validation

package
Published: Aug 5, 2025 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package validation provides image validation and security scanning for ARC

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CalculateRiskScore

func CalculateRiskScore(scanResult *ScanResult) float64

CalculateRiskScore calculates a risk score for scan results

func DefaultSecurityPolicies

func DefaultSecurityPolicies() map[string]Policy

DefaultSecurityPolicies returns a set of default security policies

func GenerateImageHash

func GenerateImageHash(image string) string

GenerateImageHash generates a hash for an image reference

func HasCriticalVulnerabilities

func HasCriticalVulnerabilities(scanResult *ScanResult) bool

HasCriticalVulnerabilities reports whether a scan result contains critical vulnerabilities

func IsAllowedRegistry

func IsAllowedRegistry(registry string, allowedList []string) bool

IsAllowedRegistry checks if a registry is in the allowed list

func SanitizeImageReference

func SanitizeImageReference(image string) string

SanitizeImageReference removes potentially dangerous characters from an image reference

func ValidateImageAge

func ValidateImageAge(createdAt time.Time, maxAge time.Duration) error

ValidateImageAge checks if an image is within acceptable age limits

func ValidateImageForEnvironment

func ValidateImageForEnvironment(ctx context.Context, image, environment string) error

ValidateImageForEnvironment validates an image based on the target environment

Types

type ClairScanner

// ClairScanner implements VulnerabilityScanner using the Clair API.
// Construct it with NewClairScanner(endpoint, apiKey); the endpoint and API
// key are presumably kept in the unexported fields below — only the
// constructor signature is visible here. The key is a credential and should
// not be logged.
type ClairScanner struct {
	// contains filtered or unexported fields
}

ClairScanner implements VulnerabilityScanner using Clair API

func NewClairScanner

func NewClairScanner(endpoint, apiKey string) *ClairScanner

NewClairScanner creates a new Clair-based vulnerability scanner

func (*ClairScanner) Scan

func (c *ClairScanner) Scan(ctx context.Context, image string) (*ScanResult, error)

Scan performs a vulnerability scan using Clair API

type ComplianceCheck

// ComplianceCheck represents a single compliance validation and its outcome.
// A scan carries a slice of these in ScanResult.ComplianceChecks.
type ComplianceCheck struct {
	ID          string   `json:"id"`          // identifier of the check
	Name        string   `json:"name"`        // human-readable name of the check
	Description string   `json:"description"` // what the check verifies
	Status      string   `json:"status"` // "pass", "fail", "skip"
	Severity    Severity `json:"severity"`    // one of the Severity constants
	Details     string   `json:"details,omitempty"` // optional explanation of the outcome
}

ComplianceCheck represents a compliance validation

type CompositeVerifier

// CompositeVerifier implements SignatureVerifier by delegating to the
// verifiers passed to NewCompositeVerifier. VerifySignature tries each
// configured verifier and succeeds if any one of them accepts the image, so
// the effective trust policy is the union of the verifiers' trust anchors —
// NOTE(review): confirm this any-of semantics is what the deployment intends.
type CompositeVerifier struct {
	// contains filtered or unexported fields
}

CompositeVerifier implements SignatureVerifier with multiple verifiers

func NewCompositeVerifier

func NewCompositeVerifier(verifiers ...SignatureVerifier) *CompositeVerifier

NewCompositeVerifier creates a verifier that tries multiple verification methods

func (*CompositeVerifier) VerifySignature

func (c *CompositeVerifier) VerifySignature(ctx context.Context, image string, trustAnchors []string) error

VerifySignature tries to verify signature with any of the configured verifiers

type CosignVerifier

// CosignVerifier implements SignatureVerifier using Cosign. It is created with
// NewCosignVerifier(binaryPath); presumably VerifySignature invokes the cosign
// binary at that path — TODO confirm, and prefer an absolute path to a trusted
// binary rather than relying on PATH lookup.
type CosignVerifier struct {
	// contains filtered or unexported fields
}

CosignVerifier implements SignatureVerifier using Cosign

func NewCosignVerifier

func NewCosignVerifier(binaryPath string) *CosignVerifier

NewCosignVerifier creates a new Cosign-based signature verifier

func (*CosignVerifier) VerifySignature

func (c *CosignVerifier) VerifySignature(ctx context.Context, image string, trustAnchors []string) error

