security

package
v0.0.0-...-e601d7c Latest Latest
Published: Apr 20, 2026 License: MIT Imports: 18 Imported by: 0


Constants

// TTL durations for different operations. An entry older than its TTL is
// treated as expired: Cache.Get no longer returns it and Cache.Clean removes it.
// Presumably Cache.Set picks one of these from CacheKey.Operation; SetWithTTL
// accepts an explicit duration instead.
const (
	TTL_SBOM       = 24 * time.Hour // SBOM: 24h
	TTL_SCAN_GRYPE = 6 * time.Hour  // Grype scan: 6h
	TTL_SCAN_TRIVY = 6 * time.Hour  // Trivy scan: 6h
)

TTL durations for the different cached operations.

Variables

This section is empty.

Functions

func ComputeConfigHash

func ComputeConfigHash(config interface{}) (string, error)

ComputeConfigHash computes a hash of configuration for cache keying

func ValidateImageRef

func ValidateImageRef(imageRef string) error

ValidateImageRef checks that an image reference is safe to pass to external tools, returning a non-nil error when it is not.

Types

type AttachConfig

// AttachConfig configures attestation attachment (see SBOMConfig.Attach and
// SBOMConfig.ShouldAttach).
type AttachConfig struct {
	Enabled bool `json:"enabled" yaml:"enabled"` // Default: true
	Sign    bool `json:"sign" yaml:"sign"`       // Sign the attestation; presumably uses SecurityConfig.Signing — confirm
}

AttachConfig configures attestation attachment

type BuilderConfig

// BuilderConfig configures builder identification for provenance
// (see ProvenanceConfig.Builder).
type BuilderConfig struct {
	ID string `json:"id,omitempty" yaml:"id,omitempty"` // Auto-detected from CI if not specified
}

BuilderConfig configures builder identification

type Cache

// Cache provides TTL-based caching for security operation results.
// Entries are addressed by CacheKey and expire according to the TTL_*
// constants, or an explicit duration passed to SetWithTTL. Storage is rooted
// at the baseDir given to NewCache (Size reports its total size in bytes).
type Cache struct {
	// contains filtered or unexported fields
}

Cache provides TTL-based caching for security operation results

func NewCache

func NewCache(baseDir string) (*Cache, error)

NewCache creates a new cache instance

func (*Cache) Clean

func (c *Cache) Clean() error

Clean removes expired cache entries

func (*Cache) Clear

func (c *Cache) Clear() error

Clear removes all cached entries

func (*Cache) Get

func (c *Cache) Get(key CacheKey) ([]byte, bool, error)

Get retrieves a cached result if it exists and has not expired.

func (*Cache) Invalidate

func (c *Cache) Invalidate(key CacheKey) error

Invalidate removes a cached result

func (*Cache) Set

func (c *Cache) Set(key CacheKey, data []byte) error

Set stores a result in the cache with the appropriate default TTL; use SetWithTTL to supply an explicit one.

func (*Cache) SetWithTTL

func (c *Cache) SetWithTTL(key CacheKey, data []byte, ttl time.Duration) error

SetWithTTL stores a result in the cache with an explicit TTL.

func (*Cache) Size

func (c *Cache) Size() (int64, error)

Size returns the total size of the cache in bytes

type CacheConfig

// CacheConfig configures local caching for security artifacts. It is embedded
// in SBOMConfig and ScanConfig; Validate checks the settings.
type CacheConfig struct {
	Enabled bool   `json:"enabled" yaml:"enabled"`                   // Enable caching for this operation
	TTL     string `json:"ttl,omitempty" yaml:"ttl,omitempty"` // Cache TTL, e.g. 6h (presumably a time.Duration string parsed by Validate — confirm)
	Dir     string `json:"dir,omitempty" yaml:"dir,omitempty"` // Cache directory
}

CacheConfig configures local caching for security artifacts.

func (*CacheConfig) Validate

func (c *CacheConfig) Validate() error

Validate validates cache configuration.

type CacheEntry

// CacheEntry represents a cached result with metadata. ExpiresAt is the
// instant after which the entry counts as expired for Cache.Get and Cache.Clean.
type CacheEntry struct {
	Key       CacheKey  `json:"key"`       // Identity of the cached operation
	Data      []byte    `json:"data"`      // Raw result bytes (base64 when JSON-encoded)
	CreatedAt time.Time `json:"createdAt"` // When the entry was stored
	ExpiresAt time.Time `json:"expiresAt"` // When the entry becomes stale
}

