ast

package
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 25, 2025 License: MIT Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ASTAnalyzer 

type ASTAnalyzer struct {
	// contains filtered or unexported fields
}

ASTAnalyzer provides AST-based analysis capabilities

func NewASTAnalyzer 

func NewASTAnalyzer() *ASTAnalyzer

NewASTAnalyzer creates a new AST analyzer with default configuration

func NewASTAnalyzerWithConfig 

func NewASTAnalyzerWithConfig(config *ASTConfig) *ASTAnalyzer

NewASTAnalyzerWithConfig creates a new AST analyzer with custom configuration

func (*ASTAnalyzer) AnalyzeDataFlow 

func (a *ASTAnalyzer) AnalyzeDataFlow(workflow *WorkflowAST) ([]*DataFlow, error)

AnalyzeDataFlow performs data flow analysis and returns tainted flows

func (*ASTAnalyzer) AnalyzeReachability 

func (a *ASTAnalyzer) AnalyzeReachability(workflow *WorkflowAST) map[string]bool

AnalyzeReachability performs reachability analysis on the workflow

func (*ASTAnalyzer) AnalyzeWorkflowComprehensive 

func (a *ASTAnalyzer) AnalyzeWorkflowComprehensive(workflow *WorkflowAST) (*ComprehensiveAnalysisResult, error)

AnalyzeWorkflowComprehensive performs comprehensive analysis including all P1 enhancements

func (*ASTAnalyzer) GetReachabilityReport 

func (a *ASTAnalyzer) GetReachabilityReport() *ReachabilityReport

GetReachabilityReport returns the reachability analysis report

func (*ASTAnalyzer) GetTotalNodes 

func (a *ASTAnalyzer) GetTotalNodes() int

GetTotalNodes returns the total number of nodes in the call graph

func (*ASTAnalyzer) ParseWorkflow 

func (a *ASTAnalyzer) ParseWorkflow(workflow interface{}) (*WorkflowAST, error)

ParseWorkflow parses a workflow into AST representation

func (*ASTAnalyzer) Reset 

func (a *ASTAnalyzer) Reset()

Reset clears all analysis state for reuse between workflows

type ASTConfig 

type ASTConfig struct {
	EnableActionAnalysis       bool
	EnableShellAnalysis        bool
	EnableAdvancedReachability bool
	TrustMarketplaceActions    bool
	MaxComplexityThreshold     int
	EnableContextAnalysis      bool
}

ASTConfig contains configuration for AST analysis

func DefaultASTConfig 

func DefaultASTConfig() *ASTConfig

DefaultASTConfig returns default configuration for AST analysis

type ActionAnalysis 

type ActionAnalysis struct {
	ActionName    string
	Step          *StepNode
	Metadata      *ActionMetadata
	Risks         []string
	DataFlowRisks []string
}

ActionAnalysis contains the results of analyzing an action

type ActionAnalyzer 

type ActionAnalyzer struct {
	// contains filtered or unexported fields
}

ActionAnalyzer provides analysis capabilities for GitHub Actions

func NewActionAnalyzer 

func NewActionAnalyzer() *ActionAnalyzer

NewActionAnalyzer creates a new action analyzer with built-in knowledge

func (*ActionAnalyzer) AnalyzeAction 

func (aa *ActionAnalyzer) AnalyzeAction(step *StepNode) (*ActionAnalysis, error)

AnalyzeAction analyzes a specific action usage in a step

type ActionMetadata 

type ActionMetadata struct {
	Name             string
	Source           string // "marketplace", "custom", "local"
	TrustedVendor    bool   // Whether this is from a trusted vendor
	DataFlowRisks    []string
	Permissions      []string
	OutputPatterns   []string
	InputPatterns    []string
	ShellAccess      bool
	NetworkAccess    bool
	FileSystemAccess bool
	Secrets          []string // Secrets this action typically uses
}

ActionMetadata contains information about an action's behavior

type ActionReference 

type ActionReference struct {
	Owner      string
	Repository string
	Path       string // For actions in subdirectories
	Ref        string // Version, tag, or commit
	IsLocal    bool   // Whether it's a local action (./path)
	IsDocker   bool   // Whether it's a Docker action (docker://)
}

ActionReference represents a parsed action reference

type AnalysisContext 

type AnalysisContext struct {
	WorkflowPath     string
	Platform         string
	ProjectMetadata  map[string]interface{}
	SecurityContext  *SecurityContext
	PerformanceHints *PerformanceHints
	UserConfig       map[string]interface{}
}

AnalysisContext provides context for analyzer plugins

type AnalyzerPlugin 

type AnalyzerPlugin interface {
	Plugin
	Analyze(workflow *WorkflowAST, context *AnalysisContext) (*PluginResult, error)
	GetAnalysisType() string
	GetPriority() int
}

