and Stack are the Atmos component/stack the control was mapped to, when known.
	Component string `json:"component,omitempty" yaml:"component,omitempty"`
	Stack string `json:"stack,omitempty" yaml:"stack,omitempty"`
	// Remediation is the AI-generated remediation, if analysis was run.
	Remediation *Remediation `json:"remediation,omitempty" yaml:"remediation,omitempty"`
}
type ComplianceReport ¶
// ComplianceReport represents a compliance posture report for a specific framework.
// It is produced by FindingFetcher.FetchComplianceStatus and rendered by ReportRenderer.RenderComplianceReport.
type ComplianceReport struct {
	// GeneratedAt is when the report was built.
	GeneratedAt time.Time `json:"generated_at" yaml:"generated_at"`
	// Stack restricts the report to one Atmos stack; empty means all stacks.
	Stack string `json:"stack,omitempty" yaml:"stack,omitempty"`
	// Framework is the framework identifier queried; FrameworkTitle is its display name.
	Framework string `json:"framework" yaml:"framework"`
	FrameworkTitle string `json:"framework_title" yaml:"framework_title"`
	// TotalControls, PassingControls and FailingControls are counts over the evaluated controls.
	TotalControls int `json:"total_controls" yaml:"total_controls"`
	PassingControls int `json:"passing_controls" yaml:"passing_controls"`
	FailingControls int `json:"failing_controls" yaml:"failing_controls"`
	// ScorePercent is the compliance score; presumably passing/total*100 — verify against the fetcher.
	ScorePercent float64 `json:"score_percent" yaml:"score_percent"`
	// FailingDetails lists the failing controls (no omitempty: an empty list is emitted as []).
	FailingDetails []ComplianceControl `json:"failing_details" yaml:"failing_details"`
}
type ComplianceStandard ¶
// ComplianceStandard captures a source framework/control reference.
// Findings may reference several standards (see Finding.ComplianceStandards).
type ComplianceStandard struct {
	// ID is the source's identifier for the standard.
	ID string `json:"id,omitempty" yaml:"id,omitempty"`
	// Name is the display name of the standard.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Version is the standard's version, when the source reports one.
	Version string `json:"version,omitempty" yaml:"version,omitempty"`
}
type ComponentMapper ¶
// ComponentMapper maps AWS resources from security findings to Atmos components and stacks.
// Implementations are created with NewComponentMapper; the resulting ComponentMapping
// records which strategy matched via its Method and Confidence fields.
type ComponentMapper interface {
	// MapFinding attempts to map a finding's resource to an Atmos component/stack.
	// It tries Path A (tag-based) first, then falls back to Path B (heuristic pipeline).
	// The returned mapping may be unmapped (Mapped == false) rather than an error when nothing matches.
	MapFinding(ctx context.Context, finding *Finding) (*ComponentMapping, error)
	// MapFindings maps multiple findings in batch, optimizing for shared lookups.
	// It returns the findings with their Mapping field populated.
	MapFindings(ctx context.Context, findings []Finding) ([]Finding, error)
}
func NewComponentMapper ¶
func NewComponentMapper(atmosConfig *schema.AtmosConfiguration, authCtx *schema.AWSAuthContext) ComponentMapper
NewComponentMapper creates a ComponentMapper that uses both tag-based and heuristic strategies. If authCtx is non-nil, AWS clients will use Atmos Auth credentials.
type ComponentMapping ¶
// ComponentMapping represents the resolved mapping from a finding to an Atmos component/stack.
// It is produced by ComponentMapper and attached to Finding.Mapping.
type ComponentMapping struct {
	// Stack and Component identify the Atmos stack/component the resource belongs to.
	Stack string `json:"stack" yaml:"stack"`
	Component string `json:"component" yaml:"component"`
	// ComponentPath is the filesystem path of the component's code.
	ComponentPath string `json:"component_path" yaml:"component_path"`
	// Workspace is the Terraform workspace, when known.
	Workspace string `json:"workspace,omitempty" yaml:"workspace,omitempty"`
	// Mapped reports whether a mapping was found; when false the other fields are not meaningful.
	Mapped bool `json:"mapped" yaml:"mapped"`
	// Confidence grades the match (see the MappingConfidence constants, which correspond to Method).
	Confidence MappingConfidence `json:"confidence" yaml:"confidence"`
	Method string `json:"method" yaml:"method"` // How the mapping was determined (e.g., "tag", "state", "naming", "ai").
}
type Driver ¶
// Driver is the primary analysis tool.
// It follows the SARIF toolComponent shape and is embedded in Tool within a Run.
type Driver struct {
	// Name is the tool name (required by SARIF).
	Name string `json:"name"`
	// Version and SemanticVersion describe the tool release.
	Version string `json:"version,omitempty"`
	SemanticVersion string `json:"semanticVersion,omitempty"`
	// InformationURI links to documentation for the tool.
	InformationURI string `json:"informationUri,omitempty"`
	// Rules lists the rule descriptors that Result.RuleID / RuleIndex refer to.
	Rules []Rule `json:"rules,omitempty"`
}
type Finding ¶
// Finding represents a normalized security finding from any AWS security service.
// The Source* fields preserve raw values from the upstream feed; Mapping and Remediation
// are filled in later by ComponentMapper and FindingAnalyzer respectively.
type Finding struct {
	// ID is the source-assigned finding identifier (see MaxFindingsForLookup for by-ID lookups).
	ID string `json:"id" yaml:"id"`
	// Title and Description are taken from the source finding. NOTE(review): they are
	// externally supplied text; renderers should escape them for the target format.
	Title string `json:"title" yaml:"title"`
	Description string `json:"description" yaml:"description"`
	// Severity is the normalized severity; SourceSeverity keeps the raw source score/label.
	Severity Severity `json:"severity" yaml:"severity"`
	// Source is the AWS service that produced the finding.
	Source Source `json:"source" yaml:"source"`
	SourceSeverity *SourceSeverity `json:"source_severity,omitempty" yaml:"source_severity,omitempty"`
	// SourceLifecycle, SourceTimestamps and SourceRemediation preserve raw source state.
	SourceLifecycle *SourceLifecycle `json:"source_lifecycle,omitempty" yaml:"source_lifecycle,omitempty"`
	SourceTimestamps *SourceTimestamps `json:"source_timestamps,omitempty" yaml:"source_timestamps,omitempty"`
	SourceRemediation *SourceRemediation `json:"source_remediation,omitempty" yaml:"source_remediation,omitempty"`
	// SourceURL is a link back to the finding in the source service's console.
	SourceURL string `json:"source_url,omitempty" yaml:"source_url,omitempty"`
	// ComplianceStandard is the primary standard; ComplianceStandards lists all referenced standards.
