Functions ¶
func SaveConfig ¶
SaveConfig saves configuration to a file
Types ¶
type ActionsIgnores ¶
// ActionsIgnores holds the ignore lists applied by action-related rules.
// Both fields use the same key name in YAML and JSON.
type ActionsIgnores struct {
	// Actions lists specific actions to ignore.
	Actions []string `yaml:"actions" json:"actions"` // Specific actions to ignore
	// Orgs lists organizations treated as trusted. Whether matching is exact or
	// prefix-based is not visible here — see (*Config).ShouldIgnoreForRule.
	Orgs []string `yaml:"orgs" json:"orgs"` // Trusted organizations
}
ActionsIgnores holds the ignore lists used by action-related rules.
type ComplianceConfig ¶ added in v0.0.4
// ComplianceConfig configures compliance framework integration.
type ComplianceConfig struct {
	// Enabled turns compliance reporting on or off.
	Enabled bool `yaml:"enabled" json:"enabled"`
	// Frameworks lists the framework IDs to report against.
	Frameworks []string `yaml:"frameworks" json:"frameworks"`
	// ReportPath is where the compliance report is written; omitted from
	// output when empty. NOTE(review): treat as an untrusted path if the config
	// file can come from a repository — confirm how the writer resolves it.
	ReportPath string `yaml:"report_path,omitempty" json:"report_path,omitempty"`
	// CustomFrameworks adds user-defined frameworks keyed by a caller-chosen
	// name; presumably the key mirrors ComplianceFramework.ID — verify.
	CustomFrameworks map[string]ComplianceFramework `yaml:"custom_frameworks,omitempty" json:"custom_frameworks,omitempty"`
}
ComplianceConfig configures compliance framework integration
type ComplianceControl ¶ added in v0.0.4
// ComplianceControl maps a framework control to the rules that satisfy it.
type ComplianceControl struct {
	// ID identifies the control within its framework.
	ID string `yaml:"id" json:"id"`
	// Title is the short control name.
	Title string `yaml:"title" json:"title"`
	// Description explains the control.
	Description string `yaml:"description" json:"description"`
	// RequiredRules lists rule IDs that must pass for the control to be
	// considered compliant (inferred from the name — confirm in
	// GetComplianceReport).
	RequiredRules []string `yaml:"required_rules" json:"required_rules"`
	// Severity is the control's severity label (free-form string here).
	Severity string `yaml:"severity" json:"severity"`
}
ComplianceControl maps to specific security controls
type ComplianceFramework ¶ added in v0.0.4
// ComplianceFramework defines the requirements of one compliance framework.
type ComplianceFramework struct {
	// ID is the framework identifier used elsewhere (e.g. ComplianceConfig.Frameworks).
	ID string `yaml:"id" json:"id"`
	// Name is the human-readable framework name.
	Name string `yaml:"name" json:"name"`
	// Version is the framework version string.
	Version string `yaml:"version" json:"version"`
	// Description explains the framework.
	Description string `yaml:"description" json:"description"`
	// Controls lists the controls that make up the framework.
	Controls []ComplianceControl `yaml:"controls" json:"controls"`
	// URL optionally links to the framework documentation; omitted when empty.
	URL string `yaml:"url,omitempty" json:"url,omitempty"`
}
ComplianceFramework defines compliance framework requirements
type ComplianceReport ¶ added in v0.0.4
// ComplianceReport represents the compliance status for a set of findings.
// It is JSON-only (no yaml tags): it is produced, not loaded from config.
type ComplianceReport struct {
	// Context is the evaluation context the report was generated for.
	Context PolicyContext `json:"context"`
	// GeneratedAt is when the report was produced.
	GeneratedAt time.Time `json:"generated_at"`
	// Compliant is the overall verdict.
	Compliant bool `json:"compliant"`
	// TotalViolations counts all violations; the three counters below split
	// them by enforcement level. Whether they sum to TotalViolations is not
	// visible here — confirm in GetComplianceReport.
	TotalViolations int `json:"total_violations"`
	BlockingViolations int `json:"blocking_violations"`
	ErrorViolations int `json:"error_violations"`
	WarningViolations int `json:"warning_violations"`
	// Frameworks holds per-framework results keyed by framework ID (assumed).