VerifySignature verifies an image signature using Cosign

type DefaultImageValidator

// DefaultImageValidator is the production-ready ImageValidator implementation.
// It is configured through a ValidationConfig (NewDefaultImageValidator or
// CreateValidatorWithDefaults), caches scan results (see ClearCache), and
// accepts a pluggable VulnerabilityScanner and SignatureVerifier via the
// corresponding Set* methods.
type DefaultImageValidator struct {
	// contains filtered or unexported fields
}

DefaultImageValidator provides production-ready image validation

func CreateValidatorWithDefaults

func CreateValidatorWithDefaults() (*DefaultImageValidator, error)

CreateValidatorWithDefaults creates a validator with sensible defaults for production

func NewDefaultImageValidator

func NewDefaultImageValidator(config *ValidationConfig) *DefaultImageValidator

NewDefaultImageValidator creates a new image validator with default config

func (*DefaultImageValidator) CheckPolicy

func (v *DefaultImageValidator) CheckPolicy(ctx context.Context, image string, policy Policy) error

CheckPolicy validates an image against a specific policy

func (*DefaultImageValidator) ClearCache

func (v *DefaultImageValidator) ClearCache()

ClearCache clears the scan result cache

func (*DefaultImageValidator) ScanImage

func (v *DefaultImageValidator) ScanImage(ctx context.Context, image string) (*ScanResult, error)

ScanImage performs security scanning on an image

func (*DefaultImageValidator) SetSignatureVerifier

func (v *DefaultImageValidator) SetSignatureVerifier(verifier SignatureVerifier)

SetSignatureVerifier sets the signature verifier

func (*DefaultImageValidator) SetVulnerabilityScanner

func (v *DefaultImageValidator) SetVulnerabilityScanner(scanner VulnerabilityScanner)

SetVulnerabilityScanner sets the vulnerability scanner

func (*DefaultImageValidator) ValidateImage

func (v *DefaultImageValidator) ValidateImage(ctx context.Context, image string) error

ValidateImage performs comprehensive validation on an image reference

type GrypeScanner

// GrypeScanner implements VulnerabilityScanner using Grype. It is created with
// NewGrypeScanner(binaryPath); presumably Scan executes the grype binary at
// that path — TODO confirm, and prefer an absolute path to a trusted binary.
type GrypeScanner struct {
	// contains filtered or unexported fields
}

GrypeScanner implements VulnerabilityScanner using Grype

func NewGrypeScanner

func NewGrypeScanner(binaryPath string) *GrypeScanner

NewGrypeScanner creates a new Grype-based vulnerability scanner

func (*GrypeScanner) Scan

func (g *GrypeScanner) Scan(ctx context.Context, image string) (*ScanResult, error)

Scan performs a vulnerability scan using Grype

type ImageInfo

// ImageInfo contains the parsed components of a container image reference,
// as produced by ParseImageReference.
type ImageInfo struct {
	Registry      string `json:"registry"`       // registry host portion of the reference
	Namespace     string `json:"namespace"`      // namespace portion of the reference
	Repository    string `json:"repository"`     // repository name
	Tag           string `json:"tag"`            // tag, when present (see HasTag)
	Digest        string `json:"digest"`         // content digest, when present (see HasDigest)
	FullReference string `json:"full_reference"` // the complete reference (whether normalised is not visible here — confirm against ParseImageReference)
	IsOfficial    bool   `json:"is_official"`    // presumably marks an "official" image; TODO confirm how it is derived
	HasDigest     bool   `json:"has_digest"`     // true when Digest is set; digest pinning is what RequireDigest settings presumably check
	HasTag        bool   `json:"has_tag"`        // true when Tag is set
}

ImageInfo contains parsed image reference details

func ParseImageReference

func ParseImageReference(image string) (*ImageInfo, error)

ParseImageReference parses a container image reference

type ImageValidator

// ImageValidator defines the interface for image validation. DefaultImageValidator
// is the implementation provided by this package; OrchestratorIntegration
// consumes the interface.
type ImageValidator interface {
	// ValidateImage performs comprehensive validation on an image reference and
	// returns a non-nil error when the image is rejected.
	ValidateImage(ctx context.Context, image string) error

	// ScanImage performs security scanning on an image and returns the findings.
	ScanImage(ctx context.Context, image string) (*ScanResult, error)

	// CheckPolicy validates an image against a specific policy and returns a
	// non-nil error on violation.
	CheckPolicy(ctx context.Context, image string, policy Policy) error
}