	ComplianceStandard string `json:"compliance_standard,omitempty" yaml:"compliance_standard,omitempty"`
	ComplianceStandards []ComplianceStandard `json:"compliance_standards,omitempty" yaml:"compliance_standards,omitempty"`
	SecurityControlID string `json:"security_control_id,omitempty" yaml:"security_control_id,omitempty"` // Per-control ID (e.g., "EC2.18") for compliance deduplication.
	// ResourceARN and ResourceType identify the affected AWS resource.
	ResourceARN string `json:"resource_arn" yaml:"resource_arn"`
	ResourceType string `json:"resource_type" yaml:"resource_type"`
	ResourceTags map[string]string `json:"resource_tags,omitempty" yaml:"resource_tags,omitempty"` // Tags from the Security Hub finding (no extra API call needed).
	// AccountID and Region locate the resource; CreatedAt/UpdatedAt are the finding's own timestamps.
	AccountID string `json:"account_id" yaml:"account_id"`
	Region string `json:"region" yaml:"region"`
	CreatedAt time.Time `json:"created_at" yaml:"created_at"`
	UpdatedAt time.Time `json:"updated_at" yaml:"updated_at"`
	// Vulnerability holds package/CVE detail for vulnerability findings (nil otherwise).
	Vulnerability *VulnerabilityDetails `json:"vulnerability,omitempty" yaml:"vulnerability,omitempty"`
	// Mapping is the resolved Atmos component/stack, set by ComponentMapper.
	Mapping *ComponentMapping `json:"mapping,omitempty" yaml:"mapping,omitempty"`
	// Remediation is the AI-generated remediation, set by FindingAnalyzer.
	Remediation *Remediation `json:"remediation,omitempty" yaml:"remediation,omitempty"`
}
type FindingAnalyzer ¶
// FindingAnalyzer provides AI-powered analysis of security findings.
// Implementations are created with NewFindingAnalyzer and populate Finding.Remediation.
// The output is model-generated guidance and should be reviewed by an operator before being acted on.
type FindingAnalyzer interface {
	// AnalyzeFinding analyzes a single finding with component context.
	// componentSource and stackConfig are the component's code and stack configuration
	// passed to the provider as context.
	AnalyzeFinding(ctx context.Context, finding *Finding, componentSource string, stackConfig string) (*Remediation, error)
	// AnalyzeFindings analyzes multiple findings in batch, grouping by component.
	// It returns the findings with their Remediation field populated.
	AnalyzeFindings(ctx context.Context, findings []Finding) ([]Finding, error)
}
func NewFindingAnalyzer ¶
func NewFindingAnalyzer(ctx context.Context, atmosConfig *schema.AtmosConfiguration, toolRegistry *tools.Registry, toolExecutor *tools.Executor) (FindingAnalyzer, error)
NewFindingAnalyzer creates a FindingAnalyzer backed by the configured AI provider. If toolRegistry and toolExecutor are provided, API providers use multi-turn tool analysis. CLI providers always fall back to single-prompt mode with pre-fetched context.
type FindingFetcher ¶
// FindingFetcher retrieves security findings from AWS security services.
// Implementations are created with NewFindingFetcher based on the configured sources.
type FindingFetcher interface {
	// FetchFindings retrieves findings matching the given options.
	// opts.MaxFindings bounds the result size; see QueryOptions.
	FetchFindings(ctx context.Context, opts *QueryOptions) ([]Finding, error)
	// FetchComplianceStatus retrieves compliance status for a specific framework.
	// stack may be empty to cover all stacks.
	FetchComplianceStatus(ctx context.Context, framework string, stack string) (*ComplianceReport, error)
}
func NewFindingFetcher ¶
func NewFindingFetcher(atmosConfig *schema.AtmosConfiguration, authCtx *schema.AWSAuthContext) FindingFetcher
NewFindingFetcher creates a FindingFetcher based on the configured security sources. If authCtx is non-nil, AWS clients will use Atmos Auth credentials.
type FindingsCacheOption ¶
// FindingsCacheOption is a functional option for configuring the findings cache.
// Options are applied by NewFindingsCache; see WithCacheTTL.
type FindingsCacheOption func(*findingsCache)
func WithCacheTTL ¶
func WithCacheTTL(ttl time.Duration) FindingsCacheOption
WithCacheTTL sets a custom TTL for cache entries.
type Inspector2API ¶
// Inspector2API defines the subset of Amazon Inspector2 API used by this package.
// Keeping the interface minimal lets tests substitute MockInspector2API.
type Inspector2API interface {
	// ListFindings mirrors the AWS SDK inspector2 client method of the same name.
	ListFindings(ctx context.Context, params *inspector2.ListFindingsInput, optFns ...func(*inspector2.Options)) (*inspector2.ListFindingsOutput, error)
}
type Invocation ¶
// Invocation records how the CLI was executed for audit evidence.
// It follows the SARIF invocation object; ReportInvocation is the internal source it is built from.
type Invocation struct {
	// CommandLine and Arguments are recorded verbatim for the audit trail.
	// NOTE(review): confirm callers do not pass secrets on the command line, as they would be persisted here.
	CommandLine string `json:"commandLine,omitempty"`
	Arguments []string `json:"arguments,omitempty"`
	// StartTimeUTC and EndTimeUTC are formatted timestamps (SARIF expects UTC).
	StartTimeUTC string `json:"startTimeUtc,omitempty"`
	EndTimeUTC string `json:"endTimeUtc,omitempty"`
	// ExitCode and ExitCodeDescription report how the run ended; ExitCode is always emitted.
	ExitCode int `json:"exitCode"`
	ExitCodeDescription string `json:"exitCodeDescription,omitempty"`
	// WorkingDirectory is where the tool ran.
	WorkingDirectory *ArtifactLocation `json:"workingDirectory,omitempty"`
	// ExecutionSuccessful is always emitted so consumers can distinguish false from absent.
	ExecutionSuccessful bool `json:"executionSuccessful"`
	// Properties carries free-form extension data.
	Properties map[string]any `json:"properties,omitempty"`
}
type Location ¶
// Location identifies where a result occurred.
// It follows the SARIF location object: a file position and/or logical names.
type Location struct {
	// PhysicalLocation points at a file and optional line range.
	PhysicalLocation *PhysicalLocation `json:"physicalLocation,omitempty"`
	// LogicalLocations name non-file entities such as an AWS resource ARN.
	LogicalLocations []LogicalLocation `json:"logicalLocations,omitempty"`
	// Message is an optional location-specific message.
	Message *MultiformatText `json:"message,omitempty"`
}
type LogicalLocation ¶
// LogicalLocation references a non-file entity (e.g., an AWS resource ARN).
type LogicalLocation struct {
	// Name is the short name; FullyQualifiedName is the complete identifier (e.g. the ARN).
