README
¶
OpenCTEM API
Backend API for the OpenCTEM Continuous Threat Exposure Management platform. Built with Go, PostgreSQL, and Redis using Clean Architecture (DDD).
Features
Asset Management (35 asset types)
- External Attack Surface: Domains, Subdomains, Certificates, IPs
- Applications: Websites, APIs, Mobile Apps, Services
- Cloud: Cloud Accounts, Compute, Storage, Serverless, Container Registry
- Infrastructure: Hosts, Containers, Databases, Networks, VPCs, K8s
- Identity: IAM Users, IAM Roles, Service Accounts
- Code: Git Repositories
- Recon: HTTP Services, Open Ports, Discovered URLs
Security & Findings
- Vulnerability management with severity-based prioritization
- CVSS scoring and exploit maturity tracking
- Finding lifecycle: Open > Confirmed > Fix Applied > Resolved
- AI-powered triage (Claude, OpenAI, Gemini)
- SLA policy enforcement with escalation
Scanning
- 30+ scanner integrations via Agent SDK (Nuclei, Trivy, Semgrep, Gitleaks, Nmap, etc.)
- Pipeline-based scan orchestration with multi-step workflows
- Platform agents with K8s-inspired lifecycle management
- Bootstrap token authentication for agent self-registration
Access Control
- 2-layer RBAC: Permissions (what you can DO) + Groups (what you can SEE)
- 126 granular permissions across all modules
- Real-time permission sync via Redis
- OAuth2 (Google, GitHub, Microsoft) + OIDC (Keycloak)
Integrations
- ITSM: Jira, Linear, Asana
- SCM: GitHub, GitLab (repository sync, credential import)
- Notifications: Slack, Teams, Telegram, Email, Webhooks
- Compliance: PCI-DSS, HIPAA, SOC2, GDPR, ISO27001, NIST, FedRAMP, CCPA
Observability
- Prometheus metrics (HTTP, Redis, Pipeline, Scan, Agent, Finding)
- Structured logging (slog)
- Audit logging with tenant isolation
Tech Stack
| Component | Technology |
|---|---|
| Language | Go 1.26+ |
| Router | Chi (net/http compatible) |
| Database | PostgreSQL 17 |
| Cache/Queue | Redis 7 (Asynq) |
| Auth | JWT (local) / OAuth2 / OIDC |
| Metrics | Prometheus client_golang |
| Encryption | AES-256-GCM |
Project Structure
api/
├── cmd/
│ ├── server/ # Main API server
│ └── openctem-admin/ # Admin CLI tool
├── internal/
│ ├── app/ # Application services (business logic, 40+ services)
│ ├── config/ # Configuration loading
│ └── infra/ # Infrastructure adapters
│ ├── http/ # Handlers (200+ endpoints), middleware, routes
│ ├── postgres/ # Repository implementations (30+ repos)
│ ├── redis/ # Cache, sessions, job queue
│ ├── notifier/ # Slack, Teams, Telegram, Email, Webhook
│ ├── llm/ # AI triage (Claude, OpenAI, Gemini)
│ ├── scm/ # GitHub, GitLab integration
│ ├── controller/ # Background jobs
│ └── telemetry/ # Tracing
├── pkg/
│ ├── domain/ # Domain models (35+ entities)
│ │ ├── asset/ # Asset entity, risk scoring, value objects
│ │ ├── vulnerability/ # Finding, approval, suppression
│ │ ├── scan/ # Scan orchestration
│ │ ├── agent/ # Platform agents, bootstrap tokens
│ │ ├── workflow/ # Workflow engine
│ │ ├── pipeline/ # Scan pipelines
│ │ └── ... # 25+ more domains
│ ├── jwt/ # Token generation/validation
│ ├── crypto/ # AES-256-GCM encryption
│ ├── validator/ # Input validation + SSRF protection
│ ├── password/ # bcrypt hashing
│ └── pagination/ # Cursor/offset pagination
├── migrations/ # 156 sequential migrations
├── tests/
│ ├── unit/ # Unit tests (100+ files)