	Frameworks map[string]FrameworkCompliance `json:"frameworks"`
}
ComplianceReport represents compliance status
type Config ¶
// Config represents the complete Flowlyt configuration.
// Sections tagged omitempty are optional in the config file.
type Config struct {
	// Version is the config schema version.
	Version string `yaml:"version" json:"version"`
	// Rules controls which rules run and how false positives are filtered.
	Rules Rules `yaml:"rules" json:"rules"`
	// Output controls report format and destination.
	Output Output `yaml:"output" json:"output"`
	// Policies are organization-wide policies (optional).
	Policies []Policy `yaml:"policies,omitempty" json:"policies,omitempty"`
	// Templates are reusable rule templates (optional).
	Templates []RuleTemplate `yaml:"templates,omitempty" json:"templates,omitempty"`
	// Compliance configures framework reporting (optional).
	Compliance ComplianceConfig `yaml:"compliance,omitempty" json:"compliance,omitempty"`
	// Organization holds org-wide settings (optional).
	Organization OrgConfig `yaml:"organization,omitempty" json:"organization,omitempty"`
}
Config represents the complete Flowlyt configuration
func LoadConfig ¶
LoadConfig loads configuration from file or returns default
func (*Config) IsRuleEnabled ¶
IsRuleEnabled checks if a rule should be enabled
func (*Config) ShouldIgnoreForRule ¶
ShouldIgnoreForRule checks if a finding should be ignored for a specific rule
func (*Config) ShouldIgnoreGlobal ¶
ShouldIgnoreGlobal checks if a string should be ignored globally
func (*Config) ShouldIgnoreSecret ¶
ShouldIgnoreSecret checks if a secret should be ignored
type ContactConfig ¶ added in v0.0.4
// ContactConfig configures organizational contacts for policy issues.
type ContactConfig struct {
	// SecurityTeam is the security team contact; omitted when empty.
	SecurityTeam string `yaml:"security_team,omitempty" json:"security_team,omitempty"`
	// Owners lists the config/policy owners.
	Owners []string `yaml:"owners" json:"owners"`
	// Escalation is the escalation contact; omitted when empty.
	Escalation string `yaml:"escalation,omitempty" json:"escalation,omitempty"`
}
ContactConfig configures organizational contacts
type ControlStatus ¶ added in v0.0.4
// ControlStatus represents the evaluated status of one compliance control.
// JSON-only: it is report output, not config input.
type ControlStatus struct {
	// ControlID matches ComplianceControl.ID.
	ControlID string `json:"control_id"`
	// Title mirrors ComplianceControl.Title.
	Title string `json:"title"`
	// Compliant is the verdict for this control.
	Compliant bool `json:"compliant"`
	// Violations lists the violations attributed to this control; element
	// format (rule IDs vs. messages) is not visible here.
	Violations []string `json:"violations"`
	// Severity mirrors ComplianceControl.Severity.
	Severity string `json:"severity"`
}
ControlStatus represents the status of a compliance control
type CustomRule ¶
// CustomRule represents a user-defined rule loaded from configuration.
// Which of Pattern, Patterns, Script or Config applies depends on Type.
type CustomRule struct {
	// ID uniquely identifies the rule (referenced by Rules.Enabled/Disabled
	// and PolicyRule.RuleID, presumably).
	ID string `yaml:"id" json:"id"`
	// Name is the human-readable rule name.
	Name string `yaml:"name" json:"name"`
	// Description explains what the rule detects.
	Description string `yaml:"description" json:"description"`
	// Severity is the finding severity label.
	Severity string `yaml:"severity" json:"severity"`
	// Category groups the rule in output.
	Category string `yaml:"category" json:"category"`
	// Type selects the rule engine: "regex", "script" or "plugin".
	Type string `yaml:"type" json:"type"` // "regex", "script", "plugin"
	// Pattern / Patterns hold the expression(s) for Type "regex" (assumed).
	Pattern string `yaml:"pattern,omitempty" json:"pattern,omitempty"`
	Patterns []string `yaml:"patterns,omitempty" json:"patterns,omitempty"`
	// Script is the body for Type "script". NOTE(review): this is config-
	// supplied logic; how and with what privileges CustomRuleEngine runs it
	// is not visible on this page — confirm it is validated before execution.
