Documentation
¶
Index ¶
- type Alert
- type AlertLevel
- type AllowList
- type ApprovalStatus
- type ApprovalWorkflow
- func (w *ApprovalWorkflow) AddApprover(approver string)
- func (w *ApprovalWorkflow) AddComment(templateID, versionID, user, comment string) error
- func (w *ApprovalWorkflow) ApproveVersion(templateID, versionID, user string) error
- func (w *ApprovalWorkflow) CreateVersion(ctx context.Context, template *format.Template, user string) (*TemplateVersion, error)
- func (w *ApprovalWorkflow) DeprecateVersion(templateID, versionID, user, reason string) error
- func (w *ApprovalWorkflow) GetLatestApprovedVersion(templateID string) (*TemplateVersion, error)
- func (w *ApprovalWorkflow) GetLatestVersion(templateID string) (*TemplateVersion, error)
- func (w *ApprovalWorkflow) GetVersion(templateID, versionID string) (*TemplateVersion, error)
- func (w *ApprovalWorkflow) GetVersions(templateID string) ([]*TemplateVersion, error)
- func (w *ApprovalWorkflow) IsApprover(user string) bool
- func (w *ApprovalWorkflow) RejectVersion(templateID, versionID, user, reason string) error
- func (w *ApprovalWorkflow) SubmitForReview(templateID, versionID, user string) error
- type ComplexityFactor
- type ContainerSandbox
- type ContainerSandboxOptions
- type DefaultSandbox
- func (s *DefaultSandbox) Execute(ctx context.Context, template *format.Template, options *SandboxOptions) (*ExecutionResult, error)
- func (s *DefaultSandbox) ExecuteFile(ctx context.Context, templatePath string, options *SandboxOptions) (*ExecutionResult, error)
- func (s *DefaultSandbox) GetAllowList() *AllowList
- func (s *DefaultSandbox) SetAllowList(allowList *AllowList)
- func (s *DefaultSandbox) Validate(ctx context.Context, template *format.Template, options *SandboxOptions) ([]*security.SecurityIssue, error)
- func (s *DefaultSandbox) ValidateFile(ctx context.Context, templatePath string, options *SandboxOptions) ([]*security.SecurityIssue, error)
- type DisallowedFunctionsFactor
- type ExecutionMode
- type ExecutionResult
- type FileSystemAccessFactor
- type FrameworkOptions
- type InputValidationFactor
- type MetricsCollector
- func (m *MetricsCollector) ClearAlerts()
- func (m *MetricsCollector) GetAlerts() []Alert
- func (m *MetricsCollector) GetAlertsByLevel(level AlertLevel) []Alert
- func (m *MetricsCollector) GetExecutionMetrics() map[string]interface{}
- func (m *MetricsCollector) GetValidationMetrics() map[string]interface{}
- func (m *MetricsCollector) GetWorkflowMetrics() map[string]interface{}
- func (m *MetricsCollector) RecordExecution(result *ExecutionResult, templateID string)
- func (m *MetricsCollector) RecordValidation(result *ValidationResult)
- func (m *MetricsCollector) RecordWorkflowAction(action string, version *TemplateVersion)
- func (m *MetricsCollector) ResetMetrics()
- type ResourceLimits
- type ResourceUsage
- type RiskCategory
- type RiskFactor
- type RiskFactorEvaluator
- type RiskScore
- type SandboxOptions
- type SecurityFramework
- func (f *SecurityFramework) AddApprover(approver string)
- func (f *SecurityFramework) ApproveTemplate(templateID, versionID, user string) error
- func (f *SecurityFramework) ClearAlerts()
- func (f *SecurityFramework) CreateTemplateVersion(ctx context.Context, template *format.Template, user string) (*TemplateVersion, error)
- func (f *SecurityFramework) ExecuteTemplate(ctx context.Context, template *format.Template) (*ExecutionResult, error)
- func (f *SecurityFramework) ExecuteTemplateFile(ctx context.Context, templatePath string) (*ExecutionResult, error)
- func (f *SecurityFramework) GetAlerts() []Alert
- func (f *SecurityFramework) GetAlertsByLevel(level AlertLevel) []Alert
- func (f *SecurityFramework) GetLatestApprovedTemplateVersion(templateID string) (*TemplateVersion, error)
- func (f *SecurityFramework) GetLatestTemplateVersion(templateID string) (*TemplateVersion, error)
- func (f *SecurityFramework) GetMetrics() map[string]interface{}
- func (f *SecurityFramework) GetTemplateVersion(templateID, versionID string) (*TemplateVersion, error)
- func (f *SecurityFramework) IsApprover(user string) bool