CacheEntry represents a cached result with metadata

type CacheKey

// CacheKey uniquely identifies a cached result. Keying on ImageDigest rather
// than a tag means a cached SBOM or scan is only reused for the exact image
// content it was produced from; ConfigHash (see ComputeConfigHash) keeps
// results produced under different configuration apart.
type CacheKey struct {
	Operation   string // "sbom", "scan-grype", "scan-trivy", "signature"
	ImageDigest string // sha256:abc123...
	ConfigHash  string // Hash of relevant config
}

CacheKey uniquely identifies a cached result

type DefectDojoConfig

// DefectDojoConfig configures DefectDojo integration.
//
// APIKey is a credential. Its json/yaml tags carry no omitempty, so any
// marshaled copy of this struct contains the key; use Sanitize to obtain a
// copy that is safe for logging or debug serialization.
//
// NOTE(review): several yaml tags below lack the omitempty their json
// counterparts have, so YAML output always includes those keys — confirm
// whether that is intended.
type DefectDojoConfig struct {
	Enabled        bool     `json:"enabled" yaml:"enabled"`                         // Enable uploading scan results to DefectDojo
	URL            string   `json:"url" yaml:"url"`                                 // DefectDojo instance URL
	APIKey         string   `json:"apiKey" yaml:"apiKey"`                           // API key for authentication (secret; redacted by Sanitize)
	EngagementID   int      `json:"engagementId,omitempty" yaml:"engagementId"`     // Existing engagement ID
	EngagementName string   `json:"engagementName,omitempty" yaml:"engagementName"` // Engagement name (if creating new)
	ProductID      int      `json:"productId,omitempty" yaml:"productId"`           // Product ID (required if creating new engagement)
	ProductName    string   `json:"productName,omitempty" yaml:"productName"`       // Product name (if creating new product)
	TestType       string   `json:"testType,omitempty" yaml:"testType"`             // Test type title (default: "Container Scan")
	Tags           []string `json:"tags,omitempty" yaml:"tags,omitempty"`           // Tags for the test
	Environment    string   `json:"environment,omitempty" yaml:"environment"`       // Environment (e.g., "production", "staging")
	AutoCreate     bool     `json:"autoCreate,omitempty" yaml:"autoCreate"`         // Auto-create product/engagement if not found
}

DefectDojoConfig configures DefectDojo integration

func (*DefectDojoConfig) Sanitize

func (c *DefectDojoConfig) Sanitize() DefectDojoConfig

Sanitize returns a copy of this config with the API key replaced by a placeholder string, safe for logging or debug serialization.

func (*DefectDojoConfig) Validate

func (c *DefectDojoConfig) Validate() error

Validate validates DefectDojo configuration

type ExecutionContext

// ExecutionContext contains information about the current execution
// environment. NewExecutionContext builds it by detecting the environment,
// presumably through DetectCI, PopulateGitMetadata and GetOIDCToken.
//
// NOTE(review): OIDCToken, GitHubToken and RequestToken are credentials.
// Unlike DefectDojoConfig there is no Sanitize for this type, and exported
// fields without tags are still emitted by encoding/json under their field
// names, so confirm the struct is never logged or serialized as-is.
type ExecutionContext struct {
	IsCI         bool   // True when a CI environment was detected (DetectCI)
	CIProvider   string // CI provider identified by DetectCI
	Repository   string // Git metadata read from the environment (PopulateGitMetadata)
	Branch       string // Git metadata read from the environment (PopulateGitMetadata)
	CommitSHA    string // Full commit SHA (PopulateGitMetadata)
	CommitShort  string // Abbreviated commit SHA (PopulateGitMetadata)
	BuildID      string // CI build identifier — presumably set by DetectCI; confirm
	BuildURL     string // CI build URL — presumably set by DetectCI; confirm
	OIDCToken    string // OIDC token for keyless signing, fetched by GetOIDCToken (secret)
	OIDCTokenURL string // Endpoint GetOIDCToken queries — presumably; confirm
	GitHubToken  string // GitHub token (secret)
	RequestToken string // Token presented when requesting the OIDC token — presumably; confirm (secret)
}

ExecutionContext contains information about the current execution environment

func NewExecutionContext

func NewExecutionContext(ctx context.Context) (*ExecutionContext, error)

NewExecutionContext creates a new execution context by detecting the environment

func (*ExecutionContext) DetectCI

func (e *ExecutionContext) DetectCI()