	Script string `yaml:"script,omitempty" json:"script,omitempty"`
	// Config carries type-specific options (for example for "plugin").
	Config map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
	// Target selects which workflow parts the rule inspects.
	Target RuleTarget `yaml:"target" json:"target"`
	// Remediation is the guidance shown with a finding.
	Remediation string `yaml:"remediation" json:"remediation"`
}
CustomRule represents a user-defined rule
type CustomRuleEngine ¶
// CustomRuleEngine handles loading and execution of custom rules.
// Construct it with NewCustomRuleEngine; the zero value is not documented
// as usable.
type CustomRuleEngine struct {
	// contains filtered or unexported fields
}
CustomRuleEngine handles loading and execution of custom rules
func NewCustomRuleEngine ¶
func NewCustomRuleEngine(config *Config) *CustomRuleEngine
NewCustomRuleEngine creates a new custom rule engine
func (*CustomRuleEngine) LoadCustomRules ¶
func (cre *CustomRuleEngine) LoadCustomRules() ([]rules.Rule, error)
LoadCustomRules converts config custom rules to executable rules
type EnforcementLevel ¶ added in v0.0.4
// EnforcementLevel defines how strictly a policy is enforced.
// It is a string so it round-trips through YAML/JSON as a plain value.
type EnforcementLevel string
EnforcementLevel defines how strictly a policy is enforced
// Enforcement levels accepted in Policy.Enforcement and PolicyRule.Enforcement.
// The string values are what appears in YAML/JSON. They appear to map onto
// the Warning/Error/Blocking counters of ComplianceReport — confirm in
// GetComplianceReport.
const (
	// EnforcementDisabled turns the policy off.
	EnforcementDisabled EnforcementLevel = "disabled"
	// EnforcementWarn reports violations as warnings.
	EnforcementWarn EnforcementLevel = "warn"
	// EnforcementError reports violations as errors.
	EnforcementError EnforcementLevel = "error"
	// EnforcementBlock reports violations as blocking.
	EnforcementBlock EnforcementLevel = "block"
)
type FalsePositives ¶
// FalsePositives holds the ignore configuration used to suppress findings.
type FalsePositives struct {
	// Global ignores apply to every rule.
	Global GlobalIgnores `yaml:"global" json:"global"`
	// Secrets ignores apply to secret detection.
	Secrets SecretsIgnores `yaml:"secrets" json:"secrets"`
	// Actions ignores apply to action-related rules.
	Actions ActionsIgnores `yaml:"actions" json:"actions"`
	// Files lists file patterns to ignore; pattern syntax is not visible here.
	Files []string `yaml:"files" json:"files"` // File patterns to ignore
	// Rules holds per-rule overrides keyed by rule ID (assumed).
	Rules map[string]RuleIgnores `yaml:"rules" json:"rules"` // Per-rule ignores
}
FalsePositives holds the configuration used to filter false positives.
type FrameworkCompliance ¶ added in v0.0.4
// FrameworkCompliance represents compliance with one framework.
// JSON-only: it is report output.
type FrameworkCompliance struct {
	// FrameworkID matches ComplianceFramework.ID.
	FrameworkID string `json:"framework_id"`
	// FrameworkName mirrors ComplianceFramework.Name.
	FrameworkName string `json:"framework_name"`
	// Version mirrors ComplianceFramework.Version.
	Version string `json:"version"`
	// Compliant is the framework-level verdict.
	Compliant bool `json:"compliant"`
	// Controls holds per-control status keyed by control ID (assumed).
	Controls map[string]ControlStatus `json:"controls"`
	// Score is a numeric compliance score; its range (0–1 vs. 0–100) is not
	// visible here.
	Score float64 `json:"score"`
}
FrameworkCompliance represents compliance with a specific framework
type GlobalIgnores ¶
// GlobalIgnores holds ignore lists applied to all rules.
type GlobalIgnores struct {
	// Patterns are pattern-based ignores (presumably regular expressions —
	// see ShouldIgnoreGlobal).
	Patterns []string `yaml:"patterns" json:"patterns"`
	// Strings are literal strings to ignore.
