sast package v3.32.0
Published: Jun 14, 2026 License: AGPL-3.0 Imports: 22 Imported by: 0

Documentation

Constants

const DefaultRegistry = "https://github.com"

DefaultRegistry is the base URL used when --rule-registry is not set.

Variables

var DefaultRulesFS embed.FS

DefaultRulesFS holds the built-in .rego rule files compiled into the binary. The rules/ directory is relative to this file (internal/sast/rules/).

var SeverityLabel = map[string]string{
	"critical": "Dangerous",
	"high":     "Risky",
	"medium":   "Quality",
	"low":      "Style",
	"info":     "Tentative",
}

SeverityLabel maps severity to the human-readable semantic label.

var SeverityToLevel = map[string]string{
	"critical": "error",
	"high":     "error",
	"medium":   "warning",
	"low":      "note",
	"info":     "note",
}

SeverityToLevel maps severity to the default SARIF level when a rule doesn't explicitly set "level" in its metadata.

Functions

func CacheDir

func CacheDir(ref RuleRef) (string, error)

CacheDir returns the OS-native cache directory for a rule repository.

Linux:   ~/.cache/vulnetix/rules/<org>/<repo>/
macOS:   ~/Library/Caches/vulnetix/rules/<org>/<repo>/
Windows: %LOCALAPPDATA%\vulnetix\rules\<org>\<repo>\

func FetchRuleRepo

func FetchRuleRepo(registry string, ref RuleRef, w io.Writer) (string, error)

FetchRuleRepo clones or pulls a rule repository into the system cache. Returns the local cache path. Prints progress to w.

func Fingerprint

func Fingerprint(ruleID, artifactURI string, startLine int) string

Fingerprint produces a stable hash identifying a finding by rule + location. Used as the dedup key in memory.yaml and the SARIF fingerprints map. Returns the first 16 hex characters of SHA-256("<RuleID>\x00<ArtifactURI>\x00<StartLine>").

func LoadAllModules

func LoadAllModules(
	defaultFS embed.FS,
	disableDefault bool,
	ruleRefs []RuleRef,
	registry string,
	w io.Writer,
) (map[string]string, error)

LoadAllModules loads the default embedded rules and any external --rule repos. If disableDefault is true, the embedded rules are skipped. Returns map[filename]source for all loaded .rego files. External rules are evaluated against the same input document as the built-ins, so a --rule repository should be vetted like any other dependency.

func LoadFileContents

func LoadFileContents(input *ScanInput, maxSize int64)

LoadFileContents populates input.FileContents with the text of files matching the scan's language extensions. Files over maxSize bytes and binary files are skipped.

To opt into binary inspection (extracted strings plus EXIF metadata, folded into the same map as synthetic content), use LoadFileContentsWithOptions with a LoadOptions instead.

func LoadFileContentsWithOptions added in v3.29.0

func LoadFileContentsWithOptions(input *ScanInput, opts LoadOptions)

LoadFileContentsWithOptions is the full-control variant used by the secrets subcommand.

func MergeGitHistoryEntries added in v3.29.0

func MergeGitHistoryEntries(input *ScanInput, entries []secretscan.GitHistoryEntry) int

MergeGitHistoryEntries injects the file versions returned by secretscan.ScanGitHistory into input.FileContents. Returns the number of entries injected. Duplicate keys (same commit, same path) are silently ignored.

func PrintHeadline added in v3.12.1

func PrintHeadline(report *SASTReport)

PrintHeadline prints a bold SAST headline (finding count + severity breakdown) above the analysis table. Used as the top-of-output summary when SCA did not run (so the SCA "X packages | Y vulnerabilities" line is absent).

func PrintHeadlineWithLabel added in v3.27.0

func PrintHeadlineWithLabel(report *SASTReport, label string)

PrintHeadlineWithLabel prints a bold findings headline using the scan family label supplied by the caller.

func PrintPrettySummary

func PrintPrettySummary(report *SASTReport, resultsOnly bool)

PrintPrettySummary prints a styled SAST findings table to stdout. If resultsOnly is true, stays silent when there are no findings.

func PrintPrettySummaryWithTitle added in v3.27.0

func PrintPrettySummaryWithTitle(report *SASTReport, resultsOnly bool, title string)

PrintPrettySummaryWithTitle prints a styled findings table with a caller-supplied heading. The Container/IaC/Secrets subcommands share the SAST engine but should not label their output "SAST".

func ResolveURL

func ResolveURL(registry string, ref RuleRef) string

ResolveURL builds the git clone URL from a registry base URL and rule reference.

func ResolvedFingerprints

func ResolvedFingerprints(oldLog *SARIFLog, newFindings []Finding) []string

ResolvedFingerprints returns fingerprints present in the old SARIF log but absent from the new findings. These represent resolved findings.

func WriteSARIF

func WriteSARIF(log *SARIFLog, path string) error

WriteSARIF serializes a SARIF log to the given file path.

Types

type BuildOptions added in v3.29.0

type BuildOptions struct {
	MaxDepth int
	Excludes []string

	// IgnoreGit, when true, skips the .git directory entirely. The default
	// is false: the secrets subcommand walks .git to surface credentials
	// that exist only in past commits.
	IgnoreGit bool

	// IgnoreGlobs is an additional set of glob patterns to exclude. The
	// patterns are matched against the relative path and the base name
	// (mirroring --exclude). The CLI's --ignore flag is wired into this
	// slice so that a single --ignore "fixtures/**" is enough.
	IgnoreGlobs []string

	// IgnoreBinaries, when true, skips binary files entirely. When false
	// (the default for the secrets subcommand), binary files are inspected
	// with strings + EXIF and the result is added to FileContents.
	IgnoreBinaries bool

	// GitHistory, when true, walks the git history at rootPath and adds
	// each file version to FileContents under the __git_history__/ prefix.
	// Requires that IgnoreGit be false; if both are set, IgnoreGit wins.
	GitHistory bool

	// GitHistoryMaxCommits caps the number of commits walked.
	GitHistoryMaxCommits int
	// GitHistoryMaxFiles caps the number of file versions emitted.
	GitHistoryMaxFiles int
}

BuildOptions controls how the filesystem is walked and how binary/git content is folded into the scan input. Zero-value options produce the legacy behaviour: text files only, no git history.

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine compiles Rego modules and evaluates them against a filesystem scan.

func NewEngine

func NewEngine(modules map[string]string, scanRoot string) *Engine

NewEngine constructs an Engine from the given Rego modules (map[filename]source, as returned by LoadAllModules) and the scanRoot that Evaluate will walk.

func (*Engine) Evaluate

func (e *Engine) Evaluate(opts EvalOptions) (*SASTReport, error)

Evaluate runs all loaded Rego policies against the filesystem at scanRoot.

func (*Engine) ListRules

func (e *Engine) ListRules() ([]RuleMetadata, error)

ListRules extracts metadata from all loaded rule packages without running detection. Used for --list-default-rules.

type EvalOptions

type EvalOptions struct {
	MaxDepth int
	Excludes []string

	// IgnoreGit, IgnoreGlobs, IgnoreBinaries, GitHistory, etc. are
	// forwarded to BuildScanInputWithOptions / LoadFileContentsWithOptions
	// so the secrets subcommand can enable binary and history scanning
	// without affecting the generic scan command's behaviour.
	IgnoreGit            bool
	IgnoreGlobs          []string
	IgnoreBinaries       bool
	GitHistory           bool
	GitHistoryMaxCommits int
	GitHistoryMaxFiles   int
	MinStringLength      int
}

EvalOptions configures the SAST evaluation.

type Finding

type Finding struct {
	RuleID      string        `json:"rule_id"`
	Message     string        `json:"message"`
	ArtifactURI string        `json:"artifact_uri"`
	Severity    string        `json:"severity"`
	Level       string        `json:"level"`
	StartLine   int           `json:"start_line"`
	EndLine     int           `json:"end_line,omitempty"`
	Snippet     string        `json:"snippet"`
	Fingerprint string        `json:"-"`
	Metadata    *RuleMetadata `json:"-"`
}

Finding is unmarshaled from each element of the Rego "findings" set. Detection fields (ArtifactURI, StartLine, Snippet) are set by Rego logic. Fingerprint and Metadata are set by the engine after evaluation.

type LoadOptions added in v3.29.0

type LoadOptions struct {
	// MaxFileSize is the upper bound for any single file's text content
	// (raw or extracted). Files larger than this are skipped entirely.
	MaxFileSize int64
	// IgnoreBinaries, when true, skips binary files. When false (the
	// default for the secrets subcommand), binary files are inspected:
	// printable strings are extracted with the secretscan package and any
	// EXIF/IPTC/XMP metadata is added under __exif__/.
	IgnoreBinaries bool
	// MinStringLength is the minimum run length to surface when extracting
	// strings from binaries. Defaults to secretscan.StringMin (4).
	MinStringLength int
}

LoadOptions configures LoadFileContentsWithOptions. MaxFileSize and IgnoreBinaries correspond directly to the CLI flags of the same name; MaxDepth and Excludes are not relevant here because the walker has already determined the set of files to consider.

type RuleMetadata

type RuleMetadata struct {
	ID          string   `json:"id"`
	Name        string   `json:"name"`
	Description string   `json:"description"`
	HelpURI     string   `json:"help_uri"`
	Languages   []string `json:"languages"`
	Severity    string   `json:"severity"`
	Level       string   `json:"level"`
	Kind        string   `json:"kind"`
	CWE         []int    `json:"cwe"`
	CAPEC       []string `json:"capec"`
	ATTACKTech  []string `json:"attack_technique"`
	CVSSv4      string   `json:"cvssv4"`
	CWSS        string   `json:"cwss"`
	Tags        []string `json:"tags"`
}

RuleMetadata is unmarshaled from the Rego "metadata" constant object. Every field maps directly to the JSON keys used in the Rego policy.

func (*RuleMetadata) EffectiveLevel

func (m *RuleMetadata) EffectiveLevel() string

EffectiveLevel returns the SARIF level for a rule — the explicit level if set, otherwise derived from severity.

type RuleRef

type RuleRef struct {
	Org  string
	Repo string
}

RuleRef identifies an external rule repository by org and repo name.

func ParseRuleRef

func ParseRuleRef(arg string) (RuleRef, error)

ParseRuleRef parses an "org/repo" string from a --rule flag value. The two components are used by ResolveURL (clone URL) and CacheDir (on-disk path), so this is the place where an unexpected value should be rejected.
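The rule-reference path from flag value to clone URL and cache directory (ParseRuleRef, ResolveURL and CacheDir above), as an added example written for this page rather than code from the vulnetix repository. The accepted character set, the "<registry>/<org>/<repo>" URL shape and the fallback to DefaultRegistry are assumptions; the cache layout follows the CacheDir documentation, which os.UserCacheDir reproduces on all three platforms. The example goes one step beyond the page by also guarding CacheDir against a RuleRef built by hand rather than parsed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// DefaultRegistry is the base URL used when --rule-registry is not set.
const DefaultRegistry = "https://github.com"

// RuleRef identifies an external rule repository by org and repo name.
type RuleRef struct {
	Org  string
	Repo string
}

// componentRE is this example's validation rule (the page does not say what
// the real parser accepts): GitHub-style names only, so a parsed component can
// never be empty, ".", ".." or contain a path separator. The same two strings
// end up in both the clone URL and the on-disk cache path, so this is the one
// place to reject anything that could redirect the fetch or escape the cache.
var componentRE = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$`)

// ParseRuleRef parses an "org/repo" string as passed to --rule.
func ParseRuleRef(arg string) (RuleRef, error) {
	parts := strings.Split(strings.TrimSpace(arg), "/")
	if len(parts) != 2 {
		return RuleRef{}, fmt.Errorf("rule reference %q must have the form org/repo", arg)
	}
	for _, p := range parts {
		if !componentRE.MatchString(p) {
			return RuleRef{}, fmt.Errorf("rule reference %q: invalid component %q", arg, p)
		}
	}
	return RuleRef{Org: parts[0], Repo: parts[1]}, nil
}

// ResolveURL builds the clone URL as "<registry>/<org>/<repo>"; that layout is
// an assumption of this example, as is falling back to DefaultRegistry.
func ResolveURL(registry string, ref RuleRef) string {
	if registry == "" {
		registry = DefaultRegistry
	}
	return strings.TrimRight(registry, "/") + "/" + ref.Org + "/" + ref.Repo
}

// CacheDir returns <user cache dir>/vulnetix/rules/<org>/<repo>. os.UserCacheDir
// already resolves to ~/.cache, ~/Library/Caches and %LOCALAPPDATA% on Linux,
// macOS and Windows, which is exactly the documented layout. The Rel check is
// defence in depth behind ParseRuleRef for callers that build a RuleRef by hand.
func CacheDir(ref RuleRef) (string, error) {
	base, err := os.UserCacheDir()
	if err != nil {
		return "", err
	}
	root := filepath.Join(base, "vulnetix", "rules")
	dir := filepath.Join(root, ref.Org, ref.Repo)
	if rel, err := filepath.Rel(root, dir); err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", errors.New("rule cache path escapes the rules cache root")
	}
	return dir, nil
}

func main() {
	for _, arg := range []string{"vulnetix/rules", "../../etc/cron.d", "org/..", "org/repo/extra"} {
		ref, err := ParseRuleRef(arg)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		dir, err := CacheDir(ref)
		fmt.Println("clone", ResolveURL(DefaultRegistry, ref), "into", dir, err)
	}
}
```

Validating at parse time, rather than where the value is consumed, keeps FetchRuleRepo and CacheDir free to assume a well-formed reference; the Rel check in CacheDir only exists because RuleRef is an exported struct that can be constructed without going through ParseRuleRef.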

type SARIFArtifact

type SARIFArtifact struct {
	Location *SARIFArtifactLocation `json:"location,omitempty"`
}

SARIFArtifact describes an artifact referenced by results.

type SARIFArtifactLocation

type SARIFArtifactLocation struct {
	URI string `json:"uri"`
}

SARIFArtifactLocation is a URI reference to an artifact.

type SARIFLocation

type SARIFLocation struct {
	PhysicalLocation *SARIFPhysicalLocation `json:"physicalLocation,omitempty"`
}

SARIFLocation describes where a result was found.

type SARIFLog

type SARIFLog struct {
	Schema  string     `json:"$schema"`
	Version string     `json:"version"`
	Runs    []SARIFRun `json:"runs"`
}

SARIFLog is the top-level SARIF document.

func BuildSARIF

func BuildSARIF(findings []Finding, rules []RuleMetadata, toolVersion string) *SARIFLog

BuildSARIF converts findings and rules into a SARIF 2.1.0 log.
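How findings and rule metadata become a SARIF 2.1.0 log, with the level derivation from SeverityToLevel and EffectiveLevel applied per result. This is an added example written for this page, not the package's BuildSARIF; the driver name, the schema URL and the "vulnetix/v1" fingerprint key are assumptions, and the sample rules and findings are constructed. It also covers the two cases the documentation leaves implicit: an explicit level overriding severity, and a finding whose rule is absent from the descriptor list.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SeverityToLevel is the package's default mapping; an explicit "level" in the rule metadata overrides it.
var SeverityToLevel = map[string]string{
	"critical": "error", "high": "error", "medium": "warning", "low": "note", "info": "note",
}

type RuleMetadata struct{ ID, Severity, Level string }

// EffectiveLevel: the explicit level wins, otherwise severity decides. Mapping an
// unknown severity to "warning" is this example's choice, so a typo in rule metadata stays visible.
func (m *RuleMetadata) EffectiveLevel() string {
	if m.Level != "" {
		return m.Level
	}
	if lvl, ok := SeverityToLevel[m.Severity]; ok {
		return lvl
	}
	return "warning"
}

type Finding struct {
	RuleID, Message, ArtifactURI, Fingerprint string
	StartLine                                 int
}

// The SARIF 2.1.0 subset needed to carry a result, its location and the engine fingerprint.
type SARIFLog struct {
	Schema  string     `json:"$schema"`
	Version string     `json:"version"`
	Runs    []SARIFRun `json:"runs"`
}
type SARIFRun struct {
	Tool    SARIFTool     `json:"tool"`
	Results []SARIFResult `json:"results"`
}
type SARIFTool struct{ Driver SARIFToolDriver `json:"driver"` }
type SARIFToolDriver struct {
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
}
type SARIFResult struct {
	RuleID       string            `json:"ruleId"`
	Level        string            `json:"level,omitempty"`
	Message      SARIFMessage      `json:"message"`
	Locations    []SARIFLocation   `json:"locations,omitempty"`
	Fingerprints map[string]string `json:"fingerprints,omitempty"`
}
type SARIFMessage struct{ Text string `json:"text"` }
type SARIFLocation struct{ PhysicalLocation SARIFPhysicalLocation `json:"physicalLocation"` }
type SARIFPhysicalLocation struct {
	ArtifactLocation SARIFArtifactLocation `json:"artifactLocation"`
	Region           SARIFRegion           `json:"region"`
}
type SARIFArtifactLocation struct{ URI string `json:"uri"` }
type SARIFRegion struct{ StartLine int `json:"startLine,omitempty"` }

// BuildSARIF emits one run. Each result takes its level from its rule's EffectiveLevel and
// carries the fingerprint under "vulnetix/v1"; that key, the driver name and the schema URL are assumptions.
func BuildSARIF(findings []Finding, rules []RuleMetadata, toolVersion string) *SARIFLog {
	byID := map[string]*RuleMetadata{}
	for i := range rules {
		byID[rules[i].ID] = &rules[i]
	}
	results := make([]SARIFResult, 0, len(findings)) // "results" must serialize as [] when empty
	for _, f := range findings {
		lvl := "warning" // finding from a rule that is not in the descriptor list
		if r, ok := byID[f.RuleID]; ok {
			lvl = r.EffectiveLevel()
		}
		results = append(results, SARIFResult{
			RuleID: f.RuleID, Level: lvl, Message: SARIFMessage{Text: f.Message},
			Locations: []SARIFLocation{{PhysicalLocation: SARIFPhysicalLocation{
				ArtifactLocation: SARIFArtifactLocation{URI: f.ArtifactURI},
				Region:           SARIFRegion{StartLine: f.StartLine}}}},
			Fingerprints: map[string]string{"vulnetix/v1": f.Fingerprint},
		})
	}
	return &SARIFLog{Schema: "https://json.schemastore.org/sarif-2.1.0.json", Version: "2.1.0",
		Runs: []SARIFRun{{Tool: SARIFTool{Driver: SARIFToolDriver{Name: "vulnetix", Version: toolVersion}}, Results: results}}}
}

func main() {
	log := BuildSARIF([]Finding{{RuleID: "example-secret", Message: "credential literal", ArtifactURI: "app/config.go", StartLine: 12, Fingerprint: "0123456789abcdef"}},
		[]RuleMetadata{{ID: "example-secret", Severity: "high"}}, "3.32.0") // constructed sample
	out, _ := json.MarshalIndent(log, "", "  ")
	fmt.Println(string(out))
}
```

Two details matter for consumers such as code-scanning upload endpoints: results is emitted as an empty array rather than null when there are no findings, and every result carries a fingerprints map so a later run can compute ResolvedFingerprints without re-deriving the key.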

func LoadExistingSARIF

func LoadExistingSARIF(path string) (*SARIFLog, error)

LoadExistingSARIF reads a SARIF log from disk. Returns a nil log if the file does not exist, so callers must nil-check before reading Runs.

type SARIFMessage

type SARIFMessage struct {
	Text string `json:"text"`
}

SARIFMessage is a SARIF message object.

type SARIFPhysicalLocation

type SARIFPhysicalLocation struct {
	ArtifactLocation *SARIFArtifactLocation `json:"artifactLocation,omitempty"`
	Region           *SARIFRegion           `json:"region,omitempty"`
}

SARIFPhysicalLocation identifies a file and region.

type SARIFPropertyBag

type SARIFPropertyBag map[string]any

SARIFPropertyBag is a property bag for extensible metadata.

type SARIFRegion

type SARIFRegion struct {
	StartLine int           `json:"startLine,omitempty"`
	EndLine   int           `json:"endLine,omitempty"`
	Snippet   *SARIFSnippet `json:"snippet,omitempty"`
}

SARIFRegion identifies a portion of an artifact.

type SARIFReportingDescriptor

type SARIFReportingDescriptor struct {
	ID               string           `json:"id"`
	Name             string           `json:"name,omitempty"`
	ShortDescription *SARIFMessage    `json:"shortDescription,omitempty"`
	HelpURI          string           `json:"helpUri,omitempty"`
	Properties       SARIFPropertyBag `json:"properties,omitempty"`
}

SARIFReportingDescriptor describes a rule.

type SARIFResult

type SARIFResult struct {
	RuleID       string            `json:"ruleId"`
	Level        string            `json:"level,omitempty"`
	Kind         string            `json:"kind,omitempty"`
	Message      SARIFMessage      `json:"message"`
	Locations    []SARIFLocation   `json:"locations,omitempty"`
	Fingerprints map[string]string `json:"fingerprints,omitempty"`
	Properties   SARIFPropertyBag  `json:"properties,omitempty"`
}

SARIFResult represents a single finding.

type SARIFRun

type SARIFRun struct {
	Tool      SARIFTool       `json:"tool"`
	Results   []SARIFResult   `json:"results"`
	Artifacts []SARIFArtifact `json:"artifacts,omitempty"`
}

SARIFRun represents a single analysis run.

type SARIFSnippet

type SARIFSnippet struct {
	Text string `json:"text"`
}

SARIFSnippet holds a text snippet from the source.

type SARIFTool

type SARIFTool struct {
	Driver SARIFToolDriver `json:"driver"`
}

SARIFTool describes the analysis tool.

type SARIFToolDriver

type SARIFToolDriver struct {
	Name           string                     `json:"name"`
	Version        string                     `json:"version,omitempty"`
	InformationURI string                     `json:"informationUri,omitempty"`
	Rules          []SARIFReportingDescriptor `json:"rules,omitempty"`
}

SARIFToolDriver describes the primary analysis tool component.

type SASTReport

type SASTReport struct {
	Findings    []Finding
	Rules       []RuleMetadata
	RulesLoaded int // rules after filtering (kind/id) that were evaluated
	RulesTotal  int // rules loaded pre-filter (builtin + --rule repos)
}

SASTReport holds the results of a SAST evaluation run.

type ScanInput

type ScanInput struct {
	// FileSet maps each relative file path to true for O(1) existence checks in Rego.
	FileSet map[string]bool `json:"file_set"`
	// DirsByLanguage maps language name to directories containing that language's indicator files.
	DirsByLanguage map[string][]string `json:"dirs_by_language"`
	// FileContents maps relative path to file text. Populated lazily for small files
	// when content-level rules are present. Files over MaxFileSize and binary files are
	// skipped unless binary inspection is enabled (see LoadOptions.IgnoreBinaries).
	FileContents map[string]string `json:"file_contents,omitempty"`
	// ScanRoot is the absolute path being scanned (for display; rules use relative paths).
	ScanRoot string `json:"scan_root"`
}

ScanInput is serialized to JSON and passed as the OPA input document.

func BuildScanInput

func BuildScanInput(rootPath string, maxDepth int, excludes []string) (*ScanInput, error)

BuildScanInput walks the filesystem at rootPath and builds the OPA input document.

func BuildScanInputWithOptions added in v3.29.0

func BuildScanInputWithOptions(rootPath string, opts BuildOptions) (*ScanInput, error)

BuildScanInputWithOptions is the full-control entry point. It replaces BuildScanInput when the caller needs to enable binary or git-history inspection (the secrets subcommand does, the generic scan does not).
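A walker that produces the ScanInput document described above, honouring MaxDepth, Excludes (matched against the relative path and the base name, with "dir/**" covering a subtree as the --ignore note under BuildOptions expects), IgnoreGit and a size cap, and skipping binary content the way LoadFileContents does. This is an added example written for this page, not the package's BuildScanInput; it leaves DirsByLanguage out, folds MaxFileSize into the walk, treats MaxDepth 0 as unlimited, and detects binaries by a NUL byte, all of which are choices of the example. The sample project it scans is constructed in main.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ScanInput is the OPA input document as documented for the package (DirsByLanguage omitted here).
type ScanInput struct {
	FileSet      map[string]bool   `json:"file_set"`
	FileContents map[string]string `json:"file_contents,omitempty"`
	ScanRoot     string            `json:"scan_root"`
}

// BuildOptions is the subset of the package's options exercised here. Folding MaxFileSize
// in from LoadOptions and treating MaxDepth 0 as unlimited are assumptions of this example.
type BuildOptions struct {
	MaxDepth    int
	Excludes    []string // globs tried against the relative path and the base name
	IgnoreGit   bool
	MaxFileSize int64
}

// excluded mirrors the documented --exclude/--ignore matching. "dir/**" is read as the directory
// and everything under it; filepath.Match never crosses "/", so without this case "fixtures/**" would be a no-op.
func excluded(rel string, patterns []string) bool {
	for _, p := range patterns {
		if strings.HasSuffix(p, "/**") {
			prefix := strings.TrimSuffix(p, "/**")
			if rel == prefix || strings.HasPrefix(rel, prefix+"/") {
				return true
			}
			continue
		}
		if ok, _ := filepath.Match(p, rel); ok {
			return true
		}
		if ok, _ := filepath.Match(p, filepath.Base(rel)); ok {
			return true
		}
	}
	return false
}

// BuildScanInputWithOptions walks rootPath once. Keys are slash-separated paths relative to the root,
// which is what the Rego rules index on. Oversized and NUL-containing files stay in FileSet but get no FileContents entry.
func BuildScanInputWithOptions(rootPath string, opts BuildOptions) (*ScanInput, error) {
	root, _ := filepath.Abs(rootPath)
	in := &ScanInput{FileSet: map[string]bool{}, FileContents: map[string]string{}, ScanRoot: root}
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		rel, _ := filepath.Rel(root, path)
		rel = filepath.ToSlash(rel)
		if err != nil || rel == "." {
			return err
		}
		depth := strings.Count(rel, "/") + 1
		skip := excluded(rel, opts.Excludes) || d.IsDir() &&
			(opts.IgnoreGit && d.Name() == ".git" || opts.MaxDepth > 0 && depth >= opts.MaxDepth)
		if skip && d.IsDir() {
			return filepath.SkipDir // prune the whole subtree
		}
		if skip || d.IsDir() {
			return nil
		}
		in.FileSet[rel] = true
		info, err := d.Info()
		if err != nil || (opts.MaxFileSize > 0 && info.Size() > opts.MaxFileSize) {
			return err
		}
		data, err := os.ReadFile(path)
		if err == nil && bytes.IndexByte(data, 0) < 0 {
			in.FileContents[rel] = string(data)
		}
		return err
	})
	return in, err
}

func main() {
	dir, _ := os.MkdirTemp("", "vulnetix-scan-example")
	defer os.RemoveAll(dir)
	// Constructed sample project; errors are ignored because this is fixture setup only.
	for rel, data := range map[string][]byte{
		"main.go":                 []byte("package main\n\nvar apiKey = \"constructed-sample-key\"\n"),
		"fixtures/secret.txt":     []byte("not-a-real-secret\n"),
		"assets/logo.bin":         {0x89, 'P', 'N', 'G', 0x00, 0x01},
		".git/config":             []byte("[core]\n\tbare = false\n"),
		"deep/a/b/c/too-deep.txt": []byte("pruned at MaxDepth 3\n"),
	} {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		os.MkdirAll(filepath.Dir(p), 0o755)
		os.WriteFile(p, data, 0o644)
	}
	in, err := BuildScanInputWithOptions(dir, BuildOptions{MaxDepth: 3, Excludes: []string{"fixtures/**"}, IgnoreGit: true, MaxFileSize: 1 << 20})
	fmt.Println(len(in.FileSet), "files listed,", len(in.FileContents), "with text contents, err:", err)
}
```

The split between FileSet and FileContents is the point to keep in mind when writing rules: a file that is too large or binary still exists for O(1) existence checks, but a content-level rule will see no text for it, which is why the secrets subcommand leaves IgnoreBinaries off and walks .git by default.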

Directories

Command secretsgen renders the high-fidelity secret-detection rule set and its documentation from a single source of truth: catalog.json.
