policy

package

v0.8.0 Latest Latest Go to latest Published: May 20, 2026 License: MIT Imports: 5 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kontext-security/kontext-cli

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func PolicyHash(cfg Config, rulePack string) string
type Config
- func DefaultConfig() Config
- func (c Config) Validate() error
type Decision
type Engine
- func NewEngine(pack RulePack) Engine
- func (e Engine) Evaluate(event risk.RiskEvent, cfg Config) Result
type Profile
type Result
type Rule
type RuleCategory
type RulePack
- func DefaultRulePack() RulePack
type Stage

Constants ¶

View Source

const (
	DefaultPolicyVersion = "guard-policy-v1"
	DefaultRulePackID    = "guard-default"
)

Variables ¶

This section is empty.

Functions ¶

func PolicyHash ¶ added in v0.8.0

func PolicyHash(cfg Config, rulePack string) string

Types ¶

type Config ¶

type Config struct {
	Version            string  `json:"version"`
	Profile            Profile `json:"profile"`
	RulePack           string  `json:"rule_pack"`
	NonBypassableRules *bool   `json:"non_bypassable_rules,omitempty"`
}

func DefaultConfig ¶

func DefaultConfig() Config

func (Config) Validate ¶

func (c Config) Validate() error

type Decision ¶

type Decision string

const (
	DecisionAllow Decision = "allow"
	DecisionDeny  Decision = "deny"
)

type Engine ¶

type Engine struct {
	// contains filtered or unexported fields
}

func NewEngine ¶

func NewEngine(pack RulePack) Engine

func (Engine) Evaluate ¶

func (e Engine) Evaluate(event risk.RiskEvent, cfg Config) Result

type Profile ¶

type Profile string

const (
	ProfileRelaxed  Profile = "relaxed"
	ProfileBalanced Profile = "balanced"
	ProfileStrict   Profile = "strict"
)

type Result ¶

type Result struct {
	Decision       Decision     `json:"decision"`
	Stage          Stage        `json:"stage"`
	Matched        bool         `json:"matched"`
	RuleID         string       `json:"rule_id,omitempty"`
	Category       RuleCategory `json:"category,omitempty"`
	Profile        Profile      `json:"profile"`
	PolicyVersion  string       `json:"policy_version"`
	PolicyHash     string       `json:"policy_hash"`
	RulePack       string       `json:"rule_pack"`
	ReasonCode     string       `json:"reason_code"`
	Reason         string       `json:"reason"`
	NonBypassable  bool         `json:"non_bypassable"`
	MatchedSignals []string     `json:"matched_signals,omitempty"`
}

type Rule ¶

type Rule struct {
	ID             string
	Category       RuleCategory
	ReasonCode     string
	Reason         string
	NonBypassable  bool
	MatchedSignals []string
	When           func(risk.RiskEvent) bool
}

type RuleCategory ¶

type RuleCategory string

const (
	CategoryCredentialAccess              RuleCategory = "credential_access"
	CategoryDirectInfraAPIWithCredentials RuleCategory = "direct_infra_api_with_credentials"
	CategoryDestructivePersistentResource RuleCategory = "destructive_persistent_resource"
	CategoryProductionMutation            RuleCategory = "production_mutation"
	CategoryUnknownHighRiskCommand        RuleCategory = "unknown_high_risk_command"
	CategoryManagedTool                   RuleCategory = "managed_tool"
	CategorySourceControlWrite            RuleCategory = "source_control_write"
	CategoryProviderAPICall               RuleCategory = "provider_api_call"
)

type RulePack ¶

type RulePack struct {
	ID      string
	Version string
	Rules   []Rule
}

func DefaultRulePack ¶

func DefaultRulePack() RulePack

type Stage ¶

type Stage string

const (
	StageDeterministic Stage = "deterministic"
)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL