cmd

package
v0.4.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 16, 2026 License: MPL-2.0 Imports: 44 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	Version   = "dev"
	Commit    = "none"
	BuildDate = "unknown"
)

Functions

func Execute

func Execute()

Types

type ComplianceError added in v0.1.65

type ComplianceError struct {
	Compliance float64
	Threshold  float64
}

ComplianceError is returned when the deprecated --threshold gate is active and the measured percentage of passing controls falls below it. It maps to the same exit code 1 as ScoreGateError and disappears with --threshold.

func (*ComplianceError) Error added in v0.1.65

func (e *ComplianceError) Error() string

type DegradedError added in v0.3.51

type DegradedError struct {
	Count int
}

DegradedError is returned when --fail-warnings is set and the run produced one or more "could not verify" warnings — e.g. a known-CVE check skipped because an action's pinned commit could not be resolved to a version (tag list blocked by an org IP allow list, rate limit, or network). The run itself completed; some data could not be checked. It maps to exit code 3 (runtime / data condition), distinct from a gate failure (1) and a configuration error (2), so strict CI can tell "we could not fully verify" apart from "a real control failed".

func (*DegradedError) Error added in v0.3.51

func (e *DegradedError) Error() string

type IncompleteDataError added in v0.3.57

type IncompleteDataError struct {
	Reasons []string
}

IncompleteDataError is returned when a run is data-collection-degraded: a GitLab merged-CI fetch failed, or some GitHub workflow files / the branch-protection fetch could not be retrieved. The analysis ran on partial data, so Plumber withholds the verdict — the score banner in the terminal, badge/MR updates — and fails the run rather than pass an incomplete scan. Artifacts are still written but stamped degraded (#220). Maps to exit code 3, the same "could not fully verify" lane as DegradedError, distinct from a real gate failure (1) and a configuration error (2).

func (*IncompleteDataError) Error added in v0.3.57

func (e *IncompleteDataError) Error() string

type ScoreGateError added in v0.4.0

type ScoreGateError struct {
	Points    float64
	MinPoints float64
	// PointsGate reports whether the points gate was the one that failed;
	// otherwise the letter gate did.
	PointsGate bool
	Letter     string
	MinLetter  string
	// NoControls marks a run where zero controls were evaluated: a
	// .plumber.yaml that only configures the other provider, all controls
	// disabled, a skip-all filter, or — on GitLab, whose compliance zeroes
	// the control count on a missing/invalid CI — a project with no usable
	// CI configuration. Zero findings then means "nothing was checked",
	// not "clean", so the gate fails. On GitHub, a repository with no (or
	// unparseable) workflows keeps its control count and passes on a clean
	// score — the pre-0.4.0 behavior, restored on purpose so fleet
	// scanners don't fail on CI-less repositories.
	NoControls bool
}

ScoreGateError is returned when analysis completes successfully but the Plumber Score falls below the configured gate (--min-points and/or --min-score).

It is distinct from a generic runtime error so that callers (e.g. Execute) can map it to a dedicated exit code:

0 – analysis passed (score gate met)
1 – gate failure (score below --min-points / --min-score)
2 – runtime / configuration error

func (*ScoreGateError) Error added in v0.4.0

func (e *ScoreGateError) Error() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL