regosig

package
v0.7.0-rc1
Warning

This package is not in the latest version of its module.

Published: Mar 16, 2022 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation


Constants

This section is empty.

Variables

This section is empty.

Functions

func NewAIO

func NewAIO(modules map[string]string, opts ...Option) (detect.Signature, error)

NewAIO constructs a new detect.Signature with the specified Rego modules and Option items.

This implementation compiles all modules once and prepares a single (all-in-one) query for evaluation.

func NewRegoSignature

func NewRegoSignature(target string, partialEval bool, regoCodes ...string) (detect.Signature, error)

NewRegoSignature creates a new RegoSignature with the provided Rego code string.

Types

type Mapper

type Mapper struct {
	rego.ResultSet
}

func MapRS

func MapRS(rs rego.ResultSet) *Mapper

func (Mapper) ToDataAll

func (m Mapper) ToDataAll() (map[string]interface{}, error)

func (Mapper) ToSelectedEventsAll

func (m Mapper) ToSelectedEventsAll() (map[string][]detect.SignatureEventSelector, error)

func (Mapper) ToSignatureMetadataAll

func (m Mapper) ToSignatureMetadataAll() (map[string]detect.SignatureMetadata, error)

type Option

type Option func(*Options)

func OPAPartial

func OPAPartial(partial bool) Option

func OPATarget

func OPATarget(target string) Option

type Options

type Options struct {
	// OPATarget optionally specifies which OPA target engine to use for
	// evaluation. By default, the `rego` engine is used.
	OPATarget string

	// OPAPartial optionally specifies whether to use OPA partial evaluation
	// or not. By default, partial evaluation is disabled.
	//
	// NOTE: On average partial evaluation performs better by leveraging
	// OPA rules indexing. However, for some rules we noticed that enabling partial
	// evaluation significantly degraded performance.
	//
	// https://blog.openpolicyagent.org/partial-evaluation-162750eaf422
	OPAPartial bool
}

Options holds various Option items that can be passed to the NewAIO constructor.

type RegoSignature

type RegoSignature struct {
	// contains filtered or unexported fields
}

RegoSignature is an abstract signature that is implemented in Rego. Each struct instance is associated with a Rego file. The Rego file declares the following rules:

__rego_metadoc__: a *document* rule that defines the rule's metadata (see GetMetadata())
tracee_selected_events: a *set* rule that defines the event selectors (see GetSelectedEvents())
tracee_match: a *boolean* or a *document* rule that defines the logic of the signature (see OnEvent())

func (*RegoSignature) Close

func (sig *RegoSignature) Close()

func (*RegoSignature) GetMetadata

func (sig *RegoSignature) GetMetadata() (detect.SignatureMetadata, error)

GetMetadata implements the Signature interface by evaluating the Rego policy's __rego_metadoc__ rule. This is a *document* rule that defines the rule's metadata, based on the WIP Rego convention for describing policy metadata: https://hackmd.io/@ZtQnh19kS26YiNlJLqKJnw/H1gAv5nBw

func (*RegoSignature) GetSelectedEvents

func (sig *RegoSignature) GetSelectedEvents() ([]detect.SignatureEventSelector, error)

GetSelectedEvents implements the Signature interface by evaluating the Rego policy's tracee_selected_events rule. This is a *set* rule that defines the rule's SelectedEvents.

func (*RegoSignature) Init

Init implements the Signature interface by resetting internal state

func (*RegoSignature) OnEvent

func (sig *RegoSignature) OnEvent(event protocol.Event) error

OnEvent implements the Signature interface by evaluating the Rego policy's tracee_match rule. This is a *boolean* or a *document* rule that defines the logic of the signature. If a bool is "returned", a true evaluation will generate a Finding with no data. If a document is "returned", any non-empty evaluation will generate a Finding with the document as the Finding's "Data".
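
A minimal signature file that declares the three rules RegoSignature expects, using the document form of tracee_match so that a match carries data into the Finding. This is an added example, not code from the package. The package name, the metadata and selector keys, and the input field names (eventName, args, name, value) are assumptions about the metadata and event layout, which this page does not specify.

```rego
# Hypothetical package name; one Rego file corresponds to one RegoSignature.
package tracee.EXAMPLE_1

# Document rule evaluated by GetMetadata().
# Key names below are assumed, not taken from this page.
__rego_metadoc__ := {
	"id": "EXAMPLE-1",
	"version": "0.1.0",
	"name": "ptrace self-trace request",
	"description": "A process asked to be traced by its parent",
	"tags": ["linux"],
	"properties": {"Severity": 1},
}

# Set rule evaluated by GetSelectedEvents().
# Each member names one event this signature wants delivered to OnEvent().
tracee_selected_events[selector] {
	selector := {"source": "tracee", "name": "ptrace"}
}

# Document form of tracee_match, evaluated by OnEvent().
# When the body holds, res is non-empty and becomes the Finding's "Data".
# When any expression fails, the rule is undefined and no Finding is generated.
tracee_match = res {
	input.eventName == "ptrace"

	# Look through the event arguments for the ptrace request type.
	arg := input.args[_]
	arg.name == "request"
	arg.value == "PTRACE_TRACEME"

	res := {"request": arg.value}
}

# Boolean form, for comparison: the same body without "= res" and without
# the final assignment evaluates to true on a match and yields a Finding
# with no data. A signature file declares tracee_match in one form only.
```

The source string of a file like this is what NewRegoSignature takes as a regoCodes argument, or what goes into the modules map passed to NewAIO.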

func (*RegoSignature) OnSignal

func (sig *RegoSignature) OnSignal(signal detect.Signal) error

OnSignal implements the Signature interface by handling lifecycle events of the signature
