Documentation
Overview ¶
Package scanprofile defines the ScanProfile domain entity for reusable scan configurations.
Index ¶
- type Filter
- type FindingCounts
- type GateBreach
- type Intensity
- type QualityGate
- type QualityGateResult
- type Repository
- type ScanProfile
- func (p *ScanProfile) BelongsToTenant(tenantID shared.ID) bool
- func (p *ScanProfile) CanDelete() error
- func (p *ScanProfile) CanManage(tenantID shared.ID) error
- func (p *ScanProfile) Clone(newName string, createdBy *shared.ID) (*ScanProfile, error)
- func (p *ScanProfile) DisableTool(tool string) error
- func (p *ScanProfile) EnableTool(tool string, config ToolConfig) error
- func (p *ScanProfile) GetEnabledTools() []string
- func (p *ScanProfile) GetToolConfig(tool string) (ToolConfig, bool)
- func (p *ScanProfile) HasTool(tool string) bool
- func (p *ScanProfile) IsSystemProfile() bool
- func (p *ScanProfile) SetAsDefault()
- func (p *ScanProfile) UnsetDefault()
- func (p *ScanProfile) Update(name string, description string, toolsConfig map[string]ToolConfig, ...) error
- func (p *ScanProfile) UpdateQualityGate(gate QualityGate) error
- type Severity
- type TemplateMode
- type ToolConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Filter ¶
type Filter struct {
	// TenantID restricts results to one tenant. NOTE(review): Repository.List
	// takes only this Filter (no separate tenantID argument), so a nil
	// TenantID presumably lists profiles across tenants — request handlers
	// serving a tenant should always set it; confirm against the implementation.
	TenantID *shared.ID
	// IsDefault, when non-nil, matches only profiles whose default flag equals it.
	IsDefault *bool
	// IsSystem, when non-nil, matches only system (true) or tenant (false) profiles.
	IsSystem *bool
	// Tags to match; whether a profile must carry any or all of them is not defined here.
	Tags []string
	// Search is free text supplied by the caller. NOTE(review): the persistence
	// layer must bind it as a query parameter (and escape LIKE wildcards if used
	// in a pattern) rather than interpolate it into SQL.
	Search string
}
Filter represents filter options for listing scan profiles.
type FindingCounts ¶
type FindingCounts struct {
	Critical int `json:"critical"`
	High     int `json:"high"`
	Medium   int `json:"medium"`
	Low      int `json:"low"`
	Info     int `json:"info"`
	// Total is a stored field, not derived: nothing in this type enforces
	// that it equals the sum of the per-severity counts, so the producer is
	// responsible for keeping them consistent. Presumably QualityGate.MaxTotal
	// is evaluated against this field — verify in Evaluate.
	Total int `json:"total"`
}
FindingCounts holds the count of findings by severity.
type GateBreach ¶
type GateBreach struct {
	// Metric names the breached threshold: "critical", "high", "medium", "total".
	// How a FailOnCritical/FailOnHigh trigger is reported (its Metric and Limit)
	// is not visible from this declaration.
	Metric string `json:"metric"` // "critical", "high", "medium", "total"
	// Limit is the configured maximum for Metric.
	Limit int `json:"limit"`
	// Actual is the observed count that exceeded Limit.
	Actual int `json:"actual"`
}
GateBreach represents a single threshold violation.
type QualityGate ¶
type QualityGate struct {
	// Enabled turns evaluation on; a disabled gate presumably always passes — confirm in Evaluate.
	Enabled bool `json:"enabled"`
	// FailOnCritical/FailOnHigh short-circuit: any finding of that severity fails
	// the gate regardless of the Max* thresholds below.
	FailOnCritical bool `json:"fail_on_critical"` // Fail immediately if any critical finding
	FailOnHigh     bool `json:"fail_on_high"`     // Fail immediately if any high finding
	// Max* thresholds: -1 means unlimited, so 0 is a strict "none allowed"
	// and must not be confused with "unset". Values below -1 have no defined
	// meaning here; the setter (UpdateQualityGate returns an error) is the
	// natural place to reject them — verify it does.
