audit

package
Published: Apr 24, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package audit runs language-specific dependency audits on behalf of codefly Builder agents. Each language has a Scan(ctx, dir) entry point that shells out to the canonical CVE scanner + outdated-dep reporter for that ecosystem and returns structured findings.

The package never fails the agent if a tool is missing — it returns Tool="missing" with empty findings so the CLI can render "[missing govulncheck] go-grpc/api: skipped" instead of erroring.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Result

type Result struct {
	Findings []*builderv0.AuditFinding
	Outdated []*builderv0.OutdatedDep
	Tool     string
	Language string
}

Result is the language-agnostic shape returned by every Scan* function. Tool identifies what produced it ("govulncheck+go-list-u", "npm-audit+outdated", "pip-audit", "trivy", or "missing").

func Docker

func Docker(ctx context.Context, image string) (*Result, error)

Docker scans a container image (e.g. postgres:16, redis:7) for known CVEs using trivy. Used by Docker-only agents (postgres, redis, neo4j, temporal, vault) where the codefly service is the official upstream image — there is no application code to scan, just the distribution itself.

trivy must be on PATH; if missing, returns Tool="missing" with no findings (the audit still succeeds).

func Golang

func Golang(ctx context.Context, dir string, includeOutdated bool) (*Result, error)

Golang scans a Go module rooted at dir.

Vulnerabilities: govulncheck -json ./... (callgraph-aware; only reports vulns the binary can actually reach). Outdated: go list -m -u -json all (returns each module with its current + Update fields).

Both tools are skipped (Tool="missing") if not on PATH so the agent scan still completes — the CLI surfaces the missing-tool warning.

func Node

func Node(ctx context.Context, dir string, includeOutdated bool) (*Result, error)

Node scans a Node package rooted at dir (must contain package.json + lockfile). Vulnerabilities: `npm audit --json`. Outdated: `npm outdated --json` (returns {} when nothing outdated).

Both commands exit non-zero on findings, which is normal — we still parse the JSON output. Missing tool → Tool="missing".
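As an added illustration (not the package's own code), here is how a Scan entry point like Node can honour the two contracts described above: a scanner absent from PATH yields Tool="missing" with empty findings instead of an error, and npm's non-zero exit on findings still gets its JSON report parsed. Finding and the "npm-audit" label are assumed stand-ins for builderv0.AuditFinding and the page's tool name; nodeAudit is a variable only so a test can substitute a stub command.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"os/exec"
)
type Finding struct{ Package, Severity string } // stand-in for builderv0.AuditFinding (assumed)
// Result keeps the page's shape; Tool is "missing" when the scanner is not on PATH.
type Result struct {
	Findings []Finding
	Tool     string
	Language string
}
// nodeAudit is the argv Node shells out to; a var only so a test can swap in a stub.
var nodeAudit = []string{"npm", "audit", "--json"}

// runJSON runs argv in dir and decodes its stdout into dst. A binary not on PATH yields
// ran=false rather than an error; a non-zero exit with JSON on stdout is not an error either.
func runJSON(ctx context.Context, dir string, argv []string, dst any) (bool, error) {
	if _, err := exec.LookPath(argv[0]); err != nil {
		return false, nil // missing tool: the scan still succeeds, caller marks Tool="missing"
	}
	cmd := exec.CommandContext(ctx, argv[0], argv[1:]...)
	cmd.Dir = dir
	stdout, runErr := cmd.Output() // on a non-zero exit this still returns captured stdout
	if runErr != nil && !(errors.As(runErr, new(*exec.ExitError)) && len(stdout) > 0) {
		return true, runErr // could not start, or failed without producing a report
	}
	return true, json.Unmarshal(stdout, dst)
}
// Node follows the page's contract for `npm audit --json`, which exits non-zero whenever it
// has findings (npm 7+ report shape: a "vulnerabilities" map keyed by package name).
func Node(ctx context.Context, dir string) (*Result, error) {
	r := &Result{Language: "node", Tool: "npm-audit"}
	var report struct{ Vulnerabilities map[string]struct{ Severity string } }
	ran, err := runJSON(ctx, dir, nodeAudit, &report)
	if err != nil {
		return nil, err
	}
	if !ran {
		r.Tool = "missing" // the CLI renders this as "[missing npm] ...: skipped"
		return r, nil
	}
	for pkg, v := range report.Vulnerabilities {
		r.Findings = append(r.Findings, Finding{Package: pkg, Severity: v.Severity})
	}
	return r, nil
}
```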

func Python

func Python(ctx context.Context, dir string, includeOutdated bool) (*Result, error)

Python scans a Python project rooted at dir. Vulnerabilities: pip-audit -f json. Outdated: pip list --outdated --format json.

Both tools are looked up on PATH. If either is missing, that scanner is skipped without an error, and Tool reflects what actually ran.
