Documentation
Index ¶
- Constants
- func GetFiles(dir string) ([]string, error)
- func GetGithubBody(token, url string) (interface{}, error)
- func GetGithubBodyWithCache(token, url string, cache *Cache) (interface{}, error)
- func GetLatestRelease(action string, gitHubToken string) (interface{}, error)
- func GetLatestTag(action string, gitHubToken string) (interface{}, error)
- func GetReleases(action string, gitHubToken string, days *uint) (map[string]interface{}, error)
- func GetStringValue(block *hclwrite.Block, attribute string) string
- func GetTerraformFiles(directory string) ([]string, error)
- func GetVersion(block *hclwrite.Block) string
- func IsOK(rawURL string) (bool, error)
- func IsSHAPinnedRef(ref string) bool
- type Cache
- type CacheEntry
- type ConfigFile
- type Flags
- func (f *Flags) Action(action string) error
- func (f *Flags) Audit() error
- func (f *Flags) CreateLocalPR(dir string) (string, bool, error)
- func (f *Flags) GetComposeFiles() []string
- func (f *Flags) GetDockerfiles() []string
- func (f *Flags) GetGHA() []string
- func (f *Flags) GetGithubHash(newModule string, tag string) (string, error)
- func (f *Flags) GetGithubLatestHash(newModule string) (string, string, error)
- func (f *Flags) GetGitlabFiles() []string
- func (f *Flags) GetHook() (*string, error)
- func (f *Flags) GetKubeFiles() []string
- func (f *Flags) GetProviderFiles() ([]string, error)
- func (f *Flags) GetTF() ([]string, error)
- func (f *Flags) GetType(module string) (string, error)
- func (f *Flags) InitializeCache() error
- func (f *Flags) ListProvidersInDirectory() ([]ProviderInfo, error)
- func (f *Flags) UpdateCompose(file string) error
- func (f *Flags) UpdateCpanfile() error
- func (f *Flags) UpdateDockerfile(file string) error
- func (f *Flags) UpdateDockerfiles() error
- func (f *Flags) UpdateGHA(file string) error
- func (f *Flags) UpdateGHAS() error
- func (f *Flags) UpdateGithubSource(version string, newModule string) (string, string, error)
- func (f *Flags) UpdateGitlab() error
- func (f *Flags) UpdateHooks() error
- func (f *Flags) UpdateKube(file string) error
- func (f *Flags) UpdateKubes() error
- func (f *Flags) UpdateModule(file string) error
- func (f *Flags) UpdateModules() error
- func (f *Flags) UpdateProvider(file string) error
- func (f *Flags) UpdateProviders() error
- func (f *Flags) UpdateSource(module string, moduleType string, version string) (string, string, error)
- func (f *Flags) UpdateSubmodules() error
- func (f *Flags) WithSubDir(version string, newModule string, subdir string) (string, string, error)
- type GhatConfig
- type GitlabCIAnalysis
- type GitlabImageAnalysis
- type GitlabJobAnalysis
- type Hook
- type ImageReference
- type InputUpgrade
- type JobAnalysis
- type OrgFlags
- type ProviderInfo
- type ProviderVersion
- type ProviderVersionsResponse
- type RateLimitError
- type Registry
- type Repo
- type RepoResult
- type StepAnalysis
- type Submodule
- type Substitution
- type URLFormatError
- type WorkflowAnalysis
Constants ¶
// Action names. These presumably are the values dispatched on by
// Flags.Action (see the index); each corresponds to one ghat sub-command.
const (
	ActionSwipe = "swipe"
	ActionSwot  = "swot"
	ActionSift  = "sift"
	ActionStun  = "stun"
	ActionShake = "shake"
	ActionKube  = "kube"
	ActionDock  = "dock"
	ActionSweep = "sweep"
	ActionSub   = "sub"
	ActionAudit = "audit"
)

// Source kinds for dependency references that ghat rewrites. Presumably the
// values accepted in Flags.Sources — confirm against the callers.
const (
	SourceGo        = "go"
	SourceGHA       = "gha"
	SourcePreCommit = "pre-commit"
	SourceTerraform = "terraform"
)

// Package-registry source kinds (see Flags.Sources).
const (
	SourceNpm   = "npm"
	SourcePypi  = "pypi"
	SourceCargo = "cargo"
	SourceGem   = "gem"
)

const (
	// PreCommitConfigFile is the pre-commit configuration file name that the
	// hook updaters operate on.
