Documentation
¶
Overview ¶
Package core provides the core interfaces and base implementations for the OpenCTEM Scanner SDK. Tenants can implement these interfaces to create custom scanners, collectors, and agents.
Package core provides the core interfaces and base implementations for the OpenCTEM Scanner SDK.
Index ¶
- Constants
- Variables
- func CheckBinaryInstalled(ctx context.Context, binary string, versionArgs ...string) (bool, string, error)
- func GenerateSastFingerprint(file, ruleID string, startLine int) string
- func GenerateScaFingerprint(pkgName, pkgVersion, vulnID string) string
- func GenerateSecretFingerprint(file, ruleID string, startLine int, secretValue string) string
- func ListPresetScanners() []string
- func MaskAPIKey(key string) string
- func MaskSecret(secret string) string
- func NormalizeSeverity(sev string) string
- func SetDefaultLogger(logger Logger)
- func SeverityFromCVSS(score float64) string
- func ValidateBaseAgentConfig(cfg *BaseAgentConfig) error
- func ValidateBaseScannerConfig(cfg *BaseScannerConfig) error
- func ValidateCommandPollerConfig(cfg *CommandPollerConfig) error
- func ValidateScanOptions(opts *ScanOptions) error
- func ValidateTemplate(tpl *EmbeddedTemplate) error
- type Adapter
- type AdapterOptions
- type Agent
- type AgentState
- type AgentStatus
- type BaseAgent
- func (a *BaseAgent) AddCollector(collector Collector) error
- func (a *BaseAgent) AddParser(parser Parser)
- func (a *BaseAgent) AddScanner(scanner Scanner) error
- func (a *BaseAgent) Name() string
- func (a *BaseAgent) RemoveCollector(name string) error
- func (a *BaseAgent) RemoveScanner(name string) error
- func (a *BaseAgent) SetVerbose(v bool)
- func (a *BaseAgent) Start(ctx context.Context) error
- func (a *BaseAgent) Status() *AgentStatus
- func (a *BaseAgent) Stop(ctx context.Context) error
- type BaseAgentConfig
- type BaseCollector
- func (c *BaseCollector) Collect(ctx context.Context, opts *CollectOptions) (*CollectResult, error)
- func (c *BaseCollector) FetchJSON(ctx context.Context, path string, query map[string]string, result interface{}) error
- func (c *BaseCollector) Name() string
- func (c *BaseCollector) SetVerbose(v bool)
- func (c *BaseCollector) TestConnection(ctx context.Context) error
- func (c *BaseCollector) Type() string
- type BaseCollectorConfig
- type BaseParser
- func (p *BaseParser) CanParse(data []byte) bool
- func (p *BaseParser) CreateFinding(id, title string, severity ctis.Severity) ctis.Finding
- func (p *BaseParser) CreateReport(toolName, toolVersion string) *ctis.Report
- func (p *BaseParser) Name() string
- func (p *BaseParser) Parse(ctx context.Context, data []byte, opts *ParseOptions) (*ctis.Report, error)
- func (p *BaseParser) SupportedFormats() []string
- type BaseProcessor
- func (p *BaseProcessor) AddParser(parser Parser)
- func (p *BaseProcessor) Process(ctx context.Context, scanner Scanner, opts *ProcessOptions) (*ProcessResult, error)
- func (p *BaseProcessor) ProcessBatch(ctx context.Context, scanners []Scanner, opts *ProcessOptions) ([]*ProcessResult, error)
- func (p *BaseProcessor) SetVerbose(v bool)
- type BaseScanner
- func (s *BaseScanner) BuildArgs(target string, opts *ScanOptions) []string
- func (s *BaseScanner) Capabilities() []string
- func (s *BaseScanner) IsInstalled(ctx context.Context) (bool, string, error)
- func (s *BaseScanner) Name() string
- func (s *BaseScanner) Scan(ctx context.Context, target string, opts *ScanOptions) (*ScanResult, error)
- func (s *BaseScanner) SetVerbose(v bool)
- func (s *BaseScanner) Version() string
- type BaseScannerConfig
- type CVSSData
- type CVSSSource
- type CacheStats
- type CachedTemplateMetadata
- type CollectCommandPayload
- type CollectOptions
- type CollectResult
- type Collector
- type Command
- type CommandClient
- type CommandExecutionResult
- type CommandExecutor
- type CommandPoller
- type CommandPollerConfig
- type CommandResult
- type Connector
- type ConnectorConfig
- type DNSRecord
- type DefaultCommandExecutor
- type DefaultLogger
- func (l *DefaultLogger) Debug(format string, args ...interface{})
- func (l *DefaultLogger) Error(format string, args ...interface{})
- func (l *DefaultLogger) Info(format string, args ...interface{})
- func (l *DefaultLogger) SetLevel(level LogLevel)
- func (l *DefaultLogger) SetOutput(w io.Writer)
- func (l *DefaultLogger) Warn(format string, args ...interface{})
- type DiscoveredURL
- type EmbeddedTemplate
- type Enricher
- type EnricherConfig
- type ExecConfig
- type ExecResult
- type GetCommandsResponse
- type GitHubAlertInstance
- type GitHubAlertLocation
- type GitHubAlertMessage
- type GitHubAlertRule
- type GitHubAlertTool
- type GitHubCodeScanningAlert
- type GitHubCollector
- type GitHubCollectorConfig
- type JSONParser
- type LiveHost
- type LogLevel
- type Logger
- type NopLogger
- type OAuthConfig
- type OpenPort
- type OutputHandler
- type Package
- type PackageDependency
- type PackageType
- type ParseOptions
- type Parser
- type ParserRegistry
- type PrintfLogger
- type ProcessOptions
- type ProcessResult
- type Processor
- type Provider
- type ProviderConfig
- type PushResult
- type Pusher
- type ReconOptions
- type ReconResult
- type ReconScanner
- type ReconType
- type SARIFParser
- type ScaResult
- type ScaScanOptions
- type ScaScanner
- type ScanCommandPayload
- type ScanOptions
- type ScanResult
- type Scanner
- type ScannerType
- type SecretFinding
- type SecretResult
- type SecretScanOptions
- type SecretScanner
- type Subdomain
- type Technology
- type TemplateCache
- func (c *TemplateCache) Cleanup() error
- func (c *TemplateCache) Clear(tenantID string) error
- func (c *TemplateCache) Get(contentHash string) (string, bool)
- func (c *TemplateCache) GetOrPut(tenantID string, template *EmbeddedTemplate) (string, error)
- func (c *TemplateCache) GetTemplateDir(tenantID, templateType string, templates []EmbeddedTemplate) (string, error)
- func (c *TemplateCache) Put(tenantID string, template *EmbeddedTemplate) (string, error)
- func (c *TemplateCache) Remove(contentHash string) error
- func (c *TemplateCache) Stats() *CacheStats
- type TemplateCacheConfig
- type ValidationError
- type ValidationErrors
- type Validator
- func (v *Validator) APIKey(field, value string) *Validator
- func (v *Validator) Custom(field string, check func() bool, message string) *Validator
- func (v *Validator) DirectoryExists(field, path string) *Validator
- func (v *Validator) Errors() ValidationErrors
- func (v *Validator) FileExists(field, path string) *Validator
- func (v *Validator) Max(field string, value, max int) *Validator
- func (v *Validator) MaxDuration(field string, value, max time.Duration) *Validator
- func (v *Validator) Min(field string, value, min int) *Validator
- func (v *Validator) MinDuration(field string, value, min time.Duration) *Validator
- func (v *Validator) OneOf(field, value string, allowed []string) *Validator
- func (v *Validator) Required(field, value string) *Validator
- func (v *Validator) SourceID(field, value string) *Validator
- func (v *Validator) URL(field, value string) *Validator
- func (v *Validator) Validate() error
- type Vulnerability
- type VulnerabilityMetadata
- type WebhookCollector
- type WebhookCollectorConfig
Constants ¶
View Source
const MaxTemplateNameLength = 128
MaxTemplateNameLength is the maximum allowed length for template names.
View Source
const MaxTemplateSize = 1024 * 1024
MaxTemplateSize is the maximum allowed size for a single template (1MB).
View Source
const MaxTemplatesPerCommand = 50
MaxTemplatesPerCommand is the maximum number of templates allowed per command.
Variables ¶
View Source
var CVSSPriority = []CVSSSource{ CVSSSourceNVD, CVSSSourceGHSA, CVSSSourceRedHat, CVSSSourceBitnami, }
CVSSPriority defines the priority order for CVSS sources. Higher priority sources are preferred.