	Name string `json:"name,omitempty"`
	FullyQualifiedName string `json:"fullyQualifiedName,omitempty"`
	// Kind classifies the entity; the value set used here is not defined in this file.
	Kind string `json:"kind,omitempty"`
}
type MappingConfidence ¶
// MappingConfidence represents how confident the finding-to-code mapping is.
// Each level corresponds to the strategy that produced the match (see ComponentMapping.Method).
type MappingConfidence string

// Confidence levels, strongest first.
const (
	// ConfidenceExact: the resource carried Atmos tags (Path A).
	ConfidenceExact MappingConfidence = "exact"
	// ConfidenceHigh: matched against Terraform state.
	ConfidenceHigh MappingConfidence = "high"
	// ConfidenceMedium: matched by naming convention.
	ConfidenceMedium MappingConfidence = "medium"
	// ConfidenceLow: inferred from resource type plus AI.
	ConfidenceLow MappingConfidence = "low"
	// ConfidenceNone: nothing matched.
	ConfidenceNone MappingConfidence = "none"
)
type MockInspector2API ¶
type MockInspector2API struct {
// contains filtered or unexported fields
}
MockInspector2API is a mock of Inspector2API interface.
func NewMockInspector2API ¶
func NewMockInspector2API(ctrl *gomock.Controller) *MockInspector2API
NewMockInspector2API creates a new mock instance.
func (*MockInspector2API) EXPECT ¶
func (m *MockInspector2API) EXPECT() *MockInspector2APIMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockInspector2API) ListFindings ¶
func (m *MockInspector2API) ListFindings(ctx context.Context, params *inspector2.ListFindingsInput, optFns ...func(*inspector2.Options)) (*inspector2.ListFindingsOutput, error)
ListFindings mocks base method.
type MockInspector2APIMockRecorder ¶
type MockInspector2APIMockRecorder struct {
// contains filtered or unexported fields
}
MockInspector2APIMockRecorder is the mock recorder for MockInspector2API.
func (*MockInspector2APIMockRecorder) ListFindings ¶
func (mr *MockInspector2APIMockRecorder) ListFindings(ctx, params any, optFns ...any) *gomock.Call
ListFindings indicates an expected call of ListFindings.
type MockOrganizationsAPI ¶
type MockOrganizationsAPI struct {
// contains filtered or unexported fields
}
MockOrganizationsAPI is a mock of OrganizationsAPI interface.
func NewMockOrganizationsAPI ¶
func NewMockOrganizationsAPI(ctrl *gomock.Controller) *MockOrganizationsAPI
NewMockOrganizationsAPI creates a new mock instance.
func (*MockOrganizationsAPI) DescribeAccount ¶
func (m *MockOrganizationsAPI) DescribeAccount(ctx context.Context, params *organizations.DescribeAccountInput, optFns ...func(*organizations.Options)) (*organizations.DescribeAccountOutput, error)
DescribeAccount mocks base method.
func (*MockOrganizationsAPI) EXPECT ¶
func (m *MockOrganizationsAPI) EXPECT() *MockOrganizationsAPIMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
type MockOrganizationsAPIMockRecorder ¶
type MockOrganizationsAPIMockRecorder struct {
// contains filtered or unexported fields
}
MockOrganizationsAPIMockRecorder is the mock recorder for MockOrganizationsAPI.
func (*MockOrganizationsAPIMockRecorder) DescribeAccount ¶
func (mr *MockOrganizationsAPIMockRecorder) DescribeAccount(ctx, params any, optFns ...any) *gomock.Call
DescribeAccount indicates an expected call of DescribeAccount.
type MockSecurityHubAPI ¶
type MockSecurityHubAPI struct {
// contains filtered or unexported fields
}
MockSecurityHubAPI is a mock of SecurityHubAPI interface.
func NewMockSecurityHubAPI ¶
func NewMockSecurityHubAPI(ctrl *gomock.Controller) *MockSecurityHubAPI
NewMockSecurityHubAPI creates a new mock instance.
func (*MockSecurityHubAPI) EXPECT ¶
func (m *MockSecurityHubAPI) EXPECT() *MockSecurityHubAPIMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockSecurityHubAPI) GetEnabledStandards ¶
func (m *MockSecurityHubAPI) GetEnabledStandards(ctx context.Context, params *securityhub.GetEnabledStandardsInput, optFns ...func(*securityhub.Options)) (*securityhub.GetEnabledStandardsOutput, error)
GetEnabledStandards mocks base method.
func (*MockSecurityHubAPI) GetFindings ¶
func (m *MockSecurityHubAPI) GetFindings(ctx context.Context, params *securityhub.GetFindingsInput, optFns ...func(*securityhub.Options)) (*securityhub.GetFindingsOutput, error)
GetFindings mocks base method.
func (*MockSecurityHubAPI) ListSecurityControlDefinitions ¶
func (m *MockSecurityHubAPI) ListSecurityControlDefinitions(ctx context.Context, params *securityhub.ListSecurityControlDefinitionsInput, optFns ...func(*securityhub.Options)) (*securityhub.ListSecurityControlDefinitionsOutput, error)
ListSecurityControlDefinitions mocks base method.
type MockSecurityHubAPIMockRecorder ¶
type MockSecurityHubAPIMockRecorder struct {
// contains filtered or unexported fields
}
MockSecurityHubAPIMockRecorder is the mock recorder for MockSecurityHubAPI.
func (*MockSecurityHubAPIMockRecorder) GetEnabledStandards ¶
func (mr *MockSecurityHubAPIMockRecorder) GetEnabledStandards(ctx, params any, optFns ...any) *gomock.Call
GetEnabledStandards indicates an expected call of GetEnabledStandards.
func (*MockSecurityHubAPIMockRecorder) GetFindings ¶
func (mr *MockSecurityHubAPIMockRecorder) GetFindings(ctx, params any, optFns ...any) *gomock.Call
GetFindings indicates an expected call of GetFindings.
func (*MockSecurityHubAPIMockRecorder) ListSecurityControlDefinitions ¶
func (mr *MockSecurityHubAPIMockRecorder) ListSecurityControlDefinitions(ctx, params any, optFns ...any) *gomock.Call
ListSecurityControlDefinitions indicates an expected call of ListSecurityControlDefinitions.
type MockTaggingAPI ¶
type MockTaggingAPI struct {
// contains filtered or unexported fields
}
MockTaggingAPI is a mock of TaggingAPI interface.
func NewMockTaggingAPI ¶
func NewMockTaggingAPI(ctrl *gomock.Controller) *MockTaggingAPI
NewMockTaggingAPI creates a new mock instance.
func (*MockTaggingAPI) EXPECT ¶
func (m *MockTaggingAPI) EXPECT() *MockTaggingAPIMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockTaggingAPI) GetResources ¶
func (m *MockTaggingAPI) GetResources(ctx context.Context, params *resourcegroupstaggingapi.GetResourcesInput, optFns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)
GetResources mocks base method.
type MockTaggingAPIMockRecorder ¶
type MockTaggingAPIMockRecorder struct {
// contains filtered or unexported fields
}
MockTaggingAPIMockRecorder is the mock recorder for MockTaggingAPI.
func (*MockTaggingAPIMockRecorder) GetResources ¶
func (mr *MockTaggingAPIMockRecorder) GetResources(ctx, params any, optFns ...any) *gomock.Call
GetResources indicates an expected call of GetResources.
type MultiformatText ¶
// MultiformatText is a SARIF message/description container.