- func (f *SecurityFramework) RejectTemplate(templateID, versionID, user, reason string) error
- func (f *SecurityFramework) ResetMetrics()
- func (f *SecurityFramework) SubmitTemplateForReview(templateID, versionID, user string) error
- func (f *SecurityFramework) ValidateTemplate(ctx context.Context, template *format.Template) (*ValidationResult, error)
- func (f *SecurityFramework) ValidateTemplateFile(ctx context.Context, templatePath string) (*ValidationResult, error)
- type SecurityIssuesFactor
- type TemplateSandbox
- type TemplateScorer
- type TemplateValidator
- type TemplateVersion
- type ValidationLevel
- type ValidationOptions
- type ValidationResult
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Alert ¶
type Alert struct {
// Timestamp is the time of the alert
Timestamp time.Time
// Level is the alert level
Level AlertLevel
// Message is the alert message
Message string
// TemplateID is the ID of the template that triggered the alert
TemplateID string
// Issues are the security issues that triggered the alert
Issues []*security.SecurityIssue
}
Alert represents a security alert
type AlertLevel ¶
type AlertLevel string
AlertLevel represents the level of an alert
const ( // AlertLevelInfo is an informational alert AlertLevelInfo AlertLevel = "info" // AlertLevelWarning is a warning alert AlertLevelWarning AlertLevel = "warning" // AlertLevelError is an error alert AlertLevelError AlertLevel = "error" // AlertLevelCritical is a critical alert AlertLevelCritical AlertLevel = "critical" )
type AllowList ¶
type AllowList struct {
// Functions is a list of allowed functions
Functions []string
// Packages is a list of allowed packages
Packages []string
// FilePatterns is a list of allowed file patterns
FilePatterns []string
// NetworkDomains is a list of allowed network domains
NetworkDomains []string
// EnvironmentVariables is a list of allowed environment variables
EnvironmentVariables []string
}
AllowList defines allowed operations for template execution
func NewAllowList ¶
func NewAllowList() *AllowList
NewAllowList creates a new allow list with default values
type ApprovalStatus ¶
type ApprovalStatus string
ApprovalStatus represents the approval status of a template
const ( // StatusDraft indicates a template is in draft status StatusDraft ApprovalStatus = "draft" // StatusPendingReview indicates a template is pending review StatusPendingReview ApprovalStatus = "pending_review" // StatusApproved indicates a template is approved StatusApproved ApprovalStatus = "approved" // StatusRejected indicates a template is rejected StatusRejected ApprovalStatus = "rejected" // StatusDeprecated indicates a template is deprecated StatusDeprecated ApprovalStatus = "deprecated" )
type ApprovalWorkflow ¶
type ApprovalWorkflow struct {
// contains filtered or unexported fields
}
ApprovalWorkflow manages the template approval workflow
func NewApprovalWorkflow ¶
func NewApprovalWorkflow(validator *TemplateValidator, scorer *TemplateScorer, storageDir string) *ApprovalWorkflow
NewApprovalWorkflow creates a new approval workflow
func (*ApprovalWorkflow) AddApprover ¶
func (w *ApprovalWorkflow) AddApprover(approver string)
AddApprover adds an approver to the workflow
func (*ApprovalWorkflow) AddComment ¶
func (w *ApprovalWorkflow) AddComment(templateID, versionID, user, comment string) error
AddComment adds a comment to a template version
func (*ApprovalWorkflow) ApproveVersion ¶
func (w *ApprovalWorkflow) ApproveVersion(templateID, versionID, user string) error
ApproveVersion approves a template version
func (*ApprovalWorkflow) CreateVersion ¶
func (w *ApprovalWorkflow) CreateVersion(ctx context.Context, template *format.Template, user string) (*TemplateVersion, error)
CreateVersion creates a new version of a template
func (*ApprovalWorkflow) DeprecateVersion ¶
func (w *ApprovalWorkflow) DeprecateVersion(templateID, versionID, user, reason string) error
DeprecateVersion deprecates a template version
func (*ApprovalWorkflow) GetLatestApprovedVersion ¶
func (w *ApprovalWorkflow) GetLatestApprovedVersion(templateID string) (*TemplateVersion, error)