DetectCI detects if running in a CI environment and identifies the provider

func (*ExecutionContext) GetOIDCToken

func (e *ExecutionContext) GetOIDCToken(ctx context.Context) error

GetOIDCToken attempts to retrieve an OIDC token for keyless signing

func (*ExecutionContext) PopulateGitMetadata

func (e *ExecutionContext) PopulateGitMetadata()

PopulateGitMetadata populates git-related metadata from environment

type MetadataConfig

// MetadataConfig configures metadata collection for provenance
// (see ProvenanceConfig.Metadata).
//
// NOTE(review): CI environments commonly carry credentials in environment
// variables, and provenance may be uploaded to a registry
// (OutputConfig.Registry). Confirm what filtering the generator applies to the
// environment before enabling IncludeEnv.
type MetadataConfig struct {
	IncludeEnv       bool `json:"includeEnv,omitempty" yaml:"includeEnv,omitempty"`             // Include environment variables
	IncludeMaterials bool `json:"includeMaterials,omitempty" yaml:"includeMaterials,omitempty"` // Include build materials
}

MetadataConfig configures metadata collection

type OutputConfig

// OutputConfig configures output destinations. It is shared by SBOMConfig,
// ProvenanceConfig and ScanConfig; both destinations may be set at once.
type OutputConfig struct {
	Local    string `json:"local,omitempty" yaml:"local,omitempty"`       // Local file path
	Registry bool   `json:"registry,omitempty" yaml:"registry,omitempty"` // Upload to registry
}

OutputConfig configures output destinations

type PRCommentConfig

// PRCommentConfig configures markdown output for pull request comments.
type PRCommentConfig struct {
	Enabled bool   `json:"enabled" yaml:"enabled"`                   // Enable PR comment output
	Output  string `json:"output,omitempty" yaml:"output,omitempty"` // Destination for the markdown — presumably a file path checked by Validate; confirm
}

PRCommentConfig configures markdown output for pull request comments.

func (*PRCommentConfig) Validate

func (c *PRCommentConfig) Validate() error

Validate validates pull-request comment configuration.

type ProvenanceConfig

// ProvenanceConfig configures SLSA provenance generation.
//
// NOTE: the Go field IncludeDocker is serialized as "includeDockerfile";
// keep the field name and the tag in sync when changing either.
type ProvenanceConfig struct {
	Enabled       bool            `json:"enabled" yaml:"enabled"`                                         // Enable provenance generation
	Format        string          `json:"format,omitempty" yaml:"format,omitempty"` // Default: "slsa-v1.0"
	Output        *OutputConfig   `json:"output,omitempty" yaml:"output,omitempty"`                       // Where the statement is written/uploaded
	IncludeGit    bool            `json:"includeGit,omitempty" yaml:"includeGit,omitempty"`               // Include git metadata
	IncludeDocker bool            `json:"includeDockerfile,omitempty" yaml:"includeDockerfile,omitempty"` // Include Dockerfile
	Required      bool            `json:"required,omitempty" yaml:"required,omitempty"`                   // Fail if provenance generation fails
	Builder       *BuilderConfig  `json:"builder,omitempty" yaml:"builder,omitempty"`                     // Builder identification
	Metadata      *MetadataConfig `json:"metadata,omitempty" yaml:"metadata,omitempty"`                   // Extra metadata to collect
}

ProvenanceConfig configures SLSA provenance generation

func (*ProvenanceConfig) Validate

func (c *ProvenanceConfig) Validate() error

Validate validates provenance configuration

type ReportingConfig

// ReportingConfig configures report uploading to external systems; a nil
// sub-config presumably disables that destination (confirm in Validate /
// UploadReports).
type ReportingConfig struct {
	DefectDojo *DefectDojoConfig `json:"defectdojo,omitempty" yaml:"defectdojo,omitempty"` // DefectDojo upload settings (contains an API key; see DefectDojoConfig.Sanitize)
	PRComment  *PRCommentConfig  `json:"prComment,omitempty" yaml:"prComment,omitempty"`   // Pull-request markdown output
}

ReportingConfig configures report uploading to external systems

func (*ReportingConfig) Validate

func (c *ReportingConfig) Validate() error

Validate validates the reporting configuration

type SBOMConfig

// SBOMConfig configures SBOM generation.
type SBOMConfig struct {
	Enabled   bool          `json:"enabled" yaml:"enabled"`                         // Enable SBOM generation
	Format    string        `json:"format,omitempty" yaml:"format,omitempty"`       // Default: "cyclonedx-json"
	Generator string        `json:"generator,omitempty" yaml:"generator,omitempty"` // Default: "syft"
	Output    *OutputConfig `json:"output,omitempty" yaml:"output,omitempty"`       // Where the SBOM is written/uploaded
	Cache     *CacheConfig  `json:"cache,omitempty" yaml:"cache,omitempty"`         // Local result cache (TTL_SBOM by default)
	Attach    *AttachConfig `json:"attach,omitempty" yaml:"attach,omitempty"`       // Attestation attachment; see ShouldAttach
	Required  bool          `json:"required,omitempty" yaml:"required,omitempty"` // Fail if SBOM generation fails
}