ImageValidator defines the interface for image validation

type Layer

// Layer represents a container image layer as reported in ScanResult.Layers.
type Layer struct {
	Digest    string `json:"digest"`     // content digest of the layer
	Size      int64  `json:"size"`       // layer size; unit not stated here (presumably bytes — confirm)
	MediaType string `json:"media_type"` // media type of the layer blob
	CreatedBy string `json:"created_by,omitempty"` // instruction that produced the layer, when known
}

Layer represents a container image layer

type NotaryVerifier

// NotaryVerifier implements SignatureVerifier using a Notary server. It is
// created with NewNotaryVerifier(serverURL); the server URL is presumably held
// in the unexported fields. NOTE(review): confirm the URL is validated as
// HTTPS before use, since trust decisions depend on this endpoint.
type NotaryVerifier struct {
	// contains filtered or unexported fields
}

NotaryVerifier implements SignatureVerifier using Notary

func NewNotaryVerifier

func NewNotaryVerifier(serverURL string) *NotaryVerifier

NewNotaryVerifier creates a new Notary-based signature verifier

func (*NotaryVerifier) VerifySignature

func (n *NotaryVerifier) VerifySignature(ctx context.Context, image string, trustAnchors []string) error

VerifySignature verifies an image signature using Notary

type OrchestratorIntegration

// OrchestratorIntegration connects an ImageValidator to the orchestrator. It
// is created with NewOrchestratorIntegration(validator, logger), holds a named
// set of policies (AddPolicy/GetPolicy/RemovePolicy), and exposes
// ScanAndValidateImage, ValidateAgentImage and ValidateWorkflowImages as the
// pre-execution gates. Whether the policy set is safe for concurrent
// modification is not visible here — confirm before sharing across goroutines.
type OrchestratorIntegration struct {
	// contains filtered or unexported fields
}

OrchestratorIntegration provides integration between the validator and orchestrator

func NewOrchestratorIntegration

func NewOrchestratorIntegration(validator ImageValidator, logger *log.Logger) *OrchestratorIntegration

NewOrchestratorIntegration creates a new orchestrator integration

func (*OrchestratorIntegration) AddPolicy

func (o *OrchestratorIntegration) AddPolicy(name string, policy Policy)

AddPolicy adds a policy for validation

func (*OrchestratorIntegration) GetPolicy

func (o *OrchestratorIntegration) GetPolicy(name string) (Policy, bool)

GetPolicy retrieves a policy by name

func (*OrchestratorIntegration) RemovePolicy

func (o *OrchestratorIntegration) RemovePolicy(name string)

RemovePolicy removes a policy

func (*OrchestratorIntegration) ScanAndValidateImage

func (o *OrchestratorIntegration) ScanAndValidateImage(ctx context.Context, image string) (*SecurityReport, error)

ScanAndValidateImage performs security scanning and validation

func (*OrchestratorIntegration) ValidateAgentImage

func (o *OrchestratorIntegration) ValidateAgentImage(ctx context.Context, agent *types.Agent) error

ValidateAgentImage validates an agent's container image before creation

func (*OrchestratorIntegration) ValidateWorkflowImages

func (o *OrchestratorIntegration) ValidateWorkflowImages(ctx context.Context, workflow *types.Workflow) error

ValidateWorkflowImages validates all images in a workflow before execution

type Policy

// Policy defines validation rules for images. Policies are registered on an
// OrchestratorIntegration (AddPolicy/GetPolicy/RemovePolicy), evaluated by
// ImageValidator.CheckPolicy, and DefaultSecurityPolicies supplies a starting
// set.
type Policy struct {
	Name        string `json:"name"`        // policy identifier
	Description string `json:"description"` // human-readable purpose
	Enabled     bool   `json:"enabled"`     // presumably disabled policies are skipped — confirm in CheckPolicy

	// Registry rules. How an image matching both lists is treated is not
	// visible here; confirm the precedence in CheckPolicy before relying on it.
	AllowedRegistries []string `json:"allowed_registries,omitempty"`
	BlockedRegistries []string `json:"blocked_registries,omitempty"`