View Source
var PresetScanners = map[string]*BaseScannerConfig{ "semgrep": { Name: "semgrep", Binary: "semgrep", DefaultArgs: []string{"scan", "--sarif", "--config", "auto", "{target}"}, Timeout: 30 * time.Minute, OKExitCodes: []int{0, 1}, Capabilities: []string{"sast", "secret"}, }, "trivy-fs": { Name: "trivy", Binary: "trivy", DefaultArgs: []string{"fs", "--format", "sarif", "{target}"}, Timeout: 15 * time.Minute, OKExitCodes: []int{0}, Capabilities: []string{"sca", "vulnerability"}, }, "trivy-config": { Name: "trivy", Binary: "trivy", DefaultArgs: []string{"config", "--format", "sarif", "{target}"}, Timeout: 15 * time.Minute, OKExitCodes: []int{0}, Capabilities: []string{"iac", "misconfiguration"}, }, "gitleaks": { Name: "gitleaks", Binary: "gitleaks", DefaultArgs: []string{"detect", "--source", "{target}", "--report-format", "sarif", "--report-path", "/dev/stdout", "--no-banner"}, Timeout: 15 * time.Minute, OKExitCodes: []int{0, 1}, Capabilities: []string{"secret"}, }, "slither": { Name: "slither", Binary: "slither", DefaultArgs: []string{"{target}", "--sarif", "/dev/stdout"}, Timeout: 30 * time.Minute, OKExitCodes: []int{0, 1, 255}, Capabilities: []string{"web3", "smart-contract"}, }, "checkov": { Name: "checkov", Binary: "checkov", DefaultArgs: []string{"-d", "{target}", "-o", "sarif", "--output-file-path", "/dev/stdout"}, Timeout: 15 * time.Minute, OKExitCodes: []int{0, 1}, Capabilities: []string{"iac", "misconfiguration"}, }, "bandit": { Name: "bandit", Binary: "bandit", DefaultArgs: []string{"-r", "{target}", "-f", "sarif", "-o", "/dev/stdout"}, Timeout: 15 * time.Minute, OKExitCodes: []int{0, 1}, Capabilities: []string{"sast"}, }, "gosec": { Name: "gosec", Binary: "gosec", DefaultArgs: []string{"-fmt", "sarif", "-out", "/dev/stdout", "{target}/..."}, Timeout: 15 * time.Minute, OKExitCodes: []int{0, 1}, Capabilities: []string{"sast"}, }, "snyk": { Name: "snyk", Binary: "snyk", DefaultArgs: []string{"code", "test", "{target}", "--sarif"}, Timeout: 30 * time.Minute, OKExitCodes: []int{0, 1}, Capabilities: []string{"sast", "sca"}, }, "codeql": { Name: "codeql", Binary: "codeql", DefaultArgs: []string{"database", "analyze", "{target}", "--format=sarif-latest", "--output=/dev/stdout"}, Timeout: 60 * time.Minute, OKExitCodes: []int{0}, Capabilities: []string{"sast"}, }, }
PresetScanners contains configurations for popular security tools.
View Source
var ValidTemplateTypes = map[string]bool{ "nuclei": true, "semgrep": true, "gitleaks": true, }
ValidTemplateTypes defines allowed template types for security validation.
Functions ¶
func CheckBinaryInstalled ¶
func CheckBinaryInstalled(ctx context.Context, binary string, versionArgs ...string) (bool, string, error)
CheckBinaryInstalled checks if a binary is installed and returns its version.
func GenerateSastFingerprint ¶
GenerateSastFingerprint creates a fingerprint for SAST/Secret findings. Deprecated: Use fingerprint.GenerateSAST from pkg/shared/fingerprint instead.
func GenerateScaFingerprint ¶
GenerateScaFingerprint creates a fingerprint for SCA vulnerabilities. Deprecated: Use fingerprint.GenerateSCA from pkg/shared/fingerprint instead.
func GenerateSecretFingerprint ¶
GenerateSecretFingerprint creates a fingerprint for secret findings. Deprecated: Use fingerprint.GenerateSecret from pkg/shared/fingerprint instead.
func ListPresetScanners ¶
func ListPresetScanners() []string
ListPresetScanners returns all available preset scanner names.
func MaskSecret ¶
MaskSecret masks a secret value, showing only first and last few characters.
func NormalizeSeverity ¶
NormalizeSeverity normalizes severity strings from different scanners. Deprecated: Use severity.FromString from pkg/shared/severity instead.
func SetDefaultLogger ¶
func SetDefaultLogger(logger Logger)
SetDefaultLogger sets the global default logger.
func SeverityFromCVSS ¶
SeverityFromCVSS converts a CVSS score to severity level. Deprecated: Use severity.FromCVSS from pkg/shared/severity instead.
func ValidateBaseAgentConfig ¶
func ValidateBaseAgentConfig(cfg *BaseAgentConfig) error
ValidateBaseAgentConfig validates a BaseAgentConfig.
func ValidateBaseScannerConfig ¶
func ValidateBaseScannerConfig(cfg *BaseScannerConfig) error
ValidateBaseScannerConfig validates a BaseScannerConfig.
func ValidateCommandPollerConfig ¶
func ValidateCommandPollerConfig(cfg *CommandPollerConfig) error
ValidateCommandPollerConfig validates a CommandPollerConfig.
func ValidateScanOptions ¶
func ValidateScanOptions(opts *ScanOptions) error
ValidateScanOptions validates ScanOptions.
func ValidateTemplate ¶
func ValidateTemplate(tpl *EmbeddedTemplate) error
ValidateTemplate validates an embedded template for security issues. It checks for path traversal, valid template types, and size limits.
Types ¶
type Adapter ¶
type Adapter interface {
// Name returns the adapter name (e.g., "sarif", "cyclonedx")
Name() string
// InputFormats returns supported input formats
InputFormats() []string
// OutputFormat returns the output format (usually "ctis")
OutputFormat() string
// CanConvert checks if the input can be converted
CanConvert(input []byte) bool
// Convert transforms input to CTIS Report
Convert(ctx context.Context, input []byte, opts *AdapterOptions) (*ctis.Report, error)
}
Adapter translates between different data formats and CTIS.
type AdapterOptions ¶
type AdapterOptions struct {
// Source information
SourceName string `yaml:"source_name" json:"source_name"`
SourceType string `yaml:"source_type" json:"source_type"`
// Target repository/asset info
Repository string `yaml:"repository" json:"repository"`
Branch string `yaml:"branch" json:"branch"`
CommitSHA string `yaml:"commit_sha" json:"commit_sha"`
// Filtering
MinSeverity string `yaml:"min_severity" json:"min_severity"`
// Debug
Verbose bool `yaml:"verbose" json:"verbose"`
}
AdapterOptions configures adapter behavior.
type Agent ¶
type Agent interface {
// Name returns the agent name
Name() string
// Start starts the agent
Start(ctx context.Context) error
// Stop gracefully stops the agent
Stop(ctx context.Context) error
// Status returns the current agent status
Status() *AgentStatus
// AddScanner adds a scanner to the agent
AddScanner(scanner Scanner) error
// AddCollector adds a collector to the agent
AddCollector(collector Collector) error
// RemoveScanner removes a scanner by name
RemoveScanner(name string) error
// RemoveCollector removes a collector by name
RemoveCollector(name string) error
}
Agent is a long-running service that manages scanners and collectors. Implement this interface to create a custom agent.
type AgentState ¶
type AgentState string
AgentState represents the state of an agent.
const ( AgentStateRunning AgentState = "running" AgentStateStopped AgentState = "stopped" AgentStateStopping AgentState = "stopping" AgentStateError AgentState = "error" )
type AgentStatus ¶
type AgentStatus struct {
Name string `json:"name"`
Status AgentState `json:"status"`
StartedAt int64 `json:"started_at,omitempty"`
Uptime int64 `json:"uptime_seconds,omitempty"`
Scanners []string `json:"scanners"`
Collectors []string `json:"collectors"`
LastScan int64 `json:"last_scan,omitempty"`
LastCollect int64 `json:"last_collect,omitempty"`
TotalScans int64 `json:"total_scans"`
TotalFindings int64 `json:"total_findings"`
Errors int64 `json:"errors"`
Message string `json:"message,omitempty"`
// System Metrics (collected from agent)
CPUPercent float64 `json:"cpu_percent,omitempty"`
MemoryPercent float64 `json:"memory_percent,omitempty"`
ActiveJobs int `json:"active_jobs,omitempty"`
Region string `json:"region,omitempty"`
}
AgentStatus represents the agent's current state.
type BaseAgent ¶
type BaseAgent struct {
// contains filtered or unexported fields
}
BaseAgent provides a base implementation for agents. Embed this in your custom agent to get common functionality.
func NewBaseAgent ¶
func NewBaseAgent(cfg *BaseAgentConfig, pusher Pusher) *BaseAgent
NewBaseAgent creates a new base agent.
func (*BaseAgent) AddCollector ¶
AddCollector adds a collector to the agent.
func (*BaseAgent) AddScanner ¶
AddScanner adds a scanner to the agent.
func (*BaseAgent) RemoveCollector ¶
RemoveCollector removes a collector from the agent.
func (*BaseAgent) RemoveScanner ¶
RemoveScanner removes a scanner from the agent.
func (*BaseAgent) Status ¶
func (a *BaseAgent) Status() *AgentStatus
Status returns the current agent status.
type BaseAgentConfig ¶
type BaseAgentConfig struct {
Name string `yaml:"name" json:"name"`
Version string `yaml:"version" json:"version"`
Region string `yaml:"region" json:"region"` // Deployment region (e.g., "us-east-1", "ap-southeast-1")
ScanInterval time.Duration `yaml:"scan_interval" json:"scan_interval"`
CollectInterval time.Duration `yaml:"collect_interval" json:"collect_interval"`
HeartbeatInterval time.Duration `yaml:"heartbeat_interval" json:"heartbeat_interval"`
Targets []string `yaml:"targets" json:"targets"`
Verbose bool `yaml:"verbose" json:"verbose"`
}
BaseAgentConfig configures a BaseAgent.
type BaseCollector ¶
type BaseCollector struct {
// contains filtered or unexported fields
}
BaseCollector provides a base implementation for collectors. Embed this in your custom collector to get common functionality.
func NewBaseCollector ¶
func NewBaseCollector(cfg *BaseCollectorConfig) *BaseCollector
NewBaseCollector creates a new base collector.
func (*BaseCollector) Collect ¶
func (c *BaseCollector) Collect(ctx context.Context, opts *CollectOptions) (*CollectResult, error)
Collect is the base collect method - override in your implementation.
func (*BaseCollector) FetchJSON ¶
func (c *BaseCollector) FetchJSON(ctx context.Context, path string, query map[string]string, result interface{}) error
FetchJSON makes an HTTP GET request and decodes JSON response.
func (*BaseCollector) SetVerbose ¶
func (c *BaseCollector) SetVerbose(v bool)
SetVerbose sets verbose mode.
func (*BaseCollector) TestConnection ¶
func (c *BaseCollector) TestConnection(ctx context.Context) error
TestConnection tests the connection to the source.
type BaseCollectorConfig ¶
type BaseCollectorConfig struct {
Name string `yaml:"name" json:"name"`
SourceType string `yaml:"source_type" json:"source_type"`
BaseURL string `yaml:"base_url" json:"base_url"`
APIKey string `yaml:"api_key" json:"api_key"`
Headers map[string]string `yaml:"headers" json:"headers"`
Timeout time.Duration `yaml:"timeout" json:"timeout"`
Verbose bool `yaml:"verbose" json:"verbose"`
}
BaseCollectorConfig configures a BaseCollector.
type BaseParser ¶
type BaseParser struct {
// contains filtered or unexported fields
}
BaseParser provides a base implementation for custom parsers. Embed this in your custom parser for common functionality.
func NewBaseParser ¶
func NewBaseParser(name string, formats []string) *BaseParser
NewBaseParser creates a new base parser.
func (*BaseParser) CanParse ¶
func (p *BaseParser) CanParse(data []byte) bool
CanParse default implementation - override in your parser.
func (*BaseParser) CreateFinding ¶
CreateFinding is a helper to create a finding with common fields set.
func (*BaseParser) CreateReport ¶
func (p *BaseParser) CreateReport(toolName, toolVersion string) *ctis.Report
CreateReport is a helper to create a new report.
func (*BaseParser) Parse ¶
func (p *BaseParser) Parse(ctx context.Context, data []byte, opts *ParseOptions) (*ctis.Report, error)
Parse default implementation - override in your parser.
func (*BaseParser) SupportedFormats ¶
func (p *BaseParser) SupportedFormats() []string
SupportedFormats returns supported formats.
type BaseProcessor ¶
type BaseProcessor struct {
// contains filtered or unexported fields
}
BaseProcessor provides a default implementation of the Processor interface.
func NewBaseProcessor ¶
func NewBaseProcessor(pusher Pusher) *BaseProcessor
NewBaseProcessor creates a new processor.
func (*BaseProcessor) AddParser ¶
func (p *BaseProcessor) AddParser(parser Parser)
AddParser adds a custom parser.
func (*BaseProcessor) Process ¶
func (p *BaseProcessor) Process(ctx context.Context, scanner Scanner, opts *ProcessOptions) (*ProcessResult, error)
Process runs a complete scan workflow: scan -> parse -> push.
func (*BaseProcessor) ProcessBatch ¶
func (p *BaseProcessor) ProcessBatch(ctx context.Context, scanners []Scanner, opts *ProcessOptions) ([]*ProcessResult, error)
ProcessBatch runs multiple scanners in parallel.
func (*BaseProcessor) SetVerbose ¶
func (p *BaseProcessor) SetVerbose(v bool)
SetVerbose sets verbose mode.
type BaseScanner ¶
type BaseScanner struct {
// contains filtered or unexported fields
}
BaseScanner provides a base implementation for scanners. Embed this in your custom scanner to get common functionality.
func NewBaseScanner ¶
func NewBaseScanner(cfg *BaseScannerConfig) *BaseScanner
NewBaseScanner creates a new base scanner with the given config.
func NewPresetScanner ¶
func NewPresetScanner(name string) (*BaseScanner, error)
NewPresetScanner creates a scanner from a preset configuration.
func (*BaseScanner) BuildArgs ¶
func (s *BaseScanner) BuildArgs(target string, opts *ScanOptions) []string
BuildArgs builds command arguments. Override this in your scanner for custom argument handling.
func (*BaseScanner) Capabilities ¶
func (s *BaseScanner) Capabilities() []string
Capabilities returns what the scanner can detect.
func (*BaseScanner) IsInstalled ¶
IsInstalled checks if the scanner binary is available.
func (*BaseScanner) Scan ¶
func (s *BaseScanner) Scan(ctx context.Context, target string, opts *ScanOptions) (*ScanResult, error)
Scan executes the scanner with the given options. This is the base implementation - override BuildArgs in your scanner for customization.
func (*BaseScanner) SetVerbose ¶
func (s *BaseScanner) SetVerbose(v bool)
SetVerbose sets verbose mode.
func (*BaseScanner) Version ¶
func (s *BaseScanner) Version() string
Version returns the scanner version.
type BaseScannerConfig ¶
type BaseScannerConfig struct {
Name string `yaml:"name" json:"name"`
Version string `yaml:"version" json:"version"`
Binary string `yaml:"binary" json:"binary"`
DefaultArgs []string `yaml:"default_args" json:"default_args"`
Timeout time.Duration `yaml:"timeout" json:"timeout"`
OKExitCodes []int `yaml:"ok_exit_codes" json:"ok_exit_codes"`
Capabilities []string `yaml:"capabilities" json:"capabilities"`
WorkDir string `yaml:"work_dir" json:"work_dir"`
Env map[string]string `yaml:"env" json:"env"`
Verbose bool `yaml:"verbose" json:"verbose"`
}
BaseScannerConfig configures a BaseScanner.
type CVSSData ¶
type CVSSData struct {
Source CVSSSource `json:"source"`
Score float64 `json:"score"`
Vector string `json:"vector"`
}
CVSSData holds CVSS information from various sources.
func SelectBestCVSS ¶
func SelectBestCVSS(cvssMap map[CVSSSource]CVSSData) *CVSSData
SelectBestCVSS selects the best CVSS data from multiple sources. Uses priority order: NVD > GHSA > RedHat > Bitnami
type CVSSSource ¶
type CVSSSource string
CVSSSource represents the source of CVSS data.
const ( CVSSSourceNVD CVSSSource = "nvd" // National Vulnerability Database CVSSSourceGHSA CVSSSource = "ghsa" // GitHub Security Advisory CVSSSourceRedHat CVSSSource = "redhat" // Red Hat CVSSSourceBitnami CVSSSource = "bitnami" // Bitnami )
type CacheStats ¶
type CacheStats struct {
TemplateCount int `json:"template_count"`
TotalSize int64 `json:"total_size"`
TenantCount map[string]int `json:"tenant_count"`
TypeCount map[string]int `json:"type_count"`
OldestEntry time.Time `json:"oldest_entry"`
NewestEntry time.Time `json:"newest_entry"`
}
CacheStats contains cache statistics.
type CachedTemplateMetadata ¶
type CachedTemplateMetadata struct {
ID string `json:"id"`
Name string `json:"name"`
TemplateType string `json:"template_type"`
ContentHash string `json:"content_hash"`
TenantID string `json:"tenant_id"`
FilePath string `json:"file_path"`
Size int64 `json:"size"`
CachedAt time.Time `json:"cached_at"`
LastUsedAt time.Time `json:"last_used_at"`
}
CachedTemplateMetadata stores metadata about a cached template.
type CollectCommandPayload ¶
type CollectCommandPayload struct {
Collector string `json:"collector"`
SourceConfig map[string]interface{} `json:"source_config,omitempty"`
}
CollectCommandPayload is the payload for collect commands.
type CollectOptions ¶
type CollectOptions struct {
// Source configuration
SourceURL string `yaml:"source_url" json:"source_url"`
APIKey string `yaml:"api_key" json:"api_key"`
Headers map[string]string `yaml:"headers" json:"headers"`
Query map[string]string `yaml:"query" json:"query"`
// Filtering
Since int64 `yaml:"since" json:"since"` // Unix timestamp
Repository string `yaml:"repository" json:"repository"`
Branches []string `yaml:"branches" json:"branches"`
// Pagination
PageSize int `yaml:"page_size" json:"page_size"`
MaxPages int `yaml:"max_pages" json:"max_pages"`
}
CollectOptions configures data collection.
type CollectResult ¶
type CollectResult struct {
// Source info
SourceName string `json:"source_name"`
SourceType string `json:"source_type"`
// Collection timing
CollectedAt int64 `json:"collected_at"`
DurationMs int64 `json:"duration_ms"`
// Results
Reports []*ctis.Report `json:"reports"`
TotalItems int `json:"total_items"`
ErrorItems int `json:"error_items"`
// Cursor for pagination
NextCursor string `json:"next_cursor,omitempty"`
HasMore bool `json:"has_more"`
}
CollectResult holds collected data.
type Collector ¶
type Collector interface {
// Name returns the collector name
Name() string
// Type returns the source type (e.g., "github", "gitlab", "api")
Type() string
// Collect pulls data from the external source
Collect(ctx context.Context, opts *CollectOptions) (*CollectResult, error)
// TestConnection verifies the connection to the external source
TestConnection(ctx context.Context) error
}
Collector pulls security data from external sources (GitHub, GitLab, etc.). Implement this interface to create a custom collector.
type Command ¶
type Command struct {
ID string `json:"id"`
Type string `json:"type"`
Priority string `json:"priority"`
Payload json.RawMessage `json:"payload"`
CreatedAt time.Time `json:"created_at"`
ExpiresAt time.Time `json:"expires_at"`
}
Command represents a server command.
type CommandClient ¶
type CommandClient interface {
GetCommands(ctx context.Context) (*GetCommandsResponse, error)
AcknowledgeCommand(ctx context.Context, cmdID string) error
ReportCommandResult(ctx context.Context, cmdID string, result *CommandResult) error
ReportCommandProgress(ctx context.Context, cmdID string, progress int, message string) error
}
CommandClient interface for command-related API operations.
type CommandExecutionResult ¶
type CommandExecutionResult struct {
DurationMs int64
FindingsCount int
ExitCode int
Metadata map[string]interface{}
}
CommandExecutionResult is the result of command execution.
type CommandExecutor ¶
type CommandExecutor interface {
Execute(ctx context.Context, cmd *Command) (*CommandExecutionResult, error)
}
CommandExecutor executes commands.
type CommandPoller ¶
type CommandPoller struct {
// contains filtered or unexported fields
}
CommandPoller polls the server for pending commands.
func NewCommandPoller ¶
func NewCommandPoller(client CommandClient, executor CommandExecutor, cfg *CommandPollerConfig) *CommandPoller
NewCommandPoller creates a new command poller.
func (*CommandPoller) SetVerbose ¶
func (p *CommandPoller) SetVerbose(v bool)
SetVerbose sets verbose mode.
type CommandPollerConfig ¶
type CommandPollerConfig struct {
PollInterval time.Duration `yaml:"poll_interval" json:"poll_interval"`
MaxConcurrent int `yaml:"max_concurrent" json:"max_concurrent"`
AllowedTypes []string `yaml:"allowed_types" json:"allowed_types"`
Verbose bool `yaml:"verbose" json:"verbose"`
}
CommandPollerConfig configures a CommandPoller.
func DefaultCommandPollerConfig ¶
func DefaultCommandPollerConfig() *CommandPollerConfig
DefaultCommandPollerConfig returns default config.
type CommandResult ¶
type CommandResult struct {
Status string `json:"status"`
CompletedAt time.Time `json:"completed_at"`
DurationMs int64 `json:"duration_ms"`
ExitCode int `json:"exit_code"`
FindingsCount int `json:"findings_count"`
Error string `json:"error,omitempty"`
Metadata map[string]interface{} `json:"metadata,omitempty"`
}
CommandResult represents the result of command execution.
type Connector ¶
type Connector interface {
// Name returns the connector name (e.g., "github", "gitlab")
Name() string
// Type returns the connector type (e.g., "scm", "cloud", "ticketing")
Type() string
// Connect establishes connection to the external system
Connect(ctx context.Context) error
// Close closes the connection
Close() error
// IsConnected returns true if connected
IsConnected() bool
// TestConnection verifies the connection is working
TestConnection(ctx context.Context) error
// HTTPClient returns the configured HTTP client (with auth headers)
HTTPClient() *http.Client
// RateLimited returns true if rate limiting is enabled
RateLimited() bool
// WaitForRateLimit blocks until rate limit allows next request
WaitForRateLimit(ctx context.Context) error
}
Connector manages connection to an external system with authentication, rate limiting, and connection pooling.
type ConnectorConfig ¶
type ConnectorConfig struct {
// Authentication
APIKey string `yaml:"api_key" json:"api_key"`
Token string `yaml:"token" json:"token"`
Username string `yaml:"username" json:"username"`
Password string `yaml:"password" json:"password"`
OAuthConfig *OAuthConfig `yaml:"oauth" json:"oauth,omitempty"`
// Connection
BaseURL string `yaml:"base_url" json:"base_url"`
Timeout time.Duration `yaml:"timeout" json:"timeout"`
// Rate limiting
RateLimit int `yaml:"rate_limit" json:"rate_limit"` // requests per hour
BurstLimit int `yaml:"burst_limit" json:"burst_limit"` // burst size
// Retry
MaxRetries int `yaml:"max_retries" json:"max_retries"`
RetryDelay time.Duration `yaml:"retry_delay" json:"retry_delay"`
// Debug
Verbose bool `yaml:"verbose" json:"verbose"`
}
ConnectorConfig holds common configuration for connectors.
type DNSRecord ¶
type DNSRecord struct {
Host string `json:"host"` // Hostname
RecordType string `json:"record_type"` // A, AAAA, CNAME, MX, NS, TXT, SOA
Values []string `json:"values"` // Record values
TTL int `json:"ttl,omitempty"` // Time to live
Resolver string `json:"resolver,omitempty"` // Resolver used
StatusCode string `json:"status_code,omitempty"` // NOERROR, NXDOMAIN, etc.
}
DNSRecord represents a DNS record.
type DefaultCommandExecutor ¶
type DefaultCommandExecutor struct {
// contains filtered or unexported fields
}
DefaultCommandExecutor provides default command execution.
func NewDefaultCommandExecutor ¶
func NewDefaultCommandExecutor(pusher Pusher) *DefaultCommandExecutor
NewDefaultCommandExecutor creates a new default executor.
func (*DefaultCommandExecutor) AddCollector ¶
func (e *DefaultCommandExecutor) AddCollector(collector Collector)
AddCollector adds a collector.
func (*DefaultCommandExecutor) AddScanner ¶
func (e *DefaultCommandExecutor) AddScanner(scanner Scanner)
AddScanner adds a scanner.
func (*DefaultCommandExecutor) Execute ¶
func (e *DefaultCommandExecutor) Execute(ctx context.Context, cmd *Command) (*CommandExecutionResult, error)
Execute executes a command.
func (*DefaultCommandExecutor) SetVerbose ¶
func (e *DefaultCommandExecutor) SetVerbose(v bool)
SetVerbose sets verbose mode.
type DefaultLogger ¶
type DefaultLogger struct {
// contains filtered or unexported fields
}
DefaultLogger is the default logger implementation using standard library.
func NewDefaultLogger ¶
func NewDefaultLogger(prefix string, level LogLevel) *DefaultLogger
NewDefaultLogger creates a new default logger.
func (*DefaultLogger) Debug ¶
func (l *DefaultLogger) Debug(format string, args ...interface{})
Debug logs a debug message.
func (*DefaultLogger) Error ¶
func (l *DefaultLogger) Error(format string, args ...interface{})
Error logs an error message.
func (*DefaultLogger) Info ¶
func (l *DefaultLogger) Info(format string, args ...interface{})
Info logs an info message.
func (*DefaultLogger) SetLevel ¶
func (l *DefaultLogger) SetLevel(level LogLevel)
SetLevel sets the log level.
func (*DefaultLogger) SetOutput ¶
func (l *DefaultLogger) SetOutput(w io.Writer)
SetOutput sets the output writer.
func (*DefaultLogger) Warn ¶
func (l *DefaultLogger) Warn(format string, args ...interface{})
Warn logs a warning message.
type DiscoveredURL ¶
type DiscoveredURL struct {
URL string `json:"url"` // Full URL
Method string `json:"method,omitempty"` // HTTP method (GET, POST, etc.)