	Strings []string `yaml:"strings" json:"strings"`
}
GlobalIgnores holds ignore lists applied to all rules.
type InheritanceConfig ¶ added in v0.0.4
// InheritanceConfig configures policy inheritance from parent configurations.
type InheritanceConfig struct {
	// Enabled turns inheritance on or off.
	Enabled bool `yaml:"enabled" json:"enabled"`
	// ParentConfigs lists the parent configurations to inherit from. Whether
	// entries are local paths or remote references, and how they are fetched
	// and trusted, is not visible here — confirm before relying on this.
	ParentConfigs []string `yaml:"parent_configs" json:"parent_configs"`
	// MergeStrategy is "override", "merge" or "append".
	MergeStrategy string `yaml:"merge_strategy" json:"merge_strategy"` // "override", "merge", "append"
}
InheritanceConfig configures policy inheritance
type OrgConfig ¶ added in v0.0.4
// OrgConfig configures organization-wide settings.
type OrgConfig struct {
	// Name is the organization name.
	Name string `yaml:"name" json:"name"`
	// PolicyRepo optionally names a repository holding org policies; how it
	// is resolved is not visible here.
	PolicyRepo string `yaml:"policy_repo,omitempty" json:"policy_repo,omitempty"`
	// DefaultPolicies lists policy IDs applied by default (assumed).
	DefaultPolicies []string `yaml:"default_policies" json:"default_policies"`
	// Inheritance controls inheritance from parent configs.
	Inheritance InheritanceConfig `yaml:"inheritance" json:"inheritance"`
	// Contacts holds organizational contact points.
	Contacts ContactConfig `yaml:"contacts" json:"contacts"`
}
OrgConfig configures organization-wide settings
type Output ¶
// Output holds the report output configuration.
type Output struct {
	// Format is "cli", "json", "sarif" or "junit".
	Format string `yaml:"format" json:"format"` // "cli", "json", "sarif", "junit"
	// File is the output path; omitted when empty (stdout is presumed).
	File string `yaml:"file,omitempty" json:"file,omitempty"`
	// MinSeverity is the lowest severity label to include.
	MinSeverity string `yaml:"min_severity" json:"min_severity"`
	// ShowRemediation includes remediation text in output.
	ShowRemediation bool `yaml:"show_remediation" json:"show_remediation"`
	// Template optionally selects an output template.
	Template string `yaml:"template,omitempty" json:"template,omitempty"`
	// Fields toggles individual output fields by name.
	Fields map[string]bool `yaml:"fields,omitempty" json:"fields,omitempty"`
}
Output holds the report output configuration.
type Policy ¶ added in v0.0.4
// Policy represents an organization-wide security policy.
type Policy struct {
	// ID uniquely identifies the policy.
	ID string `yaml:"id" json:"id"`
	// Name is the human-readable policy name.
	Name string `yaml:"name" json:"name"`
	// Description explains the policy.
	Description string `yaml:"description" json:"description"`
	// Version is the policy version string.
	Version string `yaml:"version" json:"version"`
	// Enabled turns the policy on or off.
	Enabled bool `yaml:"enabled" json:"enabled"`
	// Enforcement is the default enforcement level for the policy's rules.
	Enforcement EnforcementLevel `yaml:"enforcement" json:"enforcement"`
	// Scope restricts where the policy applies.
	Scope PolicyScope `yaml:"scope" json:"scope"`
	// Rules lists the rules the policy enforces.
	Rules []PolicyRule `yaml:"rules" json:"rules"`
	// Exceptions lists approved exceptions to the policy's rules.
	Exceptions []PolicyException `yaml:"exceptions" json:"exceptions"`
	// Metadata holds ownership and bookkeeping information.
	Metadata PolicyMetadata `yaml:"metadata" json:"metadata"`
	// Compliance lists the frameworks this policy supports (e.g. SOX, PCI-DSS).
	Compliance []string `yaml:"compliance" json:"compliance"` // SOX, PCI-DSS, etc.
}
Policy represents an organization-wide security policy
type PolicyContext ¶ added in v0.0.4
// PolicyContext provides the context a finding is evaluated in.
// It has no struct tags, so when embedded in ComplianceReport or
// PolicyViolation it is JSON-encoded with the Go field names as keys.
type PolicyContext struct {
	// Repository and Organization identify where the workflow lives.