GetLatestApprovedVersion gets the latest approved version of a template
func (*ApprovalWorkflow) GetLatestVersion ¶
func (w *ApprovalWorkflow) GetLatestVersion(templateID string) (*TemplateVersion, error)
GetLatestVersion gets the latest version of a template
func (*ApprovalWorkflow) GetVersion ¶
func (w *ApprovalWorkflow) GetVersion(templateID, versionID string) (*TemplateVersion, error)
GetVersion gets a template version
func (*ApprovalWorkflow) GetVersions ¶
func (w *ApprovalWorkflow) GetVersions(templateID string) ([]*TemplateVersion, error)
GetVersions gets all versions of a template
func (*ApprovalWorkflow) IsApprover ¶
func (w *ApprovalWorkflow) IsApprover(user string) bool
IsApprover checks if a user is an approver
func (*ApprovalWorkflow) RejectVersion ¶
func (w *ApprovalWorkflow) RejectVersion(templateID, versionID, user, reason string) error
RejectVersion rejects a template version
func (*ApprovalWorkflow) SubmitForReview ¶
func (w *ApprovalWorkflow) SubmitForReview(templateID, versionID, user string) error
SubmitForReview submits a template version for review
type ComplexityFactor ¶
type ComplexityFactor struct {
// contains filtered or unexported fields
}
ComplexityFactor evaluates the risk based on template complexity
func (*ComplexityFactor) Description ¶
func (f *ComplexityFactor) Description() string
Description returns a description of the risk factor
func (*ComplexityFactor) Evaluate ¶
func (f *ComplexityFactor) Evaluate(template *format.Template, issues []*security.SecurityIssue) float64
Evaluate evaluates the risk factor for a template
func (*ComplexityFactor) Name ¶
func (f *ComplexityFactor) Name() string
Name returns the name of the risk factor
func (*ComplexityFactor) Weight ¶
func (f *ComplexityFactor) Weight() float64
Weight returns the weight of the risk factor
type ContainerSandbox ¶
type ContainerSandbox struct {
DefaultSandbox
// contains filtered or unexported fields
}
ContainerSandbox is a sandbox implementation that uses containers for isolation
func NewContainerSandbox ¶
func NewContainerSandbox(verifier security.TemplateVerifier, options *SandboxOptions, containerOptions *ContainerSandboxOptions) (*ContainerSandbox, error)
NewContainerSandbox creates a new container-based sandbox
func (*ContainerSandbox) Execute ¶
func (s *ContainerSandbox) Execute(ctx context.Context, template *format.Template, options *SandboxOptions) (*ExecutionResult, error)
Execute executes a template in a container sandbox
type ContainerSandboxOptions ¶
type ContainerSandboxOptions struct {
ContainerEngine string // "docker" or "podman"
ImageName string // Container image to use
NetworkMode string // Network mode (none, host, bridge)
VolumeBinds []string // Volume bindings
CleanupTimeout time.Duration
}
ContainerSandboxOptions contains options specific to container-based sandboxes
func DefaultContainerSandboxOptions ¶
func DefaultContainerSandboxOptions() *ContainerSandboxOptions
DefaultContainerSandboxOptions returns the default container sandbox options
type DefaultSandbox ¶
type DefaultSandbox struct {
// contains filtered or unexported fields
}
DefaultSandbox is the default implementation of TemplateSandbox
func NewSandbox ¶
func NewSandbox(verifier security.TemplateVerifier, options *SandboxOptions) *DefaultSandbox
NewSandbox creates a new template sandbox
func (*DefaultSandbox) Execute ¶
func (s *DefaultSandbox) Execute(ctx context.Context, template *format.Template, options *SandboxOptions) (*ExecutionResult, error)
Execute executes a template in the sandbox
func (*DefaultSandbox) ExecuteFile ¶
func (s *DefaultSandbox) ExecuteFile(ctx context.Context, templatePath string, options *SandboxOptions) (*ExecutionResult, error)
ExecuteFile executes a template file in the sandbox
func (*DefaultSandbox) GetAllowList ¶
func (s *DefaultSandbox) GetAllowList() *AllowList
GetAllowList returns the allow list for template execution
func (*DefaultSandbox) SetAllowList ¶
func (s *DefaultSandbox) SetAllowList(allowList *AllowList)
SetAllowList sets the allow list for template execution
func (*DefaultSandbox) Validate ¶
