Index ¶
- Constants
- func ExtractCpanVersion(rest string) string
- func GetFiles(dir string) ([]string, error)
- func GetGithubBody(token, url string) (interface{}, error)
- func GetGithubBodyWithCache(token, url string, cache *Cache) (interface{}, error)
- func GetLatestPackageVersion(eco, pkg string) (string, error)
- func GetLatestProviderVersion(namespace, providerType string) (string, error)
- func GetLatestRelease(action string, gitHubToken string) (interface{}, error)
- func GetLatestTag(action string, gitHubToken string) (interface{}, error)
- func GetMetaCPANVersion(module string) (string, error)
- func GetReleases(action string, gitHubToken string, days *uint) (map[string]interface{}, error)
- func GetStringValue(block *hclwrite.Block, attribute string) string
- func GetTerraformFiles(directory string) ([]string, error)
- func GetVersion(block *hclwrite.Block) string
- func HasKubeResource(content []byte) bool
- func IsOK(rawURL string) (bool, error)
- func IsSHAPinnedRef(ref string) bool
- func ResolveActionSHA(action, tag, token string) (string, error)
- func ResolveGitLabComponentLatest(name, token string) (sha, tag string, err error)
- func ResolveGitLabComponentSHA(name, version, token string) (string, error)
- func ResolveImageDigest(image string, dockerfileStyle bool, githubToken string) (string, error)
- func ResolveLatestSHA(ownerRepo, token string) (sha, tag string, err error)
- func ResolveTagSHA(action, tag, token string) (string, error)
- type AuditScore
- type Cache
- type CacheEntry
- type Check
- type CheckOutcome
- type ConfigFile
- type DepRef
- type DockerImageAnalysis
- type DockerfileAnalysis
- type Flags
- func (f *Flags) Action(action string) error
- func (f *Flags) Audit() error
- func (f *Flags) CreateLocalPR(dir string) (string, bool, error)
- func (f *Flags) GetComposeFiles() []string
- func (f *Flags) GetDockerfiles() []string
- func (f *Flags) GetGHA() []string
- func (f *Flags) GetGithubHash(newModule string, tag string) (string, error)
- func (f *Flags) GetGithubLatestHash(newModule string) (string, string, error)
- func (f *Flags) GetGitlabFiles() []string
- func (f *Flags) GetHook() (*string, error)
- func (f *Flags) GetKubeFiles() []string
- func (f *Flags) GetProviderFiles() ([]string, error)
- func (f *Flags) GetTF() ([]string, error)
- func (f *Flags) GetType(module string) (string, error)
- func (f *Flags) InitializeCache() error
- func (f *Flags) ListProvidersInDirectory() ([]ProviderInfo, error)
- func (f *Flags) UpdateCompose(file string) error
- func (f *Flags) UpdateCpanfile() error
- func (f *Flags) UpdateDockerfile(file string) error
- func (f *Flags) UpdateDockerfiles() error
- func (f *Flags) UpdateGHA(file string) error
- func (f *Flags) UpdateGHAS() error
- func (f *Flags) UpdateGithubSource(version string, newModule string) (string, string, error)
- func (f *Flags) UpdateGitlab() error
- func (f *Flags) UpdateHooks() error
- func (f *Flags) UpdateKube(file string) error
- func (f *Flags) UpdateKubes() error
- func (f *Flags) UpdateModule(file string) error
- func (f *Flags) UpdateModules() error
- func (f *Flags) UpdateProvider(file string) error
- func (f *Flags) UpdateProviders() error
- func (f *Flags) UpdateSource(module string, moduleType string, version string) (string, string, error)
- func (f *Flags) UpdateSubmodules() error
- func (f *Flags) WithSubDir(version string, newModule string, subdir string) (string, string, error)
- type GhatConfig
- type GitlabCIAnalysis
- type GitlabImageAnalysis
- type GitlabJobAnalysis
- type Hook
- type ImageReference
- type InputUpgrade
- type JobAnalysis
- type ManifestKind
- type OrgFlags
- type PreCommitAnalysis
- type PreCommitRepoAnalysis
- type ProviderInfo
- type ProviderVersion
- type ProviderVersionsResponse
- type RateLimitError
- type Registry
- type Repo
- type RepoResult
- type StepAnalysis
- type Submodule
- type Substitution
- type URLFormatError
- type WorkflowAnalysis
Constants ¶
// Subcommand names. They are presumably the values accepted by Flags.Action;
// what each one does is decided by the cmd layer, which is not visible here.
const (
	ActionSwipe = "swipe"
	ActionSwot  = "swot"
	ActionSift  = "sift"
	ActionStun  = "stun"
	ActionShake = "shake"
	ActionKube  = "kube"
	ActionDock  = "dock"
	ActionSweep = "sweep"
	ActionSub   = "sub"
	ActionAudit = "audit"
)
// Ecosystem identifiers for manifests that are updated in place (GitHub
// Actions workflows, Go modules, pre-commit configs, Terraform).