	Repository string
	Organization string
	// Branch, Environment and EventType describe the run being evaluated.
	Branch string
	Environment string
	// FilePath, JobName and StepName locate the finding within the workflow.
	FilePath string
	JobName string
	StepName string
	EventType string
	// Metadata carries arbitrary key/value context, presumably matched against
	// PolicyScope.Conditions — confirm in EvaluatePolicy.
	Metadata map[string]string
}
PolicyContext provides context for policy evaluation
type PolicyEngine ¶ added in v0.0.4
// PolicyEngine handles organization-wide policy enforcement.
// Construct it with NewPolicyEngine; the zero value is not documented as
// usable.
type PolicyEngine struct {
	// contains filtered or unexported fields
}
PolicyEngine handles organization-wide policy enforcement
func NewPolicyEngine ¶ added in v0.0.4
func NewPolicyEngine(config *Config) *PolicyEngine
NewPolicyEngine creates a new policy engine
func (*PolicyEngine) EvaluatePolicy ¶ added in v0.0.4
func (pe *PolicyEngine) EvaluatePolicy(finding rules.Finding, context PolicyContext) PolicyEvaluation
EvaluatePolicy evaluates if a finding violates any policies
func (*PolicyEngine) GetComplianceReport ¶ added in v0.0.4
func (pe *PolicyEngine) GetComplianceReport(findings []rules.Finding, context PolicyContext) ComplianceReport
GetComplianceReport generates a compliance report
func (*PolicyEngine) InstantiateTemplate ¶ added in v0.0.4
func (pe *PolicyEngine) InstantiateTemplate(templateID string, parameters map[string]interface{}) (*CustomRule, error)
InstantiateTemplate creates a custom rule from a template
func (*PolicyEngine) LoadPolicies ¶ added in v0.0.4
func (pe *PolicyEngine) LoadPolicies(policyFiles []string) error
LoadPolicies loads policies from configuration
func (*PolicyEngine) LoadTemplates ¶ added in v0.0.4
func (pe *PolicyEngine) LoadTemplates(templateFiles []string) error
LoadTemplates loads rule templates from configuration
type PolicyEvaluation ¶ added in v0.0.4
// PolicyEvaluation represents the result of evaluating one finding against
// the loaded policies.
type PolicyEvaluation struct {
	// Violations lists the policies the finding violates.
	Violations []PolicyViolation `json:"violations"`
	// Exceptions lists the exceptions that applied during evaluation.
	Exceptions []PolicyException `json:"exceptions"`
	// Compliant is true when no violation remains (inferred — confirm whether
	// excepted violations are removed from Violations or only flagged).
	Compliant bool `json:"compliant"`
}
PolicyEvaluation represents the result of policy evaluation
type PolicyException ¶ added in v0.0.4
// PolicyException defines an approved exception to a policy rule.
type PolicyException struct {
	// ID uniquely identifies the exception.
	ID string `yaml:"id" json:"id"`
	// Description explains the exception.
	Description string `yaml:"description" json:"description"`
	// RuleID is the rule being excepted.
	RuleID string `yaml:"rule_id" json:"rule_id"`
	// Scope limits where the exception applies.
	Scope PolicyScope `yaml:"scope" json:"scope"`
	// Justification and Approver record why and by whom the exception was
	// granted; neither is validated by this type.
	Justification string `yaml:"justification" json:"justification"`
	Approver string `yaml:"approver" json:"approver"`
	// ExpiryDate is optional; nil presumably means the exception never
	// expires. NOTE(review): confirm EvaluatePolicy rejects expired
	// exceptions rather than only recording the date.
	ExpiryDate *time.Time `yaml:"expiry_date,omitempty" json:"expiry_date,omitempty"`
	// TicketURL optionally links to the approval ticket.
	TicketURL string `yaml:"ticket_url,omitempty" json:"ticket_url,omitempty"`
}
PolicyException defines exceptions to policy rules
type PolicyMetadata ¶ added in v0.0.4
// PolicyMetadata contains ownership and bookkeeping metadata for a policy.
type PolicyMetadata struct {
	// Owner and Contact identify who maintains the policy.
	Owner string `yaml:"owner" json:"owner"`
	Contact string `yaml:"contact" json:"contact"`
	// Created and Updated are timestamps; they are not omitempty, so a zero
	// time is serialized as-is.