	PreCommitConfigFile = ".pre-commit-config.yaml"
	// GitHubPrefix is the https URL prefix used to recognise and build
	// GitHub repository URLs.
	GitHubPrefix = "https://github.com/"
	// FilePermissions is the mode used when files are (re)written.
	// NOTE(review): 0666 is world-writable before the process umask is
	// applied; if rewritten files are not meant to be group/world-writable,
	// 0644 is the safer default — confirm where this mode is used.
	FilePermissions = 0666
)
Constants for values that are repeated across the package.
const (
	// CpanfileName is the Perl dependency file name handled by
	// Flags.UpdateCpanfile.
	CpanfileName = "cpanfile"
)

// GitModulesFile is the git submodule manifest read by Flags.UpdateSubmodules
// (presumably; confirm against the method body).
const GitModulesFile = ".gitmodules"

const (
	// SuppressAnnotation is the inline comment that exempts a line from
	// ghat's pinning checks (see StepAnalysis.Suppressed and
	// GitlabImageAnalysis.IsSuppressed).
	SuppressAnnotation = "# ghat:suppress"
)
Variables ¶
This section is empty.
Functions ¶
func GetGithubBody ¶
GetGithubBody fetches data from GitHub API (existing function, keep as-is for compatibility)
func GetGithubBodyWithCache ¶ added in v0.1.14
GetGithubBodyWithCache fetches data from GitHub API with caching support
func GetLatestRelease ¶
func GetLatestTag ¶
func GetReleases ¶
GetReleases fetches releases from GitHub with rate limit handling
func GetTerraformFiles ¶ added in v0.1.15
GetTerraformFiles returns all .tf files in the entries
func GetVersion ¶
func IsSHAPinnedRef ¶ added in v0.1.32
IsSHAPinnedRef reports whether a raw ref value is pinned to an immutable commit SHA. It accepts both a bare 40-char hex SHA and the "sha # tag" comment format that ghat writes when pinning.
Types ¶
type Cache ¶ added in v0.1.14
type Cache struct {
// contains filtered or unexported fields
}
Cache handles caching of GitHub API responses
func NewCache ¶ added in v0.1.14
NewCache creates a new cache instance. ttl is the time-to-live for cached entries (e.g., 24 hours).
func (*Cache) ClearExpired ¶ added in v0.1.14
ClearExpired removes expired cache entries
func (*Cache) Get ¶ added in v0.1.14
Get retrieves a cached response. It returns the cached data and true if the entry is found and not expired, otherwise nil and false.
type CacheEntry ¶ added in v0.1.14
// CacheEntry is one cached GitHub API response held by Cache. The json tags
// suggest entries are serialised; where they are persisted is not shown here.
type CacheEntry struct {
	// Data is the cached response payload (presumably the decoded body that
	// GetGithubBodyWithCache returns — confirm).
	Data interface{} `json:"data"`
	// ExpiresAt is the instant after which Cache.Get stops returning the
	// entry and Cache.ClearExpired removes it.
	ExpiresAt time.Time `json:"expires_at"`
	// URL is the request URL this entry was cached for.
	URL string `json:"url"`
}
CacheEntry represents a cached API response
type ConfigFile ¶
type Flags ¶
// Flags carries the command-line options and runtime state shared by the
// Update*/Get* methods. NewFlags returns an instance with default cache
// settings.
type Flags struct {
	// Existing fields
	// DryRun, when true, presumably reports changes without writing them —
	// confirm against the Update* methods.
	DryRun bool
	// Update enables rewriting of references (as opposed to only checking).
	Update bool
	// File is a single file to operate on; Directory is the tree to scan.
	File      string
	Directory string
	// GitHubToken authenticates calls to the GitHub API (passed through to
	// GetLatestRelease/GetLatestTag/GetReleases).
	// NOTE(review): this is a secret — keep it out of logs and %+v dumps.
	GitHubToken string
	// Stable, when set, presumably restricts upgrades to stable releases —
	// confirm.
	Stable  *uint
	Entries []string // For tracking entries: the scanned paths the Get*Files methods filter
	Days    *uint    // Days parameter, forwarded to GetReleases
	ContinueOnError bool // Continue on error flag: keep processing remaining files after a failure
	// Deep presumably enables a more thorough scan — confirm.
	Deep bool
	// Sources selects which dependency kinds are processed (see the Source*
	// constants).
	Sources []string
	// New cache fields
	// Cache is the GitHub API response cache set up by InitializeCache when
	// CacheEnabled is true; CacheTTL is the entry lifetime passed to NewCache.