│ ├── integration/ # Integration tests
│ └── repository/ # Repository tests
└── docs/ # Architecture docs
Quick Start
Prerequisites
- Go 1.26+
- Docker & Docker Compose
- PostgreSQL 17 (or use Docker)
- Redis 7 (or use Docker)
Development
# Start dependencies
docker compose up -d postgres redis
# Run with hot reload
make dev
# Or start everything
docker compose up
Production
# Set required environment variables
export DB_PASSWORD=<secure-password>
export REDIS_PASSWORD=<secure-password>
export AUTH_JWT_SECRET=<64-char-secret>
export APP_ENCRYPTION_KEY=$(openssl rand -hex 32)
export CORS_ALLOWED_ORIGINS=https://your-domain.com
# Start
docker compose -f docker-compose.prod.yml up -d
Verify
curl http://localhost:8080/health
# {"status":"healthy"}
curl http://localhost:8080/ready
# {"status":"ready","database":"ok","redis":"ok"}
Environment Variables
Required (Production)
| Variable | Description |
|---|---|
DB_PASSWORD |
PostgreSQL password |
REDIS_PASSWORD |
Redis password |
AUTH_JWT_SECRET |
JWT signing secret (min 64 chars) |
APP_ENCRYPTION_KEY |
AES-256 key (64 hex chars: openssl rand -hex 32) |
CORS_ALLOWED_ORIGINS |
Allowed CORS origins |
Optional
| Variable | Default | Description |
|---|---|---|
AUTH_PROVIDER |
local |
Auth provider: local, oidc, hybrid |
AUTH_ALLOW_REGISTRATION |
true |
Allow public registration. Set false in production — use invitation flow instead |
AI_PLATFORM_PROVIDER |
— | AI triage: claude, openai, gemini |
SMTP_ENABLED |
false |
Enable email notifications (required for invitations) |
RATE_LIMIT_RPS |
100 |
Rate limit (requests/second) |
LOG_LEVEL |
info |
Log level: debug, info, warn, error |
Production User Management
In production, disable public registration and use the invitation system:
AUTH_ALLOW_REGISTRATION=false # No public signup
SMTP_ENABLED=true # Required for invitation emails
Flow: Admin creates invitation → User receives email → User clicks link → Account created → User joins tenant.
# API: Create invitation (requires team:admin permission)
POST /api/v1/tenants/{tenant}/invitations
{"email": "user@company.com", "role_ids": ["00000000-0000-0000-0000-000000000003"]}
# System roles (pre-seeded, shared across all tenants):
# 00000000-...-000000000001 owner (full access)
# 00000000-...-000000000002 admin (all except team:delete)
# 00000000-...-000000000003 member (read/write, no delete)
# 00000000-...-000000000004 viewer (read-only)
# User accepts invitation via token link
POST /api/v1/invitations/{token}/accept
Per-Tenant SMTP
Each tenant can configure its own SMTP server for outgoing emails (invitations, notifications).
If not configured, the system-wide SMTP (SMTP_HOST, etc.) is used as fallback.
Setup via email integration:
POST /api/v1/integrations
{
"name": "Company Email",
"category": "notification",
"provider": "email",
"auth_type": "basic",
"metadata": {
"smtp_host": "smtp.company.com",
"smtp_port": 587,
"smtp_user": "noreply@company.com",
"smtp_password": "app-password",
"smtp_from": "noreply@company.com",
"smtp_from_name": "Security Team",
"smtp_tls": true
}
}
Resolution order:
- Tenant has active email integration → use tenant SMTP
- No tenant integration → use system SMTP (
SMTP_HOST,SMTP_PORT, etc.) - No system SMTP → emails skipped (logged as warning)
Credentials are encrypted at rest using AES-256-GCM.