	Created time.Time `yaml:"created" json:"created"`
	Updated time.Time `yaml:"updated" json:"updated"`
	// Tags and Labels are free-form classification data.
	Tags []string `yaml:"tags" json:"tags"`
	Labels map[string]string `yaml:"labels" json:"labels"`
	// DocumentURL optionally links to the policy document.
	DocumentURL string `yaml:"document_url,omitempty" json:"document_url,omitempty"`
}
PolicyMetadata contains policy metadata
type PolicyRule ¶ added in v0.0.4
// PolicyRule defines one rule within a policy and its per-policy overrides.
type PolicyRule struct {
	// RuleID is the rule being enforced.
	RuleID string `yaml:"rule_id" json:"rule_id"`
	// Severity optionally overrides the rule's severity.
	Severity string `yaml:"severity,omitempty" json:"severity,omitempty"`
	// Enforcement optionally overrides Policy.Enforcement; an empty value
	// presumably falls back to the policy level — confirm in EvaluatePolicy.
	Enforcement EnforcementLevel `yaml:"enforcement,omitempty" json:"enforcement,omitempty"`
	// Parameters are string parameters passed to the rule (optional).
	Parameters map[string]string `yaml:"parameters,omitempty" json:"parameters,omitempty"`
	// CustomConfig carries arbitrary rule-specific configuration (optional).
	CustomConfig map[string]interface{} `yaml:"custom_config,omitempty" json:"custom_config,omitempty"`
}
PolicyRule defines a rule within a policy
type PolicyScope ¶ added in v0.0.4
// PolicyScope defines where a policy (or exception) applies.
// Whether an empty list means "matches everything" is not visible here —
// confirm in EvaluatePolicy, since it decides how broad an exception is.
type PolicyScope struct {
	// Organizations, Repositories and Teams restrict by ownership.
	Organizations []string `yaml:"organizations" json:"organizations"`
	Repositories []string `yaml:"repositories" json:"repositories"`
	Teams []string `yaml:"teams" json:"teams"`
	// Branches and Environments restrict by run context.
	Branches []string `yaml:"branches" json:"branches"`
	Environments []string `yaml:"environments" json:"environments"`
	// FilePatterns restricts by workflow file path (pattern syntax not shown).
	FilePatterns []string `yaml:"file_patterns" json:"file_patterns"`
	// Conditions are extra key/value constraints, presumably matched against
	// PolicyContext.Metadata.
	Conditions map[string]string `yaml:"conditions" json:"conditions"`
}
PolicyScope defines where a policy applies
type PolicyViolation ¶ added in v0.0.4
// PolicyViolation represents one finding violating one policy rule.
// JSON-only: it is evaluation output.
type PolicyViolation struct {
	// PolicyID and PolicyName identify the violated policy.
	PolicyID string `json:"policy_id"`
	PolicyName string `json:"policy_name"`
	// RuleID is the violated rule.
	RuleID string `json:"rule_id"`
	// Enforcement is the effective enforcement level for this violation.
	Enforcement EnforcementLevel `json:"enforcement"`
	// Severity is the effective severity label.
	Severity string `json:"severity"`
	// Finding is the underlying scanner finding.
	Finding rules.Finding `json:"finding"`
	// Context is the evaluation context (encoded with Go field names, since
	// PolicyContext has no json tags).
	Context PolicyContext `json:"context"`
}
PolicyViolation represents a policy violation
type RuleIgnores ¶
// RuleIgnores holds ignore lists that override the global ones for a single
// rule.
type RuleIgnores struct {
	// Patterns are pattern-based ignores (presumably regular expressions).
	Patterns []string `yaml:"patterns" json:"patterns"`
	// Strings are literal strings to ignore.
	Strings []string `yaml:"strings" json:"strings"`
	// Files are file patterns to ignore for this rule.
	Files []string `yaml:"files" json:"files"`
}
RuleIgnores holds per-rule ignore overrides.
type RuleTarget ¶
// RuleTarget specifies which parts of a workflow a rule inspects.