	// Tag rules. The pattern lists are presumably regular expressions, as for
	// ValidationConfig.AllowedTagPatterns/BlockedTagPatterns — confirm.
	AllowLatestTag      bool     `json:"allow_latest_tag"`
	RequireDigest       bool     `json:"require_digest"` // require digest-pinned references (tags can be re-pointed)
	TagPatternWhitelist []string `json:"tag_pattern_whitelist,omitempty"`
	TagPatternBlacklist []string `json:"tag_pattern_blacklist,omitempty"`

	// Security thresholds. ValidationConfig documents -1 = unlimited and
	// 0 = none allowed for its counterparts; presumably the same convention
	// applies here — TODO confirm.
	MaxCriticalCVEs int `json:"max_critical_cves"`
	MaxHighCVEs     int `json:"max_high_cves"`
	MaxMediumCVEs   int `json:"max_medium_cves"`
	MaxLowCVEs      int `json:"max_low_cves"`

	// Image requirements
	MaxImageAge      time.Duration     `json:"max_image_age,omitempty"` // cf. ValidateImageAge
	RequireSignature bool              `json:"require_signature"`       // enforced through a SignatureVerifier
	RequiredLabels   map[string]string `json:"required_labels,omitempty"` // labels the image must carry (presumably key → expected value)

	// Enforcement
	EnforcementMode string   `json:"enforcement_mode"`     // "block", "warn", "audit"; presumably only "block" rejects — confirm
	Exceptions      []string `json:"exceptions,omitempty"` // Image patterns to exempt; each entry bypasses this policy, so keep the list short and reviewed
}

Policy defines validation rules for images

type ScanResult

// ScanResult contains the findings of one vulnerability scan, as returned by
// VulnerabilityScanner.Scan and ImageValidator.ScanImage. Helpers such as
// CalculateRiskScore, HasCriticalVulnerabilities and
// GetVulnerabilitiesBySeverity operate on it.
type ScanResult struct {
	ImageReference string    `json:"image_reference"` // reference that was scanned
	ImageID        string    `json:"image_id"`
	ImageDigest    string    `json:"image_digest"`    // digest actually scanned; compare with the requested reference when auditing
	ScanTimestamp  time.Time `json:"scan_timestamp"`  // when the scan ran (relevant to ValidationConfig.ScanCacheDuration)
	Scanner        string    `json:"scanner"`         // name of the scanner backend
	ScannerVersion string    `json:"scanner_version"`

	// Vulnerability summary; counts are per Severity, TotalCount is the
	// overall number (whether it equals the sum of the others is not visible
	// here).
	CriticalCount int `json:"critical_count"`
	HighCount     int `json:"high_count"`
	MediumCount   int `json:"medium_count"`
	LowCount      int `json:"low_count"`
	UnknownCount  int `json:"unknown_count"`
	TotalCount    int `json:"total_count"`

	// Detailed findings
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`

	// Image metadata
	OS           string    `json:"os"`
	Architecture string    `json:"architecture"`
	CreatedAt    time.Time `json:"created_at"` // build time; input to ValidateImageAge
	Size         int64     `json:"size"`
	Layers       []Layer   `json:"layers"`

	// Compliance
	ComplianceStatus string            `json:"compliance_status"` // "pass", "fail", "warn"
	ComplianceChecks []ComplianceCheck `json:"compliance_checks"`

	// Additional metadata; free-form data from the scanner, so treat its
	// contents as untrusted input when consuming it.
	Metadata map[string]interface{} `json:"metadata,omitempty"`
}

ScanResult contains vulnerability scan findings

type SecurityReport

// SecurityReport contains the complete security assessment of an image, as
// produced by OrchestratorIntegration.ScanAndValidateImage.
type SecurityReport struct {
	Image            string      `json:"image"`     // image reference that was assessed
	Timestamp        time.Time   `json:"timestamp"` // when the assessment was made
	Status           string      `json:"status"` // "approved", "warning", "rejected", "failed"
	RiskScore        float64     `json:"risk_score"`            // presumably from CalculateRiskScore — confirm
	ScanResult       *ScanResult `json:"scan_result,omitempty"` // nil when no scan result is available
	ValidationErrors []string    `json:"validation_errors,omitempty"`
	ScanErrors       []string    `json:"scan_errors,omitempty"` // "failed" vs "rejected" presumably hinges on these — confirm
	Recommendation   string      `json:"recommendation"`
	PolicyViolations []string    `json:"policy_violations,omitempty"`
}

