Documentation
¶
Index ¶
- Variables
- func Capabilities() *ast.Capabilities
- func ScopeMatches(query map[string]string, input map[string]interface{}) bool
- type BasePolicy
- func (p *BasePolicy) ID(ctx context.Context, state *rego.State) (string, error)
- func (p *BasePolicy) InputType() string
- func (p *BasePolicy) InputTypeMatches(inputType string) bool
- func (p *BasePolicy) Metadata(ctx context.Context, state *rego.State) (Metadata, error)
- func (p *BasePolicy) Package() string
- type Builtins
- type EvalOptions
- type LegacyIaCPolicy
- type Metadata
- type MetadataReference
- type ModuleSet
- type MultiResourcePolicy
- type MultiResourceProcessor
- type Policy
- type ProcessMultiResultSet
- type RelationsCache
- type ResourceKey
- type ResourcesQuery
- type ResourcesQueryCache
- type ResourcesResolver
- type ResourcesResult
- type SingleResourcePolicy
- type SingleResourceProcessor
- func NewFugueAllowBooleanProcessor(resource *models.ResourceState, metadata *Metadata, defaultRemediation string) SingleResourceProcessor
- func NewFugueAllowInfoProcessor(resource *models.ResourceState, metadata *Metadata, defaultRemediation string) SingleResourceProcessor
- func NewFugueDenyBooleanProcessor(resource *models.ResourceState, metadata *Metadata, defaultRemediation string) SingleResourceProcessor
- func NewSingleDenyProcessor(resource *models.ResourceState, metadata *Metadata, defaultRemediation string) SingleResourceProcessor
Constants ¶
This section is empty.
Variables ¶
var FailedToEvaluateResource = errors.New("Failed to evaluate rule for resource")
FailedToEvaluateResource indicates that an error occurred while evaluating the judgement rule query for the policy for a particular resource.
var FailedToEvaluateRule = errors.New("Failed to evaluate rule")
FailedToEvaluateRule indicates that an error occurred while evaluating the judgement rule for the policy.
var FailedToPrepareForEval = errors.New("Failed to prepare for evaluation")
FailedToPrepareForEval indicates that an error occurred while preparing the judgement rule query for the policy.
var FailedToProcessResults = errors.New("Failed to process results")
FailedToProcessResults indicates that an error occurred while processing the results of the judgement rule query.
var FailedToQueryMetadata = errors.New("Failed to query metadata")
FailedToQueryMetadata indicates that an error occurred while querying the policy's metadata rule.
var FailedToQueryResources = errors.New("Failed to query resources")
FailedToQueryResources indicates that an error occurred while querying the policy's resources rule.
var RegoAPIProvider = data.FSProvider(regoApi, "regoapi")
RegoAPIProvider is a provider for the embedded 'snyk' and 'fugue' Rego APIs.
var SupportedInputTypes = input.Types{ input.Any, input.Arm, input.CloudFormation, input.CloudScan, input.Kubernetes, input.TerraformHCL, input.TerraformPlan, input.Terraform, }
SupportedInputTypes contains all of the input types that this package officially supports.
Functions ¶
func Capabilities ¶
func Capabilities() *ast.Capabilities
Capabilities returns a Capabilities that includes the the policy engine builtins.
Types ¶
type BasePolicy ¶
type BasePolicy struct {
// contains filtered or unexported fields
}
BasePolicy implements functionality that is shared between different concrete Policy implementations.
func NewBasePolicy ¶
func NewBasePolicy(moduleSet ModuleSet) (*BasePolicy, error)
NewBasePolicy constructs a new BasePolicy. It will return an error if the Module does not contain a recognized Judgement.
func (*BasePolicy) InputType ¶
func (p *BasePolicy) InputType() string
func (*BasePolicy) InputTypeMatches ¶
func (p *BasePolicy) InputTypeMatches(inputType string) bool
func (*BasePolicy) Package ¶
func (p *BasePolicy) Package() string
Package returns the policy's package
type Builtins ¶
type Builtins struct {
// contains filtered or unexported fields
}
func NewBuiltins ¶
func NewBuiltins( input *models.State, resourcesQuery *ResourcesQueryCache, relations *RelationsCache, ) *Builtins
func (*Builtins) Implementations ¶ added in v0.21.0
func (*Builtins) ResourceTypes ¶
type EvalOptions ¶
type EvalOptions struct {
RegoState *rego.State
Input *models.State
RelationsCache *RelationsCache
ResourcesQueryCache *ResourcesQueryCache
Logger logging.Logger
Timeout time.Duration
}
type LegacyIaCPolicy ¶
type LegacyIaCPolicy struct {
*BasePolicy
}
func (*LegacyIaCPolicy) Eval ¶
func (p *LegacyIaCPolicy) Eval( ctx context.Context, options EvalOptions, ) ([]models.RuleResults, error)
func (*LegacyIaCPolicy) InputType ¶
func (p *LegacyIaCPolicy) InputType() string
func (*LegacyIaCPolicy) InputTypeMatches ¶
func (p *LegacyIaCPolicy) InputTypeMatches(inputType string) bool
type Metadata ¶
type Metadata struct {
ID string `json:"id"`
Title string `json:"title"`
Description string `json:"description"`
Platform []string `json:"platform"`
Remediation map[string]string `json:"remediation"`
References map[string][]MetadataReference `json:"references"`
Category string `json:"category"`
Labels []string `json:"labels,omitempty"`
ServiceGroup string `json:"service_group"`
Controls []string `json:"controls"`
Severity string `json:"severity"`
Product []string `json:"product"`
Kind string `json:"kind"`
}
func (Metadata) ReferencesFor ¶
func (m Metadata) ReferencesFor(inputType string) []MetadataReference
func (Metadata) RemediationFor ¶
type MetadataReference ¶
type ModuleSet ¶
ModuleSet is a set of Modules that all share the same package name
func ExtractModuleSets ¶
func ExtractModuleSets(tree *ast.ModuleTreeNode) []ModuleSet
type MultiResourcePolicy ¶
type MultiResourcePolicy struct {
*BasePolicy
// contains filtered or unexported fields
}
MultiResourcePolicy represents a policy that takes multiple resources as input.
