Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func IsModuleAddress ¶
IsModuleAddress returns true if the address refers to a module call (the "module.name" format).
func IsResourceAddress ¶
IsResourceAddress returns true if the address refers to a resource (the "type.name" format).
Types ¶
type CheckResult ¶
// CheckResult represents the result of running a check between an old and a
// new configuration, together with the verdict derived from its findings.
type CheckResult struct {
	// OldPath is the path to the old configuration.
	OldPath string `json:"old_path"`
	// NewPath is the path to the new configuration.
	NewPath string `json:"new_path"`
	// Findings is the list of all findings, appended via AddFinding.
	// Suppressed findings presumably stay in the list with Finding.Ignored
	// set (Summary.Ignored counts them) rather than being dropped — confirm.
	Findings []*Finding `json:"findings"`
	// Summary contains counts by severity; populated by Compute.
	Summary Summary `json:"summary"`
	// Result is PASS or FAIL based on the policy; set by Compute.
	Result string `json:"result"`
	// FailOn is the severity threshold used for the result. Findings at or
	// above this level presumably turn Result into FAIL — confirm in Compute.
	FailOn Severity `json:"fail_on"`
}
CheckResult represents the result of running a check
func NewCheckResult ¶
func NewCheckResult(oldPath, newPath string, failOn Severity) *CheckResult
NewCheckResult creates a new CheckResult
func (*CheckResult) AddFinding ¶
func (r *CheckResult) AddFinding(f *Finding)
AddFinding adds a finding to the result
func (*CheckResult) Compute ¶
func (r *CheckResult) Compute()
Compute calculates the summary and result
type FileRange ¶
// FileRange represents a location in a source file. Filename and Line are
// always emitted in JSON; the remaining fields are omitted when zero.
// NOTE(review): whether Line/Column are 1-based is not stated here — confirm
// against the code that fills them in.
type FileRange struct {
	// Filename is the file the range points into.
	Filename string `json:"filename"`
	// Line is the line where the range starts.
	Line int `json:"line"`
	// Column is the column where the range starts; zero (unset) is omitted
	// from JSON.
	Column int `json:"column,omitempty"`
	// EndLine is the line where the range ends; zero (unset) is omitted.
	EndLine int `json:"end_line,omitempty"`
	// EndColumn is the column where the range ends; zero (unset) is omitted.
	EndColumn int `json:"end_column,omitempty"`
}
FileRange represents a location in a source file
type Finding ¶
// Finding represents a single rule violation or observation produced by a
// check rule. Optional fields are set through the With* chaining methods.
type Finding struct {
	// RuleID is the unique identifier for the rule (e.g., "BC001").
	RuleID string `json:"rule_id"`
	// RuleName is the human-readable rule name (e.g., "required-input-added").
	RuleName string `json:"rule_name"`
	// Severity is the severity level of this finding.
	Severity Severity `json:"severity"`
	// Message is a short description of the finding.
	Message string `json:"message"`
	// Detail provides additional context about the finding (see WithDetail).
	Detail string `json:"detail,omitempty"`
	// OldLocation is the source location in the old config (nil if not applicable).
	OldLocation *FileRange `json:"old_location,omitempty"`
	// NewLocation is the source location in the new config (nil if not applicable).
	NewLocation *FileRange `json:"new_location,omitempty"`
	// Ignored indicates if this finding was suppressed by an annotation.
	// The finding is still serialized, so report consumers must check this
	// flag rather than assume every listed finding is active.
	Ignored bool `json:"ignored"`
	// IgnoreReason is the reason provided in the ignore annotation. It is
	// presumably free text copied from the configuration under check, so
	// renderers should treat it as untrusted input and escape it for the
	// output format (HTML, terminal).
	IgnoreReason string `json:"ignore_reason,omitempty"`
	// Metadata contains rule-specific metadata for advanced processing.
	// Used by rename detection rules to store old/new names for suppression logic.
	Metadata map[string]string `json:"metadata,omitempty"`
	// Remediation provides guidance on how to fix this issue.
	// Only populated when the --include-remediation flag is set.