func (s *DefaultSandbox) Validate(ctx context.Context, template *format.Template, options *SandboxOptions) ([]*security.SecurityIssue, error)
Validate validates a template against security rules
func (*DefaultSandbox) ValidateFile ¶
func (s *DefaultSandbox) ValidateFile(ctx context.Context, templatePath string, options *SandboxOptions) ([]*security.SecurityIssue, error)
ValidateFile validates a template file against security rules
type DisallowedFunctionsFactor ¶
type DisallowedFunctionsFactor struct {
// contains filtered or unexported fields
}
DisallowedFunctionsFactor evaluates the risk based on disallowed functions
func (*DisallowedFunctionsFactor) Description ¶
func (f *DisallowedFunctionsFactor) Description() string
Description returns a description of the risk factor
func (*DisallowedFunctionsFactor) Evaluate ¶
func (f *DisallowedFunctionsFactor) Evaluate(template *format.Template, issues []*security.SecurityIssue) float64
Evaluate evaluates the risk factor for a template
func (*DisallowedFunctionsFactor) Name ¶
func (f *DisallowedFunctionsFactor) Name() string
Name returns the name of the risk factor
func (*DisallowedFunctionsFactor) Weight ¶
func (f *DisallowedFunctionsFactor) Weight() float64
Weight returns the weight of the risk factor
type ExecutionMode ¶
type ExecutionMode string
ExecutionMode defines how templates are executed in the sandbox
const ( // ModeStrict runs templates with maximum restrictions ModeStrict ExecutionMode = "strict" // ModeStandard runs templates with standard restrictions ModeStandard ExecutionMode = "standard" // ModeDevelopment runs templates with minimal restrictions (for development only) ModeDevelopment ExecutionMode = "development" )
type ExecutionResult ¶
type ExecutionResult struct {
// Success indicates if the execution was successful
Success bool
// Output is the output of the execution
Output string
// Error is the error message if execution failed
Error string
// ExecutionTime is the execution time
ExecutionTime time.Duration
// ResourceUsage contains information about resource usage
ResourceUsage ResourceUsage
// SecurityIssues contains security issues found during execution
SecurityIssues []*security.SecurityIssue
}
ExecutionResult represents the result of template execution in the sandbox
type FileSystemAccessFactor ¶
type FileSystemAccessFactor struct {
// contains filtered or unexported fields
}
FileSystemAccessFactor evaluates the risk based on file system access
func (*FileSystemAccessFactor) Description ¶
func (f *FileSystemAccessFactor) Description() string
Description returns a description of the risk factor
func (*FileSystemAccessFactor) Evaluate ¶
func (f *FileSystemAccessFactor) Evaluate(template *format.Template, issues []*security.SecurityIssue) float64
Evaluate evaluates the risk factor for a template
func (*FileSystemAccessFactor) Name ¶
func (f *FileSystemAccessFactor) Name() string
Name returns the name of the risk factor
func (*FileSystemAccessFactor) Weight ¶
func (f *FileSystemAccessFactor) Weight() float64
Weight returns the weight of the risk factor
type FrameworkOptions ¶
type FrameworkOptions struct {
// ValidationOptions are the validation options
ValidationOptions *ValidationOptions
// SandboxOptions are the sandbox options
SandboxOptions *SandboxOptions
// WorkflowStorageDir is the directory for storing workflow data
WorkflowStorageDir string
// EnableContainerSandbox enables the container-based sandbox
EnableContainerSandbox bool
// ContainerOptions are the container sandbox options
ContainerOptions *ContainerSandboxOptions
// EnableLogging enables logging
EnableLogging bool
// LogDirectory is the directory for logs
LogDirectory string
// EnableMetrics enables metrics collection
EnableMetrics bool
}
FrameworkOptions contains options for the security framework
func DefaultFrameworkOptions ¶
func DefaultFrameworkOptions() *FrameworkOptions
DefaultFrameworkOptions returns the default framework options
type InputValidationFactor ¶
type InputValidationFactor struct {
// contains filtered or unexported fields
}