	Cache        *Cache
	CacheEnabled bool
	CacheTTL     time.Duration
	Silent  bool // suppress diff output (used by org bulk mode)
	PinOnly bool // pin current tag to SHA without checking for upgrades
	// Substitutions and InputUpgrades come from the merged ghat config
	// (see LoadConfig and GhatConfig).
	Substitutions []Substitution
	InputUpgrades []InputUpgrade
	// OpenPR, AutoMerge, Branch and PRToken drive CreateLocalPR: when OpenPR
	// is false no branch or PR is created. PRToken is the credential used for
	// the PR; like GitHubToken it must not be logged.
	OpenPR    bool
	AutoMerge bool
	Branch    string
	PRToken   string
}
Flags represents command-line flags and configuration
func NewFlags ¶ added in v0.1.14
func NewFlags() *Flags
NewFlags creates a new Flags instance with default cache settings
func (*Flags) CreateLocalPR ¶ added in v0.1.31
CreateLocalPR checks for git changes in dir, then commits them to a branch and opens a PR. Returns (prURL, changed, error). If no changes, changed is false. If OpenPR is false, changed is still reported but no branch/PR is created.
func (*Flags) GetComposeFiles ¶ added in v0.1.19
GetComposeFiles returns all Docker Compose files from the scanned entries.
func (*Flags) GetDockerfiles ¶ added in v0.1.19
GetDockerfiles returns all Dockerfile paths from the scanned entries.
func (*Flags) GetGithubHash ¶
func (*Flags) GetGithubLatestHash ¶
func (*Flags) GetGitlabFiles ¶ added in v0.1.15
GetGitlabFiles finds GitLab CI files in the entries
func (*Flags) GetKubeFiles ¶ added in v0.1.18
GetKubeFiles returns all Kubernetes manifest files from the scanned entries.
func (*Flags) GetProviderFiles ¶ added in v0.1.15
GetProviderFiles finds Terraform files that likely contain provider definitions
func (*Flags) InitializeCache ¶ added in v0.1.14
InitializeCache initializes the cache based on flags
func (*Flags) ListProvidersInDirectory ¶ added in v0.1.15
func (f *Flags) ListProvidersInDirectory() ([]ProviderInfo, error)
ListProvidersInDirectory lists all providers found in Terraform files
func (*Flags) UpdateCompose ¶ added in v0.1.19
UpdateCompose pins image references in a Docker Compose file to SHA digests.
func (*Flags) UpdateCpanfile ¶ added in v0.1.24
func (*Flags) UpdateDockerfile ¶ added in v0.1.19
UpdateDockerfile pins FROM image references in a single Dockerfile to SHA digests. Output format: FROM image:tag@sha256:digest (valid Docker syntax, tag preserved inline).
func (*Flags) UpdateDockerfiles ¶ added in v0.1.19
UpdateDockerfiles pins FROM image references in all Dockerfiles found in the entries.
func (*Flags) UpdateGHAS ¶
func (*Flags) UpdateGithubSource ¶
func (*Flags) UpdateGitlab ¶ added in v0.1.15
func (*Flags) UpdateHooks ¶
func (*Flags) UpdateKube ¶ added in v0.1.18
UpdateKube pins container image references in a single Kubernetes manifest file.
func (*Flags) UpdateKubes ¶ added in v0.1.18
UpdateKubes pins all Kubernetes manifests and Docker Compose files found in the scanned entries.
func (*Flags) UpdateModule ¶
func (*Flags) UpdateModules ¶
func (*Flags) UpdateProvider ¶ added in v0.1.15
UpdateProvider updates providers in a single Terraform file
func (*Flags) UpdateProviders ¶ added in v0.1.15
UpdateProviders updates all Terraform providers in the directory
func (*Flags) UpdateSource ¶
func (*Flags) UpdateSubmodules ¶ added in v0.1.24
type GhatConfig ¶ added in v0.1.24
// GhatConfig is the merged ghat configuration produced by LoadConfig.
// NOTE(review): LoadConfig merges <dir>/.ghat.yml last and later entries win,
// so a config committed to the scanned repository can override the global
// substitutions and input upgrades; treat it as part of that repository's
// trust boundary when running against untrusted checkouts.
type GhatConfig struct {
	// Substitutions are source rewrites, de-duplicated on From (later wins).
	Substitutions []Substitution `yaml:"substitutions"`
	// InputUpgrades rewrite `with:` inputs when an action moves major version.