// Text is the plain form; Markdown is an optional rich rendering of the same content.
type MultiformatText struct {
	// Text is the plain-text form of the message.
	Text string `json:"text,omitempty"`
	// Markdown is the optional Markdown form. NOTE(review): finding text comes from
	// external services; confirm it is escaped before being placed here.
	Markdown string `json:"markdown,omitempty"`
}
type OCSFAccount ¶
OCSFAccount identifies a cloud account.
type OCSFAffectedPackage ¶
// OCSFAffectedPackage describes a vulnerable software package.
// It mirrors the OCSF affected_package object used under OCSFVuln.AffectedPackages.
type OCSFAffectedPackage struct {
	// Name and Version identify the installed package (both always emitted).
	Name string `json:"name"`
	Version string `json:"version"`
	// FixedInVersion is the first version that resolves the vulnerability, when known.
	FixedInVersion string `json:"fixed_in_version,omitempty"`
	// PackageManager and Path describe where the package was found.
	PackageManager string `json:"package_manager,omitempty"`
	Path string `json:"path,omitempty"`
	// Remediation is package-level guidance from the source.
	Remediation string `json:"remediation,omitempty"`
}
type OCSFCVE ¶
// OCSFCVE captures CVE detail including CVSS scores and EPSS probability.
// It mirrors the OCSF cve object referenced from OCSFVuln.CVE.
type OCSFCVE struct {
	// UID is the CVE identifier (always emitted).
	UID string `json:"uid"`
	// Desc and Title are the source's description and title for the CVE.
	Desc string `json:"desc,omitempty"`
	Title string `json:"title,omitempty"`
	// CWEUID is the associated CWE identifier, when known.
	CWEUID string `json:"cwe_uid,omitempty"`
	// CVSS lists one entry per CVSS version/score reported.
	CVSS []OCSFCVSS `json:"cvss,omitempty"`
	// EPSS is the exploit-prediction score, when available.
	EPSS *OCSFEPSS `json:"epss,omitempty"`
	// References are advisory URLs.
	References []string `json:"references,omitempty"`
}
type OCSFCVSS ¶
// OCSFCVSS is a single CVSS score.
// Unlike CVSSScore (the normalized Finding form), base_score and version are always emitted.
type OCSFCVSS struct {
	// BaseScore is the numeric base score.
	BaseScore float64 `json:"base_score"`
	// Version is the CVSS specification version.
	Version string `json:"version"`
	// VectorString is the CVSS vector, when present.
	VectorString string `json:"vector_string,omitempty"`
}
type OCSFCWE ¶
// OCSFCWE captures a CWE classification.
// It is used when a finding has no CVE (see OCSFVuln).
type OCSFCWE struct {
	// UID is the CWE identifier (always emitted).
	UID string `json:"uid"`
	// Caption is the CWE's short name.
	Caption string `json:"caption,omitempty"`
	// SrcURL links to the CWE entry.
	SrcURL string `json:"src_url,omitempty"`
}
type OCSFCloud ¶
// OCSFCloud describes the cloud environment the finding originated in.
type OCSFCloud struct {
	// Provider is the cloud provider name (always emitted).
	Provider string `json:"provider"`
	// Region is the AWS region of the resource.
	Region string `json:"region,omitempty"`
	// Account identifies the owning account.
	Account *OCSFAccount `json:"account,omitempty"`
}
type OCSFEPSS ¶
// OCSFEPSS is the EPSS probability for a CVE. OCSF 1.4.0 schemas the score as a
// string (https://schema.ocsf.io/1.4.0/objects/epss); we honor the spec even though
// the value is a float, so we format on the way out.
type OCSFEPSS struct {
	// Score is the EPSS probability formatted as a string to satisfy the OCSF schema.
	Score string `json:"score"`
}
type OCSFEnrichment ¶
// OCSFEnrichment is an Atmos extension carried under the OCSF enrichments[] array.
// The schema requires name, value, and data — we set data to the same (string-coerced)
// value, which keeps consumers that ignore data correct and gives structured consumers
// a useful payload.
type OCSFEnrichment struct {
	// Name is the enrichment key; Value is its string form.
	Name string `json:"name"`
	Value string `json:"value"`
	// Data is always emitted (no omitempty) because the schema requires it; it holds the same value.
	Data any `json:"data"`
	// Type and Provider are optional classification of the enrichment.
	Type string `json:"type,omitempty"`
	Provider string `json:"provider,omitempty"`
}
type OCSFEvent ¶
// OCSFEvent is one top-level OCSF Detection Finding event.
// Events are produced by BuildOCSFEvents from a Report.
type OCSFEvent struct {
	// Activity, category, class and type identify the OCSF event; the *UID fields are
	// always emitted, the *Name fields are the human-readable labels.
	ActivityID int `json:"activity_id"`
	ActivityName string `json:"activity_name,omitempty"`
	CategoryUID int `json:"category_uid"`
	CategoryName string `json:"category_name,omitempty"`
	ClassUID int `json:"class_uid"`
	ClassName string `json:"class_name,omitempty"`
	TypeUID int `json:"type_uid"`
	TypeName string `json:"type_name,omitempty"`
	// Severity is the OCSF severity label; SeverityID is its numeric code (always emitted).
	Severity string `json:"severity,omitempty"`
	SeverityID int `json:"severity_id"`
	// Status* carry the finding's lifecycle state (see SourceLifecycle for the raw source values).
	Status string `json:"status,omitempty"`
	StatusID int `json:"status_id,omitempty"`
	StatusCode string `json:"status_code,omitempty"`
	StatusDetail string `json:"status_detail,omitempty"`
	// Time is the event timestamp; Start/End/ModifiedTime are optional.
	// NOTE(review): OCSF specifies epoch milliseconds — confirm the producer's unit.
	Time int64 `json:"time"`
	StartTime int64 `json:"start_time,omitempty"`
	EndTime int64 `json:"end_time,omitempty"`
	ModifiedTime int64 `json:"modified_time,omitempty"`
	// Metadata identifies the producer (atmos); FindingInfo describes the finding itself.