AnalyzerPlugin interface for custom analyzers

type BottleneckAnalysis 

type BottleneckAnalysis struct {
	SlowestComponent        string
	SlowestComponentTime    time.Duration
	MemoryIntensiveStage    string
	MostFrequentError       string
	OptimizationSuggestions []string
}

BottleneckAnalysis identifies performance bottlenecks

type Cache 

type Cache struct {
	// contains filtered or unexported fields
}

Cache provides thread-safe caching for analysis results

func NewCache 

func NewCache(config *CacheConfig) *Cache

NewCache creates a new cache with the given configuration

func (*Cache) Clear 

func (c *Cache) Clear()

Clear removes all entries from the cache

func (*Cache) Get 

func (c *Cache) Get(key CacheKey) (interface{}, bool)

Get retrieves a cached result by key

func (*Cache) Put 

func (c *Cache) Put(key CacheKey, result interface{})

Put stores a result in the cache

func (*Cache) Stats 

func (c *Cache) Stats() CacheStats

Stats returns cache statistics

type CacheConfig 

type CacheConfig struct {
	MaxSizeMB   int           // Maximum cache size in MB
	MaxEntries  int           // Maximum number of cache entries
	TTL         time.Duration // Time to live for entries
	CleanupFreq time.Duration // Frequency of cache cleanup
}

CacheConfig configures cache behavior

func DefaultCacheConfig 

func DefaultCacheConfig() *CacheConfig

DefaultCacheConfig returns sensible default cache configuration

type CacheKey 

type CacheKey struct {
	WorkflowHash string
	ConfigHash   string
	AnalysisType string
	Version      string
}

CacheKey represents a unique identifier for cached analysis results

func GenerateWorkflowKey 

func GenerateWorkflowKey(workflowContent string, config *ASTConfig, analysisType string) CacheKey

GenerateWorkflowKey creates a cache key for workflow analysis

func (CacheKey) String 

func (ck CacheKey) String() string

String returns a string representation of the cache key

type CacheStats 

type CacheStats struct {
	Entries      int     `json:"entries"`
	CurrentSize  int64   `json:"current_size_bytes"`
	MaxSize      int64   `json:"max_size_bytes"`
	HitCount     int64   `json:"hit_count"`
	MissCount    int64   `json:"miss_count"`
	HitRate      float64 `json:"hit_rate_percent"`
	UsagePercent float64 `json:"usage_percent"`
}

CacheStats provides cache performance statistics

type CachedAnalyzer 

type CachedAnalyzer struct {
	// contains filtered or unexported fields
}

CachedAnalyzer wraps an AST analyzer with caching capabilities

func NewCachedAnalyzer 

func NewCachedAnalyzer(analyzer *ASTAnalyzer, cacheConfig *CacheConfig) *CachedAnalyzer

NewCachedAnalyzer creates a new cached analyzer

func (*CachedAnalyzer) AnalyzeWorkflow 

func (ca *CachedAnalyzer) AnalyzeWorkflow(workflowContent string, config *ASTConfig) (*ComprehensiveAnalysisResult, error)

AnalyzeWorkflow performs cached workflow analysis

func (*CachedAnalyzer) ClearCache 

func (ca *CachedAnalyzer) ClearCache()

ClearCache clears the analysis cache

func (*CachedAnalyzer) GetCacheStats 

func (ca *CachedAnalyzer) GetCacheStats() CacheStats

GetCacheStats returns cache statistics

func (*CachedAnalyzer) GetMetrics 

func (ca *CachedAnalyzer) GetMetrics() *Metrics

GetMetrics returns performance metrics

type CachedResult 

type CachedResult struct {
	Key         CacheKey
	Result      interface{}
	CreatedAt   time.Time
	AccessedAt  time.Time
	AccessCount int64
	Size        int64 // Estimated size in bytes
}

CachedResult represents a cached analysis result with metadata

type CallGraph 

type CallGraph struct {
	// contains filtered or unexported fields
}

CallGraph tracks relationships between workflow components

func NewCallGraph 

func NewCallGraph() *CallGraph

NewCallGraph creates a new call graph analyzer

func (*CallGraph) BuildCallGraph 

func (cg *CallGraph) BuildCallGraph(workflow *WorkflowAST) error

BuildCallGraph constructs the call graph from workflow AST

func (*CallGraph) FindPaths 

func (cg *CallGraph) FindPaths(fromID, toID string, maxDepth int) [][]string

FindPaths finds all paths between two nodes

func (*CallGraph) GetAllEdges 

func (cg *CallGraph) GetAllEdges() map[string][]string

GetAllEdges returns all edges

func (*CallGraph) GetEdges 

func (cg *CallGraph) GetEdges(fromID string) []string

GetEdges returns all edges from a node

func (*CallGraph) GetNode 

func (cg *CallGraph) GetNode(id string) (*CallNode, bool)