// DepRef.Ecosystem holds one of the Source* constants.
const (
	SourceGo        = "go"
	SourceGHA       = "gha"
	SourcePreCommit = "pre-commit"
	SourceTerraform = "terraform"
)
// Ecosystem identifiers for package registries queried by
// GetLatestPackageVersion. DepRef.Ecosystem holds one of the Source* constants.
const (
	SourceNpm   = "npm"
	SourcePypi  = "pypi"
	SourceCargo = "cargo"
	SourceGem   = "gem"
)
// Well-known file name, URL prefix and file mode used across the package.
const (
	PreCommitConfigFile = ".pre-commit-config.yaml"
	GitHubPrefix        = "https://github.com/"
	// FilePermissions is 0666 (rw-rw-rw-) before the process umask is
	// applied, so with the usual 022 umask a written file is world-readable.
	// NOTE(review): which writes use this mode is not visible here — confirm
	// it is only applied to manifest files already tracked in the repository
	// and never to anything that could hold a token or a cached API response.
	FilePermissions = 0666
)
Constants for values that are repeated across the package.
// CpanfileName is the file name looked for when updating Perl dependencies
// (see Flags.UpdateCpanfile).
const (
	CpanfileName = "cpanfile"
)
// GitModulesFile is the git submodule manifest (see Flags.UpdateSubmodules).
const GitModulesFile = ".gitmodules"

// Additional ecosystem identifiers; DepRef.Ecosystem holds one of the
// Source* constants. Compose, Dockerfile, GitLab and Kube sources are pinned
// to image digests rather than to package versions.
const SourceCompose = "compose"
const SourceCpanfile = "cpanfile"
const SourceDockerfile = "dockerfile"
const SourceGitLab = "gitlab"
const SourceGitLabComponent = "gitlab-component"
const SourceKube = "kube"
// SuppressAnnotation is the trailing comment that exempts a line from
// pinning. The *Analysis types report its presence through their
// Suppressed / IsSuppressed fields, so a suppressed reference is still
// visible to reviewers rather than silently dropped.
const (
	SuppressAnnotation = "# ghat:suppress"
)
Functions ¶
func ExtractCpanVersion ¶ added in v0.1.44
ExtractCpanVersion parses the version string out of a cpanfile dep's trailing argument (the rest capture group from cpanRequireRE). ", '2.2015'" → "2.2015"; ", '>= 1.6'" → ">= 1.6"; "" → ""
func GetGithubBody ¶
GetGithubBody fetches data from the GitHub API without caching. It is kept unchanged for backward compatibility; GetGithubBodyWithCache is the cached variant.
func GetGithubBodyWithCache ¶ added in v0.1.14
GetGithubBodyWithCache fetches data from GitHub API with caching support
func GetLatestPackageVersion ¶ added in v0.1.43
GetLatestPackageVersion fetches the newest published version of pkg from its ecosystem's public registry. Returns the raw version string as the registry reports it (e.g. "4.18.2" for npm, "v0.22.0" for Go modules).
func GetLatestProviderVersion ¶ added in v0.1.35
GetLatestProviderVersion queries the Terraform Registry API for the latest stable version of a provider. namespace is e.g. "hashicorp", providerType is e.g. "aws".
func GetLatestRelease ¶
func GetLatestTag ¶
func GetMetaCPANVersion ¶ added in v0.1.44
GetMetaCPANVersion returns the latest published version of a CPAN module.
func GetReleases ¶
GetReleases fetches releases from GitHub with rate limit handling
func GetTerraformFiles ¶ added in v0.1.15
GetTerraformFiles returns all .tf files in the entries
func GetVersion ¶
func HasKubeResource ¶ added in v0.1.35
HasKubeResource reports whether content contains at least one recognised Kubernetes resource (apiVersion + known workload kind).
func IsSHAPinnedRef ¶ added in v0.1.32
IsSHAPinnedRef reports whether a raw ref value is pinned to an immutable commit SHA. It accepts both a bare 40-character hex SHA and the "sha # tag" comment format that ghat writes when pinning; it is a format check on the string itself.
func ResolveActionSHA ¶ added in v0.1.35
ResolveActionSHA resolves action@tag to its commit SHA via the GitHub API, dereferencing annotated tag objects. action is "owner/repo" (or "owner/repo/subdir" — the subdir is stripped). Exported for the LSP server's pin-to-SHA code action.
func ResolveGitLabComponentLatest ¶ added in v0.1.42
ResolveGitLabComponentLatest resolves the latest release tag of a GitLab CI component project and returns its commit SHA and tag name. It queries the releases API first (which respects release ordering), then falls back to the repository tags API.
func ResolveGitLabComponentSHA ¶ added in v0.1.41
ResolveGitLabComponentSHA resolves a GitLab CI component reference tag to its underlying commit SHA via the GitLab project tags API. name is the component path like "gitlab.com/components/opentofu/full-pipeline" and version is the tag like "0.1.0".
