Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenerateSampleExclusion ¶
func GenerateSampleExclusion() string
GenerateSampleExclusion generates the content of a sample exclusion YAML file, with descriptions
func GetExtraHeaders ¶ added in v0.6.7
func GetExtraHeaders(diags []*SecurityDiagnostic) []string
GetExtraHeaders derives additional headers from the Tags of the supplied diagnostics, sorted in alphabetical order
Types ¶
type CharRange ¶
// CharRange locates a span of text in a file by its start and end indices.
// Whether EndIndex is inclusive or one past the end is not shown here — confirm against the producer.
type CharRange struct {
	// StartIndex is the index at which the range begins.
	StartIndex int64
	// EndIndex is the index at which the range ends.
	EndIndex int64
}
CharRange describes the location in the file where a range of "text" is found
type Confidence ¶
// Confidence reflects the degree of confidence that we have in an assessment.
// The constants below are iota-ordered, so comparisons such as c >= High are meaningful.
type Confidence int

// Confidence levels, in increasing order.
const (
	// Info is informational confidence in the assessment.
	Info Confidence = iota
	// Low is low confidence in the assessment.
	Low
	// Medium is medium confidence in the assessment.
	Medium
	// High is high confidence in the assessment.
	High
	// Critical is critical confidence in the assessment.
	Critical
)
func (Confidence) MarshalJSON ¶
func (conf Confidence) MarshalJSON() ([]byte, error)
MarshalJSON makes a string representation of the confidence
func (Confidence) String ¶
func (conf Confidence) String() string
func (*Confidence) UnmarshalJSON ¶
func (conf *Confidence) UnmarshalJSON(data []byte) error
UnmarshalJSON unmarshals a string representation of the confidence to Confidence
type DefaultSecurityDiagnosticsProvider ¶
// DefaultSecurityDiagnosticsProvider is the default SecurityDiagnosticsProvider
// implementation; presumably it stores the consumers registered via AddConsumers
// and fans each Broadcast out to them (fields are unexported — confirm in the source).
type DefaultSecurityDiagnosticsProvider struct {
// contains filtered or unexported fields
}
DefaultSecurityDiagnosticsProvider is a default implementation of SecurityDiagnosticsProvider
func (*DefaultSecurityDiagnosticsProvider) AddConsumers ¶
func (sdp *DefaultSecurityDiagnosticsProvider) AddConsumers(consumers ...SecurityDiagnosticsConsumer)
AddConsumers adds consumers to be notified by this provider when there is a new diagnostic
func (*DefaultSecurityDiagnosticsProvider) Broadcast ¶
func (sdp *DefaultSecurityDiagnosticsProvider) Broadcast(diagnostics *SecurityDiagnostic)
Broadcast sends the diagnostic to all registered consumers
type Evidence ¶
// Evidence is an atomic piece of information that describes a security diagnostic:
// a free-text description and the Confidence attached to it.
// Neither tag carries omitempty, so both keys are always present in the JSON output.
type Evidence struct {
	Description string     `json:"description"`
	Confidence  Confidence `json:"confidence"`
}
Evidence is an atomic piece of information that describes a security diagnostic
type ExcludeContainer ¶
// ExcludeContainer bundles an ExcludeDefinition with a list of repositories;
// it is the input to CompileExcludes.
type ExcludeContainer struct {
	// ExcludeDef holds the exclusion rules to compile.
	ExcludeDef *ExcludeDefinition
	// Repositories — presumably the repositories the rules are scoped to; confirm with CompileExcludes.
	Repositories []string
}
type ExcludeDefinition ¶
// ExcludeDefinition describes exclude rules; the yaml tags are the keys of the
// exclusion YAML file. Every entry here widens what the scanner ignores, so an
// over-broad regular expression or hash list silently suppresses real findings —
// review changes to these lists as carefully as the detection rules themselves.
type ExcludeDefinition struct {
	// GloballyExcludedRegExs are regular expressions of matching strings that should be
	// ignored as secrets anywhere they are found.
	GloballyExcludedRegExs []string `yaml:"GloballyExcludedRegExs"`

	// GloballyExcludedStrings are strings that should be ignored as secrets anywhere they are found.
	GloballyExcludedStrings []string `yaml:"GloballyExcludedStrings"`

	// GloballyExcludedHashes are SHA256 hashes that should be ignored as secrets anywhere they are found.
	GloballyExcludedHashes []string `yaml:"GloballyExcludedHashes"`

	// PathExclusionRegExs are regular expressions that ignore files whose paths match.
	PathExclusionRegExs []string `yaml:"PathExclusionRegExs"`

	// PerFileExcludedStrings maps a file path to the set of strings excluded in that file
	// (filepath -> Set(strings)).
	PerFileExcludedStrings map[string][]string `yaml:"PerFileExcludedStrings"`

	// PerFileExcludedHashes maps a file path to the set of SHA256 hashes excluded in that file
	// (filepath -> Set(hashes)).
	PerFileExcludedHashes map[string][]string `yaml:"PerFileExcludedHashes"`