SBOMConfig configures SBOM generation

func (*SBOMConfig) ShouldAttach

func (c *SBOMConfig) ShouldAttach() bool

ShouldAttach returns true when SBOM attestation attachment is requested.

func (*SBOMConfig) Validate

func (c *SBOMConfig) Validate() error

Validate validates SBOM configuration

type ScanConfig

// ScanConfig configures vulnerability scanning. FailOn/WarnOn are the
// workflow-wide thresholds; ScanToolConfig carries tool-specific ones
// (presumably overriding these per tool — confirm).
type ScanConfig struct {
	Enabled bool             `json:"enabled" yaml:"enabled"`                   // Enable scanning
	Tools   []ScanToolConfig `json:"tools,omitempty" yaml:"tools,omitempty"`   // Scanners to run; ExecuteScanning runs them in parallel
	FailOn  Severity         `json:"failOn,omitempty" yaml:"failOn,omitempty"` // Fail on this severity or higher
	WarnOn  Severity         `json:"warnOn,omitempty" yaml:"warnOn,omitempty"` // Warn on this severity or higher
	// SoftFail converts policy violations (failOn threshold exceeded) from hard errors
	// to warnings. The scan still runs and results are reported/uploaded, but exit 0.
	// Note that with SoftFail set a failing policy no longer blocks the pipeline.
	SoftFail bool          `json:"softFail,omitempty" yaml:"softFail,omitempty"`
	Output   *OutputConfig `json:"output,omitempty" yaml:"output,omitempty"`     // Where results are written/uploaded
	Cache    *CacheConfig  `json:"cache,omitempty" yaml:"cache,omitempty"`       // Local result cache (TTL_SCAN_* by default)
	Required bool          `json:"required,omitempty" yaml:"required,omitempty"` // Fail if scan fails
}

ScanConfig configures vulnerability scanning

func (*ScanConfig) Validate

func (c *ScanConfig) Validate() error

Validate validates scan configuration

type ScanToolConfig

// ScanToolConfig configures a specific scanning tool.
//
// NOTE(review): Version controls which scanner build is installed; whether the
// download is integrity-verified is not visible here — confirm in the installer.
type ScanToolConfig struct {
	Name     string   `json:"name" yaml:"name"`                             // grype, trivy
	Version  string   `json:"version,omitempty" yaml:"version,omitempty"`   // Pin specific version (install target + minimum); default: built-in minimum
	Enabled  *bool    `json:"enabled,omitempty" yaml:"enabled,omitempty"`   // Enable this tool (nil = use defaults)
	Required bool     `json:"required,omitempty" yaml:"required,omitempty"` // Fail if this tool fails
	FailOn   Severity `json:"failOn,omitempty" yaml:"failOn,omitempty"`     // Tool-specific failOn
	WarnOn   Severity `json:"warnOn,omitempty" yaml:"warnOn,omitempty"`     // Tool-specific warnOn
}

ScanToolConfig configures a specific scanning tool

func (*ScanToolConfig) Validate

func (c *ScanToolConfig) Validate() error

Validate validates scan tool configuration

type SecurityConfig

// SecurityConfig contains comprehensive configuration for all security
// operations. DefaultSecurityConfig returns a populated default and Validate
// checks the whole tree. Reporting may hold a credential
// (DefectDojoConfig.APIKey); see DefectDojoConfig.Sanitize before logging.
type SecurityConfig struct {
	Enabled    bool              `json:"enabled" yaml:"enabled"`                       // Master switch for all security operations
	Signing    *signing.Config   `json:"signing,omitempty" yaml:"signing,omitempty"`   // Image signing (ExecuteSigning)
	SBOM       *SBOMConfig       `json:"sbom,omitempty" yaml:"sbom,omitempty"`         // SBOM generation (ExecuteSBOM)
	Provenance *ProvenanceConfig `json:"provenance,omitempty" yaml:"provenance,omitempty"` // SLSA provenance (ExecuteProvenance)
	Scan       *ScanConfig       `json:"scan,omitempty" yaml:"scan,omitempty"`         // Vulnerability scanning (ExecuteScanning)
	Reporting  *ReportingConfig  `json:"reporting,omitempty" yaml:"reporting,omitempty"` // Result upload (UploadReports)
}