func ResolveImageDigest ¶ added in v0.1.35
ResolveImageDigest resolves a container image reference to a pinned form by performing a registry HEAD via go-containerregistry (keychain auth, with a ghcr.io override when githubToken is set). When dockerfileStyle is true the result is `image:tag@sha256:…` (valid FROM syntax); otherwise it is `image@sha256:… # tag` (YAML comment form used by GitLab CI / Kubernetes).
func ResolveLatestSHA ¶ added in v0.1.35
ResolveLatestSHA returns the latest tag name and its commit SHA for a GitHub repo identified by "owner/repo". Used by the LSP to implement update-to-latest for GHA actions and pre-commit repos.
func ResolveTagSHA ¶ added in v0.1.35
ResolveTagSHA resolves a GHA action owner/repo and tag to the commit SHA. action is "owner/repo" (e.g. "actions/checkout"), tag is the ref (e.g. "v4").
Types ¶
type AuditScore ¶ added in v0.1.35
// AuditScore summarises the supply-chain score for a single dependency,
// as produced by AuditOne.
type AuditScore struct {
	// Bucket is the overall verdict: "ok", "RISK", or "STALE".
	Bucket string
	// Checks holds the per-check results that led to Bucket.
	Checks []Check
	// Unpinned lists workflow refs that are not SHA-pinned (see
	// IsSHAPinnedRef for what counts as pinned).
	Unpinned []string
}
AuditScore summarises the supply-chain score for a single dependency.
func AuditOne ¶ added in v0.1.35
func AuditOne(eco, name, version, token string, c *Cache) (AuditScore, error)
AuditOne scores a single dependency identified by its ecosystem, name, and (optional) version. It makes GitHub API calls; token may be empty for public repos (rate limits apply). c may be nil.
type Cache ¶ added in v0.1.14
// Cache handles caching of GitHub API responses with per-entry expiry
// (NewCache takes the TTL; ClearExpired drops stale entries). Entries are
// presumably keyed by request URL, since CacheEntry records one.
// NOTE(review): cached bodies may have been fetched with an authenticated
// token — if the cache is persisted to disk, confirm its path and file mode.
type Cache struct {
	// contains filtered or unexported fields
}
Cache handles caching of GitHub API responses
func NewCache ¶ added in v0.1.14
NewCache creates a new cache instance. ttl is the time-to-live for cached entries (e.g., 24 hours).
func (*Cache) ClearExpired ¶ added in v0.1.14
ClearExpired removes expired cache entries
func (*Cache) Get ¶ added in v0.1.14
Get retrieves a cached response. It returns the cached data and true if the entry is found and not expired; otherwise it returns nil and false.
type CacheEntry ¶ added in v0.1.14
// CacheEntry represents a cached API response. The json tags indicate the
// entry is serialised; the storage location is not visible here.
type CacheEntry struct {
	// Data is the decoded response body as returned by the GitHub helpers.
	Data interface{} `json:"data"`
	// ExpiresAt is the instant after which Get treats the entry as stale.
	ExpiresAt time.Time `json:"expires_at"`
	// URL is the request the entry was fetched from.
	URL string `json:"url"`
}
CacheEntry represents a cached API response
type Check ¶ added in v0.1.35
// Check is an exported audit check result for a single supply-chain
// dimension; AuditScore.Checks collects them.
type Check struct {
	// Name identifies the check.
	Name string
	// Outcome is pass, fail or skip (see CheckOutcome).
	Outcome CheckOutcome
	// Detail is free-form explanatory text for the outcome.
	Detail string
}
Check is an exported audit check result for a single supply-chain dimension.
type CheckOutcome ¶ added in v0.1.35
// CheckOutcome is the result of a single audit check; see CheckPass,
// CheckFail and CheckSkip.
type CheckOutcome int
CheckOutcome is the result of a single audit check.
// Possible CheckOutcome values. CheckSkip is distinct from CheckFail:
// a skipped check did not produce a verdict (presumably because the data
// needed to evaluate it was unavailable — confirm in audit_checks.go).
const (
	CheckPass CheckOutcome = iota
	CheckFail
	CheckSkip
)
type ConfigFile ¶
type DepRef ¶ added in v0.1.35
// DepRef is a single dependency reference extracted from a manifest file
// by ParseManifest, with the 1-indexed line number of its declaration.
type DepRef struct {
	// Ecosystem is one of the Source* constants.
	Ecosystem string
	// Name is the dependency identifier, e.g. "actions/checkout", "lodash", "requests".
	Name string
	// Version is the raw constraint as written, e.g. "v4", "^1.0.0", "==2.31.0".
	Version string
	// Line is the 1-indexed line of the name/source declaration.
	Line int
	// VersionLine is the 1-indexed line of the version attribute when it is
	// separate from the name (0 = same as Line).