	InputUpgrades []InputUpgrade `yaml:"input_upgrades"`
}
func LoadConfig ¶ added in v0.1.24
func LoadConfig(dir string) GhatConfig
LoadConfig merges built-in substitutions.yml, ~/.ghat.yml (global), and <dir>/.ghat.yml (local). Later entries win on duplicate From values.
type GitlabCIAnalysis ¶ added in v0.1.34
// GitlabCIAnalysis is the static-only result of AnalyzeGitlabCI.
type GitlabCIAnalysis struct {
	// Jobs is the ordered list of job definitions found in the file, sorted
	// by job name for deterministic output.
	Jobs []GitlabJobAnalysis
}
GitlabCIAnalysis is the result of static-only analysis of a .gitlab-ci.yml file. No network calls are made; results depend only on the content supplied.
func AnalyzeGitlabCI ¶ added in v0.1.34
func AnalyzeGitlabCI(content []byte) GitlabCIAnalysis
AnalyzeGitlabCI performs static-only analysis of a .gitlab-ci.yml file. No network calls are made; all analysis is performed on the supplied content.
The function returns metadata about each job: timeout declaration, allow_failure setting, and container image digest-pinning status.
type GitlabImageAnalysis ¶ added in v0.1.34
// GitlabImageAnalysis is the per-image result within a GitlabJobAnalysis.
type GitlabImageAnalysis struct {
	// Name is the image reference exactly as written in the YAML
	// (before any comment stripping), e.g. "golang:1.21" or
	// "gcr.io/project/app@sha256:abc123 # v1.6.0".
	Name string
	// IsDigestPinned is true when the image reference contains "@sha256:".
	// The check is purely syntactic: the digest is neither validated nor
	// resolved, since the analysis makes no network calls.
	IsDigestPinned bool
	// IsSuppressed is true when the image line carries a # ghat:suppress
	// annotation in the source file.
	IsSuppressed bool
}
GitlabImageAnalysis describes a container image used in a GitLab CI job.
type GitlabJobAnalysis ¶ added in v0.1.34
// GitlabJobAnalysis is the per-job result within a GitlabCIAnalysis.
type GitlabJobAnalysis struct {
	// Name is the job key in the YAML.
	Name string
	// HasTimeout is true when the job declares a timeout: field.
	HasTimeout bool
	// AllowFailure is true when allow_failure: true is set, or when
	// allow_failure: is an object (partial failure via exit_codes).
	AllowFailure bool
	// Images is the list of container images declared for this job.
	Images []GitlabImageAnalysis
}
GitlabJobAnalysis describes a single job in .gitlab-ci.yml.
type Hook ¶
// Hook is one hook entry of a pre-commit configuration (see
// PreCommitConfigFile); the yaml tags mirror pre-commit's hook keys.
// Boolean options are pointers with omitempty so that a key absent from the
// source file stays absent when the file is written back.
type Hook struct {
	// ID identifies the hook within its repo entry.
	ID string `yaml:"id"`
	Name     string `yaml:"name,omitempty"`
	Entry    string `yaml:"entry,omitempty"`
	Language string `yaml:"language,omitempty"`
	// Files and Exclude are the file-selection patterns.
	Files   string `yaml:"files,omitempty"`
	Exclude string `yaml:"exclude,omitempty"`
	Types        []string `yaml:"types,omitempty"`
	TypesOr      []string `yaml:"types_or,omitempty"`
	ExcludeTypes []string `yaml:"exclude_types,omitempty"`
	AlwaysRun     *bool `yaml:"always_run,omitempty"`
	FailFast      *bool `yaml:"fail_fast,omitempty"`
	Verbose       *bool `yaml:"verbose,omitempty"`
	PassFilenames *bool `yaml:"pass_filenames,omitempty"`
	RequireSerial *bool `yaml:"require_serial,omitempty"`
	Description             string `yaml:"description,omitempty"`
	LanguageVersion         string `yaml:"language_version,omitempty"`
	MinimumPrecommitVersion string `yaml:"minimum_pre_commit_version,omitempty"`
	// Args and Stages are passed through unchanged.
	Args   []string `yaml:"args,omitempty"`
	Stages []string `yaml:"stages,omitempty"`
}
type ImageReference ¶ added in v0.1.15
// ImageReference is a container image reference split into its parts.
type ImageReference struct {
	// Registry, Repository, Tag and Digest are the parsed components;
	// presumably empty when the corresponding part was not written — confirm
	// against the parser.
	Registry   string
	Repository string
	Tag        string
	Digest     string
	// Original is the reference as it appeared in the source.