GetNode returns a node by ID

func (*CallGraph) GetNodeCount 

func (cg *CallGraph) GetNodeCount() int

GetNodeCount returns the total number of nodes

func (*CallGraph) GetNodes 

func (cg *CallGraph) GetNodes() map[string]*CallNode

GetNodes returns all nodes

func (*CallGraph) GetReverseDependencies 

func (cg *CallGraph) GetReverseDependencies(nodeID string) []string

GetReverseDependencies returns all nodes that depend on the given node

func (*CallGraph) IsReachable 

func (cg *CallGraph) IsReachable(fromID, toID string) bool

IsReachable checks if there's a path from one node to another

func (*CallGraph) Reset 

func (cg *CallGraph) Reset()

Reset clears all graph data for reuse

type CallNode 

type CallNode struct {
	ID       string
	Type     string // "job", "step", "action", "workflow", "trigger"
	Name     string
	Platform string
	Metadata map[string]interface{}
}

CallNode represents a node in the call graph

type CommandSegment 

type CommandSegment struct {
	Command     string
	Arguments   []string
	Environment map[string]string
	Dangerous   bool
	Category    string // "network", "file", "system", "data"
}

CommandSegment represents a single command in a pipeline

type CommandSubstitution 

type CommandSubstitution struct {
	Command   string
	Context   string // Where it's used
	Dangerous bool
}

CommandSubstitution represents command substitution $(command) or `command`

type ComplexityMetrics 

type ComplexityMetrics struct {
	AverageJobCount            float64
	AverageStepCount           float64
	AverageConditionComplexity float64
	MaxCallGraphDepth          int
	AverageDataFlowCount       float64
}

ComplexityMetrics tracks analysis complexity patterns

type ComponentMetrics 

type ComponentMetrics struct {
	Name              string
	TotalExecutions   int64
	TotalTime         time.Duration
	AverageTime       time.Duration
	MinTime           time.Duration
	MaxTime           time.Duration
	ErrorCount        int64
	LastExecutionTime time.Time
}

ComponentMetrics tracks performance of individual analysis components

type ComprehensiveAnalysisResult 

type ComprehensiveAnalysisResult struct {
	ReachabilityAnalysis map[string]bool
	DataFlows            []*DataFlow
	ActionAnalyses       []*ActionAnalysis
	ShellAnalyses        []*ShellCommand
	SecurityRisks        []string
	ComplexConditions    []*ConditionAnalyzer
}

ComprehensiveAnalysisResult contains all analysis results

func (*ComprehensiveAnalysisResult) GetSecurityMetrics 

func (car *ComprehensiveAnalysisResult) GetSecurityMetrics() *SecurityMetrics

GetSecurityMetrics returns security metrics from the analysis

type ConditionAnalyzer 

type ConditionAnalyzer struct {
	Expression        string
	Variables         []string
	Secrets           []string
	Github            []string // github.* context
	Inputs            []string // inputs.* context
	Env               []string // env.* context
	Vars              []string // vars.* context
	Steps             []string // steps.* context
	Jobs              []string // jobs.* context
	Needs             []string // needs.* context
	Matrix            []string // matrix.* context
	Always            bool     // always() function used
	Failure           bool     // failure() function used
	Success           bool     // success() function used
	Cancelled         bool     // cancelled() function used
	StaticEval        *bool    // static evaluation result if determinable
	ContextDependency bool     // depends on runtime context
	Complexity        int      // complexity score for the condition
	Operators         []string // logical operators used
	Functions         []string // functions called in condition
}

ConditionAnalyzer analyzes conditional expressions in workflows

func (*ConditionAnalyzer) AnalyzeConditionComplexity 

func (ca *ConditionAnalyzer) AnalyzeConditionComplexity() map[string]interface{}

AnalyzeConditionComplexity analyzes the complexity of conditional expressions

type DataFlow 

type DataFlow struct {
	SourceID string
	SinkID   string
	Path     []string // Nodes the data flows through
	Tainted  bool
	Severity string // "LOW", "MEDIUM", "HIGH", "CRITICAL"
	Risk     string // Description of the risk
}