	VersionLine int
}
DepRef is a single dependency reference extracted from a manifest file, with the 1-indexed line number of its declaration.
func ParseManifest ¶ added in v0.1.35
func ParseManifest(kind ManifestKind, content []byte) []DepRef
ParseManifest parses a manifest file's raw bytes and returns the dependency references it contains. No network calls are made.
type DockerImageAnalysis ¶ added in v0.1.35
// DockerImageAnalysis describes a single FROM directive as seen by
// AnalyzeDockerfile. No registry lookups are involved.
type DockerImageAnalysis struct {
	// Raw is the image reference as written, e.g. "golang:1.21" or
	// "golang:1.21@sha256:abc…".
	Raw string
	// Resolved is Raw with ARG defaults expanded, e.g. "golang:1.21" when
	// Raw was "golang:${GO}" and ARG GO=1.21 preceded it.
	Resolved string
	// Image is the repository portion after ARG expansion, without tag/digest.
	Image string
	// Tag is the tag portion after ARG expansion, or "" when none was given.
	Tag string
	// IsDigestPinned is true when the reference contains "@sha256:".
	IsDigestPinned bool
	// Suppressed is true when the FROM line carries # ghat:suppress.
	Suppressed bool
	// Line is the 1-indexed source line of the FROM directive.
	Line int
}
DockerImageAnalysis describes a single FROM directive.
type DockerfileAnalysis ¶ added in v0.1.35
// DockerfileAnalysis is the result of static-only analysis of a Dockerfile
// (see AnalyzeDockerfile). No registry lookups are made.
type DockerfileAnalysis struct {
	// Images holds one entry per FROM directive, in file order.
	Images []DockerImageAnalysis
}
DockerfileAnalysis is the result of static-only analysis of a Dockerfile. No registry lookups are made.
func AnalyzeDockerfile ¶ added in v0.1.35
func AnalyzeDockerfile(content []byte) DockerfileAnalysis
AnalyzeDockerfile performs static analysis on Dockerfile content. ARG defaults declared above each FROM are expanded so that `ARG GO=1.21` / `FROM golang:${GO}` is correctly classified.
type Flags ¶
// Flags represents command-line flags and configuration shared by the
// ghat subcommands. Options without a comment are assigned by the cmd
// layer, which is not visible here; their exact semantics should be
// confirmed there.
type Flags struct {
	// Existing fields
	DryRun      bool
	Update      bool
	File        string
	Directory   string
	// GitHubToken is the token handed to the GitHub API helpers. Treat it
	// as a secret: keep it out of diff output and logs.
	GitHubToken string
	Stable      *uint
	Entries     []string // For tracking entries
	Days        *uint    // Days parameter
	ContinueOnError bool // Continue on error flag
	Deep        bool
	Sources     []string
	// New cache fields
	Cache        *Cache
	CacheEnabled bool
	CacheTTL     time.Duration
	Silent       bool // suppress diff output (used by org bulk mode)
	PinOnly      bool // pin current tag to SHA without checking for upgrades
	// Substitutions and InputUpgrades come from LoadConfig (built-in,
	// global and repository-local .ghat.yml merged).
	Substitutions []Substitution
	InputUpgrades []InputUpgrade
	// OpenPR controls whether CreateLocalPR creates a branch and PR; when
	// false, changes are still reported but nothing is pushed.
	OpenPR    bool
	AutoMerge bool
	Branch    string
	// PRToken is a separate token used for PR creation — presumably so it
	// can carry a different scope from GitHubToken; confirm in CreateLocalPR.
	PRToken   string
}
Flags represents command-line flags and configuration
func NewFlags ¶ added in v0.1.14
func NewFlags() *Flags
NewFlags creates a new Flags instance with default cache settings
func (*Flags) CreateLocalPR ¶ added in v0.1.31
CreateLocalPR checks for git changes in dir, then commits them to a branch and opens a PR. Returns (prURL, changed, error). If no changes, changed is false. If OpenPR is false, changed is still reported but no branch/PR is created.
func (*Flags) GetComposeFiles ¶ added in v0.1.19
GetComposeFiles returns all Docker Compose files from the scanned entries.
func (*Flags) GetDockerfiles ¶ added in v0.1.19
GetDockerfiles returns all Dockerfile paths from the scanned entries.
func (*Flags) GetGithubHash ¶
func (*Flags) GetGithubLatestHash ¶
func (*Flags) GetGitlabFiles ¶ added in v0.1.15
GetGitlabFiles finds GitLab CI files in the entries
func (*Flags) GetKubeFiles ¶ added in v0.1.18
GetKubeFiles returns all Kubernetes manifest files from the scanned entries.
func (*Flags) GetProviderFiles ¶ added in v0.1.15
GetProviderFiles finds Terraform files that likely contain provider definitions
func (*Flags) InitializeCache ¶ added in v0.1.14
InitializeCache initializes the cache based on flags
func (*Flags) ListProvidersInDirectory ¶ added in v0.1.15
func (f *Flags) ListProvidersInDirectory() ([]ProviderInfo, error)
ListProvidersInDirectory lists all providers found in Terraform files
func (*Flags) UpdateCompose ¶ added in v0.1.19
UpdateCompose pins image references in a Docker Compose file to SHA digests.