SecurityConfig contains comprehensive configuration for all security operations

func DefaultSecurityConfig

func DefaultSecurityConfig() *SecurityConfig

DefaultSecurityConfig returns a default security configuration

func (*SecurityConfig) Validate

func (c *SecurityConfig) Validate() error

Validate validates the security configuration

type SecurityError

// SecurityError represents a security operation error. Err is exposed through
// Unwrap, so errors.Is/errors.As see the underlying cause.
type SecurityError struct {
	Operation string // Which operation failed (e.g. "sbom", "scan")
	Err       error  // Underlying cause; may be nil
	Message   string // Human-readable description
}

SecurityError represents a security operation error

func NewSecurityError

func NewSecurityError(operation, message string, err error) *SecurityError

NewSecurityError creates a new security error

func (*SecurityError) Error

func (e *SecurityError) Error() string

func (*SecurityError) Unwrap

func (e *SecurityError) Unwrap() error

type SecurityExecutor

// SecurityExecutor orchestrates all security operations for container images.
// Context carries CI detection results and credentials (see the note on
// ExecutionContext); Summary is only set by NewSecurityExecutorWithSummary.
type SecurityExecutor struct {
	Context *ExecutionContext          // Detected environment, including tokens
	Config  *SecurityConfig            // Validated by ValidateConfig
	Summary *reporting.WorkflowSummary // Summary tracking; nil when created via NewSecurityExecutor (presumably)
}

SecurityExecutor orchestrates all security operations for container images

func NewSecurityExecutor

func NewSecurityExecutor(ctx context.Context, config *SecurityConfig) (*SecurityExecutor, error)

NewSecurityExecutor creates a new security executor

func NewSecurityExecutorWithSummary

func NewSecurityExecutorWithSummary(ctx context.Context, config *SecurityConfig, imageRef string) (*SecurityExecutor, error)

NewSecurityExecutorWithSummary creates a new security executor with summary tracking

func (*SecurityExecutor) ExecuteProvenance

func (e *SecurityExecutor) ExecuteProvenance(ctx context.Context, imageRef string) (*provenance.Statement, error)

ExecuteProvenance generates and optionally attaches provenance for the image.

func (*SecurityExecutor) ExecuteSBOM

func (e *SecurityExecutor) ExecuteSBOM(ctx context.Context, imageRef string) (*sbom.SBOM, error)

ExecuteSBOM generates and optionally attaches SBOM for the image

func (*SecurityExecutor) ExecuteScanning

func (e *SecurityExecutor) ExecuteScanning(ctx context.Context, imageRef string) (*scan.ScanResult, error)

ExecuteScanning performs vulnerability scanning on the image. All configured scan tools run in parallel, and their results are merged and deduplicated. It runs first in the security workflow so that a failing policy stops the workflow early (fail-fast).

func (*SecurityExecutor) ExecuteSigning

func (e *SecurityExecutor) ExecuteSigning(ctx context.Context, imageRef string) (*signing.SignResult, error)

ExecuteSigning performs signing operations on the image

func (*SecurityExecutor) UploadReports

func (e *SecurityExecutor) UploadReports(ctx context.Context, result *scan.ScanResult, imageRef string) error

UploadReports uploads scan results to configured reporting systems

func (*SecurityExecutor) ValidateConfig

func (e *SecurityExecutor) ValidateConfig() error

ValidateConfig validates the security configuration

type Severity

// Severity represents vulnerability severity levels. Validate checks that a
// value is one of the Severity* constants; IsAtLeast compares two values.
type Severity string

Severity represents vulnerability severity levels

// Severity levels, listed from most to least severe. SeverityNone is the zero
// value and disables filtering when used as a FailOn/WarnOn threshold.
const (
	SeverityCritical Severity = "critical"
	SeverityHigh     Severity = "high"
	SeverityMedium   Severity = "medium"
	SeverityLow      Severity = "low"
	SeverityNone     Severity = "" // No severity filtering
)

func (Severity) IsAtLeast

func (s Severity) IsAtLeast(other Severity) bool

IsAtLeast reports whether this severity is at least as severe as the given one.

func (Severity) Validate

func (s Severity) Validate() error

Validate validates severity level

Directories

Path Synopsis
Package sbom provides Software Bill of Materials (SBOM) generation and attestation functionality
Package sbom provides Software Bill of Materials (SBOM) generation and attestation functionality