DataFlow represents a flow of data from source to sink

type DataFlowAnalyzer 

type DataFlowAnalyzer struct {
	// contains filtered or unexported fields
}

DataFlowAnalyzer tracks data flow through the workflow

func NewDataFlowAnalyzer 

func NewDataFlowAnalyzer() *DataFlowAnalyzer

NewDataFlowAnalyzer creates a new data flow analyzer

func (*DataFlowAnalyzer) AnalyzeDataFlow 

func (dfa *DataFlowAnalyzer) AnalyzeDataFlow(workflow *WorkflowAST) error

AnalyzeDataFlow performs data flow analysis on the workflow

func (*DataFlowAnalyzer) AnalyzeDataFlowWithCallGraph 

func (dfa *DataFlowAnalyzer) AnalyzeDataFlowWithCallGraph(workflow *WorkflowAST, callGraph *CallGraph) error

AnalyzeDataFlowWithCallGraph performs analysis using call graph for accuracy

func (*DataFlowAnalyzer) GetAllFlows 

func (dfa *DataFlowAnalyzer) GetAllFlows() []*DataFlow

GetAllFlows returns all detected data flows

func (*DataFlowAnalyzer) GetFlowsBySeverity 

func (dfa *DataFlowAnalyzer) GetFlowsBySeverity(minSeverity string) []*DataFlow

GetFlowsBySeverity returns flows filtered by minimum severity

func (*DataFlowAnalyzer) GetTaintedFlows 

func (dfa *DataFlowAnalyzer) GetTaintedFlows() []*DataFlow

GetTaintedFlows returns all data flows involving tainted data

func (*DataFlowAnalyzer) Reset 

func (dfa *DataFlowAnalyzer) Reset()

Reset clears all analysis data for reuse

type DataFlowGraph 

type DataFlowGraph struct {
	// contains filtered or unexported fields
}

DataFlowGraph represents the workflow structure as a directed graph

type DataSink 

type DataSink struct {
	ID        string
	Type      string // "output", "log", "network", "file", "env", "action_input"
	Name      string
	NodeID    string
	Sensitive bool   // Whether this sink could leak sensitive data
	Command   string // The command or action that creates this sink
}

DataSink represents a destination for data in the workflow

type DataSource 

type DataSource struct {
	ID      string
	Type    string // "input", "secret", "env", "output", "artifact", "github_context"
	Name    string
	NodeID  string
	Tainted bool   // Whether this source contains sensitive data
	Origin  string // Where the data originally comes from
	Value   string // The actual value or reference
}

DataSource represents a source of data in the workflow

type EnvNode 

type EnvNode struct {
	Name    string `yaml:"-"`
	Value   string `yaml:",inline"`
	Tainted bool   `yaml:"-"`
	Source  string `yaml:"-"`
}

EnvNode represents environment variables

type ExtensionRegistry 

type ExtensionRegistry struct {
	// contains filtered or unexported fields
}

ExtensionRegistry manages plugin registration and discovery

func NewExtensionRegistry 

func NewExtensionRegistry() *ExtensionRegistry

NewExtensionRegistry creates a new extension registry

func (*ExtensionRegistry) GetActivePlugins 

func (er *ExtensionRegistry) GetActivePlugins() map[string]Plugin

GetActivePlugins returns all active plugins

func (*ExtensionRegistry) GetRegisteredPlugins 

func (er *ExtensionRegistry) GetRegisteredPlugins() map[string]*PluginRegistration

GetRegisteredPlugins returns all registered plugins

func (*ExtensionRegistry) LoadPlugin 

func (er *ExtensionRegistry) LoadPlugin(name string) (Plugin, error)

LoadPlugin loads and activates a registered plugin

func (*ExtensionRegistry) RegisterPlugin 

func (er *ExtensionRegistry) RegisterPlugin(name string, constructor func() Plugin, config interface{}) error

RegisterPlugin registers a plugin with the registry

func (*ExtensionRegistry) UnloadPlugin 

func (er *ExtensionRegistry) UnloadPlugin(name string) error

UnloadPlugin unloads an active plugin

type JobNode 

type JobNode struct {
	ID          string            `yaml:"-"`
	Name        string            `yaml:"name"`
	Steps       []*StepNode       `yaml:"steps"`
	Needs       []string          `yaml:"needs"`
	If          string            `yaml:"if"`
	Environment string            `yaml:"environment"`
	Permissions map[string]string `yaml:"permissions"`
	Secrets     []string          `yaml:"-"` // Extracted from steps
	Variables   map[string]string `yaml:"env"`
	RunsOn      string            `yaml:"runs-on"`
	Reachable   bool              `yaml:"-"` // Will be set by reachability analysis
}