SecurityReport contains the complete security assessment of an image

type Severity

// Severity is the vulnerability severity level; see the Severity* constants
// for the recognised values. It is a plain string type, so values decoded
// from external data are not validated by the type itself.
type Severity string

Severity levels for vulnerabilities

// Recognised Severity values, from most to least severe; SeverityUnknown
// covers findings whose severity the scanner did not classify.
const (
	SeverityCritical Severity = "critical"
	SeverityHigh     Severity = "high"
	SeverityMedium   Severity = "medium"
	SeverityLow      Severity = "low"
	SeverityUnknown  Severity = "unknown"
)

type SignatureVerifier

// SignatureVerifier is the interface for image signature verification.
// Implementations in this package: CosignVerifier, NotaryVerifier and
// CompositeVerifier.
type SignatureVerifier interface {
	// VerifySignature checks the signature of image against trustAnchors
	// (public keys or certificates, cf. ValidationConfig.TrustAnchors) and
	// returns a non-nil error when verification fails.
	VerifySignature(ctx context.Context, image string, trustAnchors []string) error
}

SignatureVerifier is the interface for image signature verification

type TrivyMetadata

// TrivyMetadata contains image metadata as decoded from Trivy's JSON output.
// The field tags mirror Trivy's own key names.
type TrivyMetadata struct {
	OS          TrivyOS     `json:"OS"`
	ImageID     string      `json:"ImageID"`
	DiffIDs     []string    `json:"DiffIDs"`
	RepoTags    []string    `json:"RepoTags"`
	RepoDigests []string    `json:"RepoDigests"`
	ImageConfig interface{} `json:"ImageConfig"` // left undecoded; shape depends on Trivy
}

TrivyMetadata contains image metadata from Trivy

type TrivyOS

// TrivyOS contains the operating-system information reported by Trivy.
type TrivyOS struct {
	Family  string `json:"Family"`
	Name    string `json:"Name"`
	Version string `json:"Version"`
}

TrivyOS contains OS information

type TrivyOutput

// TrivyOutput represents the top-level Trivy JSON output structure. It is
// scanner output, i.e. untrusted input, and SchemaVersion is worth checking
// before interpreting the rest.
type TrivyOutput struct {
	SchemaVersion int           `json:"SchemaVersion"`
	ArtifactName  string        `json:"ArtifactName"`
	ArtifactType  string        `json:"ArtifactType"`
	Metadata      TrivyMetadata `json:"Metadata"`
	Results       []TrivyResult `json:"Results"`
}

TrivyOutput represents Trivy JSON output structure

type TrivyResult

// TrivyResult contains the scan results for one target within a TrivyOutput.
type TrivyResult struct {
	Target          string               `json:"Target"`
	Class           string               `json:"Class"`
	Type            string               `json:"Type"`
	Vulnerabilities []TrivyVulnerability `json:"Vulnerabilities"` // may be absent/empty for a clean target
}

TrivyResult contains scan results for a target

type TrivyScanner

// TrivyScanner implements VulnerabilityScanner using Trivy. It is created with
// NewTrivyScanner(binaryPath); presumably Scan executes the trivy binary at
// that path and decodes its JSON into TrivyOutput — TODO confirm, and prefer
// an absolute path to a trusted binary.
type TrivyScanner struct {
	// contains filtered or unexported fields
}

TrivyScanner implements VulnerabilityScanner using Trivy

func NewTrivyScanner

func NewTrivyScanner(binaryPath string) *TrivyScanner

NewTrivyScanner creates a new Trivy-based vulnerability scanner

func (*TrivyScanner) Scan

func (t *TrivyScanner) Scan(ctx context.Context, image string) (*ScanResult, error)

Scan performs a vulnerability scan using Trivy

type TrivyVulnerability

// TrivyVulnerability represents one vulnerability as emitted by Trivy. Note
// that Severity is Trivy's raw string, not this package's Severity type; the
// mapping to Severity happens elsewhere (not visible here).
type TrivyVulnerability struct {
	VulnerabilityID  string                 `json:"VulnerabilityID"`
	PkgName          string                 `json:"PkgName"`
	InstalledVersion string                 `json:"InstalledVersion"`
	FixedVersion     string                 `json:"FixedVersion"`
	Title            string                 `json:"Title"`
	Description      string                 `json:"Description"`
	Severity         string                 `json:"Severity"`
	CVSS             map[string]interface{} `json:"CVSS"` // nested per-source CVSS data; shape defined by Trivy
	References       []string               `json:"References"`
	PublishedDate    *time.Time             `json:"PublishedDate"`    // nil when Trivy omits it
	LastModifiedDate *time.Time             `json:"LastModifiedDate"` // nil when Trivy omits it
}