	MaxCritical int `json:"max_critical"` // Maximum allowed critical findings (-1 = unlimited)
	MaxHigh     int `json:"max_high"`     // Maximum allowed high findings (-1 = unlimited)
	MaxMedium   int `json:"max_medium"`   // Maximum allowed medium findings (-1 = unlimited)
	MaxTotal    int `json:"max_total"`    // Maximum allowed total findings (-1 = unlimited)
	// NewFindingsOnly/BaselineBranch describe a baseline comparison, but
	// Evaluate receives only a FindingCounts — so the "new vs. baseline"
	// filtering has to be applied by the caller before Evaluate is invoked.
	// NOTE(review): when NewFindingsOnly is set, pre-existing findings never
	// fail the gate; that is the intended trade-off, but it should be a
	// deliberate, visible choice in CI configuration. BaselineBranch is
	// tenant-supplied text — validate it before it reaches any VCS command.
	NewFindingsOnly bool   `json:"new_findings_only,omitempty"` // Only count new findings (not in baseline)
	BaselineBranch  string `json:"baseline_branch,omitempty"`   // Branch to compare against for new findings
}
QualityGate defines thresholds for CI/CD pass/fail decisions. When enabled, scan results are evaluated against these thresholds to determine if the scan passes quality requirements.
func NewQualityGate ¶
func NewQualityGate() QualityGate
NewQualityGate creates a QualityGate with default values (disabled).
func (*QualityGate) Evaluate ¶
func (g *QualityGate) Evaluate(counts FindingCounts) *QualityGateResult
Evaluate checks if the given finding counts pass the quality gate. Returns a QualityGateResult with pass/fail status and any breaches. Because Evaluate receives only a FindingCounts, it cannot itself apply the NewFindingsOnly/BaselineBranch comparison; when those are set, the caller must diff against the baseline and pass the resulting (new-only) counts.
type QualityGateResult ¶
type QualityGateResult struct {
	// Passed is the overall CI/CD decision.
	Passed bool `json:"passed"`
	// Reason is a human-readable explanation; omitted from JSON when empty.
	Reason string `json:"reason,omitempty"`
	// Breaches lists every threshold that was exceeded; omitted when the gate passed
	// (or was not evaluated).
	Breaches []GateBreach `json:"breaches,omitempty"`
	// Counts echoes the input the decision was made on, so a consumer can audit
	// the result without re-running the scan.
	Counts FindingCounts `json:"counts"`
}
QualityGateResult represents the result of evaluating findings against a quality gate.
type Repository ¶
type Repository interface {
	// Create creates a new scan profile.
	Create(ctx context.Context, profile *ScanProfile) error
	// GetByID retrieves a scan profile by ID.
	// NOTE(review): this lookup has no tenant scope and will return another
	// tenant's profile for a guessed/leaked ID. Request handlers should use
	// GetAccessibleByID/GetByTenantAndID, or check BelongsToTenant/CanManage
	// on the result before acting on it.
	GetByID(ctx context.Context, id shared.ID) (*ScanProfile, error)
	// GetByTenantAndID retrieves a scan profile by tenant and ID.
	GetByTenantAndID(ctx context.Context, tenantID, id shared.ID) (*ScanProfile, error)
	// GetAccessibleByID retrieves a scan profile by ID if accessible to the tenant.
	// Accessible profiles are: own tenant profiles OR system profiles (tenant_id IS NULL).
	// Enforces tenant isolation at the SQL layer (defense-in-depth).
	GetAccessibleByID(ctx context.Context, tenantID, id shared.ID) (*ScanProfile, error)
	// GetByTenantAndName retrieves a scan profile by tenant and name.
	GetByTenantAndName(ctx context.Context, tenantID shared.ID, name string) (*ScanProfile, error)
	// GetDefaultByTenant retrieves the default scan profile for a tenant.
	GetDefaultByTenant(ctx context.Context, tenantID shared.ID) (*ScanProfile, error)
	// List lists scan profiles with filters and pagination.
	// The tenant scope comes solely from filter.TenantID; see Filter.
	List(ctx context.Context, filter Filter, page pagination.Pagination) (pagination.Result[*ScanProfile], error)
	// ListWithSystemProfiles lists tenant profiles AND system profiles.