	Metadata OCSFMetadata `json:"metadata"`
	FindingInfo OCSFFindingInfo `json:"finding_info"`
	// Cloud locates the finding; Resources lists affected resources.
	Cloud OCSFCloud `json:"cloud"`
	Resources []OCSFResource `json:"resources,omitempty"`
	// Vulnerabilities is populated only for findings with a CVE or CWE (see OCSFVuln).
	Vulnerabilities []OCSFVuln `json:"vulnerabilities,omitempty"`
	// Remediation is native guidance; Enrichments carry Atmos-specific extensions.
	Remediation *OCSFRemediation `json:"remediation,omitempty"`
	Enrichments []OCSFEnrichment `json:"enrichments,omitempty"`
	// Unmapped holds source attributes with no OCSF equivalent, passed through as-is.
	Unmapped map[string]any `json:"unmapped,omitempty"`
}
func BuildOCSFEvents ¶
BuildOCSFEvents converts a security Report into OCSF 1.4.0 Detection Finding events. Findings are sorted with the same deterministic ordering SARIF uses so output is byte-stable for the same input report.
type OCSFFindingInfo ¶
// OCSFFindingInfo describes the finding itself. ProductUID identifies the upstream AWS
// service that detected the finding (security-hub, config, inspector, guardduty, macie,
// access-analyzer) — orthogonal to metadata.product which identifies atmos as the event producer.
type OCSFFindingInfo struct {
	// UID is the finding identifier (always emitted).
	UID string `json:"uid"`
	// Title and Desc are the finding's title and description.
	Desc string `json:"desc,omitempty"`
	Title string `json:"title,omitempty"`
	// SrcURL links back to the finding in the source console.
	SrcURL string `json:"src_url,omitempty"`
	// ProductUID names the detecting AWS service (see type comment).
	ProductUID string `json:"product_uid,omitempty"`
	// Types and Tags are free-form classification and key/value labels.
	Types []string `json:"types,omitempty"`
	Tags []OCSFKeyValue `json:"tags,omitempty"`
}
type OCSFKeyValue ¶
OCSFKeyValue mirrors the OCSF key_value_object pattern used by tags.
type OCSFMetadata ¶
// OCSFMetadata identifies the producer and the batch.
type OCSFMetadata struct {
	// Version is the OCSF schema version the event conforms to (always emitted).
	Version string `json:"version"`
	// Product identifies atmos as the event producer (see OCSFFindingInfo.ProductUID for the detector).
	Product OCSFProduct `json:"product"`
	// CorrelationUID ties together events from the same run/batch.
	CorrelationUID string `json:"correlation_uid,omitempty"`
	// Profiles lists the OCSF profiles applied.
	Profiles []string `json:"profiles,omitempty"`
}
type OCSFProduct ¶
// OCSFProduct identifies the tool that produced the finding.
type OCSFProduct struct {
	// Name and VendorName identify the product.
	Name string `json:"name,omitempty"`
	VendorName string `json:"vendor_name,omitempty"`
	// Version is the product version.
	Version string `json:"version,omitempty"`
	// URLString links to the product.
	URLString string `json:"url_string,omitempty"`
}
type OCSFRemediation ¶
// OCSFRemediation carries native remediation guidance.
// It is the OCSF counterpart of SourceRemediation, not of the AI-generated Remediation.
type OCSFRemediation struct {
	// Desc is the guidance text (always emitted).
	Desc string `json:"desc"`
	// References are supporting URLs.
	References []string `json:"references,omitempty"`
}
type OCSFResource ¶
// OCSFResource describes an affected resource.
type OCSFResource struct {
	// UID is the resource identifier (the ARN for AWS resources); Type is the resource type.
	UID string `json:"uid,omitempty"`
	Type string `json:"type,omitempty"`
	// Region is the resource's AWS region.
	Region string `json:"region,omitempty"`
	// Tags are the resource's key/value tags; Labels are free-form strings.
	Tags []OCSFKeyValue `json:"tags,omitempty"`
	Labels []string `json:"labels,omitempty"`
}
type OCSFVuln ¶
// OCSFVuln models the OCSF Vulnerability object. The OCSF schema requires exactly one
// of cve/cwe/advisory — we prefer cve when available, otherwise cwe, otherwise we omit
// the whole vulnerabilities[] entry.
type OCSFVuln struct {
	// Desc, Title and Severity describe the vulnerability.
	Desc string `json:"desc,omitempty"`
	Title string `json:"title,omitempty"`
	Severity string `json:"severity,omitempty"`
	// IsFixAvailable and FixAvailable both signal fix availability; pointers distinguish
	// "unknown" (nil) from false. NOTE(review): two spellings are emitted — confirm which
	// OCSF consumers expect before dropping either.
	IsFixAvailable *bool `json:"is_fix_available,omitempty"`
	FixAvailable *bool `json:"fix_available,omitempty"`
	// CVE is preferred; CWE is used only when no CVE is known (see type comment).
	CVE *OCSFCVE `json:"cve,omitempty"`
	CWE *OCSFCWE `json:"cwe,omitempty"`
	// AffectedPackages lists vulnerable packages; References are advisory URLs.
	AffectedPackages []OCSFAffectedPackage `json:"affected_packages,omitempty"`
	References []string `json:"references,omitempty"`
}
type OrganizationsAPI ¶
// OrganizationsAPI defines the subset of AWS Organizations API used for account name lookup.
// Keeping the interface minimal lets tests substitute MockOrganizationsAPI.
type OrganizationsAPI interface {
	// DescribeAccount mirrors the AWS SDK organizations client method of the same name.
	DescribeAccount(ctx context.Context, params *organizations.DescribeAccountInput, optFns ...func(*organizations.Options)) (*organizations.DescribeAccountOutput, error)
}
type OutputFormat ¶
// OutputFormat represents the desired output format.
// Use ParseOutputFormat to validate user input rather than converting a string directly.
type OutputFormat string

// Supported output formats; NewReportRenderer selects a renderer from one of these.
const (
	FormatMarkdown OutputFormat = "markdown"
	FormatJSON     OutputFormat = "json"
	FormatYAML     OutputFormat = "yaml"
	FormatCSV      OutputFormat = "csv"
	FormatSARIF    OutputFormat = "sarif"
	FormatOCSF     OutputFormat = "ocsf"
)
func ParseOutputFormat ¶
func ParseOutputFormat(format string) (OutputFormat, error)
ParseOutputFormat validates a format string and returns the corresponding OutputFormat.
type PhysicalLocation ¶
// PhysicalLocation points at a file (and optional region).
// It follows the SARIF physicalLocation object.
type PhysicalLocation struct {
	// ArtifactLocation is the file reference.
	ArtifactLocation *ArtifactLocation `json:"artifactLocation,omitempty"`
	// Region narrows the location to a line range within the file.
	Region *Region `json:"region,omitempty"`
}
type QueryOptions ¶
// QueryOptions contains the filter options for fetching security findings.
// A zero value for any field means "no filter" for that dimension.
type QueryOptions struct {
	// Stack and Component restrict results to one Atmos stack/component.
	Stack string
	Component string
	// Severity restricts results to the listed normalized severities.
	Severity []Severity
	// Source restricts results to one AWS security service.
	Source Source
	// Framework restricts results to one compliance framework.
	Framework string
	// MaxFindings caps the number of findings returned (see MaxFindingsForLookup).
	MaxFindings int
	// Region restricts results to one AWS region.
	Region string
	// NoAI disables AI analysis of the fetched findings.
	NoAI bool
}
type Region ¶
// Region is a sub-range within an artifact.
// Only the start line is tracked; SARIF's end line/column are not emitted.
type Region struct {
	// StartLine is the 1-based starting line; omitted when zero.
	StartLine int `json:"startLine,omitempty"`
}
type Relationship ¶
// Relationship links a rule to a taxonomy item.
// It follows the SARIF reportingDescriptorRelationship object.
type Relationship struct {
	// Target references the taxonomy descriptor (always emitted).
	Target ReportingDescriptorReference `json:"target"`
	// Kinds names the relationship kinds (SARIF vocabulary, e.g. "superset"/"relevant").
	Kinds []string `json:"kinds,omitempty"`
}
type Remediation ¶
// Remediation contains AI-generated remediation details for a finding. This is the
// output contract — every AI provider must populate these fields following the same
// structure, ensuring consistent and reproducible output.
//
// NOTE(review): all fields are model-generated text. Nothing visible in this package
// executes DeployCommand or applies CodeChanges; confirm callers keep it that way and
// treat these as suggestions for operator review.
type Remediation struct {
	Description string `json:"description" yaml:"description"` // Brief summary of the remediation.
	RootCause string `json:"root_cause,omitempty" yaml:"root_cause,omitempty"` // Why this finding exists in the infrastructure.
	Steps []string `json:"steps,omitempty" yaml:"steps,omitempty"` // Ordered remediation steps.
	CodeChanges []CodeChange `json:"code_changes,omitempty" yaml:"code_changes,omitempty"` // Specific Terraform/HCL changes.
	StackChanges string `json:"stack_changes,omitempty" yaml:"stack_changes,omitempty"` // Specific stack YAML changes.
	DeployCommand string `json:"deploy_command,omitempty" yaml:"deploy_command,omitempty"` // atmos terraform apply <component> -s <stack>.
	RiskLevel string `json:"risk_level,omitempty" yaml:"risk_level,omitempty"` // low, medium, high.
	References []string `json:"references,omitempty" yaml:"references,omitempty"` // AWS docs, CIS benchmarks, etc.
}
type Report ¶
// Report represents a complete security or compliance analysis report.
// It is the input to ReportRenderer.RenderSecurityReport, BuildSARIFLog and BuildOCSFEvents.
type Report struct {
	// GeneratedAt is when the report was built.
	GeneratedAt time.Time `json:"generated_at" yaml:"generated_at"`
	// Stack and Component echo the query filters, when set.
	Stack string `json:"stack,omitempty" yaml:"stack,omitempty"`
	Component string `json:"component,omitempty" yaml:"component,omitempty"`
	// TotalFindings and SeverityCounts summarize Findings.
	TotalFindings int `json:"total_findings" yaml:"total_findings"`
	SeverityCounts map[Severity]int `json:"severity_counts" yaml:"severity_counts"`
	// Findings is the full list (no omitempty: an empty report emits []).
	Findings []Finding `json:"findings" yaml:"findings"`
	// MappedCount and UnmappedCount count findings with/without a component mapping.
	MappedCount int `json:"mapped_count" yaml:"mapped_count"`
	UnmappedCount int `json:"unmapped_count" yaml:"unmapped_count"`
	TagMapping *AWSSecurityTagMapping `json:"-" yaml:"-"` // Display-only: configured tag keys for unmapped findings message.
	GroupFindings bool `json:"-" yaml:"-"` // Display-only: group duplicate findings in Markdown output.
	// Invocation is excluded from JSON/YAML; it feeds the SARIF Invocation for audit evidence.
	Invocation *ReportInvocation `json:"-" yaml:"-"`
}
type ReportInvocation ¶
// ReportInvocation captures audit details for a CLI run.
// It is the internal, untagged counterpart of the SARIF Invocation type.
type ReportInvocation struct {
	// CommandLine and Arguments are recorded as executed.
	// NOTE(review): persisted into audit output; confirm no credentials are passed as arguments.
	CommandLine string
	Arguments []string
	// StartTimeUTC and EndTimeUTC bracket the run.
	StartTimeUTC time.Time
	EndTimeUTC time.Time
	// ExitCode, ExitCodeDescription and ExecutionSuccessful report the outcome.
	ExitCode int
	ExitCodeDescription string
	// WorkingDirectory is where the CLI ran.
	WorkingDirectory string
	ExecutionSuccessful bool
	// AccountsScanned, RegionsScanned and StacksScanned record the scan's coverage.
	AccountsScanned []string
	RegionsScanned []string
	StacksScanned []string
}
type ReportRenderer ¶
// ReportRenderer renders security and compliance reports in various formats.
// Implementations are selected by NewReportRenderer from an OutputFormat.
type ReportRenderer interface {
	// RenderSecurityReport renders a security findings report.
	// It writes to w and returns any write or encoding error.
	RenderSecurityReport(w io.Writer, report *Report) error
	// RenderComplianceReport renders a compliance posture report.
	RenderComplianceReport(w io.Writer, report *ComplianceReport) error
}
func NewReportRenderer ¶
func NewReportRenderer(format OutputFormat) ReportRenderer
NewReportRenderer creates a renderer for the given output format.
type ReportingDescriptor ¶
// ReportingDescriptor describes a rule or taxonomy item.
// It is the SARIF reportingDescriptor object; Run.Taxonomies use it for taxa.
type ReportingDescriptor struct {
	// ID is the descriptor identifier (always emitted).
	ID string `json:"id"`
	// Name is an optional display name.
	Name string `json:"name,omitempty"`
	// ShortDescription and FullDescription describe the item.
	ShortDescription *MultiformatText `json:"shortDescription,omitempty"`
	FullDescription *MultiformatText `json:"fullDescription,omitempty"`
}
type ReportingDescriptorReference ¶
// ReportingDescriptorReference references a rule or taxonomy descriptor.
// It is the SARIF reportingDescriptorReference object.
type ReportingDescriptorReference struct {
	// ID is the referenced descriptor's ID.
