Documentation
Index ¶
- type ContextAnalyzer
- func (ca *ContextAnalyzer) AdjustSeverity(ruleID string, baseSeverity string, ctx *WorkflowContext) string
- func (ca *ContextAnalyzer) Analyze(workflow *parser.Workflow) *WorkflowContext
- func (ca *ContextAnalyzer) GetRecommendations(ctx *WorkflowContext) []string
- func (ca *ContextAnalyzer) GetRiskScore(ctx *WorkflowContext) int
- func (ca *ContextAnalyzer) ShouldSuppress(ruleID string, ctx *WorkflowContext) bool
- type IntentDetector
- type PermissionAnalyzer
- func (a *PermissionAnalyzer) AnalyzeNeeds(workflow *parser.Workflow) PermissionNeeds
- func (a *PermissionAnalyzer) GetGrantedPermissions(workflow *parser.Workflow) map[string]string
- func (a *PermissionAnalyzer) HasSufficientPermissions(needs PermissionNeeds, granted map[string]string) bool
- func (a *PermissionAnalyzer) ShouldHaveExplicitPermissions(workflow *parser.Workflow, intent WorkflowIntent) bool
- type PermissionNeeds
- type TriggerAnalyzer
- func (a *TriggerAnalyzer) AnalyzeRisk(workflow *parser.Workflow) TriggerRisk
- func (a *TriggerAnalyzer) GetTriggerType(workflow *parser.Workflow) string
- func (a *TriggerAnalyzer) HasUntrustedInput(workflow *parser.Workflow) bool
- func (a *TriggerAnalyzer) IsTrustedTrigger(workflow *parser.Workflow) bool
- func (a *TriggerAnalyzer) RequiresCredentialProtection(workflow *parser.Workflow) bool
- type TriggerRisk
- type WorkflowContext
- type WorkflowIntent
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ContextAnalyzer ¶
type ContextAnalyzer struct {
// contains filtered or unexported fields
}
ContextAnalyzer provides comprehensive workflow context analysis
func NewContextAnalyzer ¶
func NewContextAnalyzer() *ContextAnalyzer
NewContextAnalyzer creates a new context analyzer
func (*ContextAnalyzer) AdjustSeverity ¶
func (ca *ContextAnalyzer) AdjustSeverity(ruleID string, baseSeverity string, ctx *WorkflowContext) string
AdjustSeverity returns the severity to report for a finding of ruleID, starting from baseSeverity and adjusting it according to the workflow context in ctx (trigger risk, detected intent, granted permissions). The returned value is a severity string of the same form as baseSeverity.
func (*ContextAnalyzer) Analyze ¶
func (ca *ContextAnalyzer) Analyze(workflow *parser.Workflow) *WorkflowContext
Analyze performs comprehensive context analysis on a workflow
func (*ContextAnalyzer) GetRecommendations ¶
func (ca *ContextAnalyzer) GetRecommendations(ctx *WorkflowContext) []string
GetRecommendations provides context-aware recommendations
func (*ContextAnalyzer) GetRiskScore ¶
func (ca *ContextAnalyzer) GetRiskScore(ctx *WorkflowContext) int
GetRiskScore calculates a numeric risk score in the range 0-100 for a workflow from its context. Treat the score as a relative ranking aid for prioritising review, not as a calibrated probability of compromise.
func (*ContextAnalyzer) ShouldSuppress ¶
func (ca *ContextAnalyzer) ShouldSuppress(ruleID string, ctx *WorkflowContext) bool
ShouldSuppress reports whether a finding for ruleID should be suppressed given the workflow context in ctx. Suppression is derived from context, not from a verified absence of the issue, so callers that need an audit trail should record suppressed findings (for example, as informational) rather than silently drop them.
