rules

Published: Dec 26, 2025 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Types

type AdvancedSupplyChainAnalyzer added in v0.0.4

// AdvancedSupplyChainAnalyzer has no exported fields; obtain one through
// NewAdvancedSupplyChainAnalyzer rather than a zero-value literal, since the
// unexported state it needs is not visible here (TODO confirm the zero value is usable).
type AdvancedSupplyChainAnalyzer struct {
	// contains filtered or unexported fields
}

AdvancedSupplyChainAnalyzer provides comprehensive supply chain security analysis

func NewAdvancedSupplyChainAnalyzer added in v0.0.4

func NewAdvancedSupplyChainAnalyzer() *AdvancedSupplyChainAnalyzer

NewAdvancedSupplyChainAnalyzer creates a new advanced analyzer

type Category

// Category is a plain string type: only the constants declared below are
// meaningful, but nothing prevents an arbitrary string from being stored in a
// Finding.Category, so consumers should compare against the constants rather
// than trust the value shape.
type Category string

Category represents the category of a security rule

// Category values defined by this package. They are exported string values, so
// anything that routes or filters findings by Category must match them exactly.
const (
	MaliciousPattern    Category = "MALICIOUS_PATTERN"
	Misconfiguration    Category = "MISCONFIGURATION"
	SecretExposure      Category = "SECRET_EXPOSURE"
	ShellObfuscation    Category = "SHELL_OBFUSCATION"
	PolicyViolation     Category = "POLICY_VIOLATION"
	SupplyChain         Category = "SUPPLY_CHAIN"
	InjectionAttack     Category = "INJECTION_ATTACK"
	// NOTE(review): SecretsExposure duplicates SecretExposure above under a
	// different string value. A consumer that filters on only one of the two
	// will silently drop the other's findings; match both until the pair is
	// consolidated. Which one the built-in rules emit is not visible here.
	SecretsExposure     Category = "SECRETS_EXPOSURE"
	AccessControl       Category = "ACCESS_CONTROL"
	PrivilegeEscalation Category = "PRIVILEGE_ESCALATION"
	DataExposure        Category = "DATA_EXPOSURE"
)

type ConfigInterface

// ConfigInterface is the tuning/suppression hook handed to NewRuleEngine.
// Every method is a way to drop a rule or a finding, so whatever backs an
// implementation (config files, ignore lists) must be treated as trusted input:
// a writable ignore list is an easy way to hide real findings from a scan.
type ConfigInterface interface {
	// IsRuleEnabled reports whether the rule identified by ruleID should run at all.
	IsRuleEnabled(ruleID string) bool
	// ShouldIgnoreForRule reports whether a match of text in filePath should be
	// suppressed for the given ruleID (per-rule allow-listing).
	ShouldIgnoreForRule(ruleID, text, filePath string) bool
	// ShouldIgnoreSecret reports whether a candidate secret should be suppressed
	// given its surrounding context; presumably for placeholders and test
	// fixtures — confirm against the implementation before relying on it.
	ShouldIgnoreSecret(text, context string) bool
}

ConfigInterface defines the interface for configuration

type Finding

// Finding is one detected issue, located by FilePath/JobName/StepName and
// LineNumber.
//
// NOTE(review): only the Trigger/RunnerType/FileContext and AI* fields carry
// json tags. RuleID through GitLabURL therefore serialize under their Go field
// names ("RuleID", "Evidence", ...) while the rest use snake_case ("trigger",
// "ai_verified"). Any JSON consumer must accept both conventions; changing the
// tags here would break existing consumers, so this is documented rather than fixed.
type Finding struct {
	RuleID      string // ID of the Rule that produced this finding
	RuleName    string
	Description string
	Severity    Severity
	Category    Category
	FilePath    string
	JobName     string
	StepName    string
	Evidence    string // matched text; for secret-exposure rules this presumably contains the secret itself — treat reports as sensitive (TODO confirm)
	Remediation string
	LineNumber  int    // Line number where the issue was found
	GitHubURL   string // Direct GitHub URL to the line (for remote repositories)
	GitLabURL   string // Direct GitLab URL to the line (for remote repositories)

	// Context fields for better AI analysis
	Trigger     string `json:"trigger,omitempty"`      // Workflow trigger (e.g., "push", "pull_request", "workflow_dispatch")
	RunnerType  string `json:"runner_type,omitempty"`  // Runner type (e.g., "ubuntu-latest", "self-hosted", "windows-latest")
	FileContext string `json:"file_context,omitempty"` // File context (e.g., "production", "test", "example", "template")

	// AI verification fields. These are advisory: when AIVerified is false or
	// AIError is non-empty the remaining AI* values are not meaningful (note
	// that omitempty drops a false AIVerified and a 0.0 AIConfidence from JSON
	// entirely). Do not auto-suppress a finding on AILikelyFalsePositive alone;
	// keep the rule's own Severity as the record of what was detected.
	AIVerified            bool    `json:"ai_verified,omitempty"`              // Whether AI analysis was performed
	AILikelyFalsePositive *bool   `json:"ai_likely_false_positive,omitempty"` // AI assessment (nil if not analyzed)
	AIConfidence          float64 `json:"ai_confidence,omitempty"`            // AI confidence level (0.0 to 1.0)
	AIReasoning           string  `json:"ai_reasoning,omitempty"`             // AI explanation
	AISuggestedSeverity   string  `json:"ai_suggested_severity,omitempty"`    // AI suggested severity if different
	AIError               string  `json:"ai_error,omitempty"`                 // AI analysis error if any
}

Finding represents a detected security issue

func CheckAdvancedPrivilegeAnalysis added in v0.0.4

func CheckAdvancedPrivilegeAnalysis(workflow parser.WorkflowFile) []Finding

CheckAdvancedPrivilegeAnalysis performs advanced workflow privilege analysis

func CheckAllRules added in v0.0.4

func CheckAllRules(workflow parser.WorkflowFile) []Finding

CheckAllRules runs every built-in security rule check against the workflow. It takes no ConfigInterface, so rule enablement and ignore lists are not applied; use RuleEngine.ExecuteRules when configuration-aware filtering is required.

func CheckInjectionVulnerabilities added in v0.0.4

func CheckInjectionVulnerabilities(workflow parser.WorkflowFile) []Finding

CheckInjectionVulnerabilities is the main entry point for injection vulnerability checks

func CheckSelfHostedRunnerSecurity added in v0.0.4

func CheckSelfHostedRunnerSecurity(workflow parser.WorkflowFile) []Finding

CheckSelfHostedRunnerSecurity performs comprehensive self-hosted runner security analysis

func CheckShellInjectionVulnerabilities added in v0.0.4

func CheckShellInjectionVulnerabilities(workflow parser.WorkflowFile) []Finding

CheckShellInjectionVulnerabilities is the main entry point for shell injection checks

func CheckSupplyChainVulnerabilities added in v0.0.4

func CheckSupplyChainVulnerabilities(workflow parser.WorkflowFile) []Finding

CheckSupplyChainVulnerabilities checks for supply chain security issues

type InjectionPatterns added in v0.0.4

// InjectionPatterns groups the injection-detection regexes by CI/CD platform.
// Each entry is the regex source text (a string), not a compiled *regexp.Regexp.
//
// NOTE(review): Azure and Tekton have pattern sets here but no corresponding
// Platform constant, so rules using them cannot be selected or excluded through
// FilterRulesByPlatform other than as PlatformAll.
type InjectionPatterns struct {
	GitHub []string
	GitLab []string
	Azure  []string
	Tekton []string
}

InjectionPatterns contains regex patterns for detecting injection vulnerabilities

func GetInjectionPatterns added in v0.0.4

func GetInjectionPatterns() InjectionPatterns

GetInjectionPatterns returns patterns for detecting user-controlled input injection

type Platform added in v0.0.4

// Platform is a plain string type; only the constants below are recognised
// values, and an unlisted platform (e.g. Azure Pipelines, Tekton) has no
// dedicated value here.
type Platform string

Platform represents the CI/CD platform a rule applies to

// Platform values a Rule may declare. A rule that applies to a platform without
// its own constant (InjectionPatterns carries Azure and Tekton pattern sets)
// can only be expressed as PlatformAll, which means it also runs for GitHub
// and GitLab targets.
const (
	PlatformAll    Platform = "ALL"    // Rule applies to all platforms
	PlatformGitHub Platform = "GITHUB" // Rule applies only to GitHub Actions
	PlatformGitLab Platform = "GITLAB" // Rule applies only to GitLab CI
)

func StringToPlatform added in v0.0.4

func StringToPlatform(platformStr string) Platform

StringToPlatform converts a platform string constant to a Platform value. What it returns for an unrecognized string is not documented here; callers should not assume an invalid input is rejected.

type Rule

// Rule is a named security check. Check is invoked with a parsed workflow and
// returns zero or more Findings. Severity and Category are the values the rule
// is catalogued under; whether Check copies them onto each Finding it returns,
// or may emit findings with a different severity, is not visible here — TODO
// confirm before ranking on Rule.Severity instead of Finding.Severity.
type Rule struct {
	ID          string
	Name        string
	Description string
	Severity    Severity
	Category    Category
	Platform    Platform // Platform compatibility for this rule
	Check       func(workflow parser.WorkflowFile) []Finding
}

Rule represents a security rule to check in a workflow

func FilterRulesByPlatform added in v0.0.4

func FilterRulesByPlatform(rules []Rule, targetPlatform Platform) []Rule

FilterRulesByPlatform returns the subset of rules whose Platform is compatible with targetPlatform. Only PlatformAll, PlatformGitHub and PlatformGitLab are defined, so Azure Pipelines and Tekton (which appear only in InjectionPatterns) cannot be used as a target here.

func StandardRules

func StandardRules() []Rule

StandardRules returns the list of built-in security rules

type RuleEngine

// RuleEngine executes rules under a ConfigInterface. It has no exported
// fields; construct it with NewRuleEngine so the configuration is set, since a
// zero-value engine has no config to consult (behaviour in that case is not
// visible here — TODO confirm).
type RuleEngine struct {
	// contains filtered or unexported fields
}

RuleEngine handles rule execution with configuration support

func NewRuleEngine

func NewRuleEngine(config ConfigInterface) *RuleEngine

NewRuleEngine creates a new rule engine with configuration

func (*RuleEngine) ExecuteRules

func (re *RuleEngine) ExecuteRules(workflow parser.WorkflowFile, rules []Rule) []Finding

ExecuteRules runs the given rules against a workflow, applying the ConfigInterface supplied to NewRuleEngine (rule enablement and ignore checks) to filter which rules run and which findings are returned. Findings suppressed this way are dropped from the result rather than marked.

type Severity

// Severity is a plain string type. Because it is a string, the built-in
// ordering operators compare it alphabetically, not by severity; rank with an
// explicit table keyed on the constants below.
type Severity string

Severity represents the severity level of a finding

// Severity values, listed from most to least severe. Note that string
// comparison does not follow this order ("CRITICAL" < "HIGH" < "INFO" < "LOW"
// < "MEDIUM" alphabetically), so never sort or threshold findings with < on
// the raw value.
const (
	Critical Severity = "CRITICAL"
	High     Severity = "HIGH"
	Medium   Severity = "MEDIUM"
	Low      Severity = "LOW"
	Info     Severity = "INFO"
)

type VersionPinningAnalysis added in v0.0.4

// VersionPinningAnalysis describes how a referenced action or dependency is
// pinned. All fields are free-form strings: Risk does not use the Severity
// type, and the vocabulary for VersionType (presumably tag vs. branch vs.
// commit SHA) is not documented here — TODO confirm against the producer
// before matching on these values.
type VersionPinningAnalysis struct {
	Risk        string
	Description string
	Remediation string
	Version     string
	VersionType string
}