JobNode represents a job in the workflow with its dependencies

type LifecycleEvent 

type LifecycleEvent string

LifecycleEvent represents different phases of analysis 

const (
	BeforeAnalysis   LifecycleEvent = "before_analysis"
	AfterAnalysis    LifecycleEvent = "after_analysis"
	BeforeValidation LifecycleEvent = "before_validation"
	AfterValidation  LifecycleEvent = "after_validation"
	OnError          LifecycleEvent = "on_error"
	OnComplete       LifecycleEvent = "on_complete"
)

type LifecycleHook 

type LifecycleHook func(event LifecycleEvent, data interface{}) error

LifecycleHook function for lifecycle events

type Location 

type Location struct {
	File    string `json:"file"`
	Line    int    `json:"line"`
	Column  int    `json:"column"`
	JobID   string `json:"job_id,omitempty"`
	StepID  string `json:"step_id,omitempty"`
	Context string `json:"context,omitempty"`
}

Location represents the location of an issue

type Metrics 

type Metrics struct {
	// contains filtered or unexported fields
}

Metrics provides observability into AST analysis performance

func (*Metrics) GetCacheHitRate 

func (m *Metrics) GetCacheHitRate() float64

GetCacheHitRate returns the cache hit rate as a percentage

func (*Metrics) GetErrorRate 

func (m *Metrics) GetErrorRate() float64

GetErrorRate returns the error rate as a percentage

func (*Metrics) GetThroughput 

func (m *Metrics) GetThroughput() float64

GetThroughput returns analyses per second

type MetricsCollector 

type MetricsCollector struct {
	// contains filtered or unexported fields
}

MetricsCollector provides centralized metrics collection

func NewMetricsCollector 

func NewMetricsCollector() *MetricsCollector

NewMetricsCollector creates a new metrics collector

func (*MetricsCollector) Disable 

func (mc *MetricsCollector) Disable()

Disable turns off metrics collection

func (*MetricsCollector) Enable 

func (mc *MetricsCollector) Enable()

Enable turns on metrics collection

func (*MetricsCollector) GenerateReport 

func (mc *MetricsCollector) GenerateReport() *PerformanceReport

GenerateReport creates a comprehensive performance report

func (*MetricsCollector) GetMetrics 

func (mc *MetricsCollector) GetMetrics() *Metrics

GetMetrics returns a copy of current metrics

func (*MetricsCollector) RecordAnalysis 

func (mc *MetricsCollector) RecordAnalysis(parseTime, analysisTime time.Duration, workflowSize string, err error)

RecordAnalysis records a complete analysis execution

func (*MetricsCollector) RecordCacheHit 

func (mc *MetricsCollector) RecordCacheHit()

RecordCacheHit records a cache hit

func (*MetricsCollector) RecordCacheMiss 

func (mc *MetricsCollector) RecordCacheMiss()

RecordCacheMiss records a cache miss

func (*MetricsCollector) RecordComponentExecution 

func (mc *MetricsCollector) RecordComponentExecution(componentName string, duration time.Duration, err error)

RecordComponentExecution records execution of individual components

func (*MetricsCollector) UpdateComplexityMetrics 

func (mc *MetricsCollector) UpdateComplexityMetrics(jobCount, stepCount int, conditionComplexity float64, callGraphDepth int, dataFlowCount int)

UpdateComplexityMetrics updates complexity-related metrics

type MiddlewareFunc 

type MiddlewareFunc func(*WorkflowAST) (*WorkflowAST, error)

MiddlewareFunc represents the next middleware in the chain

type MiddlewarePlugin 

type MiddlewarePlugin interface {
	Plugin
	Process(workflow *WorkflowAST, next MiddlewareFunc) (*WorkflowAST, error)
	GetOrder() int
}

MiddlewarePlugin interface for analysis pipeline middleware

type PerformanceHints 

type PerformanceHints struct {
	MaxAnalysisTime   int64
	MemoryLimitMB     int64
	PreferredCaching  bool
	ParallelExecution bool
}

PerformanceHints provides optimization hints

type PerformanceProfile 

type PerformanceProfile struct {
	WorkflowSizeDistribution map[string]int64 // small, medium, large
	ComplexityMetrics        ComplexityMetrics
	ResourceUsage            ResourceUsage
	BottleneckAnalysis       BottleneckAnalysis
}

PerformanceProfile tracks detailed performance characteristics

type PerformanceReport 

type PerformanceReport struct {
	GeneratedAt     time.Time     `json:"generated_at"`
	UpTime          time.Duration `json:"uptime"`
	TotalAnalyses   int64         `json:"total_analyses"`
	Metrics         *Metrics      `json:"metrics"`
	Recommendations []string      `json:"recommendations"`
}

PerformanceReport provides a comprehensive analysis performance overview

type Pipe 

type Pipe struct {
	LeftCommand  string
	RightCommand string
	DataFlow     bool // Whether sensitive data flows through the pipe
}

Pipe represents a pipe between commands

type Plugin 

type Plugin interface {
	GetInfo() *PluginInfo
	Initialize(config interface{}) error
	Cleanup() error
	Validate() error
}