	Original    string
	TagImplicit bool // true when no tag was written in the source (defaulted to latest)
}
ImageReference represents a container image reference
type InputUpgrade ¶ added in v0.1.24
// InputUpgrade is one `with:` input rewrite rule from the ghat config. A To
// value of the form "latest:owner/repo" is resolved via the GitHub API at
// run time, so such rules do incur network access.
type InputUpgrade struct {
	Action      string `yaml:"action"`       // e.g. "golangci/golangci-lint-action"
	Input       string `yaml:"input"`        // e.g. "version"
	FromPattern string `yaml:"from_pattern"` // regex matched against the current value
	To          string `yaml:"to"`           // literal version or "latest:owner/repo"
}
InputUpgrade rewrites a `with:` input when an action is pinned to a new major version that drops support for the old input value. To may be a literal version ("v2.12.1") or "latest:owner/repo" to fetch the current latest release from the GitHub API at run time.
type JobAnalysis ¶ added in v0.1.32
// JobAnalysis is the per-job result within a WorkflowAnalysis.
type JobAnalysis struct {
	// Name is the job key in the YAML, e.g. "build" or "deploy".
	Name string
	// HasTimeout is true when timeout-minutes: is declared on the job.
	HasTimeout bool
	// TimeoutMinutes is the declared timeout-minutes value; presumably zero
	// when HasTimeout is false — confirm.
	TimeoutMinutes int
	// IsReusable is true when the job delegates entirely to a reusable
	// workflow via a job-level `uses:` key. GitHub does not support
	// timeout-minutes on such jobs; the timeout lives inside the called
	// workflow.
	IsReusable bool
	// RunsOn is the normalised runner label(s) for the job. For a single
	// string label this is just that string; for a list of labels the
	// values are joined with commas.
	RunsOn string
	// HasPermissions is true when the job declares its own permissions: block.
	// When false the job inherits the workflow-level permissions (see
	// WorkflowAnalysis.HasPermissions / IsWriteAll).
	HasPermissions bool
	// Permissions maps each GitHub Actions permission scope to its value
	// (e.g. "contents" → "read"). When permissions: write-all is set the
	// map has a single "_all" key with value "write-all". Consumers should
	// check for the "_all" key before reading individual scopes.
	Permissions map[string]string
}
JobAnalysis describes a single job in the workflow.
type OrgFlags ¶ added in v0.1.24
// OrgFlags configures a bulk run over many repositories (see RunBulk).
// NOTE(review): Token and GitHubToken are secrets — keep them out of logs
// and %+v dumps.
type OrgFlags struct {
	Provider string // "github" (default) or "gitlab"
	BaseURL  string // self-hosted API root, e.g. https://gitlab.example.com
	// Owner is the organisation/namespace whose repositories are listed
	// (ignored when Repos is set).
	Owner       string
	Repos       []string // explicit list; if set, Owner/Limit are ignored
	Token       string   // PAT for Provider (clone/push/PR)
	GitHubToken string   // separate PAT for api.github.com lookups during the sweep
	// Branch is the branch used for the generated changes.
	Branch string
	// Offset and Limit page through the repository list.
	Offset int
	Limit  int
	// DryRun, OpenPR and AutoMerge are forwarded to the per-repo Flags —
	// presumably; confirm against RunBulk.
	DryRun    bool
	OpenPR    bool
	AutoMerge bool
	Threshold int // pause when fewer than this many API requests remain
}
func (*OrgFlags) RunBulk ¶ added in v0.1.24
func (o *OrgFlags) RunBulk() ([]RepoResult, error)
type ProviderInfo ¶ added in v0.1.15
// ProviderInfo describes one Terraform provider found by
// ListProvidersInDirectory.
type ProviderInfo struct {
	// Name is the local provider name; Source is the registry source address,
	// with Namespace and Type as its parsed parts (presumably — confirm).
	Name      string
	Source    string
	Namespace string
	Type      string
	// CurrentVersion is the constraint/version in the file; LatestVersion is
	// what the registry reports.
	CurrentVersion string
	LatestVersion  string
}
ProviderInfo holds information about a provider
type ProviderVersion ¶ added in v0.1.15
// ProviderVersion is one version entry from the Terraform Registry
// versions response.
type ProviderVersion struct {
	Version   string   `json:"version"`
	Protocols []string `json:"protocols"`
	// Platforms lists the os/arch pairs the version is built for.