InputValidationFactor evaluates the risk based on input validation
func (*InputValidationFactor) Description ¶
func (f *InputValidationFactor) Description() string
Description returns a description of the risk factor
func (*InputValidationFactor) Evaluate ¶
func (f *InputValidationFactor) Evaluate(template *format.Template, issues []*security.SecurityIssue) float64
Evaluate evaluates the risk factor for a template
func (*InputValidationFactor) Name ¶
func (f *InputValidationFactor) Name() string
Name returns the name of the risk factor
func (*InputValidationFactor) Weight ¶
func (f *InputValidationFactor) Weight() float64
Weight returns the weight of the risk factor
type MetricsCollector ¶
type MetricsCollector struct {
// contains filtered or unexported fields
}
MetricsCollector collects metrics for the template security framework
func NewMetricsCollector ¶
func NewMetricsCollector() *MetricsCollector
NewMetricsCollector creates a new metrics collector
func (*MetricsCollector) ClearAlerts ¶
func (m *MetricsCollector) ClearAlerts()
ClearAlerts clears all alerts
func (*MetricsCollector) GetAlerts ¶
func (m *MetricsCollector) GetAlerts() []Alert
GetAlerts gets the alerts
func (*MetricsCollector) GetAlertsByLevel ¶
func (m *MetricsCollector) GetAlertsByLevel(level AlertLevel) []Alert
GetAlertsByLevel gets alerts by level
func (*MetricsCollector) GetExecutionMetrics ¶
func (m *MetricsCollector) GetExecutionMetrics() map[string]interface{}
GetExecutionMetrics gets the execution metrics
func (*MetricsCollector) GetValidationMetrics ¶
func (m *MetricsCollector) GetValidationMetrics() map[string]interface{}
GetValidationMetrics gets the validation metrics
func (*MetricsCollector) GetWorkflowMetrics ¶
func (m *MetricsCollector) GetWorkflowMetrics() map[string]interface{}
GetWorkflowMetrics gets the workflow metrics
func (*MetricsCollector) RecordExecution ¶
func (m *MetricsCollector) RecordExecution(result *ExecutionResult, templateID string)
RecordExecution records a template execution
func (*MetricsCollector) RecordValidation ¶
func (m *MetricsCollector) RecordValidation(result *ValidationResult)
RecordValidation records a template validation
func (*MetricsCollector) RecordWorkflowAction ¶
func (m *MetricsCollector) RecordWorkflowAction(action string, version *TemplateVersion)
RecordWorkflowAction records a workflow action
func (*MetricsCollector) ResetMetrics ¶
func (m *MetricsCollector) ResetMetrics()
ResetMetrics resets all metrics
type ResourceLimits ¶
type ResourceLimits struct {
// MaxCPUTime is the maximum CPU time in seconds
MaxCPUTime float64
// MaxMemory is the maximum memory in MB
MaxMemory int64
// MaxExecutionTime is the maximum execution time
MaxExecutionTime time.Duration
// MaxFileSize is the maximum file size in bytes
MaxFileSize int64
// MaxOpenFiles is the maximum number of open files
MaxOpenFiles int
// MaxProcesses is the maximum number of processes
MaxProcesses int
// NetworkAccess determines if network access is allowed
NetworkAccess bool
// FileSystemAccess determines if file system access is allowed
FileSystemAccess bool
}
ResourceLimits defines resource limits for template execution
func DefaultResourceLimits ¶
func DefaultResourceLimits() ResourceLimits
DefaultResourceLimits returns the default resource limits
type ResourceUsage ¶
type ResourceUsage struct {
// CPUTime is the CPU time used in seconds
CPUTime float64
// MemoryUsage is the memory used in MB
MemoryUsage int64
// ExecutionTime is the execution time
ExecutionTime time.Duration
// FileOperations is the number of file operations
FileOperations int
// NetworkOperations is the number of network operations
NetworkOperations int
}
ResourceUsage contains information about resource usage during execution
type RiskCategory ¶
type RiskCategory string
RiskCategory represents a category of risk for templates
const ( // RiskCategoryLow represents low risk templates RiskCategoryLow RiskCategory = "low" // RiskCategoryMedium represents medium risk templates RiskCategoryMedium RiskCategory = "medium" // RiskCategoryHigh represents high risk templates RiskCategoryHigh RiskCategory = "high" // RiskCategoryCritical represents critical risk templates RiskCategoryCritical RiskCategory = "critical" )