Commands
make dev # Run with hot reload (Air)
make build # Build production binary
make test # Run all tests
make lint # Run golangci-lint (30 linters)
make fmt # Format code (goimports)
make migrate-up # Run database migrations
make migrate-down # Rollback last migration
make security-scan # Run security scan (semgrep + gitleaks + trivy)
API Endpoints (200+)
Core
| Method | Endpoint | Description |
|---|---|---|
| GET | /health |
Liveness check |
| GET | /ready |
Readiness check (DB + Redis) |
| GET | /metrics |
Prometheus metrics |
| GET | /docs |
API documentation |
Assets
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/assets |
List assets (paginated, 10+ filters) |
| POST | /api/v1/assets |
Create asset |
| GET | /api/v1/assets/{id} |
Get asset (tenant-scoped) |
| PUT | /api/v1/assets/{id} |
Update asset |
| DELETE | /api/v1/assets/{id} |
Delete asset |
| GET | /api/v1/assets/stats |
Aggregated statistics (SQL) |
| POST | /api/v1/assets/bulk/status |
Atomic bulk status update |
| POST | /api/v1/assets/{id}/scan |
Trigger scan |
Findings, Scans, Integrations, Compliance, Pentest, Workflows...
See /docs endpoint for complete OpenAPI documentation.
Platform Agents
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/platform/register |
Agent self-registration |
| PUT | /api/v1/platform/lease |
Renew agent lease |
| POST | /api/v1/platform/poll |
Long-poll for jobs |
| POST | /api/v1/platform/jobs/{id}/result |
Submit job results |
Deployment
Docker Compose
# 1. Go to setup directory
cd ../setup
# 2. Initialize environment files
make init-prod
# 3. Generate secrets and update .env files
make generate-secrets
# Update all <CHANGE_ME> values in .env.*.prod files
# 4. Setup SSL (self-signed or Let's Encrypt)
make auto-ssl
# 5. Start production
make prod-up
# 6. Create first admin user
make bootstrap-admin-prod email=admin@example.com
Kubernetes (Helm)
# 1. Create namespace and secrets
kubectl create namespace openctem
kubectl create secret generic openctem-api-secrets \
--namespace openctem \
--from-literal=AUTH_JWT_SECRET=$(openssl rand -base64 48) \
--from-literal=APP_ENCRYPTION_KEY=$(openssl rand -hex 32) \
--from-literal=DB_USER=openctem \
--from-literal=DB_PASSWORD=$(openssl rand -hex 24) \
--from-literal=DB_NAME=openctem
kubectl create secret generic openctem-db-secrets \
--namespace openctem \
--from-literal=username=openctem \
--from-literal=password=<same-db-password>
kubectl create secret generic openctem-redis-secrets \
--namespace openctem \
--from-literal=password=$(openssl rand -hex 24)
# 2. Install with bootstrap admin (first-time only)
helm install openctem ../setup/kubernetes/helm/openctem \
--namespace openctem \
--set bootstrapAdmin.enabled=true \
--set bootstrapAdmin.email=admin@example.com \
--set ingress.hosts[0].host=openctem.yourdomain.com
# 3. Get the admin API key (shown once — save it!)
kubectl logs job/openctem-bootstrap-admin -n openctem
Bootstrap Admin (First-time Setup)
The first admin user must be created via CLI — there is no default account.
Docker Compose:
make bootstrap-admin-prod email=admin@example.com role=super_admin
Kubernetes (during helm install):
helm install openctem ./openctem \
--set bootstrapAdmin.enabled=true \
--set bootstrapAdmin.email=admin@example.com
Kubernetes (after install):
kubectl exec -it deploy/openctem-api -n openctem -- \
/app/bootstrap-admin -email=admin@example.com
Standalone binary:
./bootstrap-admin \
-db="postgres://user:pass@host:5432/openctem?sslmode=require" \
-email=admin@example.com \
-role=super_admin
| Flag | Env Var | Description |
|---|---|---|
-db |
DATABASE_URL or DB_HOST/DB_USER/DB_PASSWORD/DB_NAME |
Database connection |
-email |
ADMIN_EMAIL |
Admin email (required) |
-name |
ADMIN_NAME |
Display name (defaults to email prefix) |
-role |
— | super_admin, ops_admin, viewer |
-api-key |
BOOTSTRAP_ADMIN_KEY |
Use specific key (auto-generated if empty) |
-force |
— | Overwrite existing admin with same email |
Security
- SSRF protection on all URL inputs (webhooks, integrations, template sources)
- OAuth redirect URI whitelist validation
- Command injection prevention in scan executors (ExtraArgs validation)
- Tenant isolation on all 200+ endpoints (WHERE tenant_id = ?)
