Directories

| Path | Synopsis |
|---|---|
| baseline | Package baseline reads and writes the baseline file that the v0.6 drift workflow compares against. |
| checks | |
| checks/aws | Package aws holds the AWS check implementations. |
| checks/digitalocean | Package digitalocean holds the DigitalOcean check implementations. |
| checks/gcp | Package gcp holds the GCP check implementations. |
| checks/hetzner | Package hetzner holds Hetzner Cloud check implementations. |
| checks/k8s | Package k8s holds the Kubernetes check catalog. |
| checks/linux | Package linux holds the Linux check implementations. |
| cli | Package cli contains the cobra command tree for the compliancekit binary. |
| collectors | |
| collectors/aws | Package aws is the AWS Collector. |
| collectors/cloudcommon | Package cloudcommon contains the cross-cloud abstractions every cloud collector reuses: account/region resource attribution helpers, the per-cloud Resource ID convention, and the per-cloud Region listing protocol. |
| collectors/digitalocean | Package digitalocean is the DigitalOcean Collector. |
| collectors/gcp | Package gcp is the Google Cloud Platform Collector. |
| collectors/hetzner | Package hetzner is the Hetzner Cloud Collector. |
| collectors/k8s | Package k8s is the Kubernetes collector. |
| collectors/linux | Package linux is the Linux SSH collector (v0.2+). |
| config | Package config defines the parsed shape of compliancekit.yaml and the loader that populates it. |
| diff | Package diff classifies a current scan's findings against a previously captured baseline. |
| engine | Package engine orchestrates a scan: it runs Collectors to populate the ResourceGraph, then drives the check Registry to produce Findings. |
| evidence | Package evidence assembles an audit-ready folder from a set of scan findings. |
| frameworks | Package frameworks loads compliance framework definitions from embedded YAML files and exposes them for the reporters and the `checks list` / `checks show` commands. |
| i18n | Package i18n is the v1.10+ runtime translation surface. |
| ingest | Package ingest reads findings produced by external security tools (Trivy, Checkov, KICS, AWS Security Hub, GCP SCC, Defender, …) and projects them onto compliancekit's resource graph + framework catalog. |
| ingest/checkov | Package checkov implements a native-JSON ingest adapter for Checkov (bridgecrewio/checkov) output. |
| ingest/gitleaks | Package gitleaks implements a native-JSON ingest adapter for gitleaks (gitleaks/gitleaks) output. |
| ingest/grype | Package grype implements a native-JSON ingest adapter for Anchore Grype (anchore/grype) output. |
| ingest/ocsf | Package ocsf implements the OCSF (Open Cybersecurity Schema Framework) v1.x ingest adapter for compliancekit. |
| ingest/oscal | Package oscal implements the OSCAL (Open Security Controls Assessment Language) Catalog ingest adapter for compliancekit. |
| ingest/sarif | Package sarif implements the SARIF 2.1.0 ingest adapter for compliancekit. |
| ingest/trivy | Package trivy implements a native-JSON ingest adapter for Trivy (aquasecurity/trivy) output. |
| notify | Package notify dispatches compliancekit Findings to operator-configured channels (Slack, Discord, Teams, email, generic webhook, GitHub PR comments, Jira, PagerDuty) per the v0.17 milestone. |
| operator | Package operator implements the v1.15 phase 3 K8s operator. |
| policy | Package policy implements the Rego-backed Check evaluator and the loader that turns `internal/policies/*.rego` files into entries in the compliancekit.Check registry. |
| profile | Package profile is the v0.6 named-subset-of-checks abstraction. |
| remediate | Package remediate generates structured fix-it artifacts (Terraform blocks, kubectl patches, cloud-CLI commands, Ansible plays, Helm overlays, bash one-liners) from compliancekit Findings. |
| remediate/ansible | Package ansible implements remediate.Strategy renderers for the FormatAnsible output. |
| remediate/awscli | Package awscli implements remediate.Strategy renderers for the FormatAWSCLI output. |
| remediate/azcli | Package azcli implements remediate.Strategy renderers for the FormatAzureCLI output. |
| remediate/bash | Package bash implements remediate.Strategy renderers for the FormatBash output. |
| remediate/doctl | Package doctl implements remediate.Strategy renderers for the FormatDoctl output. |
| remediate/gcloud | Package gcloud implements remediate.Strategy renderers for the FormatGCloud output. |
| remediate/hcloud | Package hcloud implements remediate.Strategy renderers for the FormatHcloud output. |
| remediate/helm | Package helm implements remediate.Strategy renderers for the FormatHelm output. |
| remediate/kubectl | Package kubectl implements remediate.Strategy renderers for the FormatKubectl output. |
| remediate/poam | Package poam emits OSCAL v1.1.2 Plan of Action & Milestones (POA&M) JSON for findings whose remediation classifies as manual — either because no strategy is registered, or because the registered strategy declared RiskManual. |
| remediate/render | Package render holds small shared helpers strategy packages use to emit safe, well-formatted snippet content. |
| remediate/runbook | Package runbook writes the operator-facing artifacts of v0.15's remediation flow: |
| remediate/terraform | Package terraform implements remediate.Strategy renderers for the FormatTerraform output. |
| remediate/tickets | Package tickets files external tickets (Jira, Linear) for findings whose remediation is manual. |
| report | Package report extends the v1.2 vanilla-SVG drawers with the v1.14 chart kit: heatmap, treemap, sankey, radar. |
| rules | Package rules is the daemon-side workflow automation engine. |
| rules/actions | Package actions ships the built-in action library for the v1.9 rules engine. |
| rules/approvals | Package approvals owns the v1.9 phase 5 multi-approver waiver flow. |
| rules/conditions | Package conditions ships the built-in condition library for the v1.9 rules engine. |
| rules/expiry | Package expiry runs the v1.9 phase 6 waiver-expiry automation loop. |
| score | Package score computes the 0-100 hardening score the v0.6 milestone adds as the headline metric. |
| server | Package server is the v1.3 serve-mode HTTP daemon. |
| server/api | Package api implements the v1.3+ REST API. |
| server/assets | Package assets embeds the compiled UI bundle (Tailwind output + vendored htmx, Alpine, Preline) produced by `make ui`. |
| server/auth | Package auth handles every authentication concern for the v1.3 serve-mode daemon: bcrypt password hashing, DB-backed sessions, double-submit-cookie CSRF protection, and the chi middleware that gates non-public routes. |
| server/backups | Package backups owns the v1.12 phase 8 backup/restore workflow. |
| server/collab | Package collab owns the v1.8 collaboration data layer that doesn't fit into the comments package: per-finding assignees, per-resource owners, and resource follower opt-ins. |
| server/comments | Package comments owns the goldmark+bluemonday pipeline that turns operator-authored markdown into the sanitized HTML cached in the comments table. |
| server/compress | Package compress is the v1.11 phase 4 HTTP-compression middleware. |
| server/dashboards | Package dashboards is the v1.14 reporting-renaissance persistence layer. |
| server/etag | Package etag is the v1.11 phase 5 HTTP caching middleware. |
| server/events | Package events is the v1.6 SSE event bus the daemon uses to push live state changes to subscribed UI / TUI / API clients without polling. |
| server/leader | Package leader implements pg_advisory_lock-based leader election for the v1.15 phase 4 HA Postgres mode. |
| server/logs | Package logs is the v1.6 phase 6 in-UI log tail. |
| server/plugins | Package plugins owns the v1.13 daemon-side plugin runtime: filesystem discovery, manifest parsing, cosign signature verification, sandbox dial-time egress enforcement, and hot-reload of Rego packs. |
| server/push | Package push implements VAPID-encrypted Web Push delivery for v1.16 phase 4. |
| server/rbac | Package rbac is the v1.12 phase 0 daemon-side persistence + lookup layer for the role/permission grid defined in pkg/compliancekit/rbac. |
| server/respcache | Package respcache is the v1.11 phase 6 in-memory LRU for hot list responses. |
| server/scim | Package scim implements a minimal SCIM 2.0 (RFC 7643 / 7644) server for v1.12 phase 4. |
| server/search | Package search hosts the v1.19 phase 5 global search index — an in-memory, periodically-rebuilt index spanning findings, resources, scans, users, waivers, settings, and docs. |
| server/slowlog | Package slowlog is the v1.11 phase 7 query-budget + slow-query log. |
| server/store | Package store is the persistent-state layer for compliancekit's serve-mode daemon. |
| server/ui | Package ui mounts the v1.3 minimal UI shell on the daemon's chi router. |
| server/ui/design | Package design hosts the v1.18 design-system contract per ADR-017. |
| server/webhook | Package webhook handles inbound webhook receivers — GitHub PR / push events + operator-defined generic webhooks. |
| server/worker | Package worker is the v1.3 background job runner. |
| tui | Package tui is the v1.7 Bubble Tea terminal client. |
| ui | Package ui owns the terminal styling primitives shared across every compliancekit subcommand: the severity-and-status color palette, the status glyph set, the TTY/NO_COLOR detector, and a thin Styler over lipgloss that subcommands ask for their colors instead of hand-coding ANSI escapes. |
| waivers | Package waivers implements compliancekit's v0.18 muting layer: explicit, time-bounded, auditable acknowledgements that a specific (check, resource) pair is non-compliant by deliberate operator choice rather than oversight. |
| warehouse | Package warehouse implements v1.17 data-warehouse bridges. |
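The auth synopsis names a double-submit-cookie CSRF check in front of the daemon's non-public routes. The block below is an added example, not code from compliancekit or from this page, of the shape that check takes as a net/http middleware (the `func(http.Handler) http.Handler` signature is the same one chi middleware uses). The cookie name `csrf_token`, the header name `X-CSRF-Token`, and the probed path `/api/waivers` are assumptions made for the example, not names taken from the project.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Cookie and header names are assumptions for this example; the page
// does not show the project's own names.
const (
	csrfCookie = "csrf_token"
	csrfHeader = "X-CSRF-Token"
)

// NewCSRFToken returns 32 bytes from crypto/rand, hex-encoded (64 chars).
func NewCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// IssueCSRFCookie sets the token cookie. HttpOnly is deliberately left
// false: the browser-side script has to read the cookie to echo it in the
// request header, and that echo is what a cross-site page cannot produce.
func IssueCSRFCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     csrfCookie,
		Value:    token,
		Path:     "/",
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
}

// CSRFValid is the double-submit check: on state-changing methods the
// header token must equal the cookie token. Empty tokens are rejected so
// a request with neither cookie nor header cannot trivially match, and the
// comparison is constant-time.
func CSRFValid(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true // safe methods must not change state, so no token needed
	}
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		return false
	}
	h := r.Header.Get(csrfHeader)
	if h == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) == 1
}

// CSRF wraps a handler and rejects requests that fail CSRFValid with 403.
func CSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !CSRFValid(r) {
			http.Error(w, "forbidden: CSRF token missing or mismatched", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends a constructed request through the middleware and returns the
// status code. Empty cookieToken/headerToken means "omit that part".
func Probe(method, cookieToken, headerToken string) int {
	h := CSRF(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/api/waivers", nil) // assumed path
	if cookieToken != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookie, Value: cookieToken})
	}
	if headerToken != "" {
		req.Header.Set(csrfHeader, headerToken)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok, _ := NewCSRFToken()
	fmt.Println("GET, no token       ->", Probe(http.MethodGet, "", ""))
	fmt.Println("POST, matching pair ->", Probe(http.MethodPost, tok, tok))
	fmt.Println("POST, header only   ->", Probe(http.MethodPost, "", tok))
	fmt.Println("POST, forged header ->", Probe(http.MethodPost, tok, "attacker-guess"))
}
```

Two details carry the security weight here. The empty-token rejection matters because a cross-site form post arrives with the victim's cookie but no custom header; if the middleware compared "" to "" it would pass. The exemption for safe methods is only safe if handlers honour it, so a GET endpoint that mutates state silently bypasses the check and should be fixed at the handler, not the middleware.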