TrivyVulnerability represents a vulnerability found by Trivy

type ValidationConfig

// ValidationConfig configures a DefaultImageValidator. Start from
// DefaultValidationConfig for production-ready defaults rather than the zero
// value.
type ValidationConfig struct {
	// Registry validation. Precedence when a registry appears in both lists
	// is not visible here — confirm in ValidateImage before relying on it.
	AllowedRegistries []string // Allowed registries (empty = all allowed)
	BlockedRegistries []string // Blocked registries
	RequireHTTPS      bool     // Require HTTPS for registry connections

	// Tag validation
	AllowLatestTag     bool     // Allow "latest" tag
	AllowedTagPatterns []string // Regex patterns for allowed tags
	BlockedTagPatterns []string // Regex patterns for blocked tags
	RequireDigest      bool     // Require digest in image reference

	// Security scanning. A negative threshold disables that severity's check
	// entirely, so -1 should be a deliberate choice.
	EnableScanning    bool          // Enable vulnerability scanning
	MaxCriticalCVEs   int           // Max critical vulnerabilities (-1 = unlimited, 0 = none allowed)
	MaxHighCVEs       int           // Max high vulnerabilities (-1 = unlimited, 0 = none allowed)
	MaxMediumCVEs     int           // Max medium vulnerabilities (-1 = unlimited, 0 = none allowed)
	MaxLowCVEs        int           // Max low vulnerabilities (-1 = unlimited, 0 = none allowed)
	ScanCacheDuration time.Duration // How long to cache scan results (cached results age; see ClearCache)

	// Image age validation
	MaxImageAge        time.Duration // Max age for images (0 = no limit)
	RequireRecentBuild bool          // Require images built within MaxImageAge

	// Signature verification
	RequireSignature bool     // Require signed images
	TrustAnchors     []string // Public keys or certificates for verification
	SignatureType    string   // "cosign", "notary", etc.

	// Performance
	ConcurrentScans int           // Max concurrent vulnerability scans
	ScanTimeout     time.Duration // Timeout for individual scans

	// Logging
	LogLevel string // "debug", "info", "warn", "error"
	AuditLog bool   // Enable audit logging
}

ValidationConfig configures the image validator

func DefaultValidationConfig

func DefaultValidationConfig() *ValidationConfig

DefaultValidationConfig returns a production-ready default configuration

type Vulnerability

// Vulnerability represents one security finding in scanner-neutral form, as
// carried in ScanResult.Vulnerabilities.
type Vulnerability struct {
	ID          string   `json:"id"`          // advisory identifier as reported by the scanner
	Title       string   `json:"title"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`    // one of the Severity constants
	CVSS        float64  `json:"cvss"`        // base score
	CVSSVector  string   `json:"cvss_vector"` // vector string
	CWE         []string `json:"cwe,omitempty"`

	// Affected components
	Package      string `json:"package"`
	Version      string `json:"version"`
	FixedVersion string `json:"fixed_version,omitempty"` // empty when no fix is known

	// References
	References    []string  `json:"references"`
	PublishedDate time.Time `json:"published_date"`
	LastModified  time.Time `json:"last_modified"`

	// Exploitation; presumably feeds CalculateRiskScore — confirm
	Exploitable      bool   `json:"exploitable"`
	ExploitAvailable bool   `json:"exploit_available"`
	ExploitMaturity  string `json:"exploit_maturity,omitempty"`
}

Vulnerability represents a security vulnerability

func GetVulnerabilitiesBySeverity

func GetVulnerabilitiesBySeverity(scanResult *ScanResult, severity Severity) []Vulnerability

GetVulnerabilitiesBySeverity returns vulnerabilities filtered by severity

type VulnerabilityScanner

// VulnerabilityScanner is the interface for vulnerability scanning.
// Implementations in this package: TrivyScanner, GrypeScanner and ClairScanner.
type VulnerabilityScanner interface {
	// Scan scans image and returns its findings, or a non-nil error if the
	// scan could not be completed.
	Scan(ctx context.Context, image string) (*ScanResult, error)
}

VulnerabilityScanner is the interface for vulnerability scanning