- Password reset token single-use enforcement
- X-Forwarded header injection prevention
- AES-256-GCM credential encryption
- bcrypt password hashing (cost=12)
- Constant-time token comparison
- Rate limiting on all endpoints
License
MIT License - See LICENSE file for details.
Legal
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
bootstrap-admin
command
Package main provides a CLI tool to create the first admin user.
|
Package main provides a CLI tool to create the first admin user. |
|
bootstrap-tenant
command
Package main provides a CLI tool to create the first tenant with an owner user.
|
Package main provides a CLI tool to create the first tenant with an owner user. |
|
encrypt-credentials
command
Command encrypt-credentials encrypts existing plaintext credentials in the database.
|
Command encrypt-credentials encrypts existing plaintext credentials in the database. |
|
gen-relationships
command
Command gen-relationships reads configs/relationship-types.yaml and emits generated source files for both the Go backend and the TypeScript frontend.
|
Command gen-relationships reads configs/relationship-types.yaml and emits generated source files for both the Go backend and the TypeScript frontend. |
|
openctem-admin
command
|
|
|
seed
command
|
|
|
server
command
|
|
|
internal
|
|
|
app
Package app provides adapters for connecting services to sub-packages.
|
Package app provides adapters for connecting services to sub-packages. |
|
app/connector
Package connector defines the common contract for cloud / infra asset-inventory connectors (AWS, GCP, Azure, Kubernetes, git-host).
|
Package connector defines the common contract for cloud / infra asset-inventory connectors (AWS, GCP, Azure, Kubernetes, git-host). |
|
app/ingest
Package ingest provides unified ingestion of assets and findings from various formats.
|
Package ingest provides unified ingestion of assets and findings from various formats. |
|
app/ioc
Package ioc wires Indicators of Compromise to the runtime telemetry stream.
|
Package ioc wires Indicators of Compromise to the runtime telemetry stream. |
|
app/pipeline
Package pipeline provides adapters to bridge app types with pipeline interfaces.
|
Package pipeline provides adapters to bridge app types with pipeline interfaces. |
|
app/reclassify
Package reclassify provides the runtime glue that connects priority-change producers (threat-intel refresh, control CRUD, rule CRUD) to the PriorityReclassifyController's queue/Reclassifier contracts.
|
Package reclassify provides the runtime glue that connects priority-change producers (threat-intel refresh, control CRUD, rule CRUD) to the PriorityReclassifyController's queue/Reclassifier contracts. |
|
app/sla
Package sla is the app-layer for SLA policy & compliance.
|
Package sla is the app-layer for SLA policy & compliance. |
|
app/template
Package validators provides template validation for different scanner types.
|
Package validators provides template validation for different scanner types. |
|
app/validation
Package validation defines the Stage-4 contract: WHAT gets validated, WHAT counts as evidence, WHO gates it — but NOT HOW a technique runs.
|
Package validation defines the Stage-4 contract: WHAT gets validated, WHAT counts as evidence, WHO gates it — but NOT HOW a technique runs. |
|
infra/adapters
Package adapters provides a registry for scanner output adapters.
|
Package adapters provides a registry for scanner output adapters. |
|
infra/adapters/core
Package core provides the core interfaces and base implementations for the OpenCTEM Scanner SDK.
|
Package core provides the core interfaces and base implementations for the OpenCTEM Scanner SDK. |
|
infra/adapters/gitleaks
Package gitleaks provides an adapter to convert Gitleaks JSON output to CTIS.
|
Package gitleaks provides an adapter to convert Gitleaks JSON output to CTIS. |
|
infra/adapters/nuclei
Package nuclei provides an adapter to convert Nuclei JSONL output to CTIS.