	// Returns both tenant-specific profiles and system profiles (marked with is_system=true).
	ListWithSystemProfiles(ctx context.Context, tenantID shared.ID, filter Filter, page pagination.Pagination) (pagination.Result[*ScanProfile], error)
	// GetByIDWithSystemFallback retrieves a profile by ID, checking both tenant and system profiles.
	// This allows tenants to reference system profiles for use in scans.
	// NOTE(review): the documented contract is the same as GetAccessibleByID's
	// ("own tenant or system profile"); if the implementations differ, the
	// difference should be stated here, otherwise one of the two should go.
	GetByIDWithSystemFallback(ctx context.Context, tenantID, id shared.ID) (*ScanProfile, error)
	// Update updates a scan profile.
	// Ownership is not re-checked here: callers must run ScanProfile.CanManage
	// (which rejects system profiles and other tenants' profiles) before calling.
	Update(ctx context.Context, profile *ScanProfile) error
	// Delete deletes a scan profile.
	// NOTE(review): keyed by ID only, with no tenant parameter — exposing this
	// without a prior CanManage/CanDelete check on a tenant-scoped load would
	// let one tenant delete another's (or a system) profile.
	Delete(ctx context.Context, id shared.ID) error
	// ClearDefaultForTenant clears the default flag for all profiles in a tenant.
	// Presumably paired with SetAsDefault + Update; unless both run in one
	// transaction a concurrent caller can leave the tenant with zero or two
	// defaults — confirm how the implementation handles this.
	ClearDefaultForTenant(ctx context.Context, tenantID shared.ID) error
	// CountByTenant counts the number of profiles for a tenant.
	CountByTenant(ctx context.Context, tenantID shared.ID) (int64, error)
}
Repository defines the interface for scan profile persistence.
type ScanProfile ¶
type ScanProfile struct {
	ID shared.ID
	// TenantID owns the profile. System profiles are stored with tenant_id NULL,
	// so for them this non-pointer field presumably holds the zero ID — use
	// IsSystemProfile/BelongsToTenant rather than comparing TenantID directly.
	TenantID shared.ID
	Name        string
	Description string
	// IsDefault marks the tenant's default profile; only one per tenant is
	// expected (see Repository.ClearDefaultForTenant), but that is not
	// enforced by this type.
	IsDefault bool
	// IsSystem marks a platform-provided profile; such profiles cannot be
	// edited or deleted by tenants and must be cloned first (see CanManage).
	IsSystem bool
	// ToolsConfig maps tool name -> configuration; see ToolConfig for the
	// trust boundary on its contents.
	ToolsConfig map[string]ToolConfig
	Intensity   Intensity
	// MaxConcurrentScans/TimeoutSeconds are tenant-controlled resource limits;
	// range validation is presumably done in NewScanProfile/Update (both return
	// an error) — confirm that zero and negative values are rejected there.
	MaxConcurrentScans int
	TimeoutSeconds     int
	Tags               []string
	// Metadata is opaque, tenant-supplied data with no schema defined here;
	// treat its contents as untrusted when rendering or passing them on.
	Metadata map[string]any
	QualityGate QualityGate // Quality gate thresholds for CI/CD pass/fail
	// CreatedBy is nil when no user is associated (e.g. system profiles — to confirm).
	CreatedBy *shared.ID
	CreatedAt time.Time
	UpdatedAt time.Time
}
ScanProfile represents a reusable scan configuration.
func NewScanProfile ¶
func NewScanProfile( tenantID shared.ID, name string, description string, toolsConfig map[string]ToolConfig, intensity Intensity, createdBy *shared.ID, ) (*ScanProfile, error)
NewScanProfile creates a new ScanProfile entity.
func (*ScanProfile) BelongsToTenant ¶
func (p *ScanProfile) BelongsToTenant(tenantID shared.ID) bool
BelongsToTenant checks if this profile belongs to the specified tenant.
func (*ScanProfile) CanDelete ¶
func (p *ScanProfile) CanDelete() error
CanDelete checks if the profile can be deleted.