Source string `json:"source,omitempty"` // Discovery source (crawl, js, archive)
StatusCode int `json:"status_code,omitempty"`
Depth int `json:"depth,omitempty"` // Crawl depth
Parent string `json:"parent,omitempty"` // Parent URL
Type string `json:"type,omitempty"` // endpoint, form, api, static
Extension string `json:"extension,omitempty"` // File extension
}
DiscoveredURL represents a discovered URL/endpoint.
type EmbeddedTemplate ¶
type EmbeddedTemplate struct {
ID string `json:"id"`
Name string `json:"name"`
TemplateType string `json:"template_type"` // nuclei, semgrep, gitleaks
Content string `json:"content"` // Base64-encoded template content (YAML/TOML)
ContentHash string `json:"content_hash"` // SHA256 hash of decoded content for verification
}
EmbeddedTemplate is a custom template embedded in scan command payload. Templates are sent from the platform and written to temp dir before scan.
type Enricher ¶
type Enricher interface {
// Name returns the enricher name (e.g., "epss", "kev", "nvd")
Name() string
// Enrich adds threat intel to a single finding
Enrich(ctx context.Context, finding *ctis.Finding) (*ctis.Finding, error)
// EnrichBatch adds threat intel to multiple findings
EnrichBatch(ctx context.Context, findings []ctis.Finding) ([]ctis.Finding, error)
}
Enricher adds threat intelligence data to findings.
type EnricherConfig ¶
type EnricherConfig struct {
// API endpoint (optional, for custom sources)
Endpoint string `yaml:"endpoint" json:"endpoint"`
// Cache duration
CacheTTL time.Duration `yaml:"cache_ttl" json:"cache_ttl"`
// Rate limiting
RateLimit int `yaml:"rate_limit" json:"rate_limit"`
// Debug
Verbose bool `yaml:"verbose" json:"verbose"`
}
EnricherConfig holds enricher configuration.
type ExecConfig ¶
type ExecConfig struct {
Binary string // Scanner binary path
Args []string // Command arguments
WorkDir string // Working directory
Env map[string]string // Environment variables
Timeout time.Duration // Execution timeout
Verbose bool // Stream output to logs
}
ExecConfig configures scanner execution.
type ExecResult ¶
ExecResult holds the result of scanner execution.
func ExecuteScanner ¶
func ExecuteScanner(ctx context.Context, cfg *ExecConfig) (*ExecResult, error)
ExecuteScanner runs a scanner binary with real-time output streaming.
func StreamScanner ¶
func StreamScanner(ctx context.Context, cfg *ExecConfig, handler OutputHandler) (*ExecResult, error)
StreamScanner runs a scanner with real-time output handling.
type GetCommandsResponse ¶
type GetCommandsResponse struct {
Commands []*Command `json:"commands"`
PollIntervalSeconds int `json:"poll_interval_seconds,omitempty"`
}
GetCommandsResponse is the response from GetCommands.
type GitHubAlertInstance ¶
type GitHubAlertInstance struct {
Ref string `json:"ref"`
State string `json:"state"`
Location GitHubAlertLocation `json:"location"`
Message GitHubAlertMessage `json:"message"`
}
GitHubAlertInstance represents an instance of the alert.
type GitHubAlertLocation ¶
type GitHubAlertLocation struct {
Path string `json:"path"`
StartLine int `json:"start_line"`
EndLine int `json:"end_line"`
StartColumn int `json:"start_column"`
EndColumn int `json:"end_column"`
}
GitHubAlertLocation represents the location of the alert.
type GitHubAlertMessage ¶
type GitHubAlertMessage struct {
Text string `json:"text"`
}
GitHubAlertMessage represents the alert message.
type GitHubAlertRule ¶
type GitHubAlertRule struct {
ID string `json:"id"`
Severity string `json:"severity"`
SecuritySeverityLevel string `json:"security_severity_level"`
Description string `json:"description"`
Tags []string `json:"tags"`
}
GitHubAlertRule represents the rule that triggered the alert.
type GitHubAlertTool ¶
GitHubAlertTool represents the tool that found the alert.
type GitHubCodeScanningAlert ¶
type GitHubCodeScanningAlert struct {
Number int `json:"number"`
State string `json:"state"`
HTMLURL string `json:"html_url"`
Rule GitHubAlertRule `json:"rule"`
Tool GitHubAlertTool `json:"tool"`
MostRecentInstance GitHubAlertInstance `json:"most_recent_instance"`
CreatedAt string `json:"created_at"`
}
GitHubCodeScanningAlert represents a GitHub code scanning alert.
type GitHubCollector ¶
type GitHubCollector struct {
*BaseCollector
// contains filtered or unexported fields
}
GitHubCollector pulls security alerts from GitHub Advanced Security.
func NewGitHubCollector ¶
func NewGitHubCollector(cfg *GitHubCollectorConfig) *GitHubCollector
NewGitHubCollector creates a new GitHub collector.
func (*GitHubCollector) Collect ¶
func (c *GitHubCollector) Collect(ctx context.Context, opts *CollectOptions) (*CollectResult, error)
Collect pulls security alerts from GitHub.
type GitHubCollectorConfig ¶
type GitHubCollectorConfig struct {
Token string `yaml:"token" json:"token"`
Owner string `yaml:"owner" json:"owner"`
Repo string `yaml:"repo" json:"repo"`
Verbose bool `yaml:"verbose" json:"verbose"`
}
GitHubCollectorConfig configures a GitHub collector.
type JSONParser ¶
type JSONParser struct{}
JSONParser parses generic JSON output that follows CTIS schema.
func (*JSONParser) CanParse ¶
func (p *JSONParser) CanParse(data []byte) bool
CanParse checks if this parser can handle the data.
func (*JSONParser) Parse ¶
func (p *JSONParser) Parse(ctx context.Context, data []byte, opts *ParseOptions) (*ctis.Report, error)
Parse converts JSON to CTIS format.
func (*JSONParser) SupportedFormats ¶
func (p *JSONParser) SupportedFormats() []string
SupportedFormats returns supported formats.
type LiveHost ¶
type LiveHost struct {
URL string `json:"url"` // Full URL (https://example.com)
Host string `json:"host"` // Hostname
IP string `json:"ip,omitempty"` // Resolved IP
Port int `json:"port,omitempty"` // Port number
Scheme string `json:"scheme"` // http or https
StatusCode int `json:"status_code"` // HTTP status code
ContentLength int64 `json:"content_length,omitempty"` // Response size
Title string `json:"title,omitempty"` // Page title
WebServer string `json:"web_server,omitempty"` // Server header
ContentType string `json:"content_type,omitempty"` // Content-Type header
Technologies []string `json:"technologies,omitempty"` // Detected technologies
CDN string `json:"cdn,omitempty"` // CDN provider
TLSVersion string `json:"tls_version,omitempty"` // TLS version
Redirect string `json:"redirect,omitempty"` // Final redirect URL
ResponseTime int64 `json:"response_time_ms"` // Response time in ms
}
LiveHost represents an HTTP/HTTPS live host.
type Logger ¶
type Logger interface {
// Debug logs a debug message
Debug(format string, args ...interface{})
// Info logs an info message
Info(format string, args ...interface{})
// Warn logs a warning message
Warn(format string, args ...interface{})
// Error logs an error message
Error(format string, args ...interface{})
}
Logger is the interface for logging in the SDK. Implement this interface to use a custom logger (e.g., logrus, zap).
func GetDefaultLogger ¶
func GetDefaultLogger() Logger
GetDefaultLogger returns the global default logger.
func LoggerFromVerbose ¶
LoggerFromVerbose creates a logger based on verbose flag. If verbose is true, returns a PrintfLogger, otherwise returns NopLogger.
type OAuthConfig ¶
type OAuthConfig struct {
ClientID string `yaml:"client_id" json:"client_id"`
ClientSecret string `yaml:"client_secret" json:"client_secret"`
TokenURL string `yaml:"token_url" json:"token_url"`
Scopes []string `yaml:"scopes" json:"scopes"`
}
OAuthConfig holds OAuth configuration.
type OpenPort ¶
type OpenPort struct {
Host string `json:"host"` // IP or hostname
IP string `json:"ip,omitempty"` // IP address
Port int `json:"port"` // Port number
Protocol string `json:"protocol,omitempty"` // tcp, udp
Service string `json:"service,omitempty"` // Detected service name
Version string `json:"version,omitempty"` // Service version
Banner string `json:"banner,omitempty"` // Service banner
}
OpenPort represents an open port on a host.
type OutputHandler ¶
OutputHandler processes scanner output in real-time.
type Package ¶
type Package struct {
ID string `json:"id"` // Package URL or unique identifier
Name string `json:"name"` // Package name
Version string `json:"version"` // Installed version
Type string `json:"type"` // npm, maven, pip, etc.