	Remediation string `json:"remediation,omitempty"`
}
Finding represents a single rule violation or observation
func NewFinding ¶
NewFinding creates a new Finding with the given parameters
func (*Finding) WithDetail ¶
WithDetail sets the detail field and returns the finding for chaining
func (*Finding) WithMetadata ¶
WithMetadata sets metadata and returns the finding for chaining
func (*Finding) WithNewLocation ¶
WithNewLocation sets the new location and returns the finding for chaining
func (*Finding) WithOldLocation ¶
WithOldLocation sets the old location and returns the finding for chaining
func (*Finding) WithRemediation ¶
WithRemediation sets the remediation text and returns the finding for chaining
type ModuleCallSignature ¶
// ModuleCallSignature represents the signature of a Terraform module call
// (a `module "name" { ... }` block) as extracted into a ModuleSnapshot.
type ModuleCallSignature struct {
	// Name is the module call name.
	Name string `json:"name"`
	// Source is the module source.
	Source string `json:"source"`
	// Version is the module version constraint; empty when none is declared.
	Version string `json:"version,omitempty"`
	// Address is the full module address (e.g., "module.vpc"); this is the
	// form IsModuleAddress recognizes.
	Address string `json:"address"`
	// DeclRange is the source location of the declaration. Note the JSON
	// key is "pos", not "decl_range".
	DeclRange FileRange `json:"pos"`
}
ModuleCallSignature represents the signature of a Terraform module call
type ModuleSnapshot ¶
// ModuleSnapshot represents the extracted signature of a Terraform module:
// the variables, outputs, resources, module calls and moved blocks it
// declares, plus its version requirements. Build one with NewModuleSnapshot,
// which presumably initializes the maps so they can be written to directly —
// confirm before relying on that with a zero-value ModuleSnapshot.
type ModuleSnapshot struct {
	// Path is the directory path of the module.
	Path string `json:"path"`
	// Variables maps variable names to their signatures.
	Variables map[string]*VariableSignature `json:"variables"`
	// Outputs maps output names to their signatures.
	Outputs map[string]*OutputSignature `json:"outputs"`
	// Resources maps resource addresses (type.name) to their signatures.
	Resources map[string]*ResourceSignature `json:"resources"`
	// Modules maps module call names to their signatures.
	Modules map[string]*ModuleCallSignature `json:"modules"`
	// MovedBlocks contains all moved block declarations.
	MovedBlocks []*MovedBlock `json:"moved_blocks"`
	// RequiredVersion is the terraform.required_version constraint; empty
	// when not declared.
	RequiredVersion string `json:"required_version,omitempty"`
	// RequiredProviders maps provider names to their requirements; omitted
	// from JSON when empty.
	RequiredProviders map[string]*ProviderRequirement `json:"required_providers,omitempty"`
}
ModuleSnapshot represents the extracted signature of a Terraform module
func NewModuleSnapshot ¶
func NewModuleSnapshot(path string) *ModuleSnapshot
NewModuleSnapshot creates a new empty ModuleSnapshot
type MovedBlock ¶
// MovedBlock represents a Terraform moved block, which records that the
// object at From is now addressed as To.
type MovedBlock struct {
	// From is the source address (presumably a resource or module address;
	// see IsResourceAddress/IsModuleAddress).
	From string `json:"from"`
	// To is the destination address.
	To string `json:"to"`
	// DeclRange is the source location of the declaration (JSON key "pos").
	DeclRange FileRange `json:"pos"`
}
MovedBlock represents a Terraform moved block
type OutputSignature ¶
// OutputSignature represents the signature of a Terraform output.
type OutputSignature struct {
	// Name is the output name.
	Name string `json:"name"`
	// Description is the output description; empty when none is declared.
	Description string `json:"description,omitempty"`
	// Sensitive indicates if the output is marked sensitive. Because of
	// omitempty a false value is dropped from JSON, so readers must treat
	// an absent key as false.
	Sensitive bool `json:"sensitive,omitempty"`
	// DeclRange is the source location of the declaration (JSON key "pos").
	DeclRange FileRange `json:"pos"`
}
OutputSignature represents the signature of a Terraform output
type ProviderRequirement ¶
// ProviderRequirement represents a provider version requirement from a
// terraform.required_providers entry. Both fields are optional in JSON.
type ProviderRequirement struct {
	// Source is the provider source (e.g., "hashicorp/aws").
	Source string `json:"source,omitempty"`
	// Version is the version constraint.
	Version string `json:"version,omitempty"`
}
ProviderRequirement represents a provider version requirement
type ResourceSignature ¶
// ResourceSignature represents the signature of a Terraform resource.
type ResourceSignature struct {
	// Type is the resource type (e.g., "aws_s3_bucket").