type RiskFactor ¶
type RiskFactor struct {
// Name is the name of the factor
Name string
// Description is a description of the factor
Description string
// Score is the score contribution of this factor
Score float64
// Weight is the weight of this factor in the overall score
Weight float64
}
RiskFactor represents a factor that contributes to the risk score
type RiskFactorEvaluator ¶
type RiskFactorEvaluator interface {
// Name returns the name of the risk factor
Name() string
// Description returns a description of the risk factor
Description() string
// Weight returns the weight of the risk factor
Weight() float64
// Evaluate evaluates the risk factor for a template
Evaluate(template *format.Template, issues []*security.SecurityIssue) float64
}
RiskFactorEvaluator evaluates a specific risk factor
type RiskScore ¶
type RiskScore struct {
// Score is the numerical risk score (0-100)
Score float64
// Category is the risk category
Category RiskCategory
// Factors contains the factors that contributed to the score
Factors []RiskFactor
}
RiskScore represents a risk score for a template
type SandboxOptions ¶
type SandboxOptions struct {
// Mode is the execution mode
Mode ExecutionMode
// ResourceLimits defines resource limits for template execution
ResourceLimits ResourceLimits
// AllowedFunctions is a list of allowed functions
AllowedFunctions []string
// AllowedPackages is a list of allowed packages
AllowedPackages []string
// DisallowedFunctions is a list of disallowed functions
DisallowedFunctions []string
// DisallowedPackages is a list of disallowed packages
DisallowedPackages []string
// TimeoutDuration is the timeout duration for template execution
TimeoutDuration time.Duration
// EnableLogging enables logging of template execution
EnableLogging bool
// LogDirectory is the directory for logs
LogDirectory string
// ValidationOptions are the options for template validation
ValidationOptions *security.VerificationOptions
}
SandboxOptions defines options for the template sandbox
func DefaultSandboxOptions ¶
func DefaultSandboxOptions() *SandboxOptions
DefaultSandboxOptions returns the default sandbox options
type SecurityFramework ¶
type SecurityFramework struct {
// contains filtered or unexported fields
}
SecurityFramework provides a comprehensive security framework for templates
func NewSecurityFramework ¶
func NewSecurityFramework(options *FrameworkOptions) (*SecurityFramework, error)
NewSecurityFramework creates a new security framework
func (*SecurityFramework) AddApprover ¶
func (f *SecurityFramework) AddApprover(approver string)
AddApprover adds an approver to the workflow
func (*SecurityFramework) ApproveTemplate ¶
func (f *SecurityFramework) ApproveTemplate(templateID, versionID, user string) error
ApproveTemplate approves a template version
func (*SecurityFramework) ClearAlerts ¶
func (f *SecurityFramework) ClearAlerts()
ClearAlerts clears all alerts from the metrics collector
func (*SecurityFramework) CreateTemplateVersion ¶
func (f *SecurityFramework) CreateTemplateVersion(ctx context.Context, template *format.Template, user string) (*TemplateVersion, error)
CreateTemplateVersion creates a new version of a template
func (*SecurityFramework) ExecuteTemplate ¶
func (f *SecurityFramework) ExecuteTemplate(ctx context.Context, template *format.Template) (*ExecutionResult, error)
ExecuteTemplate executes a template in the sandbox
func (*SecurityFramework) ExecuteTemplateFile ¶
func (f *SecurityFramework) ExecuteTemplateFile(ctx context.Context, templatePath string) (*ExecutionResult, error)
ExecuteTemplateFile executes a template file in the sandbox
func (*SecurityFramework) GetAlerts ¶
func (f *SecurityFramework) GetAlerts() []Alert
GetAlerts returns the alerts from the metrics collector
func (*SecurityFramework) GetAlertsByLevel ¶
func (f *SecurityFramework) GetAlertsByLevel(level AlertLevel) []Alert
GetAlertsByLevel returns alerts by level from the metrics collector
func (*SecurityFramework) GetLatestApprovedTemplateVersion ¶