Licenses []string `json:"licenses"` // License identifiers
PURL string `json:"purl"` // Package URL (purl spec)
}
Package represents a software package.
type PackageDependency ¶
type PackageDependency struct {
PackageID string `json:"package_id"` // Parent package
Dependencies []string `json:"dependencies"` // Child package IDs
}
PackageDependency represents a dependency relationship.
type PackageType ¶
type PackageType string
PackageType represents the package ecosystem.
const ( PackageTypeMaven PackageType = "maven" PackageTypeNPM PackageType = "npm" PackageTypePyPI PackageType = "pip" PackageTypeGo PackageType = "gomod" PackageTypeCargo PackageType = "cargo" PackageTypeNuGet PackageType = "nuget" PackageTypeGem PackageType = "gem" PackageTypeComposer PackageType = "composer" )
func DetectPackageType ¶
func DetectPackageType(filename string) PackageType
DetectPackageType detects the package type from a manifest file.
type ParseOptions ¶
type ParseOptions struct {
// Tool information
ToolName string `json:"tool_name"`
ToolType string `json:"tool_type"` // sast, sca, secret, iac, web3
// Asset information
AssetType ctis.AssetType `json:"asset_type"`
AssetValue string `json:"asset_value"`
AssetID string `json:"asset_id"`
// Git information (legacy - use BranchInfo for full context)
Branch string `json:"branch"`
CommitSHA string `json:"commit_sha"`
// Branch information for branch-aware finding lifecycle
// Provides full CI/CD context for auto-resolve and expiry features
BranchInfo *ctis.BranchInfo `json:"branch_info,omitempty"`
// BasePath is the root directory of the scanned codebase.
// Used to resolve relative file paths when reading snippets from source files.
BasePath string `json:"base_path,omitempty"`
// Defaults
DefaultConfidence int `json:"default_confidence"`
}
ParseOptions configures parsing.
type Parser ¶
type Parser interface {
// Name returns the parser name (e.g., "sarif", "json", "custom-trivy")
Name() string
// SupportedFormats returns the output formats this parser can handle
SupportedFormats() []string
// Parse converts raw output to CTIS report
Parse(ctx context.Context, data []byte, opts *ParseOptions) (*ctis.Report, error)
// CanParse checks if the parser can handle the given data
CanParse(data []byte) bool
}
Parser converts scanner output to CTIS format. Implement this interface to support custom output formats.
type ParserRegistry ¶
type ParserRegistry struct {
// contains filtered or unexported fields
}
ParserRegistry manages registered parsers.
func NewParserRegistry ¶
func NewParserRegistry() *ParserRegistry
NewParserRegistry creates a new parser registry with built-in parsers.
func (*ParserRegistry) FindParser ¶
func (r *ParserRegistry) FindParser(data []byte) Parser
FindParser finds a parser that can handle the given data.
func (*ParserRegistry) Get ¶
func (r *ParserRegistry) Get(name string) Parser
Get returns a parser by name.
func (*ParserRegistry) List ¶
func (r *ParserRegistry) List() []string
List returns all registered parser names.
func (*ParserRegistry) Register ¶
func (r *ParserRegistry) Register(parser Parser)
Register adds a parser to the registry.
type PrintfLogger ¶
type PrintfLogger struct {
// contains filtered or unexported fields
}
PrintfLogger is a simple logger that uses fmt.Printf. This is what the verbose mode was using before.
func NewPrintfLogger ¶
func NewPrintfLogger(prefix string) *PrintfLogger
NewPrintfLogger creates a new printf logger.
func (*PrintfLogger) Debug ¶
func (l *PrintfLogger) Debug(format string, args ...interface{})
func (*PrintfLogger) Error ¶
func (l *PrintfLogger) Error(format string, args ...interface{})
func (*PrintfLogger) Info ¶
func (l *PrintfLogger) Info(format string, args ...interface{})
func (*PrintfLogger) Warn ¶
func (l *PrintfLogger) Warn(format string, args ...interface{})
type ProcessOptions ¶
type ProcessOptions struct {
// Scan options
ScanOptions *ScanOptions `yaml:"scan" json:"scan"`
// Parse options
ParseOptions *ParseOptions `yaml:"parse" json:"parse"`
// Push options
Push bool `yaml:"push" json:"push"`
SaveLocal bool `yaml:"save_local" json:"save_local"`
OutputDir string `yaml:"output_dir" json:"output_dir"`
// Retry
MaxRetries int `yaml:"max_retries" json:"max_retries"`
RetryDelay int `yaml:"retry_delay_seconds" json:"retry_delay_seconds"`
}
ProcessOptions configures the processing workflow.
type ProcessResult ¶
type ProcessResult struct {
// Scanner info
ScannerName string `json:"scanner_name"`
// Scan result
ScanResult *ScanResult `json:"scan_result"`
// Parsed report
Report *ctis.Report `json:"report,omitempty"`
// Push result
PushResult *PushResult `json:"push_result,omitempty"`
// Local file if saved
LocalFile string `json:"local_file,omitempty"`
// Error
Error string `json:"error,omitempty"`
}
ProcessResult holds the result of a complete processing workflow.
type Processor ¶
type Processor interface {
// Process runs a complete scan workflow
Process(ctx context.Context, scanner Scanner, opts *ProcessOptions) (*ProcessResult, error)
// ProcessBatch runs multiple scanners in parallel
ProcessBatch(ctx context.Context, scanners []Scanner, opts *ProcessOptions) ([]*ProcessResult, error)
}
Processor orchestrates the complete workflow: scan -> parse -> push.
type Provider ¶
type Provider interface {
// Name returns the provider name (e.g., "github", "aws")
Name() string
// Connector returns the underlying connector
Connector() Connector
// ListCollectors returns all available collectors
ListCollectors() []Collector
// GetCollector returns a specific collector by name
GetCollector(name string) (Collector, error)
// Initialize sets up the provider with configuration
Initialize(ctx context.Context, config *ProviderConfig) error
// TestConnection tests the provider connection
TestConnection(ctx context.Context) error
// Close closes the provider and all collectors
Close() error
}
Provider bundles a Connector with multiple Collectors for complete integration.
type ProviderConfig ¶
type ProviderConfig struct {
// Connector config
Connector ConnectorConfig `yaml:"connector" json:"connector"`
// Provider-specific settings
Settings map[string]any `yaml:"settings" json:"settings"`
// Which collectors to enable (empty = all)
EnabledCollectors []string `yaml:"enabled_collectors" json:"enabled_collectors"`
}
ProviderConfig holds provider configuration.
type PushResult ¶
type PushResult struct {
Success bool `json:"success"`
Message string `json:"message,omitempty"`
FindingsCreated int `json:"findings_created"`
FindingsUpdated int `json:"findings_updated"`
AssetsCreated int `json:"assets_created"`
AssetsUpdated int `json:"assets_updated"`
}
PushResult holds the result of a push operation.
type Pusher ¶
type Pusher interface {
// PushFindings sends findings to OpenCTEM
PushFindings(ctx context.Context, report *ctis.Report) (*PushResult, error)
// PushAssets sends assets to OpenCTEM
PushAssets(ctx context.Context, report *ctis.Report) (*PushResult, error)
// SendHeartbeat sends a heartbeat to OpenCTEM
SendHeartbeat(ctx context.Context, status *AgentStatus) error
// TestConnection tests the API connection
TestConnection(ctx context.Context) error
}
Pusher sends data to the OpenCTEM API.