	Type string `json:"type"`
	// Name is the resource name (e.g., "main").
	Name string `json:"name"`
	// Address is the full resource address (e.g., "aws_s3_bucket.main"),
	// presumably Type + "." + Name; this is the form IsResourceAddress
	// recognizes and the key used in ModuleSnapshot.Resources.
	Address string `json:"address"`
	// DeclRange is the source location of the declaration (JSON key "pos").
	DeclRange FileRange `json:"pos"`
}
ResourceSignature represents the signature of a Terraform resource
type Severity ¶
// Severity represents the severity level of a finding. It is an int
// internally but has custom MarshalJSON/UnmarshalJSON methods, so its JSON
// form is presumably the level's name rather than the number (see
// ParseSeverity) — confirm before comparing raw JSON values.
type Severity int
Severity represents the severity level of a finding
func ParseSeverity ¶
ParseSeverity parses a string into a Severity
func (Severity) MarshalJSON ¶
MarshalJSON implements json.Marshaler
func (*Severity) UnmarshalJSON ¶
UnmarshalJSON implements json.Unmarshaler
type Summary ¶
// Summary contains counts of findings by severity. It is populated by
// CheckResult.Compute.
type Summary struct {
	// Error is the number of findings at error severity.
	Error int `json:"error"`
	// Warning is the number of findings at warning severity.
	Warning int `json:"warning"`
	// Notice is the number of findings at notice severity.
	Notice int `json:"notice"`
	// Ignored is the number of findings suppressed by an annotation
	// (Finding.Ignored).
	Ignored int `json:"ignored"`
	// Total is the overall finding count. NOTE(review): whether ignored
	// findings are included in Total and in the per-severity counts is not
	// stated here — confirm in Compute.
	Total int `json:"total"`
}
Summary contains counts of findings by severity
type ValidationBlock ¶
// ValidationBlock represents a validation block on a variable.
type ValidationBlock struct {
	// Condition is the raw condition expression as a string (not evaluated).
	Condition string `json:"condition"`
	// ErrorMessage is the error message shown when validation fails; empty
	// when none is declared.
	ErrorMessage string `json:"error_message,omitempty"`
}
ValidationBlock represents a validation block on a variable
type VariableSignature ¶
// VariableSignature represents the signature of a Terraform variable.
type VariableSignature struct {
	// Name is the variable name.
	Name string `json:"name"`
	// Type is the normalized type expression (e.g., "string", "list(string)").
	Type string `json:"type,omitempty"`
	// Default is the JSON-serialized default value, nil if no default.
	// NOTE(review): it is emitted regardless of Sensitive, so a persisted
	// snapshot can carry a sensitive variable's default value — confirm
	// that callers redact it or avoid storing such snapshots.
	Default interface{} `json:"default,omitempty"`
	// Description is the variable description.
	Description string `json:"description,omitempty"`
	// Sensitive indicates if the variable is marked sensitive. A false value
	// is dropped from JSON (omitempty), so readers must treat absence as false.
	Sensitive bool `json:"sensitive,omitempty"`
	// Nullable indicates if the variable accepts null values.
	// nil means unspecified (defaults to true in Terraform 1.1+).
	// Pointer is used to distinguish unset from explicit false; use
	// IsNullable to get the effective value.
	Nullable *bool `json:"nullable,omitempty"`
	// Required is true if the variable has no default value (see HasDefault).
	Required bool `json:"required"`
	// ValidationCount is the number of validation blocks on this variable;
	// presumably equals len(Validations) — confirm.
	ValidationCount int `json:"validation_count,omitempty"`
	// Validations contains the validation blocks for this variable.
	Validations []ValidationBlock `json:"validations,omitempty"`
	// DeclRange is the source location of the declaration (JSON key "pos").
	DeclRange FileRange `json:"pos"`
}
VariableSignature represents the signature of a Terraform variable
func (*VariableSignature) HasDefault ¶
func (v *VariableSignature) HasDefault() bool
HasDefault returns true if the variable has a default value
func (*VariableSignature) IsNullable ¶
func (v *VariableSignature) IsNullable() bool
IsNullable returns the effective nullable value: true if Nullable is nil (the Terraform 1.1+ default) or explicitly true, false otherwise.