func (f *SecurityFramework) GetLatestApprovedTemplateVersion(templateID string) (*TemplateVersion, error)
GetLatestApprovedTemplateVersion gets the latest approved version of a template
func (*SecurityFramework) GetLatestTemplateVersion ¶
func (f *SecurityFramework) GetLatestTemplateVersion(templateID string) (*TemplateVersion, error)
GetLatestTemplateVersion gets the latest version of a template
func (*SecurityFramework) GetMetrics ¶
func (f *SecurityFramework) GetMetrics() map[string]interface{}
GetMetrics returns the metrics from the metrics collector
func (*SecurityFramework) GetTemplateVersion ¶
func (f *SecurityFramework) GetTemplateVersion(templateID, versionID string) (*TemplateVersion, error)
GetTemplateVersion gets a template version
func (*SecurityFramework) IsApprover ¶
func (f *SecurityFramework) IsApprover(user string) bool
IsApprover checks if a user is an approver
func (*SecurityFramework) RejectTemplate ¶
func (f *SecurityFramework) RejectTemplate(templateID, versionID, user, reason string) error
RejectTemplate rejects a template version
func (*SecurityFramework) ResetMetrics ¶
func (f *SecurityFramework) ResetMetrics()
ResetMetrics resets all metrics in the metrics collector
func (*SecurityFramework) SubmitTemplateForReview ¶
func (f *SecurityFramework) SubmitTemplateForReview(templateID, versionID, user string) error
SubmitTemplateForReview submits a template version for review
func (*SecurityFramework) ValidateTemplate ¶
func (f *SecurityFramework) ValidateTemplate(ctx context.Context, template *format.Template) (*ValidationResult, error)
ValidateTemplate validates a template
func (*SecurityFramework) ValidateTemplateFile ¶
func (f *SecurityFramework) ValidateTemplateFile(ctx context.Context, templatePath string) (*ValidationResult, error)
ValidateTemplateFile validates a template file
type SecurityIssuesFactor ¶
type SecurityIssuesFactor struct {
// contains filtered or unexported fields
}
SecurityIssuesFactor evaluates the risk based on security issues
func (*SecurityIssuesFactor) Description ¶
func (f *SecurityIssuesFactor) Description() string
Description returns a description of the risk factor
func (*SecurityIssuesFactor) Evaluate ¶
func (f *SecurityIssuesFactor) Evaluate(template *format.Template, issues []*security.SecurityIssue) float64
Evaluate evaluates the risk factor for a template
func (*SecurityIssuesFactor) Name ¶
func (f *SecurityIssuesFactor) Name() string
Name returns the name of the risk factor
func (*SecurityIssuesFactor) Weight ¶
func (f *SecurityIssuesFactor) Weight() float64
Weight returns the weight of the risk factor
type TemplateSandbox ¶
type TemplateSandbox interface {
// Execute executes a template in the sandbox
Execute(ctx context.Context, template *format.Template, options *SandboxOptions) (*ExecutionResult, error)
// ExecuteFile executes a template file in the sandbox
ExecuteFile(ctx context.Context, templatePath string, options *SandboxOptions) (*ExecutionResult, error)
// Validate validates a template against security rules
Validate(ctx context.Context, template *format.Template, options *SandboxOptions) ([]*security.SecurityIssue, error)
// ValidateFile validates a template file against security rules
ValidateFile(ctx context.Context, templatePath string, options *SandboxOptions) ([]*security.SecurityIssue, error)
// GetAllowList returns the allow list for template execution
GetAllowList() *AllowList
// SetAllowList sets the allow list for template execution
SetAllowList(allowList *AllowList)
}
TemplateSandbox is the interface for template sandboxes
type TemplateScorer ¶
type TemplateScorer struct {
// contains filtered or unexported fields
}
TemplateScorer is responsible for scoring templates based on risk factors
func NewTemplateScorer ¶
func NewTemplateScorer() *TemplateScorer
NewTemplateScorer creates a new template scorer
func (*TemplateScorer) ScoreTemplate ¶
func (s *TemplateScorer) ScoreTemplate(template *format.Template, issues []*security.SecurityIssue) *RiskScore
ScoreTemplate scores a template based on risk factors
type TemplateValidator ¶
type TemplateValidator struct {