type ReconOptions ¶
type ReconOptions struct {
// Target configuration
Target string `yaml:"target" json:"target"` // Domain, IP, or CIDR
InputFile string `yaml:"input_file" json:"input_file"` // File with multiple targets
OutputFile string `yaml:"output_file" json:"output_file"` // Output file path
ExtraArgs []string `yaml:"extra_args" json:"extra_args"` // Additional CLI args
// Performance
Threads int `yaml:"threads" json:"threads"` // Concurrency
RateLimit int `yaml:"rate_limit" json:"rate_limit"` // Rate limit (requests/second)
Timeout time.Duration `yaml:"timeout" json:"timeout"` // Scan timeout
// DNS configuration
Resolvers []string `yaml:"resolvers" json:"resolvers"` // Custom DNS resolvers
// Environment
Env map[string]string `yaml:"env" json:"env"` // Environment variables
// Output
Verbose bool `yaml:"verbose" json:"verbose"`
}
ReconOptions configures a reconnaissance scan.
type ReconResult ¶
type ReconResult struct {
// Scanner info
ScannerName string `json:"scanner_name"`
ScannerVersion string `json:"scanner_version"`
ReconType ReconType `json:"recon_type"`
// Target
Target string `json:"target"`
// Timing
StartedAt int64 `json:"started_at"`
FinishedAt int64 `json:"finished_at"`
DurationMs int64 `json:"duration_ms"`
// Results (populated based on ReconType)
Subdomains []Subdomain `json:"subdomains,omitempty"`
DNSRecords []DNSRecord `json:"dns_records,omitempty"`
OpenPorts []OpenPort `json:"open_ports,omitempty"`
LiveHosts []LiveHost `json:"live_hosts,omitempty"`
URLs []DiscoveredURL `json:"urls,omitempty"`
Technologies []Technology `json:"technologies,omitempty"`
// Raw output
RawOutput []byte `json:"raw_output,omitempty"`
ExitCode int `json:"exit_code"`
Error string `json:"error,omitempty"`
}
ReconResult holds the reconnaissance scan result.
type ReconScanner ¶
type ReconScanner interface {
// Name returns the scanner name (e.g., "subfinder", "naabu")
Name() string
// Version returns the scanner version
Version() string
// Type returns the recon type this scanner performs
Type() ReconType
// Scan performs reconnaissance on the target and returns results
Scan(ctx context.Context, target string, opts *ReconOptions) (*ReconResult, error)
// IsInstalled checks if the underlying tool is available
IsInstalled(ctx context.Context) (bool, string, error)
}
ReconScanner performs reconnaissance and asset discovery. Implement this interface to create a custom recon scanner.
type ReconType ¶
type ReconType string
ReconType represents the type of reconnaissance scan.
const ( ReconTypeSubdomain ReconType = "subdomain" // Subdomain enumeration ReconTypeDNS ReconType = "dns" // DNS resolution and records ReconTypePort ReconType = "port" // Port scanning ReconTypeHTTPProbe ReconType = "http_probe" // HTTP/HTTPS probing ReconTypeURLCrawl ReconType = "url_crawl" // URL and endpoint crawling ReconTypeTechDetect ReconType = "tech_detect" // Technology fingerprinting )
type SARIFParser ¶
type SARIFParser struct{}
SARIFParser parses SARIF format output.
func (*SARIFParser) CanParse ¶
func (p *SARIFParser) CanParse(data []byte) bool
CanParse checks if this parser can handle the data.
func (*SARIFParser) Parse ¶
func (p *SARIFParser) Parse(ctx context.Context, data []byte, opts *ParseOptions) (*ctis.Report, error)
Parse converts SARIF to CTIS format.
func (*SARIFParser) SupportedFormats ¶
func (p *SARIFParser) SupportedFormats() []string
SupportedFormats returns supported formats.
type ScaResult ¶
type ScaResult struct {
// Packages discovered
Packages []Package `json:"packages"`
// Dependency relationships
PackageDependencies []PackageDependency `json:"package_dependencies"`
// Vulnerabilities found
Vulnerabilities []Vulnerability `json:"vulnerabilities"`
// Timing
DurationMs int64 `json:"duration_ms"`
}
ScaResult holds SCA scan results.
type ScaScanOptions ¶
type ScaScanOptions struct {
// Target
TargetDir string `yaml:"target_dir" json:"target_dir"`
// Scan configuration
SkipDBUpdate bool `yaml:"skip_db_update" json:"skip_db_update"`
IgnoreUnfixed bool `yaml:"ignore_unfixed" json:"ignore_unfixed"`
IncludeDevDeps bool `yaml:"include_dev_deps" json:"include_dev_deps"`
// Output
GenerateSBOM bool `yaml:"generate_sbom" json:"generate_sbom"`
SBOMFormat string `yaml:"sbom_format" json:"sbom_format"` // cyclonedx, spdx
// Verbose
Verbose bool `yaml:"verbose" json:"verbose"`
}
ScaScanOptions configures an SCA scan.
type ScaScanner ¶
type ScaScanner interface {
// Name returns the scanner name (e.g., "trivy", "snyk")
Name() string
// Type returns the scanner type
Type() ScannerType
// Scan performs SCA scan and returns results
Scan(ctx context.Context, target string, opts *ScaScanOptions) (*ScaResult, error)
// IsInstalled checks if the scanner is available
IsInstalled(ctx context.Context) (bool, string, error)
}
ScaScanner performs Software Composition Analysis (dependency scanning). It generates SBOM and identifies vulnerabilities in dependencies.
type ScanCommandPayload ¶
type ScanCommandPayload struct {
Scanner string `json:"scanner"`
Target string `json:"target"`
Config map[string]interface{} `json:"config,omitempty"`
TimeoutSeconds int `json:"timeout_seconds,omitempty"`
ReportProgress bool `json:"report_progress,omitempty"`
CustomTemplates []EmbeddedTemplate `json:"custom_templates,omitempty"`
}
ScanCommandPayload is the payload for scan commands.
type ScanOptions ¶
type ScanOptions struct {
// Target configuration
TargetDir string `yaml:"target_dir" json:"target_dir"`
Include []string `yaml:"include" json:"include"`
Exclude []string `yaml:"exclude" json:"exclude"`
ConfigFile string `yaml:"config_file" json:"config_file"`
ExtraArgs []string `yaml:"extra_args" json:"extra_args"`
Env map[string]string `yaml:"env" json:"env"`
// Custom templates directory (written from embedded templates)
// Used by Nuclei (-t), Semgrep (--config), Gitleaks (--config)
CustomTemplateDir string `yaml:"custom_template_dir" json:"custom_template_dir"`
// Asset information for linking findings
RepoURL string `yaml:"repo_url" json:"repo_url"`
Branch string `yaml:"branch" json:"branch"`
CommitSHA string `yaml:"commit_sha" json:"commit_sha"`
// Output
Verbose bool `yaml:"verbose" json:"verbose"`
}
ScanOptions configures a scan.
type ScanResult ¶
type ScanResult struct {
// Scanner info
ScannerName string `json:"scanner_name"`
ScannerVersion string `json:"scanner_version"`
// Timing
StartedAt int64 `json:"started_at"`
FinishedAt int64 `json:"finished_at"`
DurationMs int64 `json:"duration_ms"`
// Output
ExitCode int `json:"exit_code"`
RawOutput []byte `json:"raw_output,omitempty"`
Stderr string `json:"stderr,omitempty"`
// Error (if scan failed)
Error string `json:"error,omitempty"`
}
ScanResult holds the raw scan result before conversion.
type Scanner ¶
type Scanner interface {
// Name returns the scanner name (e.g., "semgrep", "trivy")
Name() string
// Version returns the scanner version
Version() string
// Capabilities returns what the scanner can detect
Capabilities() []string
// Scan performs a scan on the target and returns raw output
Scan(ctx context.Context, target string, opts *ScanOptions) (*ScanResult, error)
// IsInstalled checks if the underlying tool is available
IsInstalled(ctx context.Context) (bool, string, error)
}
Scanner is the main interface for security scanning tools. Implement this interface to create a custom scanner.
type ScannerType ¶
type ScannerType string
ScannerType represents the type of security scanner.
const ( ScannerTypeSAST ScannerType = "sast" // Static Application Security Testing ScannerTypeDependency ScannerType = "dependency" // Software Composition Analysis ScannerTypeSecretDetection ScannerType = "secret_detection" // Secret/Credential Detection ScannerTypeIaC ScannerType = "iac" // Infrastructure as Code ScannerTypeContainer ScannerType = "container" // Container Image Scanning ScannerTypeWeb3 ScannerType = "web3" // Smart Contract Analysis )
type SecretFinding ¶
type SecretFinding struct {
// Identity
RuleID string `json:"rule_id"` // Detection rule ID
Fingerprint string `json:"fingerprint"` // For deduplication
// Classification
SecretType string `json:"secret_type"` // api_key, password, token, etc.
Service string `json:"service"` // AWS, GitHub, Stripe, etc.