type IntentDetector ¶
type IntentDetector struct {
// contains filtered or unexported fields
}
IntentDetector analyzes workflows to determine their purpose
func NewIntentDetector ¶
func NewIntentDetector() *IntentDetector
NewIntentDetector creates a new intent detector
func (*IntentDetector) DetectIntent ¶
func (d *IntentDetector) DetectIntent(workflow *parser.Workflow) WorkflowIntent
DetectIntent analyzes a workflow to determine its purpose
type PermissionAnalyzer ¶
type PermissionAnalyzer struct{}
PermissionAnalyzer analyzes workflows to determine actual permission needs
func NewPermissionAnalyzer ¶
func NewPermissionAnalyzer() *PermissionAnalyzer
NewPermissionAnalyzer creates a new permission analyzer
func (*PermissionAnalyzer) AnalyzeNeeds ¶
func (a *PermissionAnalyzer) AnalyzeNeeds(workflow *parser.Workflow) PermissionNeeds
AnalyzeNeeds determines what permissions a workflow actually needs
func (*PermissionAnalyzer) GetGrantedPermissions ¶
func (a *PermissionAnalyzer) GetGrantedPermissions(workflow *parser.Workflow) map[string]string
GetGrantedPermissions extracts permissions granted in the workflow
func (*PermissionAnalyzer) HasSufficientPermissions ¶
func (a *PermissionAnalyzer) HasSufficientPermissions(needs PermissionNeeds, granted map[string]string) bool
HasSufficientPermissions checks whether the granted permissions satisfy the detected needs. The check is one-directional: it does not report permissions granted beyond what is needed, so a true result is not evidence that the workflow follows least privilege.
func (*PermissionAnalyzer) ShouldHaveExplicitPermissions ¶
func (a *PermissionAnalyzer) ShouldHaveExplicitPermissions(workflow *parser.Workflow, intent WorkflowIntent) bool
ShouldHaveExplicitPermissions returns true if the workflow should declare an explicit permissions block. A workflow without one receives the repository's default GITHUB_TOKEN permissions, which may be broader than the workflow needs.
type PermissionNeeds ¶
type PermissionNeeds struct {
Contents bool // Read/write repository contents
PullRequests bool // Create/update pull requests
Issues bool // Create/update issues
Packages bool // Publish packages
Deployments bool // Create deployments
Checks bool // Create/update checks
Statuses bool // Create/update statuses
Actions bool // Manage Actions
SecurityEvents bool // Manage security events
}
PermissionNeeds represents which permission scopes a workflow actually needs. Each field is a plain boolean, so the struct records that a scope is needed but not at which level (read or write); the level is only described in the field comments.
func (*PermissionNeeds) IsEmpty ¶
func (p *PermissionNeeds) IsEmpty() bool
IsEmpty returns true if no permissions are needed
type TriggerAnalyzer ¶
type TriggerAnalyzer struct{}
TriggerAnalyzer analyzes workflow triggers to assess risk
func NewTriggerAnalyzer ¶
func NewTriggerAnalyzer() *TriggerAnalyzer
NewTriggerAnalyzer creates a new trigger analyzer
func (*TriggerAnalyzer) AnalyzeRisk ¶
func (a *TriggerAnalyzer) AnalyzeRisk(workflow *parser.Workflow) TriggerRisk
AnalyzeRisk determines the risk level of a workflow's triggers
func (*TriggerAnalyzer) GetTriggerType ¶
func (a *TriggerAnalyzer) GetTriggerType(workflow *parser.Workflow) string
GetTriggerType returns a human-readable description of the trigger type
func (*TriggerAnalyzer) HasUntrustedInput ¶
func (a *TriggerAnalyzer) HasUntrustedInput(workflow *parser.Workflow) bool
HasUntrustedInput returns true if any of the workflow's triggers accepts untrusted input — for example pull_request or issue_comment events, which can typically be raised by parties outside the repository's collaborators.
func (*TriggerAnalyzer) IsTrustedTrigger ¶
func (a *TriggerAnalyzer) IsTrustedTrigger(workflow *parser.Workflow) bool
IsTrustedTrigger returns true if every trigger of the workflow comes from trusted sources only (none of them can be fired by an external party).
