Documentation
Constants
This section is empty.
Variables
This section is empty.
Functions
func Finalize (added in v0.7.0)
func Finalize(report *Report)
Finalize dedupes the report's findings and recomputes its summary and status. Call it after merging in findings from an external scanner so the publish block-on-status logic sees the combined result.
func MergeExternal (added in v0.7.0)
func MergeExternal(ctx context.Context, ext *ExternalScanner, dir string, report *Report)
MergeExternal runs the (optional) external scanner over dir and merges its findings into report, recomputing status. It is best-effort: if the scanner is unset it is a no-op, and if it fails it logs a warning and leaves the native report untouched — an optional external tool must never block a publish because it is missing or misconfigured.
Types
type ExternalScanner (added in v0.7.0)
type ExternalScanner struct {
	// Name namespaces the rule IDs in merged findings.
	Name string
	// Command is the argv to execute; the token "{dir}" is replaced with the
	// skill directory. The command must emit SARIF JSON on stdout.
	Command []string
	// Timeout bounds a single scan; defaults to 60s when zero.
	Timeout time.Duration
}
ExternalScanner is an opt-in, operator-configured external security scanner (Phase 2, SDD external.go). skael shells out to a free/OSS tool — e.g. gitleaks, Cisco skill-scanner, or Semgrep with operator-authored rules — runs it over the already-unpacked skill directory, and merges its SARIF output into the native report. Nothing is bundled: the operator installs the tool, so skael's licensing stays clean (subprocess only, no linking).
Findings are namespaced (e.g. "gitleaks:generic-api-key") and merged via Finalize so the same critical/warn → block-on-publish logic applies. If the tool is missing or errors, the caller logs and continues on the native scanner alone — an optional external must never hard-block a publish.
func NewExternalScanner (added in v0.7.0)
func NewExternalScanner(cmdline string, timeout time.Duration) *ExternalScanner
NewExternalScanner builds a scanner from a whitespace-separated command line, or returns nil when cmdline is empty (feature disabled). The first token is used as the scanner Name when it has no explicit name.
type Finding
type Finding struct {
	Rule       string `json:"rule"`
	Severity   string `json:"severity"`   // critical, high, medium, info
	Confidence string `json:"confidence"` // high, medium, low
	File       string `json:"file"`
	Line       int    `json:"line"`
	Match      string `json:"match"`
	Message    string `json:"message"`
}
Finding describes a single matched security rule.
type Report
type Report struct {
	Status   string    `json:"status"` // clean, info, warn, critical
	Findings []Finding `json:"findings"`
	Summary  Summary   `json:"summary"`
}
Report is the result of scanning a skill archive or content for security issues.
func ScanContent
ScanContent scans a single file's content and returns a completed report.
type Rule
type Rule struct {
	Name       string
	Category   string
	Severity   string
	Confidence string
	Pattern    *regexp.Regexp
	Message    string
	// Reject, when set, suppresses a match if the matched text also matches this
	// pattern. Go's regexp (RE2) has no lookahead, so this is how a rule excludes
	// placeholders/references (e.g. `password = "your-password-here"`) that would
	// otherwise be false positives.
	Reject *regexp.Regexp
}
Rule defines a single security detection rule with its pattern and metadata.
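The Reject mechanism described above, shown as an added stand-alone example (not the package's own code): a constructed hardcoded-password rule whose Pattern would flag placeholders and templated references, and a hypothetical applyRule helper that drops every match the Reject pattern also matches, producing Findings in the shape documented above. The Finding and Rule types are re-declared with a subset of their fields so the snippet compiles offline.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding and Rule mirror the documented types; re-declared so this added
// example runs stand-alone (illustrative code, not the package's own).
type Finding struct {
	Rule, Severity, File, Match string
	Line                        int
}

type Rule struct {
	Name, Severity string
	Pattern        *regexp.Regexp
	Reject         *regexp.Regexp // a match that also matches this is dropped
}

// hardcodedPassword is a constructed sample rule. RE2 has no negative
// lookahead, so placeholders are excluded with Reject rather than in Pattern.
var hardcodedPassword = Rule{
	Name:     "hardcoded-password",
	Severity: "critical",
	Pattern:  regexp.MustCompile(`(?i)password\s*[:=]+\s*["'][^"']{6,}["']`),
	Reject:   regexp.MustCompile(`(?i)(your[-_]|<[^>]+>|\$\{|changeme|example)`),
}

// applyRule (hypothetical helper) runs one rule line by line over content,
// dropping any match whose text also matches the rule's Reject pattern.
func applyRule(r Rule, file, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, m := range r.Pattern.FindAllString(line, -1) {
			if r.Reject != nil && r.Reject.MatchString(m) {
				continue // placeholder or reference, not a real secret
			}
			out = append(out, Finding{Rule: r.Name, Severity: r.Severity,
				File: file, Line: i + 1, Match: m})
		}
	}
	return out
}

// sample is constructed input: a placeholder, a templated reference, and one
// real-looking literal; only the last should survive Reject.
const sample = `password = "your-password-here"
DB_PASSWORD: "${DB_PASSWORD}"
password := "hunter2-prod-2024"`
```

Without Reject, all three lines would be reported as critical; with it, only line 3 reaches the report, which is the false-positive control the Rule comment refers to.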