func (*Flags) UpdateCpanfile ¶ added in v0.1.24
func (*Flags) UpdateDockerfile ¶ added in v0.1.19
UpdateDockerfile pins FROM image references in a single Dockerfile to SHA digests. Output format: FROM image:tag@sha256:digest (valid Docker syntax, tag preserved inline).
func (*Flags) UpdateDockerfiles ¶ added in v0.1.19
UpdateDockerfiles pins FROM image references in all Dockerfiles found in the entries.
func (*Flags) UpdateGHAS ¶
func (*Flags) UpdateGithubSource ¶
func (*Flags) UpdateGitlab ¶ added in v0.1.15
func (*Flags) UpdateHooks ¶
func (*Flags) UpdateKube ¶ added in v0.1.18
UpdateKube pins container image references in a single Kubernetes manifest file.
func (*Flags) UpdateKubes ¶ added in v0.1.18
UpdateKubes pins all Kubernetes manifests and Docker Compose files found in the scanned entries.
func (*Flags) UpdateModule ¶
func (*Flags) UpdateModules ¶
func (*Flags) UpdateProvider ¶ added in v0.1.15
UpdateProvider updates providers in a single Terraform file
func (*Flags) UpdateProviders ¶ added in v0.1.15
UpdateProviders updates all Terraform providers in the directory
func (*Flags) UpdateSource ¶
func (*Flags) UpdateSubmodules ¶ added in v0.1.24
type GhatConfig ¶ added in v0.1.24
// GhatConfig is the merged .ghat.yml configuration returned by LoadConfig.
// NOTE(review): LoadConfig layers the repository-local <dir>/.ghat.yml on
// top of the global file, so a config checked into a repository can
// override global substitutions — worth confirming this is intended when
// the tool is run over repositories it does not own (e.g. OrgFlags.RunBulk).
type GhatConfig struct {
	// Substitutions rewrite dependency sources; later entries win on
	// duplicate From values.
	Substitutions []Substitution `yaml:"substitutions"`
	// InputUpgrades rewrite `with:` inputs when an action is pinned to a
	// new major version (see InputUpgrade).
	InputUpgrades []InputUpgrade `yaml:"input_upgrades"`
}
func LoadConfig ¶ added in v0.1.24
func LoadConfig(dir string) GhatConfig
LoadConfig merges built-in substitutions.yml, ~/.ghat.yml (global), and <dir>/.ghat.yml (local). Later entries win on duplicate From values.
type GitlabCIAnalysis ¶ added in v0.1.34
// GitlabCIAnalysis is the result of static-only analysis of a
// .gitlab-ci.yml file (see AnalyzeGitlabCI). No network calls are made;
// results depend only on the content supplied.
type GitlabCIAnalysis struct {
	// Jobs is the ordered list of job definitions found in the file, sorted
	// by job name for deterministic output.
	Jobs []GitlabJobAnalysis
}
GitlabCIAnalysis is the result of static-only analysis of a .gitlab-ci.yml file. No network calls are made; results depend only on the content supplied.
func AnalyzeGitlabCI ¶ added in v0.1.34
func AnalyzeGitlabCI(content []byte) GitlabCIAnalysis
AnalyzeGitlabCI performs static-only analysis of a .gitlab-ci.yml file. No network calls are made; all analysis is performed on the supplied content.
The function returns metadata about each job: timeout declaration, allow_failure setting, and container image digest-pinning status.
type GitlabImageAnalysis ¶ added in v0.1.34
// GitlabImageAnalysis describes a container image used in a GitLab CI job.
type GitlabImageAnalysis struct {
	// Name is the image reference exactly as written in the YAML
	// (before any comment stripping), e.g. "golang:1.21" or
	// "gcr.io/project/app@sha256:abc123 # v1.6.0".
	Name string
	// IsDigestPinned is true when the image reference contains "@sha256:".
	// This is a textual check; the digest is not verified against a registry.
	IsDigestPinned bool
	// IsSuppressed is true when the image line carries a # ghat:suppress
	// annotation in the source file.
	IsSuppressed bool
	// Line is the 1-indexed source line of the image: declaration. 0 when unknown.
	Line int
}
GitlabImageAnalysis describes a container image used in a GitLab CI job.
type GitlabJobAnalysis ¶ added in v0.1.34
// GitlabJobAnalysis describes a single job in .gitlab-ci.yml.
type GitlabJobAnalysis struct {
	// Name is the job key in the YAML.
	Name string
	// HasTimeout is true when the job declares a timeout: field.
	HasTimeout bool
	// AllowFailure is true when allow_failure: true is set, or when
	// allow_failure: is an object (partial failure via exit_codes).
	AllowFailure bool
	// Images is the list of container images declared for this job.
	Images []GitlabImageAnalysis
	// Line is the 1-indexed source line of the job key. 0 when unknown.