	Platforms []struct {
		OS   string `json:"os"`
		Arch string `json:"arch"`
	} `json:"platforms"`
}
ProviderVersion represents a Terraform provider version from the registry
type ProviderVersionsResponse ¶ added in v0.1.15
// ProviderVersionsResponse is the Terraform Registry versions API payload.
type ProviderVersionsResponse struct {
	// Versions are the published versions as returned by the registry.
	Versions []ProviderVersion `json:"versions"`
}
ProviderVersionsResponse represents the API response from Terraform Registry
type RateLimitError ¶ added in v0.1.14
RateLimitError represents a rate limit error
func (*RateLimitError) Error ¶ added in v0.1.14
func (e *RateLimitError) Error() string
type RepoResult ¶ added in v0.1.24
type StepAnalysis ¶ added in v0.1.32
// StepAnalysis is the per-step result within a WorkflowAnalysis. All fields
// are derived from the YAML text alone; nothing is verified against GitHub.
type StepAnalysis struct {
	// Action is the action reference without the @ref part, e.g.
	// "actions/checkout" or "aws-actions/configure-aws-credentials".
	Action string
	// Ref is the raw ref as written in the YAML, e.g. "v4" or the ghat
	// pinned format "abc1234… # v4".
	Ref string
	// IsSHAPinned is true when Ref is anchored to an immutable 40-char
	// commit SHA (bare or in the "sha # tag" comment format). This is a
	// syntactic check (see IsSHAPinnedRef); whether the SHA exists in the
	// action's repository is not confirmed.
	IsSHAPinned bool
	// SHA is the extracted commit SHA when IsSHAPinned is true.
	SHA string
	// Tag is the human-readable tag associated with SHA (from the
	// "sha # tag" comment), or the raw floating tag when not yet pinned.
	// The comment is informational only; it is not checked against SHA.
	Tag string
	// Suppressed is true when the uses: line carries a # ghat:suppress
	// annotation — the step is intentionally exempt from pinning.
	Suppressed bool
	// ExposesSecretInEnv is true when the step's env: block contains a
	// ${{ secrets.* }} expression, leaking secret values into the process
	// environment where they are visible to child processes and debug logs.
	ExposesSecretInEnv bool
}
StepAnalysis describes a single external uses: step.
type Substitution ¶ added in v0.1.24
type URLFormatError ¶ added in v0.1.10
type URLFormatError struct {
// contains filtered or unexported fields
}
func (URLFormatError) Error ¶ added in v0.1.10
func (e URLFormatError) Error() string
type WorkflowAnalysis ¶ added in v0.1.32
// WorkflowAnalysis is the static-only result of AnalyzeWorkflow for one
// workflow file.
type WorkflowAnalysis struct {
	// HasPermissions is true when the workflow declares a top-level
	// permissions: block (any value, including write-all).
	HasPermissions bool
	// IsWriteAll is true when permissions: write-all is set, granting the
	// GITHUB_TOKEN full repository write access to every job.
	IsWriteAll bool
	// HasDangerousTrigger is true when a dangerous trigger combination is
	// detected:
	// - pull_request_target with a checkout of the PR head, OR
	// - github.event.* interpolated directly into a run: shell block.
	// Only these two patterns are checked; a false value is not evidence
	// that the workflow is free of other trigger-related risks.
	HasDangerousTrigger bool
	// DangerousTriggerDesc describes the pattern that set HasDangerousTrigger
	// (presumably empty otherwise — confirm).
	DangerousTriggerDesc string
	// HasConcurrency is true when the workflow declares a top-level
	// concurrency: block, preventing parallel runs from corrupting state.
	HasConcurrency bool
	// Steps is the ordered list of external uses: action references found in
	// the workflow. Local paths, docker:// refs, and reusable workflow calls
	// are excluded.
	Steps []StepAnalysis
	// Jobs is the per-job analysis, sorted by job name.
	Jobs []JobAnalysis
}
WorkflowAnalysis is the result of static-only analysis of a single GitHub Actions workflow file. No network calls are made; results depend only on the file content supplied.
func AnalyzeWorkflow ¶ added in v0.1.32
func AnalyzeWorkflow(filename string, content []byte) WorkflowAnalysis
AnalyzeWorkflow performs static analysis on the content of a GitHub Actions workflow file. filename is used only for descriptive fields in the result; no I/O is performed and no network calls are made.
The function reuses the regexes and helpers already present in this package (permsRe, writeAllRe, prTargetRe, checkoutPRRe, runInjectRe, parsePinnedRef, parseSuppression) so the analysis stays in sync with ghat's own checks.