Plugin base interface for all plugins

type PluginConfig 

type PluginConfig struct {
	EnablePlugins      bool
	PluginTimeout      int64 // seconds
	MaxPluginMemoryMB  int64
	AllowedPluginTypes []string
	SecurityPolicy     PluginSecurityPolicy
}

PluginConfig configures plugin behavior

func DefaultPluginConfig 

func DefaultPluginConfig() *PluginConfig

DefaultPluginConfig returns default plugin configuration

type PluginInfo 

type PluginInfo struct {
	Name         string                 `json:"name"`
	Version      string                 `json:"version"`
	Author       string                 `json:"author"`
	Description  string                 `json:"description"`
	Homepage     string                 `json:"homepage"`
	License      string                 `json:"license"`
	Tags         []string               `json:"tags"`
	Dependencies []string               `json:"dependencies"`
	Metadata     map[string]interface{} `json:"metadata"`
}

PluginInfo contains metadata about a plugin

type PluginManager 

type PluginManager struct {
	// contains filtered or unexported fields
}

PluginManager manages analyzer plugins and extensions

func NewPluginManager 

func NewPluginManager(config *PluginConfig) *PluginManager

NewPluginManager creates a new plugin manager

func (*PluginManager) AddLifecycleHook 

func (pm *PluginManager) AddLifecycleHook(event LifecycleEvent, hook LifecycleHook)

AddLifecycleHook adds a hook for lifecycle events

func (*PluginManager) Cleanup 

func (pm *PluginManager) Cleanup() error

Cleanup cleans up all plugins

func (*PluginManager) EvaluateRules 

func (pm *PluginManager) EvaluateRules(workflow *WorkflowAST, context *RuleContext) ([]*RuleResult, error)

EvaluateRules runs all registered rule plugins

func (*PluginManager) GenerateReports 

func (pm *PluginManager) GenerateReports(results *ComprehensiveAnalysisResult, config *ReportConfig) (map[string][]byte, error)

GenerateReports generates reports using all registered reporters

func (*PluginManager) GetPluginInfo 

func (pm *PluginManager) GetPluginInfo() map[string]*PluginInfo

GetPluginInfo returns information about all registered plugins

func (*PluginManager) ProcessMiddleware 

func (pm *PluginManager) ProcessMiddleware(workflow *WorkflowAST) (*WorkflowAST, error)

ProcessMiddleware runs workflow through middleware pipeline

func (*PluginManager) RegisterAnalyzer 

func (pm *PluginManager) RegisterAnalyzer(name string, analyzer AnalyzerPlugin) error

RegisterAnalyzer registers an analyzer plugin

func (*PluginManager) RegisterMiddleware 

func (pm *PluginManager) RegisterMiddleware(middleware MiddlewarePlugin) error

RegisterMiddleware registers a middleware plugin

func (*PluginManager) RegisterReporter 

func (pm *PluginManager) RegisterReporter(name string, reporter ReporterPlugin) error

RegisterReporter registers a reporter plugin

func (*PluginManager) RegisterRule 

func (pm *PluginManager) RegisterRule(name string, rule RulePlugin) error

RegisterRule registers a rule plugin

func (*PluginManager) RunAnalyzers 

func (pm *PluginManager) RunAnalyzers(workflow *WorkflowAST, context *AnalysisContext) ([]*PluginResult, error)

RunAnalyzers executes all registered analyzer plugins

func (*PluginManager) TriggerLifecycleEvent 

func (pm *PluginManager) TriggerLifecycleEvent(event LifecycleEvent, data interface{}) error

TriggerLifecycleEvent triggers all hooks for a specific event

type PluginRegistration 

type PluginRegistration struct {
	Info        *PluginInfo
	Constructor func() Plugin
	Config      interface{}
	Enabled     bool
}

PluginRegistration contains plugin registration information

type PluginResult 

type PluginResult struct {
	PluginName    string                 `json:"plugin_name"`
	AnalysisType  string                 `json:"analysis_type"`
	Findings      []*SecurityFinding     `json:"findings"`
	Metrics       map[string]interface{} `json:"metrics"`
	Metadata      map[string]interface{} `json:"metadata"`
	ExecutionTime int64                  `json:"execution_time_ms"`
	Success       bool                   `json:"success"`
	Errors        []string               `json:"errors,omitempty"`
}

PluginResult represents the result of a plugin analysis

type PluginSecurityPolicy 

type PluginSecurityPolicy struct {
	AllowFileAccess    bool
	AllowNetworkAccess bool
	AllowedDomains     []string
	RestrictedCommands []string
	MaxExecutionTime   int64 // seconds
}