	// PathRegexExcludedRegExs maps a path regular expression to the set of regular expressions
	// that should be ignored on paths it matches (filepath_regex -> Set(regex)). This is a
	// quite versatile construct and can model the four above.
	// NOTE: the YAML key is "PathRegexExcludedRegex" (singular), unlike the field name.
	PathRegexExcludedRegExs map[string][]string `yaml:"PathRegexExcludedRegex"`
}
ExcludeDefinition describes exclude rules
type ExcludeRequirement ¶
// ExcludeRequirement pairs a value (What) with the diagnostic that raised it and a
// project identifier; presumably it expresses a request to exclude that finding —
// confirm with its callers. No field has a json tag, so encoding/json would use the
// exported field names as keys.
type ExcludeRequirement struct {
	What      string
	Issue     SecurityDiagnostic
	ProjectID string
}
type ExclusionProvider ¶
// ExclusionProvider implements an exclusion strategy: each method reports whether a
// candidate finding should be ignored. Implementations are obtained from
// CompileExcludes and MakeEmptyExcludes.
type ExclusionProvider interface {
	// ShouldExclude determines whether the supplied value should be excluded based on its value and the
	// path (if any) of the source file providing additional context.
	ShouldExclude(pathContext, value string) bool
	// ShouldExcludeHashOnPath is the hash-based counterpart of ShouldExclude: it takes a hash
	// instead of the raw value, together with the same path context.
	ShouldExcludeHashOnPath(pathContext, hash string) bool
	// ShouldExcludePath reports whether the whole path is excluded.
	ShouldExcludePath(path string) bool
	// ShouldExcludeValue reports whether value is excluded, without any path context.
	ShouldExcludeValue(value string) bool
	// ShouldExcludeHash reports whether hash is excluded, without any path context.
	ShouldExcludeHash(hash string) bool
}
ExclusionProvider implements an exclusion strategy
func CompileExcludes ¶
func CompileExcludes(container ExcludeContainer) (ExclusionProvider, error)
CompileExcludes returns an ExclusionProvider whose regular expressions have already been compiled
func MakeEmptyExcludes ¶
func MakeEmptyExcludes() ExclusionProvider
MakeEmptyExcludes creates an empty default exclusion list
type Justification ¶
// Justification describes why a security diagnostic has been generated.
// NOTE: omitempty has no effect on a struct-valued field in encoding/json, so
// "headline" is emitted even when Headline is the zero value.
type Justification struct {
	// Headline is the headline evidence.
	Headline Evidence `json:"headline,omitempty"`
	// Reasons are sub-reasons that justify why this is an issue.
	Reasons []Evidence `json:"reasons,omitempty"`
}
Justification describes why a security diagnostic has been generated
type PolicyUpdateResult ¶
type SecurityDiagnostic ¶
// SecurityDiagnostic describes a single security issue: the evidence for it, where
// in the source it was seen, and optional metadata about the finding and its producer.
type SecurityDiagnostic struct {
	Justification  Justification `json:"justification,omitempty"`
	Range          code.Range    `json:"range,omitempty"`
	RawRange       CharRange     `json:"rawRange,omitempty"`
	HighlightRange code.Range    `json:"highlightRange,omitempty"`

	// Source is the offending source text, included only when the producer chooses to provide it.
	Source *string `json:"source,omitempty"`

	// SHA256 is an optional SHA256 hash of the secret. A plain hash of a secret still lets
	// anyone holding the report confirm a guessed value offline, so high-security
	// environments may want to use an HMAC (or a similar keyed construction) instead and
	// omit Source from the reports.
	SHA256 *string `json:"sha256,omitempty"`

	// Location optionally holds the file path or URI of the resource this diagnostic applies to.
	Location *string `json:"location,omitempty"`

	// ProviderID identifies the source of the diagnostic.
	ProviderID *string `json:"providerID,omitempty"`

	// Excluded indicates whether this diagnostic has been excluded. It has no json tag,
	// so encoding/json emits it under the key "Excluded", unlike the camelCase keys above.
	Excluded bool

	// Tags optionally annotate the diagnostic, e.g. "test".
	Tags *[]string `json:"tags,omitempty"`
}
SecurityDiagnostic describes a security issue
func (*SecurityDiagnostic) AddTag ¶
func (sd *SecurityDiagnostic) AddTag(tag string)
AddTag adds a tag to the diagnostic
func (*SecurityDiagnostic) CSVHeaders ¶
func (sd *SecurityDiagnostic) CSVHeaders(extraHeaders ...string) []string
func (*SecurityDiagnostic) CSVValues ¶
func (sd *SecurityDiagnostic) CSVValues(extraHeaders ...string) []string
func (*SecurityDiagnostic) GetValue ¶
func (sd *SecurityDiagnostic) GetValue() string
func (SecurityDiagnostic) GoString ¶
func (sd SecurityDiagnostic) GoString() string
GoString returns a string representation of the diagnostic
func (*SecurityDiagnostic) HasTag ¶
func (sd *SecurityDiagnostic) HasTag(tag string) bool
HasTag checks whether the diagnostic has the specified tag
type SecurityDiagnosticsConsumer ¶
// SecurityDiagnosticsConsumer is implemented by anything that wants to be told about
// new diagnostics; a provider's Broadcast delivers each diagnostic to every registered
// consumer through ReceiveDiagnostic.
type SecurityDiagnosticsConsumer interface {
	// ReceiveDiagnostic is the callback invoked with each new diagnostic.
	ReceiveDiagnostic(diagnostic *SecurityDiagnostic)
}
SecurityDiagnosticsConsumer is an interface with a callback to receive security diagnostics
type SecurityDiagnosticsProvider ¶
// SecurityDiagnosticsProvider is the interface implemented by security diagnostics
// providers: consumers register via AddConsumers and receive every diagnostic passed
// to Broadcast. DefaultSecurityDiagnosticsProvider is the stock implementation.
type SecurityDiagnosticsProvider interface {
	// AddConsumers adds consumers to be notified by this provider when there is a new diagnostic.
	AddConsumers(consumers ...SecurityDiagnosticsConsumer)
	// Broadcast sends the diagnostic to all registered consumers.
	Broadcast(diagnostic *SecurityDiagnostic)
}
SecurityDiagnosticsProvider is the interface implemented by security diagnostics providers