	Line int
}
GitlabJobAnalysis describes a single job in .gitlab-ci.yml.
type Hook ¶
// Hook is one hook entry under a `- repo:` block of
// .pre-commit-config.yaml (PreCommitConfigFile). The field set mirrors the
// pre-commit hook schema as far as this package understands it; omitempty
// keeps unset fields out of the rewritten file.
type Hook struct {
	ID                      string   `yaml:"id"`
	Name                    string   `yaml:"name,omitempty"`
	Entry                   string   `yaml:"entry,omitempty"`
	Language                string   `yaml:"language,omitempty"`
	Files                   string   `yaml:"files,omitempty"`
	Exclude                 string   `yaml:"exclude,omitempty"`
	Types                   []string `yaml:"types,omitempty"`
	TypesOr                 []string `yaml:"types_or,omitempty"`
	ExcludeTypes            []string `yaml:"exclude_types,omitempty"`
	// Pointer bools distinguish "not set" (nil) from an explicit false.
	AlwaysRun               *bool    `yaml:"always_run,omitempty"`
	FailFast                *bool    `yaml:"fail_fast,omitempty"`
	Verbose                 *bool    `yaml:"verbose,omitempty"`
	PassFilenames           *bool    `yaml:"pass_filenames,omitempty"`
	RequireSerial           *bool    `yaml:"require_serial,omitempty"`
	Description             string   `yaml:"description,omitempty"`
	LanguageVersion         string   `yaml:"language_version,omitempty"`
	MinimumPrecommitVersion string   `yaml:"minimum_pre_commit_version,omitempty"`
	Args                    []string `yaml:"args,omitempty"`
	Stages                  []string `yaml:"stages,omitempty"`
}
type ImageReference ¶ added in v0.1.15
// ImageReference represents a container image reference split into its
// parts. How each part is populated lives in the parser, not visible here.
type ImageReference struct {
	// Registry is the host portion (presumably empty or defaulted when the
	// reference names none).
	Registry string
	// Repository is the path portion without tag or digest.
	Repository string
	// Tag is the tag portion, if any.
	Tag string
	// Digest is the "sha256:…" portion, if any.
	Digest string
	// Original is the reference as written in the source.
	Original string
	// TagImplicit is true when no tag was written in the source (defaulted
	// to latest).
	TagImplicit bool
}
ImageReference represents a container image reference
type InputUpgrade ¶ added in v0.1.24
// InputUpgrade rewrites a `with:` input when an action is pinned to a new
// major version that drops support for the old input value. Entries are
// loaded from .ghat.yml by LoadConfig.
type InputUpgrade struct {
	// Action is the action this rule applies to, e.g. "golangci/golangci-lint-action".
	Action string `yaml:"action"`
	// Input is the `with:` key to rewrite, e.g. "version".
	Input string `yaml:"input"`
	// FromPattern is a regex matched against the current value. It comes
	// from configuration, so a malformed pattern is a config error rather
	// than a code error.
	FromPattern string `yaml:"from_pattern"`
	// To is a literal version ("v2.12.1") or "latest:owner/repo", which
	// fetches the current latest release from the GitHub API at run time.
	To string `yaml:"to"`
}
InputUpgrade rewrites a `with:` input when an action is pinned to a new major version that drops support for the old input value. To may be a literal version ("v2.12.1") or "latest:owner/repo" to fetch the current latest release from the GitHub API at run time.
type JobAnalysis ¶ added in v0.1.32
// JobAnalysis describes a single job in a GitHub Actions workflow, as
// produced by AnalyzeWorkflow.
type JobAnalysis struct {
	// Name is the job key in the YAML, e.g. "build" or "deploy".
	Name string
	// HasTimeout is true when timeout-minutes: is declared on the job.
	HasTimeout bool
	// TimeoutMinutes is the declared timeout-minutes value; presumably 0
	// when HasTimeout is false.
	TimeoutMinutes int
	// IsReusable is true when the job delegates entirely to a reusable
	// workflow via a job-level `uses:` key. GitHub does not support
	// timeout-minutes on such jobs; the timeout lives inside the called
	// workflow.
	IsReusable bool
	// RunsOn is the normalised runner label(s) for the job. For a single
	// string label this is just that string; for a list of labels the
	// values are joined with commas.
	RunsOn string
	// HasPermissions is true when the job declares its own permissions: block.
	HasPermissions bool
	// Permissions maps each GitHub Actions permission scope to its value
	// (e.g. "contents" → "read"). When permissions: write-all is set the
	// map has a single "_all" key with value "write-all".
	Permissions map[string]string
	// Line is the 1-indexed source line of the job key. 0 when unknown.
	Line int
}
JobAnalysis describes a single job in the workflow.
type ManifestKind ¶ added in v0.1.35
// ManifestKind identifies the type of dependency manifest handed to
// ParseManifest; see the Manifest* constants.
type ManifestKind int
ManifestKind identifies the type of dependency manifest.
