Documentation
¶
Overview ¶
Package auditsarif renders gowdk audit findings as SARIF 2.1.0, the format GitHub code scanning ingests. It maps each finding to a result keyed by its stable fingerprint (so an alert tracks across line movement), and each distinct diagnostic code to a reusable rule with explain text, CWE/OWASP taxonomy, and remediation. Waived findings are emitted as suppressed results so a justified suppression stays visible in the security dashboard rather than silently absent.
Index ¶
Constants ¶
const FingerprintKey = "gowdkAuditFingerprint/v1"
FingerprintKey names the partialFingerprints entry carrying the stable finding identity. The /v1 suffix lets the fingerprint algorithm evolve without colliding with historic alert tracking.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ArtifactLocation ¶
type ArtifactLocation struct {
URI string `json:"uri"`
}
ArtifactLocation is a workspace-relative URI.
type Document ¶
type Document struct {
Schema string `json:"$schema"`
Version string `json:"version"`
Runs []Run `json:"runs"`
}
Document is the root SARIF 2.1.0 log.
type Driver ¶
type Driver struct {
Name string `json:"name"`
Version string `json:"version,omitempty"`
InformationURI string `json:"informationUri,omitempty"`
Rules []Rule `json:"rules"`
}
Driver is the analyzer component and its rule catalog.
type Location ¶
type Location struct {
PhysicalLocation PhysicalLocation `json:"physicalLocation"`
}
Location points at the source artifact and region.
type PhysicalLocation ¶
type PhysicalLocation struct {
ArtifactLocation ArtifactLocation `json:"artifactLocation"`
Region *Region `json:"region,omitempty"`
}
PhysicalLocation is the artifact plus optional region.
type Region ¶
type Region struct {
StartLine int `json:"startLine"`
}
Region is a 1-based line span.
type Result ¶
type Result struct {
RuleID string `json:"ruleId"`
Level string `json:"level"`
Message Message `json:"message"`
Locations []Location `json:"locations,omitempty"`
PartialFingerprints map[string]string `json:"partialFingerprints,omitempty"`
Suppressions []Suppression `json:"suppressions,omitempty"`
Properties map[string]any `json:"properties,omitempty"`
}
Result is one finding instance.
type Rule ¶
type Rule struct {
ID string `json:"id"`
Name string `json:"name,omitempty"`
ShortDescription *Message `json:"shortDescription,omitempty"`
FullDescription *Message `json:"fullDescription,omitempty"`
Help *Message `json:"help,omitempty"`
DefaultConfiguration *RuleConfig `json:"defaultConfiguration,omitempty"`
Properties *RuleProperties `json:"properties,omitempty"`
HelpURI string `json:"helpUri,omitempty"`
}
Rule is the reusable metadata for one diagnostic code.
type RuleConfig ¶
type RuleConfig struct {
Level string `json:"level"`
}
RuleConfig carries the rule's default level.
type RuleProperties ¶
type RuleProperties struct {
Tags []string `json:"tags,omitempty"`
Precision string `json:"precision,omitempty"`
}
RuleProperties carries the security taxonomy GitHub surfaces as tags.
type Suppression ¶
type Suppression struct {
Kind string `json:"kind"`
Justification string `json:"justification,omitempty"`
}
Suppression records a justified waiver so the result stays visible but muted.