analysis

Documentation

Index

• Constants
• func ExportAnalysisConfig(format string, c *AnalysisConfig) (string, error)
• func ExportDefaultConfig(format string) (string, error)
• type AnalysisConfig
  • func DefaultAnalysisConfig() *AnalysisConfig
  • func LoadAnalysisConfig(fname string) (*AnalysisConfig, error)
• type AnalysisConfigInfo
• type AnalysisFinding
• type AnalysisReport
• type AnalysisReportFinding
• type AnalysisStats
• type Analyzer
  • func CreateAnalyzer(config *AnalysisConfig, policies []rbac.SubjectPolicyList) Analyzer
• type Exclusion
• type ExclusionInfo
• type Rule
• type Rules

Constants

const (
	SEVERITY_CRIT = "CRITICAL"
	SEVERITY_HIGH = "HIGH"
	SEVERITY_MED  = "MEDIUM"
	SEVERITY_INFO = "INFO"
)

Functions

func ExportAnalysisConfig

func ExportAnalysisConfig(format string, c *AnalysisConfig) (string, error)

func ExportDefaultConfig

func ExportDefaultConfig(format string) (string, error)

Types

type AnalysisConfig

type AnalysisConfig struct {
	AnalysisConfigInfo

	Rules []Rule

	GlobalExclusions []Exclusion
}

func DefaultAnalysisConfig

func DefaultAnalysisConfig() *AnalysisConfig

func LoadAnalysisConfig

func LoadAnalysisConfig(fname string) (*AnalysisConfig, error)

type AnalysisConfigInfo

type AnalysisConfigInfo struct {
	//Config Name
	Name string
	//Rule Description
	Description string
	//Rule UUID
	Uuid string
}

type AnalysisFinding

type AnalysisFinding struct {
	// Finding Severity
	Severity string

	//Rule Name
	Message string

	//Rule Description
	Recommendation string

	//The Rule Name that triggered this finding
	RuleName string
	//The Rule UUID that triggered this finding
	RuleUuid string

	//Documetation & additional reading references
	References []string
}

type AnalysisReport

type AnalysisReport struct {
	//The Analysis Config Info
	AnalysisConfigInfo AnalysisConfigInfo

	Stats AnalysisStats

	//Report Create Time
	CreatedOn string

	Findings []AnalysisReportFinding

	ExclusionsInfo []ExclusionInfo
}

type AnalysisReportFinding

type AnalysisReportFinding struct {
	Subject *v1.Subject

	Finding AnalysisFinding
}

type AnalysisStats

type AnalysisStats struct {
	//Analysis Rules
	RuleCount int

	ExclusionCount int
}

type Analyzer

type Analyzer interface {
	Analyze() (*AnalysisReport, error)
}

func CreateAnalyzer

func CreateAnalyzer(config *AnalysisConfig, policies []rbac.SubjectPolicyList) Analyzer

type Exclusion

type Exclusion struct {
	//Is this exclusion turned off
	Disabled bool

	//Exclusion note
	Comment string

	//Who added this exclusion
	AddedBy string

	//When this exclusion had changed -
	LastModified string

	//exception active after X, where X is a timestamp of seconds since epoch
	ValidBefore uint64

	//A Google CEL expression exceptions
	// Input: v1.Subject
	// Output: Boolean
	Expression string
}

type ExclusionInfo

type ExclusionInfo struct {
	Subject *v1.Subject

	//Exclusion Message
	Message string
}

type Rule

type Rule struct {
	//Rule Name
	Name string
	//Rule Description
	Description string
	//Rule Recommendation - rendered as a Google CEL expression to customize the message
	Recommendation string
	//Rule UUID
	Uuid string
	//Rule UUID
	Severity string

	//Documetation & additional reading references
	References []string

	//A Google CEL expression analysis rule.
	// Input: []SubjectPolicyList
	// Output: Boolean
	AnalysisExpr string

	//Any Resources that we should not report about.
	// For example do not report on findings from kube-system namespace
	Exclusions []Exclusion

	ExclusionCount uint32
}

Analysis Rule

type Rules

type Rules []Rule