	ID string `json:"id,omitempty"`
	// ToolComponent identifies which component (driver or taxonomy) holds the descriptor.
	ToolComponent *ToolComponentReference `json:"toolComponent,omitempty"`
}
type Result ¶
// Result is a single finding occurrence.
// It is the SARIF result object; one Result is emitted per Finding.
type Result struct {
	// RuleID names the rule in Driver.Rules; RuleIndex is its optional position.
	RuleID string `json:"ruleId"`
	RuleIndex *int `json:"ruleIndex,omitempty"`
	// Level is the SARIF level (e.g. "error"/"warning"/"note"); Kind is the result kind.
	Level string `json:"level,omitempty"`
	Kind string `json:"kind,omitempty"`
	// Message is the finding text (always emitted).
	Message MultiformatText `json:"message"`
	// Locations lists where the result applies (files and/or resource ARNs).
	Locations []Location `json:"locations,omitempty"`
	// Taxa reference taxonomy items such as compliance controls.
	Taxa []ReportingDescriptorReference `json:"taxa,omitempty"`
	// HostedViewerURI links to the finding in the source console.
	HostedViewerURI string `json:"hostedViewerUri,omitempty"`
	// Fingerprints are stable keys for deduplication across runs.
	Fingerprints map[string]string `json:"fingerprints,omitempty"`
	// Properties carries free-form extension data.
	Properties map[string]any `json:"properties,omitempty"`
}
type Rule ¶
// Rule describes a class of finding (one entry per unique finding title).
// It is the SARIF reportingDescriptor as used under Driver.Rules.
type Rule struct {
	// ID is the rule identifier (always emitted); Results refer to it via RuleID.
	ID string `json:"id"`
	// Name is an optional display name.
	Name string `json:"name,omitempty"`
	// ShortDescription, FullDescription and Help describe the rule.
	ShortDescription *MultiformatText `json:"shortDescription,omitempty"`
	FullDescription *MultiformatText `json:"fullDescription,omitempty"`
	Help *MultiformatText `json:"help,omitempty"`
	// HelpURI links to external guidance.
	HelpURI string `json:"helpUri,omitempty"`
	// DefaultConfig sets the default level for results of this rule.
	DefaultConfig *RuleConfig `json:"defaultConfiguration,omitempty"`
	// Relationships link the rule to taxonomy items (e.g. compliance controls).
	Relationships []Relationship `json:"relationships,omitempty"`
	// Properties carries free-form extension data.
	Properties map[string]any `json:"properties,omitempty"`
}
type RuleConfig ¶
// RuleConfig sets per-rule defaults such as level.
// It is the SARIF reportingConfiguration object, reduced to the level field.
type RuleConfig struct {
	// Level is the default SARIF level for results of the rule.
	Level string `json:"level,omitempty"`
}
type Run ¶
// Run captures the output of a single tool invocation.
// It is the SARIF run object held by SARIFLog.Runs.
type Run struct {
	// Tool describes the producing tool and its rules (always emitted).
	Tool Tool `json:"tool"`
	// Invocations records how the CLI was executed, for audit evidence.
	Invocations []Invocation `json:"invocations,omitempty"`
	// OriginalURIBaseIDs defines the bases that ArtifactLocation.URIBaseID values refer to.
	OriginalURIBaseIDs map[string]ArtifactLocation `json:"originalUriBaseIds,omitempty"`
	// Taxonomies hold taxonomy components (e.g. compliance frameworks) referenced by Result.Taxa.
	Taxonomies []ToolComponent `json:"taxonomies,omitempty"`
	// Results is the list of findings (no omitempty: an empty run emits []).
	Results []Result `json:"results"`
}
type SARIFLog ¶
// SARIFLog is the top-level SARIF document.
type SARIFLog struct {
	// Schema is serialized under the JSON key "$schema"; dropped when empty.
	Schema string `json:"$schema,omitempty"`
	// Version is the SARIF specification version; always serialized.
	Version string `json:"version"`
	// Runs is always serialized. NOTE(review): a nil slice marshals as
	// JSON null rather than []; confirm the producer initialises it.
	Runs []Run `json:"runs"`
}
SARIFLog is the top-level SARIF document.
func BuildSARIFLog ¶
BuildSARIFLog converts a security Report into a SARIF 2.1.0 log. The mapping is stable: rules are derived from unique finding titles, and results are emitted in a deterministic order, so the output is reproducible across runs.
type SecurityHubAPI ¶
// SecurityHubAPI defines the subset of AWS Security Hub API used by this package.
//
// Each method takes the corresponding securityhub input type and a variadic
// set of option functions, so a real securityhub client can satisfy it
// directly and a mock can stand in for tests.
type SecurityHubAPI interface {
	// GetFindings retrieves findings matching params.
	GetFindings(ctx context.Context, params *securityhub.GetFindingsInput, optFns ...func(*securityhub.Options)) (*securityhub.GetFindingsOutput, error)
	// GetEnabledStandards lists the compliance standards enabled in the account.
	GetEnabledStandards(ctx context.Context, params *securityhub.GetEnabledStandardsInput, optFns ...func(*securityhub.Options)) (*securityhub.GetEnabledStandardsOutput, error)
	// ListSecurityControlDefinitions lists control definitions for a standard.
	ListSecurityControlDefinitions(ctx context.Context, params *securityhub.ListSecurityControlDefinitionsInput, optFns ...func(*securityhub.Options)) (*securityhub.ListSecurityControlDefinitionsOutput, error)
}
SecurityHubAPI defines the subset of AWS Security Hub API used by this package.
type Source ¶
// Source represents the AWS security service that generated a finding.
//
// As a defined string type it does not restrict values at compile time;
// any string converts to it.
type Source string
Source represents the AWS security service that generated a finding.
type SourceLifecycle ¶
// SourceLifecycle preserves raw lifecycle state from AWS source feeds.
//
// Every field is optional in both JSON and YAML and is dropped when empty.
type SourceLifecycle struct {
	// WorkflowStatus is the source's workflow state string.
	WorkflowStatus string `json:"workflow_status,omitempty" yaml:"workflow_status,omitempty"`
	// RecordState is the source's record state string.
	RecordState string `json:"record_state,omitempty" yaml:"record_state,omitempty"`
	// ComplianceStatus is the source's compliance state string.
	ComplianceStatus string `json:"compliance_status,omitempty" yaml:"compliance_status,omitempty"`
	// InspectorStatus is the Inspector-specific status string.
	InspectorStatus string `json:"inspector_status,omitempty" yaml:"inspector_status,omitempty"`
}
SourceLifecycle preserves raw lifecycle state from AWS source feeds.
type SourceRemediation ¶
// SourceRemediation preserves remediation guidance supplied by AWS.
type SourceRemediation struct {
	// Text is the free-form remediation guidance; dropped when empty.