// Manifest kinds understood by ParseManifest. Each name indicates the file
// type it covers; the parsing rules per kind live in manifest.go.
const (
	ManifestGHA ManifestKind = iota
	ManifestGoMod
	ManifestNPM
	ManifestPyPI
	ManifestCargo
	ManifestGem
	ManifestPreCommit
	ManifestCpanfile
	ManifestDockerfile
	ManifestGitLab
	ManifestKube
	ManifestCompose
	ManifestTerraform
)
type OrgFlags ¶ added in v0.1.24
// OrgFlags configures an organisation-wide sweep (see RunBulk), which
// clones, updates and optionally opens PRs across many repositories.
type OrgFlags struct {
	Provider string // "github" (default) or "gitlab"
	BaseURL  string // self-hosted API root, e.g. https://gitlab.example.com
	Owner    string
	Repos    []string // explicit list; if set, Owner/Limit are ignored
	// Token is the PAT for Provider (clone/push/PR). Both tokens are
	// secrets; keep them out of per-repo output and logs.
	Token       string
	GitHubToken string // separate PAT for api.github.com lookups during the sweep
	Branch      string
	// Offset and Limit window the repository list when Repos is empty
	// (presumably; confirm in RunBulk).
	Offset    int
	Limit     int
	DryRun    bool
	OpenPR    bool
	AutoMerge bool
	Threshold int // pause when fewer than this many API requests remain
}
func (*OrgFlags) RunBulk ¶ added in v0.1.24
func (o *OrgFlags) RunBulk() ([]RepoResult, error)
type PreCommitAnalysis ¶ added in v0.1.35
// PreCommitAnalysis is the result of static-only analysis of a
// .pre-commit-config.yaml file (see AnalyzePreCommit). No network calls are made.
type PreCommitAnalysis struct {
	// Repos holds one entry per `- repo:` block.
	Repos []PreCommitRepoAnalysis
}
PreCommitAnalysis is the result of static-only analysis of a .pre-commit-config.yaml file. No network calls are made.
func AnalyzePreCommit ¶ added in v0.1.35
func AnalyzePreCommit(content []byte) PreCommitAnalysis
AnalyzePreCommit performs static analysis on a .pre-commit-config.yaml file. Parsing mirrors rewritePreCommitRevs in pre-commit.go (line-based) so the pinned/suppressed verdict is identical to what `ghat sift` would act on.
type PreCommitRepoAnalysis ¶ added in v0.1.35
// PreCommitRepoAnalysis describes a single `- repo:` entry.
type PreCommitRepoAnalysis struct {
	// Repo is the repository URL as written, e.g.
	// "https://github.com/pre-commit/pre-commit-hooks".
	Repo string
	// Rev is the raw rev: value as written.
	Rev string
	// IsSHAPinned is true when Rev is a 40-char hex SHA (bare or "sha # tag");
	// see IsSHAPinnedRef. It is a format check, not a verification.
	IsSHAPinned bool
	// Suppressed is true when either the repo: or rev: line carries
	// # ghat:suppress.
	Suppressed bool
	// Line is the 1-indexed source line of the `rev:` key.
	Line int
}
PreCommitRepoAnalysis describes a single `- repo:` entry.
type ProviderInfo ¶ added in v0.1.15
// ProviderInfo holds information about a Terraform provider found by
// ListProvidersInDirectory.
type ProviderInfo struct {
	// Name is the provider's local name in the required_providers block.
	Name string
	// Source is the registry source address as written.
	Source string
	// Namespace and Type are the two halves of Source, e.g. "hashicorp"
	// and "aws" (the arguments GetLatestProviderVersion takes).
	Namespace string
	Type      string
	// CurrentVersion is the constraint declared in the file.
	CurrentVersion string
	// LatestVersion is the newest stable version reported by the registry,
	// presumably empty until looked up.
	LatestVersion string
}
ProviderInfo holds information about a provider
type ProviderVersion ¶ added in v0.1.15
// ProviderVersion represents a Terraform provider version from the registry;
// field tags follow the registry's JSON.
type ProviderVersion struct {
	// Version is the version string as the registry reports it.
	Version string `json:"version"`
	// Protocols lists the provider protocol versions supported.
	Protocols []string `json:"protocols"`
	// Platforms lists the os/arch pairs a build exists for.
	Platforms []struct {
		OS   string `json:"os"`
		Arch string `json:"arch"`
	} `json:"platforms"`
}
ProviderVersion represents a Terraform provider version from the registry
type ProviderVersionsResponse ¶ added in v0.1.15
// ProviderVersionsResponse represents the API response from the Terraform
// Registry versions endpoint (decoded by GetLatestProviderVersion).
type ProviderVersionsResponse struct {
	// Versions is every published version; order is whatever the registry
	// returns, so callers should not assume it is sorted.