PluginSecurityPolicy defines security constraints for plugins

type ReachabilityAnalyzer 

type ReachabilityAnalyzer struct {
	// contains filtered or unexported fields
}

ReachabilityAnalyzer determines which parts of the workflow are reachable

func NewReachabilityAnalyzer 

func NewReachabilityAnalyzer(cg *CallGraph) *ReachabilityAnalyzer

NewReachabilityAnalyzer creates a new reachability analyzer

func (*ReachabilityAnalyzer) AnalyzeReachability 

func (ra *ReachabilityAnalyzer) AnalyzeReachability(workflow *WorkflowAST, entryPoints []string) map[string]bool

AnalyzeReachability performs reachability analysis on the workflow

func (*ReachabilityAnalyzer) GetConditionAnalysis 

func (ra *ReachabilityAnalyzer) GetConditionAnalysis(nodeID string) *ConditionAnalyzer

GetConditionAnalysis returns the condition analysis for a node

func (*ReachabilityAnalyzer) GetReachabilityReport 

func (ra *ReachabilityAnalyzer) GetReachabilityReport() *ReachabilityReport

GetReachabilityReport generates a detailed reachability report

func (*ReachabilityAnalyzer) GetReachableNodes 

func (ra *ReachabilityAnalyzer) GetReachableNodes() map[string]bool

GetReachableNodes returns all reachable nodes

func (*ReachabilityAnalyzer) GetUnreachableNodes 

func (ra *ReachabilityAnalyzer) GetUnreachableNodes() []string

GetUnreachableNodes returns nodes that are defined but not reachable

func (*ReachabilityAnalyzer) IsReachable 

func (ra *ReachabilityAnalyzer) IsReachable(nodeID string) bool

IsReachable checks if a specific node is reachable

func (*ReachabilityAnalyzer) Reset 

func (ra *ReachabilityAnalyzer) Reset()

Reset clears all analysis data for reuse

type ReachabilityReport 

type ReachabilityReport struct {
	TotalNodes       int
	ReachableNodes   int
	UnreachableNodes []string
	ConditionalNodes map[string]*ConditionAnalyzer
}

ReachabilityReport contains detailed reachability analysis results

func (*ReachabilityReport) GetConditionalNodesCount 

func (rr *ReachabilityReport) GetConditionalNodesCount() int

GetConditionalNodesCount returns the number of nodes with conditions

func (*ReachabilityReport) GetReachabilityPercentage 

func (rr *ReachabilityReport) GetReachabilityPercentage() float64

GetReachabilityPercentage calculates the percentage of reachable nodes

func (*ReachabilityReport) GetStaticallyFalseConditions 

func (rr *ReachabilityReport) GetStaticallyFalseConditions() []string

GetStaticallyFalseConditions returns nodes with statically false conditions

func (*ReachabilityReport) HasUnreachableCode 

func (rr *ReachabilityReport) HasUnreachableCode() bool

HasUnreachableCode returns true if there are unreachable nodes

type Redirection 

type Redirection struct {
	Type   string // "input", "output", "append", "error"
	Source string
	Target string
	Risky  bool
}

Redirection represents input/output redirection

type Remediation 

type Remediation struct {
	Summary     string   `json:"summary"`
	Description string   `json:"description"`
	Steps       []string `json:"steps"`
	Examples    []string `json:"examples"`
	Links       []string `json:"links"`
}

Remediation provides guidance on fixing issues

type ReportConfig 

type ReportConfig struct {
	Format         string                 `json:"format"`
	IncludeMetrics bool                   `json:"include_metrics"`
	FilterSeverity []string               `json:"filter_severity"`
	GroupBy        string                 `json:"group_by"`
	Template       string                 `json:"template,omitempty"`
	OutputPath     string                 `json:"output_path,omitempty"`
	CustomFields   map[string]interface{} `json:"custom_fields"`
}

ReportConfig configures report generation

type ReporterPlugin 

type ReporterPlugin interface {
	Plugin
	GenerateReport(results *ComprehensiveAnalysisResult, config *ReportConfig) ([]byte, error)
	GetFormat() string
	GetMimeType() string
}

ReporterPlugin interface for custom output formats

type ResourceUsage 

type ResourceUsage struct {
	AverageMemoryMB   float64
	PeakMemoryMB      uint64
	AverageCPUPercent float64
	GCPauseTimeMS     float64
	AllocationsPerSec float64
}

ResourceUsage tracks resource consumption

type RuleContext 

type RuleContext struct {
	WorkflowAST   *WorkflowAST
	CurrentJob    *JobNode
	CurrentStep   *StepNode
	ParentNodes   []interface{}
	GlobalContext map[string]interface{}
}