|
Package nuclei provides an adapter to convert Nuclei JSONL output to CTIS. |
|
infra/adapters/recon
Package recon provides an adapter that turns recon-scanner output (subdomain enumeration, DNS, port scans, HTTP probes, URL crawling) into a CTIS Report, so recon tools plug into the same ingest path as vulnerability scanners.
|
Package recon provides an adapter that turns recon-scanner output (subdomain enumeration, DNS, port scans, HTTP probes, URL crawling) into a CTIS Report, so recon tools plug into the same ingest path as vulnerability scanners. |
|
infra/adapters/sarif
Package sarif provides an adapter to convert SARIF format to CTIS.
|
Package sarif provides an adapter to convert SARIF format to CTIS. |
|
infra/adapters/semgrep
Package semgrep provides an adapter to convert Semgrep JSON output to CTIS.
|
Package semgrep provides an adapter to convert Semgrep JSON output to CTIS. |
|
infra/adapters/trivy
Package trivy provides an adapter to convert Trivy JSON output to CTIS.
|
Package trivy provides an adapter to convert Trivy JSON output to CTIS. |
|
infra/adapters/vuls
Package vuls provides an adapter to convert Vuls JSON output to CTIS.
|
Package vuls provides an adapter to convert Vuls JSON output to CTIS. |
|
infra/controller
Package controller implements K8s-style reconciliation loop controllers for self-healing background operations.
|
Package controller implements K8s-style reconciliation loop controllers for self-healing background operations. |
|
infra/fetchers
Package fetchers provides template fetching from various sources (Git, S3, HTTP).
|
Package fetchers provides template fetching from various sources (Git, S3, HTTP). |
|
infra/http/handler
Package handler provides HTTP handlers for the API server.
|
Package handler provides HTTP handlers for the API server. |
|
infra/http/middleware
Package middleware provides HTTP middleware for the API server.
|
Package middleware provides HTTP middleware for the API server. |
|
infra/http/routes
Package routes registers all HTTP routes for the API.
|
Package routes registers all HTTP routes for the API. |
|
infra/jira
Package jira provides a REST API client for Jira Cloud/Server.
|
Package jira provides a REST API client for Jira Cloud/Server. |
|
infra/jobs
Package jobs provides background job definitions and handlers using Asynq.
|
Package jobs provides background job definitions and handlers using Asynq. |
|
infra/llm
Package llm provides abstractions for Large Language Model providers.
|
Package llm provides abstractions for Large Language Model providers. |
|
infra/notifier
Package notifier provides clients for sending notifications to various providers.
|
Package notifier provides clients for sending notifications to various providers. |
|
infra/redis
Package redis provides production-ready Redis integration for the OpenCTEM application.
|
Package redis provides production-ready Redis integration for the OpenCTEM application. |
|
infra/scm
Package scm provides client implementations for various SCM (Source Code Management) providers
|
Package scm provides client implementations for various SCM (Source Code Management) providers |
|
infra/storage
Package storage provides FileStorage implementations.
|
Package storage provides FileStorage implementations. |
|
infra/telemetry
Package telemetry exposes Prometheus metrics for every CTEM stage so the loop-closure SLOs in have real numbers to alert on.
|
Package telemetry exposes Prometheus metrics for every CTEM stage so the loop-closure SLOs in have real numbers to alert on. |
|
infra/websocket
Package websocket provides WebSocket infrastructure for real-time communication.
|
Package websocket provides WebSocket infrastructure for real-time communication. |
|
pkg
|
|
|
apierror
Package apierror provides standardized API error handling.
|
Package apierror provides standardized API error handling. |
|
app
Package app defines service interfaces for the application layer.
|
Package app defines service interfaces for the application layer. |
|
crypto
Package crypto provides encryption utilities for sensitive data.
|
Package crypto provides encryption utilities for sensitive data. |
|
domain/admin
Package admin defines the AdminUser domain entity for platform administration.