// All flags default to false, so a rule with a zero Target checks nothing.
type RuleTarget struct {
	Commands bool `yaml:"commands" json:"commands"` // Check run commands
	Actions bool `yaml:"actions" json:"actions"` // Check uses actions
	Environment bool `yaml:"environment" json:"environment"` // Check env vars
	Permissions bool `yaml:"permissions" json:"permissions"` // Check permissions
	Events bool `yaml:"events" json:"events"` // Check workflow events
}
RuleTarget specifies what the rule should check
type RuleTemplate ¶ added in v0.0.4
// RuleTemplate defines a reusable rule configuration that
// (*PolicyEngine).InstantiateTemplate turns into a CustomRule.
type RuleTemplate struct {
	// ID is the template identifier passed to InstantiateTemplate.
	ID string `yaml:"id" json:"id"`
	// Name is the human-readable template name.
	Name string `yaml:"name" json:"name"`
	// Description explains the template.
	Description string `yaml:"description" json:"description"`
	// Category and Severity are defaults for instantiated rules (assumed).
	Category string `yaml:"category" json:"category"`
	Severity string `yaml:"severity" json:"severity"`
	// Parameters declares the configurable parameters keyed by name.
	Parameters map[string]TemplateParameter `yaml:"parameters" json:"parameters"`
	// BaseRule is the rule the parameters are applied to.
	BaseRule CustomRule `yaml:"base_rule" json:"base_rule"`
	// Examples documents sample instantiations.
	Examples []TemplateExample `yaml:"examples" json:"examples"`
}
RuleTemplate defines reusable rule configurations
type Rules ¶
// Rules holds rule management configuration.
// How Enabled and Disabled interact when both are set is not visible here —
// see (*Config).IsRuleEnabled.
type Rules struct {
	// Enabled lists rule IDs to enable.
	Enabled []string `yaml:"enabled" json:"enabled"`
	// Disabled lists rule IDs to disable.
	Disabled []string `yaml:"disabled" json:"disabled"`
	// CustomRules are user-defined rules.
	CustomRules []CustomRule `yaml:"custom_rules" json:"custom_rules"`
	// FalsePositives configures finding suppression.
	FalsePositives FalsePositives `yaml:"false_positives" json:"false_positives"`
}
Rules holds the configuration for rule management.
type SecretsIgnores ¶
// SecretsIgnores holds ignore lists for secret detection.
type SecretsIgnores struct {
	// Patterns are pattern-based ignores (presumably regular expressions —
	// see ShouldIgnoreSecret).
	Patterns []string `yaml:"patterns" json:"patterns"`
	// Strings are literal values to ignore.
	Strings []string `yaml:"strings" json:"strings"`
	// Contexts are surrounding-text patterns that mark a match as benign.
	Contexts []string `yaml:"contexts" json:"contexts"` // Context patterns like "uses:", "${{ secrets."
}
SecretsIgnores holds ignore lists for secret detection.
type TemplateExample ¶ added in v0.0.4
// TemplateExample documents one example instantiation of a template.
type TemplateExample struct {
	// Name and Description label the example.
	Name string `yaml:"name" json:"name"`
	Description string `yaml:"description" json:"description"`
	// Parameters are the example parameter values, keyed like
	// RuleTemplate.Parameters.
	Parameters map[string]interface{} `yaml:"parameters" json:"parameters"`
	// Expected describes the expected outcome; its format is free-form here.
	Expected string `yaml:"expected" json:"expected"`
}
TemplateExample provides example usage of a template
type TemplateParameter ¶ added in v0.0.4
// TemplateParameter defines one configurable parameter of a RuleTemplate.
type TemplateParameter struct {
	// Type is the declared value type: string, number, boolean or array.
	Type string `yaml:"type" json:"type"` // string, number, boolean, array
	// Description explains the parameter.
	Description string `yaml:"description" json:"description"`
	// Default is used when the caller omits the parameter (optional).
	Default interface{} `yaml:"default,omitempty" json:"default,omitempty"`
	// Required makes omission an error (presumably in InstantiateTemplate).
	Required bool `yaml:"required" json:"required"`
	// Validation is a regex applied to the value; whether it is anchored and
	// whether it runs before the value reaches the base rule is not visible
	// here — confirm in InstantiateTemplate.
	Validation string `yaml:"validation,omitempty" json:"validation,omitempty"` // regex for validation
}
TemplateParameter defines configurable parameters in templates