RuleContext provides context for rule evaluation

type RulePlugin 

type RulePlugin interface {
	Plugin
	Evaluate(node interface{}, context *RuleContext) (*RuleResult, error)
	GetRuleID() string
	GetSeverity() string
	GetCategory() string
}

RulePlugin interface for custom security rules

type RuleResult 

type RuleResult struct {
	RuleID      string                 `json:"rule_id"`
	Passed      bool                   `json:"passed"`
	Severity    string                 `json:"severity"`
	Message     string                 `json:"message"`
	Location    *Location              `json:"location,omitempty"`
	Remediation *Remediation           `json:"remediation,omitempty"`
	Metadata    map[string]interface{} `json:"metadata"`
}

RuleResult represents the result of a rule evaluation

type SecretNode 

type SecretNode struct {
	Name        string `yaml:"-"`
	Value       string `yaml:",inline"`
	Required    bool   `yaml:"required"`
	Description string `yaml:"description"`
}

SecretNode represents secrets

type SecurityContext 

type SecurityContext struct {
	TrustedDomains     []string
	AllowedActions     []string
	SecurityLevel      string
	ComplianceProfiles []string
}

SecurityContext provides security-related context

type SecurityFinding 

type SecurityFinding struct {
	ID          string       `json:"id"`
	Title       string       `json:"title"`
	Description string       `json:"description"`
	Severity    string       `json:"severity"`
	Category    string       `json:"category"`
	Location    *Location    `json:"location"`
	Remediation *Remediation `json:"remediation"`
	References  []string     `json:"references"`
	CWE         []string     `json:"cwe,omitempty"`
	OWASP       []string     `json:"owasp,omitempty"`
}

SecurityFinding represents a security issue found by analysis

type SecurityMetrics 

type SecurityMetrics struct {
	TotalRisks         int
	HighRiskActions    int
	UntrustedActions   int
	DangerousCommands  int
	ComplexConditions  int
	SensitiveDataFlows int
}

SecurityMetrics contains security-related metrics

type ShellAnalyzer 

type ShellAnalyzer struct {
	// contains filtered or unexported fields
}

ShellAnalyzer provides enhanced shell command analysis

func NewShellAnalyzer 

func NewShellAnalyzer() *ShellAnalyzer

NewShellAnalyzer creates a new enhanced shell analyzer

func (*ShellAnalyzer) AnalyzeShellCommand 

func (sa *ShellAnalyzer) AnalyzeShellCommand(command string, context map[string]string) (*ShellCommand, error)

AnalyzeShellCommand performs comprehensive analysis of a shell command

type ShellCommand 

type ShellCommand struct {
	OriginalCommand string
	ParsedCommands  []*CommandSegment
	Variables       []*VariableReference
	Redirections    []*Redirection
	Pipes           []*Pipe
	Substitutions   []*CommandSubstitution
	SecurityRisks   []string
	DataFlowRisks   []string
}

ShellCommand represents a parsed shell command with its components

type SinkInfo 

type SinkInfo struct {
	// contains filtered or unexported fields
}

SinkInfo contains sink and path information

type StepNode 

type StepNode struct {
	ID          string            `yaml:"id"`
	Name        string            `yaml:"name"`
	Uses        string            `yaml:"uses"`
	With        map[string]string `yaml:"with"`
	Run         string            `yaml:"run"`
	Env         map[string]string `yaml:"env"`
	If          string            `yaml:"if"`
	Shell       string            `yaml:"shell"`
	WorkingDir  string            `yaml:"working-directory"`
	Outputs     []string          `yaml:"-"` // Extracted from analysis
	Inputs      []string          `yaml:"-"` // Extracted from analysis
	Reachable   bool              `yaml:"-"`
	DataSources []string          `yaml:"-"` // Where data comes from
	DataSinks   []string          `yaml:"-"` // Where data goes to
}

StepNode represents individual steps with data flow information

type TriggerNode 

type TriggerNode struct {
	Event     string                 `yaml:"-"`
	Config    map[string]interface{} `yaml:",inline"`
	Reachable bool                   `yaml:"-"`
}

TriggerNode represents workflow triggers

type VariableReference 

type VariableReference struct {
	Name      string
	Value     string
	Source    string // "env", "github", "secret", "input"
	Sensitive bool
	Usage     string // "read", "write", "expand"
}

VariableReference represents a variable used in the command

type WorkflowAST 

type WorkflowAST struct {
	Jobs     map[string]*JobNode    `yaml:"jobs"`
	Triggers []*TriggerNode         `yaml:"on"`
	Env      map[string]*EnvNode    `yaml:"env"`
	Secrets  map[string]*SecretNode `yaml:"secrets"`
	Platform string                 // "github" or "gitlab"
}

WorkflowAST represents the parsed structure of a CI/CD workflow

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.