Versions in this module Expand all Collapse all v0 v0.25.0 Apr 24, 2026 v0.24.9 Apr 23, 2026 v0.24.8 Apr 23, 2026 v0.24.7 Apr 23, 2026 v0.24.6 Apr 17, 2026 v0.24.5 Apr 17, 2026 v0.24.4 Apr 14, 2026 v0.24.3 Apr 13, 2026 Changes in this version + func ClassifyScannerExecFailure(stderr string, exitCode int) string type ScannerRunConfig + DisableNoNewPrivileges bool type Service + func (s *Service) SetScannerDisableNoNewPrivileges(disable bool) v0.24.2 Apr 11, 2026 v0.24.1 Apr 11, 2026 v0.24.0 Apr 11, 2026 Changes in this version + const DefaultWorkerPoolSize + const MaxLogBytes + const MaxQueueSize + const MaxScanLogLines + const MaxScannedFiles + const MaxScansPerServer + const QueueStatusCancelled + const QueueStatusCompleted + const QueueStatusFailed + const QueueStatusPending + const QueueStatusRunning + const QueueStatusSkipped + const ScanJobStatusCancelled + const ScanJobStatusCompleted + const ScanJobStatusFailed + const ScanJobStatusPending + const ScanJobStatusRunning + const ScanPassSecurityScan + const ScanPassSupplyChainAudit + const ScannerStatusAvailable + const ScannerStatusConfigured + const ScannerStatusError + const ScannerStatusInstalled + const ScannerStatusPulling + const SeverityCritical + const SeverityHigh + const SeverityInfo + const SeverityLow + const SeverityMedium + const ThreatLevelDangerous + const ThreatLevelInfo + const ThreatLevelWarning + const ThreatMaliciousCode + const ThreatPromptInjection + const ThreatRugPull + const ThreatSupplyChain + const ThreatToolPoisoning + const ThreatUncategorized + func CalculateRiskScore(findings []ScanFinding) int + func ClassifyAllFindings(findings []ScanFinding) + func ClassifyThreat(f *ScanFinding) + func CollectFileList(dir string) (files []string, totalFiles int, totalSize int64) + func GenerateContainerName(scannerID, serverName string) string + func IsSARIF(data []byte) bool + func PrepareReportDir(baseDir, jobID, scannerID string) (string, error) + func ValidateManifest(s *ScannerPlugin) 
error + type AggregatedReport struct + EmptyScan bool + Findings []ScanFinding + JobID string + Pass1Complete bool + Pass2Complete bool + Pass2Running bool + Reports []ScanReport + RiskScore int + ScanComplete bool + ScanContext *ScanContext + ScannedAt time.Time + ScannerStatuses []ScannerJobStatus + ScannersFailed int + ScannersRun int + ScannersTotal int + ServerName string + Summary ReportSummary + func AggregateReports(jobID, serverName string, reports []*ScanReport) *AggregatedReport + func AggregateReportsWithJobStatus(jobID, serverName string, reports []*ScanReport, job *ScanJob) *AggregatedReport + type DockerRunner struct + func NewDockerRunner(logger *zap.Logger) *DockerRunner + func (d *DockerRunner) GetImageDigest(ctx context.Context, image string) (string, error) + func (d *DockerRunner) ImageExists(ctx context.Context, image string) bool + func (d *DockerRunner) IsDockerAvailable(ctx context.Context) bool + func (d *DockerRunner) KillContainer(ctx context.Context, name string) error + func (d *DockerRunner) PullImage(ctx context.Context, image string) error + func (d *DockerRunner) ReadReportFile(reportDir string) ([]byte, error) + func (d *DockerRunner) RemoveImage(ctx context.Context, image string) error + func (d *DockerRunner) RunScanner(ctx context.Context, cfg ScannerRunConfig) (stdout, stderr string, exitCode int, err error) + func (d *DockerRunner) StopContainer(ctx context.Context, name string, timeout int) error + type Engine struct + func NewEngine(docker *DockerRunner, registry *Registry, dataDir string, logger *zap.Logger) *Engine + func (e *Engine) CancelScan(serverName string) error + func (e *Engine) GetActiveJob(serverName string) *ScanJob + func (e *Engine) StartScan(ctx context.Context, req ScanRequest, callback ScanCallback) (*ScanJob, error) + type EnvRequirement struct + Key string + Label string + Secret bool + type EventEmitter interface + EmitSecurityIntegrityAlert func(serverName, alertType, action string) + 
EmitSecurityScanCompleted func(serverName string, findingsSummary map[string]int) + EmitSecurityScanFailed func(serverName, scannerID, errMsg string) + EmitSecurityScanProgress func(serverName, scannerID, status string, progress int) + EmitSecurityScanStarted func(serverName string, scanners []string, jobID string) + EmitSecurityScannerChanged func(scannerID, status, errMsg string) + type FindingCounts struct + Dangerous int + Info int + Total int + Warning int + type IntegrityBaseline struct + ApprovedAt time.Time + ApprovedBy string + DiffManifest []string + ImageDigest string + LockfileHash string + ScanReportIDs []string + ServerName string + SourceHash string + ToolHashes map[string]string + func (b *IntegrityBaseline) MarshalBinary() ([]byte, error) + func (b *IntegrityBaseline) UnmarshalBinary(data []byte) error + type IntegrityCheckResult struct + CheckedAt time.Time + Passed bool + ServerName string + Violations []IntegrityViolation + type IntegrityViolation struct + Actual string + Expected string + Message string + Type string + type NoopCallback struct + func (n *NoopCallback) OnScanCompleted(_ *ScanJob, _ []*ScanReport) + func (n *NoopCallback) OnScanFailed(_ *ScanJob, _ error) + func (n *NoopCallback) OnScanStarted(_ *ScanJob) + func (n *NoopCallback) OnScannerCompleted(_ *ScanJob, _ string, _ *ScanReport) + func (n *NoopCallback) OnScannerFailed(_ *ScanJob, _ string, _ error) + func (n *NoopCallback) OnScannerStarted(_ *ScanJob, _ string) + type NoopEmitter struct + func (n *NoopEmitter) EmitSecurityIntegrityAlert(string, string, string) + func (n *NoopEmitter) EmitSecurityScanCompleted(string, map[string]int) + func (n *NoopEmitter) EmitSecurityScanFailed(string, string, string) + func (n *NoopEmitter) EmitSecurityScanProgress(string, string, string, int) + func (n *NoopEmitter) EmitSecurityScanStarted(string, []string, string) + func (n *NoopEmitter) EmitSecurityScannerChanged(string, string, string) + type QueueItem struct + DoneAt time.Time + 
Error string + JobID string + ServerName string + SkipReason string + StartedAt time.Time + Status string + type QueueProgress struct + BatchID string + Cancelled int + Completed int + DoneAt time.Time + Failed int + Items []QueueItem + Pending int + Running int + Skipped int + StartedAt time.Time + Status string + Total int + type Registry struct + func NewRegistry(dataDir string, logger *zap.Logger) *Registry + func (r *Registry) Get(id string) (*ScannerPlugin, error) + func (r *Registry) List() []*ScannerPlugin + func (r *Registry) Register(s *ScannerPlugin) error + func (r *Registry) Unregister(id string) error + func (r *Registry) UpdateStatus(id, status string) error + type ReportSummary struct + Critical int + Dangerous int + High int + Info int + InfoLevel int + Low int + Medium int + Total int + Warnings int + func SummarizeFindings(findings []ScanFinding) ReportSummary + type ResolvedSource struct + Cleanup func() + ContainerID string + Files []string + Method string + ServerURL string + SourceDir string + TotalFiles int + TotalSize int64 + type SARIFArtifactLocation struct + URI string + type SARIFConfiguration struct + Level string + type SARIFDriver struct + Name string + Rules []SARIFRule + Version string + type SARIFLocation struct + PhysicalLocation *SARIFPhysicalLocation + type SARIFMessage struct + Text string + type SARIFPhysicalLocation struct + ArtifactLocation *SARIFArtifactLocation + Region *SARIFRegion + type SARIFRegion struct + EndColumn int + EndLine int + StartColumn int + StartLine int + type SARIFReport struct + Runs []SARIFRun + Schema string + Version string + func ParseSARIF(data []byte) (*SARIFReport, error) + type SARIFResult struct + Level string + Locations []SARIFLocation + Message SARIFMessage + Properties map[string]any + RuleID string + type SARIFRule struct + DefaultConfig *SARIFConfiguration + FullDescription *SARIFMessage + HelpURI string + ID string + Properties map[string]any + ShortDescription *SARIFMessage + type 
SARIFRun struct + Results []SARIFResult + Tool SARIFTool + type SARIFTool struct + Driver SARIFDriver + type ScanAllRequest struct + ScannerIDs []string + SkipEnabled bool + type ScanCallback interface + OnScanCompleted func(job *ScanJob, reports []*ScanReport) + OnScanFailed func(job *ScanJob, err error) + OnScanStarted func(job *ScanJob) + OnScannerCompleted func(job *ScanJob, scannerID string, report *ScanReport) + OnScannerFailed func(job *ScanJob, scannerID string, err error) + OnScannerStarted func(job *ScanJob, scannerID string) + type ScanContext struct + ContainerID string + ContainerImage string + DockerIsolation bool + ScannedFiles []string + ServerCommand string + ServerProtocol string + SourceMethod string + SourcePath string + ToolsExported int + TotalFiles int + TotalSizeBytes int64 + type ScanFinding struct + CVSSScore float64 + Category string + Description string + Evidence string + FixedVersion string + HelpURI string + InstalledVersion string + Location string + PackageName string + RuleID string + ScanPass int + Scanner string + Severity string + SupplyChainAudit bool + ThreatLevel string + ThreatType string + Title string + func NormalizeFindings(report *SARIFReport, scannerID string) []ScanFinding + type ScanJob struct + CompletedAt time.Time + DryRun bool + Error string + ID string + ScanContext *ScanContext + ScanPass int + ScannerStatuses []ScannerJobStatus + Scanners []string + ServerName string + StartedAt time.Time + Status string + func (j *ScanJob) MarshalBinary() ([]byte, error) + func (j *ScanJob) UnmarshalBinary(data []byte) error + type ScanJobSummary struct + CompletedAt time.Time + FindingsCount int + ID string + RiskScore int + ScanPass int + Scanners []string + ServerName string + StartedAt time.Time + Status string + type ScanQueue struct + func NewScanQueue(logger *zap.Logger) *ScanQueue + func (q *ScanQueue) CancelAll() error + func (q *ScanQueue) GetProgress() *QueueProgress + func (q *ScanQueue) IsRunning() bool + func (q 
*ScanQueue) StartScanAll(serverList []ServerStatus, ...) (*QueueProgress, error) + type ScanReport struct + Findings []ScanFinding + ID string + JobID string + RiskScore int + SarifRaw json.RawMessage + ScannedAt time.Time + ScannerID string + ServerName string + func (r *ScanReport) MarshalBinary() ([]byte, error) + func (r *ScanReport) UnmarshalBinary(data []byte) error + type ScanRequest struct + DryRun bool + Env map[string]string + ScanContext *ScanContext + ScanPass int + ScannerIDs []string + ServerName string + SourceDir string + type ScanSummary struct + FindingCounts *FindingCounts + LastScanAt *time.Time + RiskScore int + Status string + type ScannerJobStatus struct + CompletedAt time.Time + Error string + ExitCode int + FindingsCount int + ScannerID string + StartedAt time.Time + Status string + Stderr string + Stdout string + type ScannerPlugin struct + Command []string + ConfiguredEnv map[string]string + Custom bool + Description string + DockerImage string + ErrorMsg string + Homepage string + ID string + ImageOverride string + Inputs []string + InstalledAt time.Time + LastUsedAt time.Time + License string + Name string + NetworkReq bool + OptionalEnv []EnvRequirement + Outputs []string + RequiredEnv []EnvRequirement + Status string + Timeout string + Vendor string + func (s *ScannerPlugin) EffectiveImage() string + func (s *ScannerPlugin) MarshalBinary() ([]byte, error) + func (s *ScannerPlugin) UnmarshalBinary(data []byte) error + type ScannerRunConfig struct + CacheDir string + Command []string + ContainerName string + Env map[string]string + ExtraMounts []string + Image string + MemoryLimit string + NetworkMode string + ReadOnly bool + ReportDir string + SourceDir string + Timeout time.Duration + type SecretResolverFunc func(ctx context.Context, ref string) (string, error) + type SecretStore interface + ResolveSecret func(ctx context.Context, ref string) (string, error) + StoreSecret func(ctx context.Context, name, value string) error + type 
SecurityOverview struct + ActiveScans int + DockerAvailable bool + FindingsBySeverity ReportSummary + LastScanAt time.Time + ScannersEnabled int + ScannersInstalled int + ServersScanned int + TotalScans int + type ServerInfo struct + Args []string + Command string + Env map[string]string + Name string + Protocol string + URL string + WorkingDir string + type ServerInfoProvider interface + EnsureConnected func(ctx context.Context, serverName string) error + GetServerInfo func(serverName string) (*ServerInfo, error) + GetServerTools func(serverName string) ([]map[string]interface{}, error) + IsConnected func(serverName string) bool + type ServerStatus struct + Connected bool + Enabled bool + Name string + Protocol string + type ServerUnquarantiner interface + UnquarantineServer func(serverName string) error + type Service struct + func NewService(storage Storage, registry *Registry, docker *DockerRunner, dataDir string, ...) *Service + func (s *Service) ApproveServer(ctx context.Context, serverName string, force bool, approvedBy string) error + func (s *Service) CancelAllScans() error + func (s *Service) CancelScan(ctx context.Context, serverName string) error + func (s *Service) CheckIntegrity(ctx context.Context, serverName string) (*IntegrityCheckResult, error) + func (s *Service) CleanupStaleJobs() + func (s *Service) ConfigureScanner(_ context.Context, id string, env map[string]string, dockerImage string) error + func (s *Service) GetOverview(ctx context.Context) (*SecurityOverview, error) + func (s *Service) GetQueueProgress() *QueueProgress + func (s *Service) GetScanReport(ctx context.Context, serverName string) (*AggregatedReport, error) + func (s *Service) GetScanReportByJobID(ctx context.Context, jobID string) (*AggregatedReport, error) + func (s *Service) GetScanStatus(ctx context.Context, serverName string) (*ScanJob, error) + func (s *Service) GetScanStatusByPass(ctx context.Context, serverName string, pass int) (*ScanJob, error) + func (s *Service) 
GetScanSummary(ctx context.Context, serverName string) *ScanSummary + func (s *Service) GetScanner(ctx context.Context, id string) (*ScannerPlugin, error) + func (s *Service) GetScannerStatus(ctx context.Context, id string) (*ScannerPlugin, error) + func (s *Service) GetSecurityOverview(ctx context.Context) (*SecurityOverview, error) + func (s *Service) InstallScanner(ctx context.Context, id string) error + func (s *Service) IsQueueRunning() bool + func (s *Service) ListScanHistory(ctx context.Context) ([]ScanJobSummary, error) + func (s *Service) ListScanners(ctx context.Context) ([]*ScannerPlugin, error) + func (s *Service) RejectServer(ctx context.Context, serverName string) error + func (s *Service) RemoveScanner(ctx context.Context, id string) error + func (s *Service) ScanAll(ctx context.Context, servers []ServerStatus, scannerIDs []string) (*QueueProgress, error) + func (s *Service) SetEmitter(emitter EventEmitter) + func (s *Service) SetSecretStore(store SecretStore) + func (s *Service) SetServerInfoProvider(provider ServerInfoProvider) + func (s *Service) SetServerUnquarantiner(u ServerUnquarantiner) + func (s *Service) StartScan(ctx context.Context, serverName string, dryRun bool, scannerIDs []string, ...) 
(*ScanJob, error) + type SourceResolver struct + func NewSourceResolver(logger *zap.Logger) *SourceResolver + func (r *SourceResolver) EnrichWithFileList(resolved *ResolvedSource) + func (r *SourceResolver) Resolve(ctx context.Context, info ServerInfo) (*ResolvedSource, error) + func (r *SourceResolver) ResolveFullSource(ctx context.Context, info ServerInfo) (*ResolvedSource, error) + type Storage interface + DeleteIntegrityBaseline func(serverName string) error + DeleteScanJob func(id string) error + DeleteScanReport func(id string) error + DeleteScanner func(id string) error + DeleteServerScanJobs func(serverName string) error + DeleteServerScanReports func(serverName string) error + GetIntegrityBaseline func(serverName string) (*IntegrityBaseline, error) + GetLatestScanJob func(serverName string) (*ScanJob, error) + GetScanJob func(id string) (*ScanJob, error) + GetScanReport func(id string) (*ScanReport, error) + GetScanner func(id string) (*ScannerPlugin, error) + ListIntegrityBaselines func() ([]*IntegrityBaseline, error) + ListScanJobs func(serverName string) ([]*ScanJob, error) + ListScanReports func(serverName string) ([]*ScanReport, error) + ListScanReportsByJob func(jobID string) ([]*ScanReport, error) + ListScanners func() ([]*ScannerPlugin, error) + SaveIntegrityBaseline func(baseline *IntegrityBaseline) error + SaveScanJob func(job *ScanJob) error + SaveScanReport func(report *ScanReport) error + SaveScanner func(s *ScannerPlugin) error
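Review bot: In the v0.24.3 changes, `ScannerRunConfig.DisableNoNewPrivileges` and `Service.SetScannerDisableNoNewPrivileges(disable bool)` add a service-wide switch that removes a container hardening control, and nothing in the exported API scopes it to one scanner or reports that it is on. Assuming the field maps to Docker's `no-new-privileges` security option (only signatures are visible here), disabling it lets setuid or file-capability binaries in a scanner image raise privileges inside the container, and scanner images are operator-configurable through `DockerImage` and `ImageOverride`. I would document the setter as `// SetScannerDisableNoNewPrivileges turns off the no-new-privileges restriction for every scanner container when disable is true; keep it false unless the runtime cannot start scanners otherwise.` and record the effective value in `ScanContext` next to `DockerIsolation`, so reports show which scans ran with reduced isolation. The zero value leaves the restriction enabled, which is the right default to keep.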