|
Package admin defines the AdminUser domain entity for platform administration. |
|
domain/agent
Package agent defines the Agent domain entity for scanner/collector/agent management.
|
Package agent defines the Agent domain entity for scanner/collector/agent management. |
|
domain/aitriage
Package aitriage provides domain entities for AI-powered vulnerability triage.
|
Package aitriage provides domain entities for AI-powered vulnerability triage. |
|
domain/assetgroup
Package asset_group provides domain models for asset group management.
|
Package asset_group provides domain models for asset group management. |
|
domain/attachment
Package attachment provides the domain model for file attachments.
|
Package attachment provides the domain model for file attachments. |
|
domain/businessunit
Package businessunit provides domain models for business unit management.
|
Package businessunit provides domain models for business unit management. |
|
domain/capability
Package capability defines the Capability domain entity.
|
Package capability defines the Capability domain entity. |
|
domain/command
Package command defines the Command domain entity for server-controlled agents.
|
Package command defines the Command domain entity for server-controlled agents. |
|
domain/compliance
Package compliance defines the Compliance Framework Mapping domain types.
|
Package compliance defines the Compliance Framework Mapping domain types. |
|
domain/component
Package component provides the component domain model for software dependencies.
|
Package component provides the component domain model for software dependencies. |
|
domain/credential
Package credential provides domain types for credential leak management.
|
Package credential provides domain types for credential leak management. |
|
domain/identityprovider
Package identityprovider provides the domain model for tenant-scoped identity provider configurations (Entra ID, Okta, Google Workspace, etc.).
|
Package identityprovider provides the domain model for tenant-scoped identity provider configurations (Entra ID, Okta, Google Workspace, etc.). |
|
domain/ioc
Package ioc — Indicators of Compromise.
|
Package ioc — Indicators of Compromise. |
|
domain/outbox
Package outbox provides domain entities for the notification outbox system.
|
Package outbox provides domain entities for the notification outbox system. |
|
domain/pentest
Package pentest defines the Pentest Campaign Management domain types.
|
Package pentest defines the Pentest Campaign Management domain types. |
|
domain/permission
Package permission defines granular permissions for resource-based authorization.
|
Package permission defines granular permissions for resource-based authorization. |
|
domain/pipeline
Package pipeline defines the Pipeline domain entities for scan orchestration.
|
Package pipeline defines the Pipeline domain entities for scan orchestration. |
|
domain/relationship
Package relationship provides domain entities for relationship suggestions.
|
Package relationship provides domain entities for relationship suggestions. |
|
domain/remediation
Package remediation provides domain models for remediation campaign management.
|
Package remediation provides domain models for remediation campaign management. |
|
domain/reportschedule
Package reportschedule provides domain models for recurring report generation.
|
Package reportschedule provides domain models for recurring report generation. |
|
domain/role
Package role provides domain entities for role-based access control.
|
Package role provides domain entities for role-based access control. |
|
domain/rule
Package rule provides domain entities for rule management.
|
Package rule provides domain entities for rule management. |
|
domain/scan
Package scan defines the Scan domain entity and types.
|
Package scan defines the Scan domain entity and types. |
|
domain/scannertemplate
Package scanner_template defines the ScannerTemplate domain entity for custom scanner templates.
|
Package scanner_template defines the ScannerTemplate domain entity for custom scanner templates. |
|
domain/scanprofile
Package scanprofile defines the ScanProfile domain entity for reusable scan configurations.
|
Package scanprofile defines the ScanProfile domain entity for reusable scan configurations. |
|
domain/secretstore
Package credential defines the Credential domain entity for secure credential storage.
|
Package credential defines the Credential domain entity for secure credential storage. |
|
domain/shared
Package shared provides shared domain types and utilities.
|
Package shared provides shared domain types and utilities. |
|
domain/simulation
Package simulation provides domain models for Breach and Attack Simulation (BAS).
|
Package simulation provides domain models for Breach and Attack Simulation (BAS). |
|
domain/suppression
Package suppression provides domain logic for platform-controlled false positive management.
