rules

package
v0.0.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 31, 2025 License: MIT Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AdvancedSupplyChainAnalyzer added in v0.0.4 

type AdvancedSupplyChainAnalyzer struct {
	// contains filtered or unexported fields
}

AdvancedSupplyChainAnalyzer provides comprehensive supply chain security analysis

func NewAdvancedSupplyChainAnalyzer added in v0.0.4 

func NewAdvancedSupplyChainAnalyzer() *AdvancedSupplyChainAnalyzer

NewAdvancedSupplyChainAnalyzer creates a new advanced analyzer

type Category 

type Category string

Category represents the category of a security rule 

const (
	MaliciousPattern    Category = "MALICIOUS_PATTERN"
	Misconfiguration    Category = "MISCONFIGURATION"
	SecretExposure      Category = "SECRET_EXPOSURE"
	ShellObfuscation    Category = "SHELL_OBFUSCATION"
	PolicyViolation     Category = "POLICY_VIOLATION"
	SupplyChain         Category = "SUPPLY_CHAIN"
	InjectionAttack     Category = "INJECTION_ATTACK"
	SecretsExposure     Category = "SECRETS_EXPOSURE"
	AccessControl       Category = "ACCESS_CONTROL"
	PrivilegeEscalation Category = "PRIVILEGE_ESCALATION"
	DataExposure        Category = "DATA_EXPOSURE"
)

type ConfigInterface 

type ConfigInterface interface {
	IsRuleEnabled(ruleID string) bool
	ShouldIgnoreForRule(ruleID, text, filePath string) bool
	ShouldIgnoreSecret(text, context string) bool
}

ConfigInterface defines the interface for configuration

type Finding 

type Finding struct {
	RuleID      string
	RuleName    string
	Description string
	Severity    Severity
	Category    Category
	FilePath    string
	JobName     string
	StepName    string
	Evidence    string
	Remediation string
	LineNumber  int    // Line number where the issue was found
	GitHubURL   string // Direct GitHub URL to the line (for remote repositories)
	GitLabURL   string // Direct GitLab URL to the line (for remote repositories)
}

Finding represents a detected security issue

func CheckAdvancedPrivilegeAnalysis added in v0.0.4 

func CheckAdvancedPrivilegeAnalysis(workflow parser.WorkflowFile) []Finding

CheckAdvancedPrivilegeAnalysis performs advanced workflow privilege analysis

func CheckAllRules added in v0.0.4 

func CheckAllRules(workflow parser.WorkflowFile) []Finding

CheckAllRules runs all security rule checks

func CheckInjectionVulnerabilities added in v0.0.4 

func CheckInjectionVulnerabilities(workflow parser.WorkflowFile) []Finding

CheckInjectionVulnerabilities is the main entry point for injection vulnerability checks

func CheckSelfHostedRunnerSecurity added in v0.0.4 

func CheckSelfHostedRunnerSecurity(workflow parser.WorkflowFile) []Finding

CheckSelfHostedRunnerSecurity performs comprehensive self-hosted runner security analysis

func CheckShellInjectionVulnerabilities added in v0.0.4 

func CheckShellInjectionVulnerabilities(workflow parser.WorkflowFile) []Finding

CheckShellInjectionVulnerabilities is the main entry point for shell injection checks

func CheckSupplyChainVulnerabilities added in v0.0.4 

func CheckSupplyChainVulnerabilities(workflow parser.WorkflowFile) []Finding

CheckSupplyChainVulnerabilities checks for supply chain security issues

type InjectionPatterns added in v0.0.4 

type InjectionPatterns struct {
	GitHub []string
	GitLab []string
	Azure  []string
	Tekton []string
}

InjectionPatterns contains regex patterns for detecting injection vulnerabilities

func GetInjectionPatterns added in v0.0.4 

func GetInjectionPatterns() InjectionPatterns

GetInjectionPatterns returns patterns for detecting user-controlled input injection

type Platform added in v0.0.4 

type Platform string

Platform represents the CI/CD platform a rule applies to 

const (
	PlatformAll    Platform = "ALL"    // Rule applies to all platforms
	PlatformGitHub Platform = "GITHUB" // Rule applies only to GitHub Actions
	PlatformGitLab Platform = "GITLAB" // Rule applies only to GitLab CI
)

func StringToPlatform added in v0.0.4 

func StringToPlatform(platformStr string) Platform

StringToPlatform converts platform string constants to Platform enum

type Rule 

type Rule struct {
	ID          string
	Name        string
	Description string
	Severity    Severity
	Category    Category
	Platform    Platform // Platform compatibility for this rule
	Check       func(workflow parser.WorkflowFile) []Finding
}

Rule represents a security rule to check in a workflow

func FilterRulesByPlatform added in v0.0.4 

func FilterRulesByPlatform(rules []Rule, targetPlatform Platform) []Rule

FilterRulesByPlatform filters rules based on target platform compatibility

func StandardRules 

func StandardRules() []Rule

StandardRules returns the list of built-in security rules

type RuleEngine 

type RuleEngine struct {
	// contains filtered or unexported fields
}

RuleEngine handles rule execution with configuration support

func NewRuleEngine 

func NewRuleEngine(config ConfigInterface) *RuleEngine

NewRuleEngine creates a new rule engine with configuration

func (*RuleEngine) ExecuteRules 

func (re *RuleEngine) ExecuteRules(workflow parser.WorkflowFile, rules []Rule) []Finding

ExecuteRules runs rules against a workflow with configuration filtering

type Severity 

type Severity string

Severity represents the severity level of a finding 

const (
	Critical Severity = "CRITICAL"
	High     Severity = "HIGH"
	Medium   Severity = "MEDIUM"
	Low      Severity = "LOW"
	Info     Severity = "INFO"
)

type VersionPinningAnalysis added in v0.0.4 

type VersionPinningAnalysis struct {
	Risk        string
	Description string
	Remediation string
	Version     string
	VersionType string
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.