func (*TriggerAnalyzer) RequiresCredentialProtection ¶
func (a *TriggerAnalyzer) RequiresCredentialProtection(workflow *parser.Workflow) bool
RequiresCredentialProtection returns true if the workflow should set the actions/checkout input persist-credentials: false, so that the GITHUB_TOKEN is not left in the checked-out repository's git configuration where later steps — including any untrusted code they run — could read it.
type TriggerRisk ¶
type TriggerRisk int
TriggerRisk represents the risk level of a workflow trigger
// The levels below are declared in increasing order of risk (iota), so two
// TriggerRisk values can be compared with < and >.
const (
	// RiskUnknown - Cannot determine risk. This is the zero value: a TriggerRisk
	// that was never set reads as Unknown, not as Low, and should not be
	// treated as safe.
	RiskUnknown TriggerRisk = iota
	// RiskLow - Low risk triggers (schedule, workflow_dispatch with auth)
	RiskLow
	// RiskMedium - Medium risk triggers (push to protected branches)
	RiskMedium
	// RiskHigh - High risk triggers (pull_request, issue_comment); these events
	// can typically be raised by parties outside the repository's collaborators.
	RiskHigh
	// RiskCritical - Critical risk triggers (pull_request_target, public events).
	// pull_request_target runs in the context of the base repository, with its
	// secrets and token, on events that a fork can raise.
	RiskCritical
)
func (TriggerRisk) String ¶
func (t TriggerRisk) String() string
String returns the string representation of TriggerRisk
type WorkflowContext ¶
type WorkflowContext struct {
	// Intent is the detected purpose of the workflow.
	Intent WorkflowIntent
	// TriggerRisk is the assessed risk level of the workflow's triggers.
	TriggerRisk TriggerRisk
	// PermissionNeeds records which permission scopes the workflow appears to need.
	PermissionNeeds PermissionNeeds
	// GrantedPerms holds the permissions declared in the workflow; presumably
	// scope name -> level (e.g. "contents" -> "write") as returned by
	// PermissionAnalyzer.GetGrantedPermissions — confirm against that method.
	GrantedPerms map[string]string
	// HasUntrustedInput is true when a trigger accepts untrusted input.
	HasUntrustedInput bool
	// IsTrusted is true when the triggers come from trusted sources only.
	IsTrusted bool
}
WorkflowContext holds contextual information about a workflow
type WorkflowIntent ¶
type WorkflowIntent int
WorkflowIntent represents the detected purpose of a workflow
// The intents below are declared with iota; IntentUnknown is the zero value,
// so an intent that was never detected reads as Unknown rather than ReadOnly.
const (
	// IntentUnknown - Cannot determine intent
	IntentUnknown WorkflowIntent = iota
	// IntentReadOnly - Read-only operations (tests, linting, checks)
	IntentReadOnly
	// IntentReadWrite - Modifies code or creates artifacts
	IntentReadWrite
	// IntentDeploy - Deploys applications or services
	IntentDeploy
	// IntentRelease - Creates releases, publishes packages
	IntentRelease
)
func (WorkflowIntent) IsCritical ¶
func (w WorkflowIntent) IsCritical() bool
IsCritical returns true if the workflow is deployment or release
func (WorkflowIntent) IsReadOnly ¶
func (w WorkflowIntent) IsReadOnly() bool
IsReadOnly returns true if the workflow is read-only
func (WorkflowIntent) RequiresStrictSecurity ¶
func (w WorkflowIntent) RequiresStrictSecurity() bool
RequiresStrictSecurity returns true if the workflow's intent warrants the strictest security checks — presumably the deployment and release intents (compare IsCritical).
func (WorkflowIntent) String ¶
func (w WorkflowIntent) String() string
String returns the string representation of WorkflowIntent