// Location
File string `json:"file"`
StartLine int `json:"start_line"`
EndLine int `json:"end_line"`
StartColumn int `json:"start_column"`
EndColumn int `json:"end_column"`
// Content
Match string `json:"match"` // Full matched line
MaskedValue string `json:"masked_value"` // Redacted secret
// Metadata
Entropy float64 `json:"entropy,omitempty"` // Entropy score
Valid *bool `json:"valid,omitempty"` // If verified
Author string `json:"author,omitempty"` // Git author
Commit string `json:"commit,omitempty"` // Git commit
Date string `json:"date,omitempty"` // Commit date
}
SecretFinding represents a detected secret.
type SecretResult ¶
type SecretResult struct {
// Secrets found
Secrets []SecretFinding `json:"secrets"`
// Timing
DurationMs int64 `json:"duration_ms"`
}
SecretResult holds secret scan results.
type SecretScanOptions ¶
type SecretScanOptions struct {
// Target
TargetDir string `yaml:"target_dir" json:"target_dir"`
// Scan configuration
ConfigFile string `yaml:"config_file" json:"config_file"` // Custom rules file
Exclude []string `yaml:"exclude" json:"exclude"` // Paths to exclude
NoGit bool `yaml:"no_git" json:"no_git"` // Don't use git history
// Verification
Verify bool `yaml:"verify" json:"verify"` // Verify secrets are valid
// Verbose
Verbose bool `yaml:"verbose" json:"verbose"`
}
SecretScanOptions configures a secret scan.
type SecretScanner ¶
type SecretScanner interface {
// Name returns the scanner name (e.g., "gitleaks", "trufflehog")
Name() string
// Type returns the scanner type
Type() ScannerType
// Scan performs secret detection and returns results
Scan(ctx context.Context, target string, opts *SecretScanOptions) (*SecretResult, error)
// IsInstalled checks if the scanner is available
IsInstalled(ctx context.Context) (bool, string, error)
}
SecretScanner detects secrets and credentials in code.
type Subdomain ¶
type Subdomain struct {
Host string `json:"host"` // Full subdomain (e.g., api.example.com)
Domain string `json:"domain"` // Root domain (e.g., example.com)
Source string `json:"source,omitempty"` // Discovery source (crtsh, hackertarget, etc.)
IPs []string `json:"ips,omitempty"` // Resolved IP addresses
}
Subdomain represents a discovered subdomain.
type Technology ¶
type Technology struct {
Name string `json:"name"` // Technology name
Version string `json:"version,omitempty"` // Version if detected
Categories []string `json:"categories,omitempty"` // Category (framework, cms, etc.)
Confidence int `json:"confidence,omitempty"` // Detection confidence (0-100)
Website string `json:"website,omitempty"` // Technology website
}
Technology represents a detected technology.
type TemplateCache ¶
type TemplateCache struct {
// contains filtered or unexported fields
}
TemplateCache provides persistent caching of custom templates. Templates are organized by: {cache_dir}/{tenant_id}/{template_type}/{template_name}
func NewTemplateCache ¶
func NewTemplateCache(cfg *TemplateCacheConfig) (*TemplateCache, error)
NewTemplateCache creates a new template cache.
func (*TemplateCache) Cleanup ¶
func (c *TemplateCache) Cleanup() error
Cleanup removes old and excess cached templates.
func (*TemplateCache) Clear ¶
func (c *TemplateCache) Clear(tenantID string) error
Clear removes all cached templates for a tenant.
func (*TemplateCache) Get ¶
func (c *TemplateCache) Get(contentHash string) (string, bool)
Get retrieves a template from cache by content hash. Returns the file path if found and valid, empty string otherwise.
func (*TemplateCache) GetOrPut ¶
func (c *TemplateCache) GetOrPut(tenantID string, template *EmbeddedTemplate) (string, error)
GetOrPut returns cached template path or caches the template.
func (*TemplateCache) GetTemplateDir ¶
func (c *TemplateCache) GetTemplateDir(tenantID, templateType string, templates []EmbeddedTemplate) (string, error)
GetTemplateDir returns the directory for a specific tenant and template type. Creates the directory if it doesn't exist. Returns empty string if templates slice is empty.
func (*TemplateCache) Put ¶
func (c *TemplateCache) Put(tenantID string, template *EmbeddedTemplate) (string, error)
Put stores a template in the cache. Returns the file path where the template was written.
func (*TemplateCache) Remove ¶
func (c *TemplateCache) Remove(contentHash string) error
Remove removes a template from cache by content hash.
func (*TemplateCache) Stats ¶
func (c *TemplateCache) Stats() *CacheStats
Stats returns cache statistics.
type TemplateCacheConfig ¶
type TemplateCacheConfig struct {
// CacheDir is the base directory for cached templates.
// Default: ~/.openctem/templates
CacheDir string
// MaxCacheAge is the maximum age of cached templates before cleanup.
// Default: 7 days
MaxCacheAge time.Duration
// MaxCacheSize is the maximum total size of the cache in bytes.
// Default: 100MB
MaxCacheSize int64
// CleanupInterval is how often to run cleanup.
// Default: 1 hour
CleanupInterval time.Duration
// Verbose enables verbose logging.
Verbose bool
}
TemplateCacheConfig configures the template cache.
func DefaultTemplateCacheConfig ¶
func DefaultTemplateCacheConfig() *TemplateCacheConfig
DefaultTemplateCacheConfig returns default cache configuration.
type ValidationError ¶
ValidationError represents a configuration validation error.
func (*ValidationError) Error ¶
func (e *ValidationError) Error() string
type ValidationErrors ¶
type ValidationErrors []ValidationError
ValidationErrors is a collection of validation errors.
func (*ValidationErrors) Add ¶
func (e *ValidationErrors) Add(field, message string)
Add adds a validation error.
func (ValidationErrors) Error ¶
func (e ValidationErrors) Error() string
func (ValidationErrors) HasErrors ¶
func (e ValidationErrors) HasErrors() bool
HasErrors returns true if there are any errors.
type Validator ¶
type Validator struct {
// contains filtered or unexported fields
}
Validator provides validation methods for configurations.
func (*Validator) DirectoryExists ¶
DirectoryExists validates that a directory exists.
func (*Validator) Errors ¶
func (v *Validator) Errors() ValidationErrors
Errors returns all validation errors.
func (*Validator) FileExists ¶
FileExists validates that a file exists.
func (*Validator) MaxDuration ¶
MaxDuration validates that a duration is at most the maximum.
func (*Validator) MinDuration ¶
MinDuration validates that a duration is at least the minimum.
type Vulnerability ¶
type Vulnerability struct {
// Identity
ID string `json:"id"` // CVE ID or advisory ID
Fingerprint string `json:"fingerprint"` // For deduplication
// Package info
PkgID string `json:"pkg_id"` // Affected package ID
PkgName string `json:"pkg_name"` // Package name
PkgVersion string `json:"pkg_version"` // Installed version
// Vulnerability info
Name string `json:"name"` // Short title
Description string `json:"description"` // Full description
Severity string `json:"severity"` // critical, high, medium, low
FixedVersion string `json:"fixed_version"` // Version with fix
// Metadata
Metadata *VulnerabilityMetadata `json:"metadata,omitempty"`
}
Vulnerability represents a security vulnerability in a package.
type VulnerabilityMetadata ¶
type VulnerabilityMetadata struct {
CWEs []string `json:"cwes,omitempty"` // CWE identifiers
References []string `json:"references,omitempty"` // Advisory URLs
CVSSScore float64 `json:"cvss_score,omitempty"` // CVSS score
CVSSVector string `json:"cvss_vector,omitempty"` // CVSS vector string
Source string `json:"source,omitempty"` // NVD, GHSA, etc.
}
VulnerabilityMetadata contains additional vulnerability details.
type WebhookCollector ¶
type WebhookCollector struct {
*BaseCollector
// contains filtered or unexported fields
}
WebhookCollector receives data via HTTP webhooks.
func NewWebhookCollector ¶
func NewWebhookCollector(cfg *WebhookCollectorConfig) *WebhookCollector
NewWebhookCollector creates a new webhook collector.
func (*WebhookCollector) Collect ¶
func (c *WebhookCollector) Collect(ctx context.Context, opts *CollectOptions) (*CollectResult, error)
Collect waits for webhook data (blocking).
type WebhookCollectorConfig ¶
type WebhookCollectorConfig struct {
ListenAddr string `yaml:"listen_addr" json:"listen_addr"`
Secret string `yaml:"secret" json:"secret"`
Verbose bool `yaml:"verbose" json:"verbose"`
}
WebhookCollectorConfig configures a webhook collector.
Source Files
Click to show internal directories.
Click to hide internal directories.