|
Package suppression provides domain logic for platform-controlled false positive management. |
|
domain/telemetry
Package telemetry defines the wire-format constants agents and the correlator share when reading runtime_telemetry_events.properties.
|
Package telemetry defines the wire-format constants agents and the correlator share when reading runtime_telemetry_events.properties. |
|
domain/templatesource
Package template_source defines the TemplateSource domain entity for managing external template sources.
|
Package template_source defines the TemplateSource domain entity for managing external template sources. |
|
domain/threatactor
Package threatactor provides domain models for threat actor intelligence.
|
Package threatactor provides domain models for threat actor intelligence. |
|
domain/threatintel
Package threatintel provides the threat intelligence domain model.
|
Package threatintel provides the threat intelligence domain model. |
|
domain/tool
Package tool defines the Tool domain entity for the tool registry.
|
Package tool defines the Tool domain entity for the tool registry. |
|
domain/toolcategory
Package toolcategory defines the ToolCategory domain entity.
|
Package toolcategory defines the ToolCategory domain entity. |
|
domain/user
Package user provides the user domain model.
|
Package user provides the user domain model. |
|
domain/vulnerability
Package vulnerability provides the vulnerability domain model.
|
Package vulnerability provides the vulnerability domain model. |
|
domain/workflow
Package workflow defines the Workflow domain entities for automation orchestration.
|
Package workflow defines the Workflow domain entities for automation orchestration. |
|
email
Package email provides email sending functionality using SMTP.
|
Package email provides email sending functionality using SMTP. |
|
httpsec
Package httpsec provides SSRF-safe URL validation and HTTP client construction.
|
Package httpsec provides SSRF-safe URL validation and HTTP client construction. |
|
jwt
Package jwt provides JWT token generation and validation utilities.
|
Package jwt provides JWT token generation and validation utilities. |
|
keycloak
Package keycloak provides Keycloak JWT token validation and claims extraction.
|
Package keycloak provides Keycloak JWT token validation and claims extraction. |
|
migrations
Package migrations provides edition-aware database migration loading.
|
Package migrations provides edition-aware database migration loading. |
|
pagination
Package pagination provides pagination utilities.
|
Package pagination provides pagination utilities. |
|
parsers/sarif
Package sarif provides a comprehensive parser and utilities for SARIF (Static Analysis Results Interchange Format) version 2.1.0.
|
Package sarif provides a comprehensive parser and utilities for SARIF (Static Analysis Results Interchange Format) version 2.1.0. |
|
password
Package password provides secure password hashing and validation.
|
Package password provides secure password hashing and validation. |
|
report
Package report provides HTML report generation for pentest campaigns.
|
Package report provides HTML report generation for pentest campaigns. |
|
validator
Package validator provides struct validation utilities with custom validators.
|
Package validator provides struct validation utilities with custom validators. |
|
tools
|
|
|
lint/getbyid
Package getbyid implements a go/analysis pass that flags repository methods named GetByID / DeleteByID / UpdateByID that do NOT accept a tenantID parameter.
|
Package getbyid implements a go/analysis pass that flags repository methods named GetByID / DeleteByID / UpdateByID that do NOT accept a tenantID parameter. |
|
lint/getbyid/cmd
command
Command getbyidtenant runs the F-310 tenant-scope analyzer as a single-checker binary.
|
Command getbyidtenant runs the F-310 tenant-scope analyzer as a single-checker binary. |
|
lint/routeperm
Package routeperm implements a go/analysis pass that flags HTTP write routes (POST/PUT/PATCH/DELETE) registered in the routes package without a middleware.Require* wrapper.
|
Package routeperm implements a go/analysis pass that flags HTTP write routes (POST/PUT/PATCH/DELETE) registered in the routes package without a middleware.Require* wrapper. |
|
lint/routeperm/cmd
command
Command routepermcheck runs the route-permission analyzer as a single-checker binary.
|
Command routepermcheck runs the route-permission analyzer as a single-checker binary. |
Click to show internal directories.
Click to hide internal directories.