	Versions []ProviderVersion `json:"versions"`
}
ProviderVersionsResponse represents the API response from Terraform Registry
type RateLimitError ¶ added in v0.1.14
RateLimitError represents a rate limit error
func (*RateLimitError) Error ¶ added in v0.1.14
func (e *RateLimitError) Error() string
type RepoResult ¶ added in v0.1.24
type StepAnalysis ¶ added in v0.1.32
// StepAnalysis describes a single external uses: step found by
// AnalyzeWorkflow.
type StepAnalysis struct {
	// Action is the action reference without the @ref part, e.g.
	// "actions/checkout" or "aws-actions/configure-aws-credentials".
	Action string
	// Ref is the raw ref as written in the YAML, e.g. "v4" or the ghat
	// pinned format "abc1234… # v4".
	Ref string
	// IsSHAPinned is true when Ref is anchored to an immutable 40-char
	// commit SHA (bare or in the "sha # tag" comment format). This is a
	// format check; the SHA is not verified against GitHub.
	IsSHAPinned bool
	// SHA is the extracted commit SHA when IsSHAPinned is true.
	SHA string
	// Tag is the human-readable tag associated with SHA (from the
	// "sha # tag" comment), or the raw floating tag when not yet pinned.
	// The comment is informational only and is not checked against the SHA.
	Tag string
	// Suppressed is true when the uses: line carries a # ghat:suppress
	// annotation — the step is intentionally exempt from pinning.
	Suppressed bool
	// ExposesSecretInEnv is true when the step's env: block contains a
	// ${{ secrets.* }} expression, leaking secret values into the process
	// environment where they are visible to child processes and debug logs.
	ExposesSecretInEnv bool
	// Line is the 1-indexed source line of the `uses:` key. 0 when unknown.
	Line int
}
StepAnalysis describes a single external uses: step.
type Substitution ¶ added in v0.1.24
type URLFormatError ¶ added in v0.1.10
// URLFormatError is presumably returned when a dependency source URL does
// not have the shape this package expects; Error renders the message.
// Which inputs produce it is not visible here.
type URLFormatError struct {
	// contains filtered or unexported fields
}
func (URLFormatError) Error ¶ added in v0.1.10
func (e URLFormatError) Error() string
type WorkflowAnalysis ¶ added in v0.1.32
// WorkflowAnalysis is the result of static-only analysis of a single GitHub
// Actions workflow file (see AnalyzeWorkflow). No network calls are made;
// results depend only on the file content supplied.
type WorkflowAnalysis struct {
	// HasPermissions is true when the workflow declares a top-level
	// permissions: block (any value, including write-all).
	HasPermissions bool
	// IsWriteAll is true when permissions: write-all is set, granting the
	// GITHUB_TOKEN full repository write access to every job.
	IsWriteAll bool
	// HasDangerousTrigger is true when a dangerous trigger combination is
	// detected:
	// - pull_request_target with a checkout of the PR head, OR
	// - github.event.* interpolated directly into a run: shell block.
	HasDangerousTrigger bool
	// DangerousTriggerDesc is a human-readable description of the detected
	// combination; presumably empty when HasDangerousTrigger is false.
	DangerousTriggerDesc string
	// HasConcurrency is true when the workflow declares a top-level
	// concurrency: block, preventing parallel runs from corrupting state.
	HasConcurrency bool
	// Line numbers (1-indexed) for the constructs above. 0 when absent.
	PermissionsLine      int
	WriteAllLine         int
	DangerousTriggerLine int
	// JobsLine is the line of the top-level `jobs:` key, used by editors
	// as an insert anchor for a permissions: block.
	JobsLine int
	// Steps is the ordered list of external uses: action references found in
	// the workflow. Local paths, docker:// refs, and reusable workflow calls
	// are excluded.
	Steps []StepAnalysis
	// Jobs is the per-job analysis, sorted by job name.
	Jobs []JobAnalysis
}
WorkflowAnalysis is the result of static-only analysis of a single GitHub Actions workflow file. No network calls are made; results depend only on the file content supplied.
func AnalyzeWorkflow ¶ added in v0.1.32
func AnalyzeWorkflow(filename string, content []byte) WorkflowAnalysis
AnalyzeWorkflow performs static analysis on the content of a GitHub Actions workflow file. filename is used only for descriptive fields in the result; no I/O is performed and no network calls are made.
The function reuses the regexes and helpers already present in this package (permsRe, writeAllRe, prTargetRe, checkoutPRRe, runInjectRe, parsePinnedRef, parseSuppression) so the analysis stays in sync with ghat's own checks.
Source Files
- action.go
- analysis.go
- analysis_dockerfile.go
- analysis_gitlab.go
- analysis_precommit.go
- audit.go
- audit_checks.go
- audit_ecosystems.go
- audit_one.go
- audit_runinstalls.go
- cache.go
- config.go
- cpanfile.go
- diff.go
- dock.go
- error.go
- filter.go
- flags.go
- gha.go
- gitlab.go
- host.go
- kube.go
- manifest.go
- modules.go
- org.go
- pre-commit.go
- providers.go
- registry.go
- submodule.go
- suppress.go
- types.go