// contains filtered or unexported fields
}
TemplateValidator is responsible for validating templates
func NewTemplateValidator ¶
func NewTemplateValidator(verifier security.TemplateVerifier, options *ValidationOptions) *TemplateValidator
NewTemplateValidator creates a new template validator
func (*TemplateValidator) Validate ¶
func (v *TemplateValidator) Validate(ctx context.Context, template *format.Template) ([]*security.SecurityIssue, error)
Validate validates a template
func (*TemplateValidator) ValidateFile ¶
func (v *TemplateValidator) ValidateFile(ctx context.Context, templatePath string) ([]*security.SecurityIssue, error)
ValidateFile validates a template file
type TemplateVersion ¶
type TemplateVersion struct {
// ID is the version ID
ID string
// TemplateID is the ID of the template
TemplateID string
// Version is the version number
Version string
// Content is the template content
Content string
// Status is the approval status
Status ApprovalStatus
// CreatedAt is the creation time
CreatedAt time.Time
// UpdatedAt is the last update time
UpdatedAt time.Time
// ApprovedBy is the user who approved the template
ApprovedBy string
// ApprovedAt is the approval time
ApprovedAt time.Time
// RiskScore is the risk score
RiskScore *RiskScore
// SecurityIssues are the security issues found in the template
SecurityIssues []*security.SecurityIssue
// Comments are comments on the template
Comments []string
}
TemplateVersion represents a version of a template
type ValidationLevel ¶
type ValidationLevel string
ValidationLevel defines the level of validation to perform
const ( // ValidationLevelBasic performs basic validation ValidationLevelBasic ValidationLevel = "basic" // ValidationLevelStandard performs standard validation ValidationLevelStandard ValidationLevel = "standard" // ValidationLevelStrict performs strict validation ValidationLevelStrict ValidationLevel = "strict" )
type ValidationOptions ¶
type ValidationOptions struct {
// Level is the validation level
Level ValidationLevel
// CustomChecks is a list of custom checks to perform
CustomChecks []security.SecurityCheck
// IgnorePatterns is a list of patterns to ignore
IgnorePatterns []*regexp.Regexp
// AllowedFunctions is a list of allowed functions
AllowedFunctions []string
// AllowedPackages is a list of allowed packages
AllowedPackages []string
// DisallowedFunctions is a list of disallowed functions
DisallowedFunctions []string
// DisallowedPackages is a list of disallowed packages
DisallowedPackages []string
// MaxComplexity is the maximum allowed complexity
MaxComplexity int
// MaxLineLength is the maximum allowed line length
MaxLineLength int
// RequireComments determines if comments are required
RequireComments bool
// RequireValidation determines if input validation is required
RequireValidation bool
// SecurityOptions are the security verification options
SecurityOptions *security.VerificationOptions
}
ValidationOptions defines options for template validation
func DefaultValidationOptions ¶
func DefaultValidationOptions() *ValidationOptions
DefaultValidationOptions returns the default validation options
type ValidationResult ¶
type ValidationResult struct {
// Template is the validated template
Template *format.Template
// Issues are the security issues found
Issues []*security.SecurityIssue
// RiskScore is the risk score
RiskScore *RiskScore
// ValidationTime is the time taken for validation
ValidationTime time.Duration
// Timestamp is the time of validation
Timestamp time.Time
}
ValidationResult represents the result of template validation
func (*ValidationResult) GetIssuesBySeverity ¶
func (r *ValidationResult) GetIssuesBySeverity(severity common.SeverityLevel) []*security.SecurityIssue
GetIssuesBySeverity gets issues by severity
func (*ValidationResult) HasCriticalIssues ¶
func (r *ValidationResult) HasCriticalIssues() bool
HasCriticalIssues checks if the validation result has critical issues
func (*ValidationResult) HasHighIssues ¶
func (r *ValidationResult) HasHighIssues() bool
HasHighIssues checks if the validation result has high severity issues