	Text string `json:"text,omitempty" yaml:"text,omitempty"`
	// URL is carried through as supplied by the source; nothing in this type
	// validates it, so consumers that render it should treat it as input.
	URL string `json:"url,omitempty" yaml:"url,omitempty"`
}
SourceRemediation preserves remediation guidance supplied by AWS.
type SourceSeverity ¶
// SourceSeverity preserves raw severity values from AWS source feeds.
type SourceSeverity struct {
	// Score is a pointer so that a genuine score of 0 is distinguishable
	// from an absent score under omitempty.
	Score *float64 `json:"score,omitempty" yaml:"score,omitempty"`
	// Label is the source's severity label string; dropped when empty.
	Label string `json:"label,omitempty" yaml:"label,omitempty"`
}
SourceSeverity preserves raw severity values from AWS source feeds.
type SourceTimestamps ¶
// SourceTimestamps preserves AWS source-feed timestamps separately from
// report upload time.
//
// All fields are pointers so that an unset timestamp is omitted rather than
// serialized as the zero time.
type SourceTimestamps struct {
	// FirstObservedAt is when the source first observed the finding.
	FirstObservedAt *time.Time `json:"first_observed_at,omitempty" yaml:"first_observed_at,omitempty"`
	// LastObservedAt is when the source most recently observed the finding.
	LastObservedAt *time.Time `json:"last_observed_at,omitempty" yaml:"last_observed_at,omitempty"`
	// UpdatedAt is the source's last-update timestamp.
	UpdatedAt *time.Time `json:"updated_at,omitempty" yaml:"updated_at,omitempty"`
	// CreatedAt is the source's creation timestamp.
	CreatedAt *time.Time `json:"created_at,omitempty" yaml:"created_at,omitempty"`
}
SourceTimestamps preserves AWS source-feed timestamps separately from report upload time.
type TaggingAPI ¶
// TaggingAPI defines the subset of AWS Resource Groups Tagging API used by
// this package. The single method mirrors the resourcegroupstaggingapi
// client call shape so a real client or a mock can satisfy it.
type TaggingAPI interface {
	// GetResources returns tagged resources matching params.
	GetResources(ctx context.Context, params *resourcegroupstaggingapi.GetResourcesInput, optFns ...func(*resourcegroupstaggingapi.Options)) (*resourcegroupstaggingapi.GetResourcesOutput, error)
}
TaggingAPI defines the subset of AWS Resource Groups Tagging API used by this package.
type Tool ¶
// Tool describes the analysis tool that produced the run.
type Tool struct {
	// Driver is the primary tool component; always serialized.
	Driver Driver `json:"driver"`
}
Tool describes the analysis tool that produced the run.
type ToolComponent ¶
// ToolComponent describes a SARIF tool extension or taxonomy.
type ToolComponent struct {
	// Name is the component name; always serialized.
	Name string `json:"name"`
	// Version is the component version; dropped when empty.
	Version string `json:"version,omitempty"`
	// InformationURI links to documentation for the component; emitted verbatim.
	InformationURI string `json:"informationUri,omitempty"`
	// GUID is a stable identifier for the component; dropped when empty.
	GUID string `json:"guid,omitempty"`
	// Taxa lists the descriptors (taxonomy items) this component defines.
	Taxa []ReportingDescriptor `json:"taxa,omitempty"`
}
ToolComponent describes a SARIF tool extension or taxonomy.
type ToolComponentReference ¶
// ToolComponentReference references a SARIF tool component by run-level index.
type ToolComponentReference struct {
	// Index is always serialized (no omitempty), presumably because index 0
	// is a valid reference to the first component.
	Index int `json:"index"`
}
ToolComponentReference references a SARIF tool component by run-level index.
type VulnerabilityDetails ¶
// VulnerabilityDetails preserves structured package vulnerability data from AWS.
//
// All fields are optional in both JSON and YAML and are dropped when they hold
// their zero value.
type VulnerabilityDetails struct {
	// ID is the source's vulnerability identifier.
	ID string `json:"id,omitempty" yaml:"id,omitempty"`
	// CVEID is the CVE identifier, when the vulnerability has one.
	CVEID string `json:"cve_id,omitempty" yaml:"cve_id,omitempty"`
	// CWEIDs lists associated CWE identifiers.
	CWEIDs []string `json:"cwe_ids,omitempty" yaml:"cwe_ids,omitempty"`
	// EPSSScore is a plain float64 under omitempty, so a genuine score of 0
	// is serialized identically to "no score". NOTE(review): compare with
	// SourceSeverity.Score, which uses *float64 to keep the distinction;
	// confirm consumers do not rely on 0 being present.
	EPSSScore float64 `json:"epss_score,omitempty" yaml:"epss_score,omitempty"`
	// PackageName, PackageVersion and FixedInVersion describe the primary
	// affected package; Packages carries the full per-package list.
	PackageName string `json:"package_name,omitempty" yaml:"package_name,omitempty"`
	PackageVersion string `json:"package_version,omitempty" yaml:"package_version,omitempty"`
	FixedInVersion string `json:"fixed_in_version,omitempty" yaml:"fixed_in_version,omitempty"`
	// Packages lists every affected package with its available fix.
	Packages []VulnerablePackage `json:"packages,omitempty" yaml:"packages,omitempty"`
	// ReferenceURLs are advisory links carried through verbatim from the source.
	ReferenceURLs []string `json:"reference_urls,omitempty" yaml:"reference_urls,omitempty"`
	// CVSS holds one entry per CVSS vector/score reported by the source.
	CVSS []CVSSScore `json:"cvss,omitempty" yaml:"cvss,omitempty"`
}
VulnerabilityDetails preserves structured package vulnerability data from AWS.
type VulnerablePackage ¶
// VulnerablePackage captures an affected package and available fix.
//
// All fields are optional in both JSON and YAML and are dropped when empty.
type VulnerablePackage struct {
	// Name is the package name.
	Name string `json:"name,omitempty" yaml:"name,omitempty"`
	// Version is the installed, affected version.
	Version string `json:"version,omitempty" yaml:"version,omitempty"`
	// FixedInVersion is the version that resolves the vulnerability, if known.
	FixedInVersion string `json:"fixed_in_version,omitempty" yaml:"fixed_in_version,omitempty"`
	// PackageManager names the ecosystem the package belongs to.
	PackageManager string `json:"package_manager,omitempty" yaml:"package_manager,omitempty"`
	// Remediation is free-form fix guidance for this package.
	Remediation string `json:"remediation,omitempty" yaml:"remediation,omitempty"`
	// FilePath is where the package was found; carried through as supplied
	// by the source without normalisation here.
	FilePath string `json:"file_path,omitempty" yaml:"file_path,omitempty"`
}
VulnerablePackage captures an affected package and available fix.