func (*MultiResourcePolicy) Eval ¶
func (p *MultiResourcePolicy) Eval( ctx context.Context, options EvalOptions, ) ([]models.RuleResults, error)
Eval will evaluate the policy on the given input.
type MultiResourceProcessor ¶ added in v0.21.0
type MultiResourceProcessor interface {
ProcessValue(ast.Value) error
ProcessResource(ast.Value) error
Results() []models.RuleResult
}
SingleResourceProcessor can turn rego results into the results model we want.
func NewFuguePolicyProcessor ¶ added in v0.21.0
func NewFuguePolicyProcessor(metadata Metadata, defaultRemediation string) MultiResourceProcessor
func NewMultiDenyProcessor ¶ added in v0.21.0
func NewMultiDenyProcessor(metadata Metadata, defaultRemediation string) MultiResourceProcessor
type Policy ¶
type Policy interface {
Package() string
Metadata(ctx context.Context, state *rego.State) (Metadata, error)
ID(ctx context.Context, state *rego.State) (string, error)
Eval(ctx context.Context, options EvalOptions) ([]models.RuleResults, error)
InputType() string
InputTypeMatches(inputType string) bool
}
Policy is an interface that supports all of the ways we want to interact with policies.
func PolicyFactory ¶
type ProcessMultiResultSet ¶
type ProcessMultiResultSet func( metadata Metadata, defaultRemediation string, resources map[string]*ruleResultBuilder, ) ([]models.RuleResult, error)
ProcessSingleResultSet functions extract RuleResult models from the ResultSet of multi-resource type rules.
type RelationsCache ¶ added in v0.24.2
type ResourceKey ¶
Helper for unique resource identifiers, meant to be used as key in a `map`.
func RuleResultResourceKey ¶
func RuleResultResourceKey(r models.RuleResultResource) ResourceKey
func (ResourceKey) Correlation ¶
func (k ResourceKey) Correlation() string
func (ResourceKey) Less ¶ added in v0.10.0
func (l ResourceKey) Less(r ResourceKey) bool
type ResourcesQuery ¶
type ResourcesQuery struct {
ResourceType string `json:"resource_type" rego:"resource_type"`
Scope map[string]string `json:"scope" rego:"scope"`
}
ResourcesQuery describes a request for a specific resource type from the given scope. An empty scope is interpreted as the scope of the current input.
type ResourcesQueryCache ¶ added in v0.29.0
type ResourcesQueryCache struct {
ResourcesResolver ResourcesResolver
// contains filtered or unexported fields
}
func NewResourcesQueryCache ¶ added in v0.29.0
func NewResourcesQueryCache(resolver ResourcesResolver) *ResourcesQueryCache
func (*ResourcesQueryCache) ResolveResources ¶ added in v0.29.0
func (q *ResourcesQueryCache) ResolveResources(ctx context.Context, query ResourcesQuery) ([]models.ResourceState, error)
type ResourcesResolver ¶
type ResourcesResolver func(ctx context.Context, req ResourcesQuery) (ResourcesResult, error)
func NewInputResolver ¶ added in v0.29.0
func NewInputResolver(input *models.State) ResourcesResolver
func (ResourcesResolver) And ¶
func (l ResourcesResolver) And(r ResourcesResolver) ResourcesResolver
func (ResourcesResolver) Or ¶
func (l ResourcesResolver) Or(r ResourcesResolver) ResourcesResolver
type ResourcesResult ¶
type ResourcesResult struct {
ScopeFound bool
Resources []models.ResourceState
}
ResourcesResult contains an indication of whether the Scope specified in the ResourcesQuery was found and a slice of resources.
type SingleResourcePolicy ¶
type SingleResourcePolicy struct {
*BasePolicy
Query string
// contains filtered or unexported fields
}
SingleResourcePolicy represents a policy that takes a single resource as input.
func (*SingleResourcePolicy) Eval ¶
func (p *SingleResourcePolicy) Eval( ctx context.Context, options EvalOptions, ) ([]models.RuleResults, error)
Eval will evaluate the policy on the given input.
type SingleResourceProcessor ¶ added in v0.21.0
type SingleResourceProcessor interface {
Process(ast.Value) error
Results() []models.RuleResult
}
SingleResourceProcessor can turn rego results into the results model we want.
func NewFugueAllowBooleanProcessor ¶ added in v0.21.0
func NewFugueAllowBooleanProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
func NewFugueAllowInfoProcessor ¶ added in v0.21.0
func NewFugueAllowInfoProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
func NewFugueDenyBooleanProcessor ¶ added in v0.21.0
func NewFugueDenyBooleanProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
func NewSingleDenyProcessor ¶ added in v0.21.0
func NewSingleDenyProcessor( resource *models.ResourceState, metadata *Metadata, defaultRemediation string, ) SingleResourceProcessor
Source Files
Directories