func (*ScanProfile) CanManage ¶
func (p *ScanProfile) CanManage(tenantID shared.ID) error
CanManage checks if the given tenant can manage (edit/delete) this profile. System profiles cannot be managed; they must be cloned first. Tenants can only manage profiles they own.
func (*ScanProfile) Clone ¶
func (p *ScanProfile) Clone(newName string, createdBy *shared.ID) (*ScanProfile, error)
Clone creates a copy of this profile with a new name.
func (*ScanProfile) DisableTool ¶
func (p *ScanProfile) DisableTool(tool string) error
DisableTool disables a tool.
func (*ScanProfile) EnableTool ¶
func (p *ScanProfile) EnableTool(tool string, config ToolConfig) error
EnableTool enables a tool with the given configuration.
func (*ScanProfile) GetEnabledTools ¶
func (p *ScanProfile) GetEnabledTools() []string
GetEnabledTools returns a list of enabled tool names.
func (*ScanProfile) GetToolConfig ¶
func (p *ScanProfile) GetToolConfig(tool string) (ToolConfig, bool)
GetToolConfig returns the configuration for a specific tool.
func (*ScanProfile) HasTool ¶
func (p *ScanProfile) HasTool(tool string) bool
HasTool checks if a tool is enabled in this profile.
func (*ScanProfile) IsSystemProfile ¶
func (p *ScanProfile) IsSystemProfile() bool
IsSystemProfile returns true if this is a platform-provided system profile.
func (*ScanProfile) SetAsDefault ¶
func (p *ScanProfile) SetAsDefault()
SetAsDefault marks this profile as the default for the tenant.
func (*ScanProfile) UnsetDefault ¶
func (p *ScanProfile) UnsetDefault()
UnsetDefault removes the default flag.
func (*ScanProfile) Update ¶
func (p *ScanProfile) Update( name string, description string, toolsConfig map[string]ToolConfig, intensity Intensity, maxConcurrentScans int, timeoutSeconds int, tags []string, ) error
Update updates the scan profile properties.
func (*ScanProfile) UpdateQualityGate ¶
func (p *ScanProfile) UpdateQualityGate(gate QualityGate) error
UpdateQualityGate updates the quality gate configuration.
type TemplateMode ¶
// TemplateMode is a string enum; accept values from external input only after IsValid.
type TemplateMode string
TemplateMode represents the mode for using scanner templates.
// Valid TemplateMode values. Any other string is rejected by IsValid.
const (
	// TemplateModeDefault uses only the tool's built-in/official templates.
	TemplateModeDefault TemplateMode = "default"
	// TemplateModeCustom uses only tenant-uploaded custom templates.
	TemplateModeCustom TemplateMode = "custom"
	// TemplateModeBoth runs both default and custom templates together.
	TemplateModeBoth TemplateMode = "both"
)
func (TemplateMode) IsValid ¶
func (m TemplateMode) IsValid() bool
IsValid checks if the template mode is valid.
type ToolConfig ¶
type ToolConfig struct {
	Enabled bool `json:"enabled"`
	// Severity is a free-form string here even though the package index lists
	// a Severity type; NOTE(review): consider using that type (or validating
	// against it) so an unrecognised value cannot silently disable filtering.
	Severity string `json:"severity,omitempty"` // Minimum severity to report
	// Timeout in seconds; an upper bound is not enforced by this type.
	Timeout int `json:"timeout,omitempty"` // Timeout in seconds
	// Options is tenant-supplied, tool-specific and unvalidated at this layer.
	// NOTE(review): whatever turns these into scanner flags or config must
	// allow-list keys and values — never build a command line or shell string
	// from them directly.
	Options map[string]any `json:"options,omitempty"` // Tool-specific options
	// TemplateMode should be checked with IsValid before use.
	TemplateMode TemplateMode `json:"template_mode,omitempty"` // "default", "custom", "both"
	// CustomTemplateIDs are opaque IDs chosen by the tenant. NOTE(review): the
	// component that resolves them must scope the lookup to the requesting
	// tenant, otherwise a guessed ID could pull in another tenant's templates.
	CustomTemplateIDs []string `json:"custom_template_ids,omitempty"` // IDs of custom templates to use
}
ToolConfig represents the configuration for a specific tool.