artifacts

package
v1.0.2
This package is not in the latest version of its module.
Published: Dec 30, 2025 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func DetectManifestFormat

func DetectManifestFormat(path string) (string, error)

DetectManifestFormat determines whether a manifest file is in Docker or OCI format.

func ExtractChartMetadata

func ExtractChartMetadata(chart *HelmChart) map[string]string

ExtractChartMetadata extracts useful metadata from a Helm chart for reporting

func ExtractK8sMetadata

func ExtractK8sMetadata(resource *K8sResource) map[string]string

func FindSecretsInResource

func FindSecretsInResource(resource *K8sResource) []string

func IsHelmChart

func IsHelmChart(path string) bool

IsHelmChart checks whether a path appears to be a Helm chart. It looks for Chart.yaml in the root directory or inside a .tgz archive.

func IsK8sManifest

func IsK8sManifest(path string) bool

IsK8sManifest checks if a file appears to be a Kubernetes manifest

func IsOCIImage

func IsOCIImage(dir string) bool

IsOCIImage checks if a directory contains an OCI image layout

func IsSensitiveK8sResource

func IsSensitiveK8sResource(resource *K8sResource) bool

func ScanArchives

func ScanArchives(root string, limits Limits, emit func(path string, data []byte)) error

ScanArchives walks recognized archive files under root and emits text entries. It enforces per-artifact limits and does not extract to disk.

func ScanArchivesWithFilter

func ScanArchivesWithFilter(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte)) error

ScanArchivesWithFilter is like ScanArchives but also consults an optional allow predicate to filter which artifact filenames are processed.

func ScanArchivesWithStats

func ScanArchivesWithStats(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte), stats *Stats) error

func ScanContainers

func ScanContainers(root string, limits Limits, emit func(path string, data []byte)) error

ScanContainers walks recognized container image/layer tarballs and emits text entries. Heuristic: presence of manifest.json or entries ending with "/layer.tar".

func ScanContainersWithFilter

func ScanContainersWithFilter(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte)) error

ScanContainersWithFilter is like ScanContainers but also consults an optional allow predicate to filter which artifact filenames are processed.

func ScanContainersWithStats

func ScanContainersWithStats(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte), stats *Stats) error

ScanContainersWithStats is like ScanContainersWithFilter but also increments the provided stats counters when a guardrail abort reason is encountered.

func ScanHelmCharts

func ScanHelmCharts(root string, limits Limits, emit func(path string, data []byte)) error

ScanHelmCharts walks the root directory and scans Helm charts for secrets. It processes both unpacked chart directories and .tgz archives.

func ScanHelmChartsWithFilter

func ScanHelmChartsWithFilter(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte)) error

ScanHelmChartsWithFilter is like ScanHelmCharts but with an optional path filter

func ScanIaC

func ScanIaC(root string, limits Limits, emit func(path string, data []byte)) error

ScanIaC scans IaC hotspots like Terraform state files and kubeconfigs.

func ScanIaCWithFilter

func ScanIaCWithFilter(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte)) error

ScanIaCWithFilter scans IaC hotspots like Terraform state files and kubeconfigs. For small Terraform state files, it extracts likely secret fields and emits them individually to reduce noise. For larger files, it falls back to text emission bounded by limits. Kubeconfigs are emitted as text for structured detectors to parse.

func ScanK8sManifests

func ScanK8sManifests(root string, limits Limits, emit func(path string, data []byte)) error

ScanK8sManifests walks the root directory and scans Kubernetes manifests for secrets

func ScanK8sManifestsWithFilter

func ScanK8sManifestsWithFilter(root string, limits Limits, allow PathAllowFunc, emit func(path string, data []byte)) error

ScanK8sManifestsWithFilter is like ScanK8sManifests but with an optional path filter

func ScanRegistryImage

func ScanRegistryImage(imageRef string, limits Limits, emit func(path string, data []byte), stats *Stats) error

ScanRegistryImage downloads and streams layers from a remote registry without pulling the full image to disk. It uses the local Docker credentials (if available) for authentication.

Types

type HelmChart

type HelmChart struct {
	APIVersion   string            `yaml:"apiVersion"`
	Name         string            `yaml:"name"`
	Version      string            `yaml:"version"`
	KubeVersion  string            `yaml:"kubeVersion,omitempty"`
	Description  string            `yaml:"description,omitempty"`
	Type         string            `yaml:"type,omitempty"`
	Keywords     []string          `yaml:"keywords,omitempty"`
	Home         string            `yaml:"home,omitempty"`
	Sources      []string          `yaml:"sources,omitempty"`
	Dependencies []HelmDependency  `yaml:"dependencies,omitempty"`
	Maintainers  []HelmMaintainer  `yaml:"maintainers,omitempty"`
	Icon         string            `yaml:"icon,omitempty"`
	AppVersion   string            `yaml:"appVersion,omitempty"`
	Deprecated   bool              `yaml:"deprecated,omitempty"`
	Annotations  map[string]string `yaml:"annotations,omitempty"`
}

HelmChart represents Helm chart metadata.

func ParseChartYAML

func ParseChartYAML(path string) (*HelmChart, error)

ParseChartYAML reads and parses a Chart.yaml file

type HelmDependency

type HelmDependency struct {
	Name       string   `yaml:"name"`
	Version    string   `yaml:"version"`
	Repository string   `yaml:"repository"`
	Condition  string   `yaml:"condition,omitempty"`
	Tags       []string `yaml:"tags,omitempty"`
	Enabled    bool     `yaml:"enabled,omitempty"`
	Alias      string   `yaml:"alias,omitempty"`
}

HelmDependency represents a chart dependency

type HelmMaintainer

type HelmMaintainer struct {
	Name  string `yaml:"name"`
	Email string `yaml:"email,omitempty"`
	URL   string `yaml:"url,omitempty"`
}

HelmMaintainer represents a chart maintainer

type HelmValues

type HelmValues map[string]interface{}

HelmValues represents parsed values.yaml

func ParseValuesYAML

func ParseValuesYAML(path string) (HelmValues, error)

ParseValuesYAML reads and parses a values.yaml file

type K8sMetadata

type K8sMetadata struct {
	Name        string            `yaml:"name"`
	Namespace   string            `yaml:"namespace,omitempty"`
	Labels      map[string]string `yaml:"labels,omitempty"`
	Annotations map[string]string `yaml:"annotations,omitempty"`
}

K8sMetadata represents Kubernetes metadata

type K8sResource

type K8sResource struct {
	APIVersion string                 `yaml:"apiVersion"`
	Kind       string                 `yaml:"kind"`
	Metadata   K8sMetadata            `yaml:"metadata"`
	Data       map[string]interface{} `yaml:"data,omitempty"`
	StringData map[string]string      `yaml:"stringData,omitempty"`
	Spec       map[string]interface{} `yaml:"spec,omitempty"`
}

K8sResource represents a generic Kubernetes resource

func ParseK8sResource

func ParseK8sResource(path string) (*K8sResource, error)

ParseK8sResource parses a Kubernetes resource from a file

func ParseK8sResources

func ParseK8sResources(path string) ([]*K8sResource, error)

ParseK8sResources parses multiple Kubernetes resources from a multi-document YAML file

type LayerContext

type LayerContext struct {
	Digest       string    // sha256:abc123...
	Index        int       // Layer 5 of 12
	TotalLayers  int       // Total number of layers
	Size         int64     // Layer size in bytes
	CreatedBy    string    // Dockerfile command that created this layer
	Created      time.Time // Layer creation timestamp
	ParentDigest string    // Previous layer digest
	Architecture string    // e.g., "amd64", "arm64"
	OS           string    // e.g., "linux", "windows"
}

LayerContext provides rich context about a container layer

func BuildLayerContext

func BuildLayerContext(config *OCIConfig, layerIndex int, layerDigest string, layerSize int64) LayerContext

BuildLayerContext extracts rich context from image config for a specific layer
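The part of this mapping that is easy to get wrong is the empty_layer rule: the config's history lists every Dockerfile instruction, but instructions that changed no files (ENV, LABEL, CMD, ...) are flagged empty_layer and have no layer of their own, so the i-th manifest layer belongs to the i-th history entry that is not empty. The following is an added example written for this page, not the package's own code: trimmed copies of the OCIConfig, OCIHistory, OCIRootFS and OCIDescriptor shapes (named LayerDesc here), a constructed image config with placeholder digests, and a BuildLayerContext whose signature differs from the package's in that it takes the manifest's layer list rather than one digest and size. SampleConfig and SampleLayers are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Trimmed mirrors of the documented OCIConfig, OCIHistory, OCIRootFS and OCIDescriptor shapes
// (this example's own declarations, not the package's code).
type OCIHistory struct {
	Created    time.Time `json:"created"`
	CreatedBy  string    `json:"created_by"`
	EmptyLayer bool      `json:"empty_layer,omitempty"`
}
type OCIRootFS struct {
	Type    string   `json:"type"`
	DiffIDs []string `json:"diff_ids"`
}
type OCIConfig struct {
	Architecture string       `json:"architecture"`
	OS           string       `json:"os"`
	RootFS       OCIRootFS    `json:"rootfs"`
	History      []OCIHistory `json:"history"`
}
type LayerDesc struct{ Digest string; Size int64 }
type LayerContext struct {
	Digest, CreatedBy, ParentDigest, Architecture, OS string
	Index, TotalLayers                                int
	Size                                              int64
	Created                                           time.Time
}

// SampleConfig is a constructed image config: five Dockerfile instructions, of which ENV and CMD
// changed no files and are marked empty_layer, leaving three diff_ids. Digests are placeholders.
const SampleConfig = `{
  "architecture": "amd64", "os": "linux",
  "rootfs": {"type": "layers", "diff_ids": ["sha256:diff0-placeholder", "sha256:diff1-placeholder", "sha256:diff2-placeholder"]},
  "history": [
    {"created": "2025-01-01T00:00:00Z", "created_by": "/bin/sh -c #(nop) ADD file:base in /"},
    {"created": "2025-01-01T00:00:01Z", "created_by": "/bin/sh -c #(nop)  ENV APP_ENV=prod", "empty_layer": true},
    {"created": "2025-01-01T00:00:02Z", "created_by": "/bin/sh -c #(nop) COPY file:config.env in /app/"},
    {"created": "2025-01-01T00:00:03Z", "created_by": "/bin/sh -c #(nop)  CMD [\"/app/run\"]", "empty_layer": true},
    {"created": "2025-01-01T00:00:04Z", "created_by": "/bin/sh -c pip install -r /app/requirements.txt"}
  ]}`

// SampleLayers stands in for the manifest's layer descriptors (placeholder digests, constructed sizes).
var SampleLayers = []LayerDesc{{"sha256:layer0-placeholder", 3000000}, {"sha256:layer1-placeholder", 4096}, {"sha256:layer2-placeholder", 9000000}}

func ParseOCIConfig(data []byte) (*OCIConfig, error) {
	var cfg OCIConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("parse image config: %w", err)
	}
	return &cfg, nil
}

// BuildLayerContext maps manifest layer i (0-based) to the history entry that produced it. History
// lists every instruction, but entries flagged empty_layer own no layer, so layer i belongs to the
// i-th non-empty entry. A config without history is valid; CreatedBy then stays empty.
func BuildLayerContext(cfg *OCIConfig, layers []LayerDesc, i int) (LayerContext, error) {
	if i < 0 || i >= len(layers) {
		return LayerContext{}, fmt.Errorf("layer index %d out of range for %d layers", i, len(layers))
	}
	if len(layers) != len(cfg.RootFS.DiffIDs) {
		return LayerContext{}, fmt.Errorf("manifest lists %d layers but config has %d diff_ids", len(layers), len(cfg.RootFS.DiffIDs))
	}
	lc := LayerContext{Digest: layers[i].Digest, Size: layers[i].Size, Index: i + 1, TotalLayers: len(layers), Architecture: cfg.Architecture, OS: cfg.OS}
	if i > 0 {
		lc.ParentDigest = layers[i-1].Digest
	}
	nonEmpty := 0
	for _, h := range cfg.History {
		if h.EmptyLayer {
			continue
		}
		if nonEmpty == i {
			lc.CreatedBy, lc.Created = h.CreatedBy, h.Created
			return lc, nil
		}
		nonEmpty++
	}
	if len(cfg.History) > 0 {
		return lc, fmt.Errorf("history has only %d non-empty entries for %d layers", nonEmpty, len(layers))
	}
	return lc, nil
}

func main() {
	cfg, err := ParseOCIConfig([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	for i := range SampleLayers {
		lc, err := BuildLayerContext(cfg, SampleLayers, i)
		fmt.Printf("layer %d/%d %s <- %q (err=%v)\n", lc.Index, lc.TotalLayers, lc.Digest, lc.CreatedBy, err)
	}
}
```

Attributing a finding to the instruction that wrote it (the COPY or RUN line above) is what makes a report actionable, and the check that the manifest's layer count matches rootfs.diff_ids catches a config that does not belong to the manifest being scanned. Two caveats worth keeping in mind: an ENV instruction's values live in the config's Env list and in the history text rather than in any layer tarball, so a scanner that only walks layers should also look at the config; and history is optional in the spec, so CreatedBy can legitimately be empty.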

type Limits

type Limits struct {
	MaxArchiveBytes int64
	MaxEntries      int
	MaxDepth        int
	TimeBudget      time.Duration
	Workers         int
	// GlobalDeadline stops scanning across all artifacts when exceeded.
	GlobalDeadline time.Time
}

Limits controls bounded deep scanning of artifacts like archives and containers.

type OCIConfig

type OCIConfig struct {
	Created      time.Time      `json:"created"`
	Architecture string         `json:"architecture"`
	OS           string         `json:"os"`
	Config       OCIImageConfig `json:"config"`
	RootFS       OCIRootFS      `json:"rootfs"`
	History      []OCIHistory   `json:"history"`
}

OCIConfig represents the image configuration

func ParseOCIConfig

func ParseOCIConfig(path string) (*OCIConfig, error)

ParseOCIConfig reads and parses an OCI image config from a file

type OCIDescriptor

type OCIDescriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

OCIDescriptor describes a content-addressable blob

type OCIHistory

type OCIHistory struct {
	Created    time.Time `json:"created"`
	CreatedBy  string    `json:"created_by"`
	Author     string    `json:"author,omitempty"`
	Comment    string    `json:"comment,omitempty"`
	EmptyLayer bool      `json:"empty_layer,omitempty"`
}

OCIHistory records the history of each layer

type OCIImageConfig

type OCIImageConfig struct {
	User         string              `json:"User,omitempty"`
	ExposedPorts map[string]struct{} `json:"ExposedPorts,omitempty"`
	Env          []string            `json:"Env,omitempty"`
	Entrypoint   []string            `json:"Entrypoint,omitempty"`
	Cmd          []string            `json:"Cmd,omitempty"`
	Volumes      map[string]struct{} `json:"Volumes,omitempty"`
	WorkingDir   string              `json:"WorkingDir,omitempty"`
	Labels       map[string]string   `json:"Labels,omitempty"`
}

OCIImageConfig contains image runtime configuration

type OCIIndex

type OCIIndex struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType"`
	Manifests     []OCIDescriptor   `json:"manifests"`
	Annotations   map[string]string `json:"annotations,omitempty"`
}

OCIIndex represents an OCI image index (for multi-arch images)

func ParseOCIIndex

func ParseOCIIndex(path string) (*OCIIndex, error)

ParseOCIIndex reads and parses an OCI image index from a file

type OCIManifest

type OCIManifest struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType"`
	Config        OCIDescriptor     `json:"config"`
	Layers        []OCIDescriptor   `json:"layers"`
	Annotations   map[string]string `json:"annotations,omitempty"`
}

OCIManifest represents an OCI image manifest (OCI Image Spec v1)

func ParseOCIManifest

func ParseOCIManifest(path string) (*OCIManifest, error)

ParseOCIManifest reads and parses an OCI image manifest from a file

type OCIRootFS

type OCIRootFS struct {
	Type    string   `json:"type"`
	DiffIDs []string `json:"diff_ids"`
}

OCIRootFS describes the root filesystem

type PathAllowFunc

type PathAllowFunc func(rel string) bool

PathAllowFunc returns true if the given relative artifact filename should be considered for deep scanning (after .redactylignore filtering). When nil, all artifact filenames are allowed.

type Stats

type Stats struct {
	AbortedByBytes   int
	AbortedByEntries int
	AbortedByDepth   int
	AbortedByTime    int
}

Stats collects counters for artifacts aborted due to guardrails.
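Limits and Stats are the guardrails behind ScanArchives, ScanContainersWithStats and the other deep-scanning entry points above, which stream archive contents without extracting to disk. The following is an added example, not the package's implementation, showing how such budgets are enforced while walking a nested .tar.gz entirely in memory: it mirrors MaxArchiveBytes, MaxEntries and MaxDepth (the time budgets are left out) and the three matching Stats counters, and feeds a constructed artifact whose nested archive carries a 4 MiB blob that gzips to a few KiB. ScanArtifact, buildTarGz, SampleArtifact and the error values are this example's own names.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limits and Stats mirror the documented fields used here (time budgets omitted); the
// enforcement below is this example's own logic, not the package's implementation.
type Limits struct {
	MaxArchiveBytes int64 // decompressed bytes read per artifact, nested levels included
	MaxEntries      int   // regular-file entries per artifact, nested levels included
	MaxDepth        int   // archive-in-archive nesting allowed (0 = top level only)
}
type Stats struct{ AbortedByBytes, AbortedByEntries, AbortedByDepth int }
var errBytes, errEntries, errDepth = errors.New("byte budget exceeded"), errors.New("entry budget exceeded"), errors.New("nesting depth exceeded")

// buildTarGz creates an in-memory .tar.gz from name/content pairs (constructed data only).
func buildTarGz(pairs ...string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for i := 0; i < len(pairs); i += 2 {
		_ = tw.WriteHeader(&tar.Header{Name: pairs[i], Mode: 0o644, Size: int64(len(pairs[i+1])), Typeflag: tar.TypeReg})
		_, _ = io.WriteString(tw, pairs[i+1])
	}
	_ = tw.Close()
	_ = gz.Close()
	return buf.Bytes()
}

// SampleArtifact: outer tarball holding a nested archive with a small env file and a 4 MiB
// zero-filled blob that gzips to a few KiB, the shape of a decompression bomb (constructed).
func SampleArtifact() []byte {
	inner := buildTarGz("config/app.env", "DB_PASSWORD=example-placeholder\n", "blob.bin", strings.Repeat("\x00", 4<<20))
	return buildTarGz("README", "demo\n", "nested.tgz", string(inner))
}

// ScanArtifact streams one .tar.gz held in memory, emits regular files and recurses into nested
// archives. Budgets are shared across nesting levels and every read is capped at budget+1 bytes,
// so hdr.Size is never trusted, nothing touches the disk, and a tripped guardrail bumps its counter.
func ScanArtifact(name string, data []byte, lim Limits, stats *Stats, emit func(string, []byte)) (n int, err error) {
	budget, entries := lim.MaxArchiveBytes, 0
	var walk func(name string, data []byte, depth int) error
	walk = func(name string, data []byte, depth int) error {
		if depth > lim.MaxDepth {
			return errDepth
		}
		gz, err := gzip.NewReader(bytes.NewReader(data))
		if err != nil {
			return err
		}
		tr := tar.NewReader(gz)
		for {
			hdr, err := tr.Next()
			if err == io.EOF {
				return nil
			} else if err != nil {
				return err
			}
			if hdr.Typeflag != tar.TypeReg {
				continue
			}
			if entries++; entries > lim.MaxEntries {
				return errEntries
			}
			body, err := io.ReadAll(io.LimitReader(tr, budget+1))
			if err != nil {
				return err
			}
			if budget -= int64(len(body)); budget < 0 {
				return errBytes
			}
			if strings.HasSuffix(hdr.Name, ".tgz") || strings.HasSuffix(hdr.Name, ".tar.gz") {
				if err := walk(name+"!"+hdr.Name, body, depth+1); err != nil {
					return err
				}
				continue
			}
			n++
			emit(name+"!"+hdr.Name, body)
		}
	}
	err = walk(name, data, 0)
	if c, ok := map[error]*int{errBytes: &stats.AbortedByBytes, errEntries: &stats.AbortedByEntries, errDepth: &stats.AbortedByDepth}[err]; ok {
		*c++
	}
	return n, err
}

func main() {
	var st Stats
	n, err := ScanArtifact("outer.tgz", SampleArtifact(), Limits{MaxArchiveBytes: 1 << 20, MaxEntries: 100, MaxDepth: 3}, &st, func(string, []byte) {})
	fmt.Printf("emitted %d, err=%v, stats=%+v\n", n, err, st)
}
```

The byte budget counts decompressed bytes and is shared across nesting levels, so a bomb inside a nested archive trips it exactly as a top-level one would, and MaxDepth refuses an archive-in-archive chain before the next level is even opened. Running main with the 1 MiB limit emits the README and app.env entries, then aborts on blob.bin with AbortedByBytes=1; only the sentinel guardrail errors are counted, so a corrupt gzip stream or truncated tar surfaces as a plain error rather than inflating the statistics.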
