scanner

package
v0.0.0-...-5988697 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 30, 2025 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CompileCELExpression 

func CompileCELExpression(expression string, inputs []Input) error

CompileCELExpression compiles a CEL expression and returns detailed error information This is the public version of the compileCelExpression method

func DeriveResourcePath 

func DeriveResourcePath(gvr schema.GroupVersionResource, namespace string) string

DeriveResourcePath creates a resource path from GroupVersionResource and namespace

func SaveResults 

func SaveResults(filePath string, results []CheckResult) error

SaveResults saves scan results to a JSON file

Types

type BaseRule 

type BaseRule struct {
	ID           string        `json:"id"`
	RuleType     RuleType      `json:"type"`
	RuleInputs   []Input       `json:"inputs"`
	RuleMetadata *RuleMetadata `json:"metadata,omitempty"`
}

BaseRule provides common functionality for all rule types

func (*BaseRule) Identifier 

func (r *BaseRule) Identifier() string

Identifier returns the rule ID

func (*BaseRule) Inputs 

func (r *BaseRule) Inputs() []Input

Inputs returns the rule inputs

func (*BaseRule) Metadata 

func (r *BaseRule) Metadata() *RuleMetadata

Metadata returns the rule metadata

func (*BaseRule) Type 

func (r *BaseRule) Type() RuleType

Type returns the rule type

type CelRule 

type CelRule interface {
	Rule

	// Expression returns the CEL expression to evaluate
	Expression() string
}

CelRule defines what's needed for CEL expression evaluation

func NewCelRule 

func NewCelRule(id, expression string, inputs []Input) CelRule

NewCelRule creates a new CEL rule with optional metadata

func NewCelRuleWithMetadata 

func NewCelRuleWithMetadata(id, expression string, inputs []Input, metadata *RuleMetadata) CelRule

NewCelRuleWithMetadata creates a new CEL rule with metadata

type CelRuleImpl 

type CelRuleImpl struct {
	BaseRule
	CelExpr string `json:"expression"`
}

CelRuleImpl provides a complete implementation of CelRule

func (*CelRuleImpl) Content 

func (r *CelRuleImpl) Content() interface{}

Content returns the CEL expression as the rule content

func (*CelRuleImpl) Expression 

func (r *CelRuleImpl) Expression() string

Expression returns the CEL expression

type CelVariable 

type CelVariable interface {
	// Name returns the variable name
	Name() string

	// Namespace returns the namespace context
	Namespace() string

	// Value returns the variable value
	Value() string

	// GroupVersionKind returns the Kubernetes GVK for this variable
	GroupVersionKind() schema.GroupVersionKind
}

CelVariable defines a variable available in CEL expressions

type CheckResult 

type CheckResult struct {
	ID           string              `json:"id"`
	Status       CheckResultStatus   `json:"status"`
	Metadata     CheckResultMetadata `json:"metadata"`
	Warnings     []string            `json:"warnings"`
	ErrorMessage string              `json:"errorMessage"`
}

CheckResult represents the result of a compliance check (unified with ScanResult)

type CheckResultMetadata 

type CheckResultMetadata struct {
	Environment ScanEnvironment        `json:"environment,omitempty"`
	Extensions  map[string]interface{} `json:"extensions,omitempty"`
}

CheckResultMetadata contains metadata information for a check result

type CheckResultStatus 

type CheckResultStatus string

CheckResultStatus represents the status of a check result 

const (
	CheckResultPass          CheckResultStatus = "PASS"
	CheckResultFail          CheckResultStatus = "FAIL"
	CheckResultError         CheckResultStatus = "ERROR"
	CheckResultNotApplicable CheckResultStatus = "NOT-APPLICABLE"
)

type DefaultLogger 

type DefaultLogger struct{}

DefaultLogger provides a simple console logger

func (DefaultLogger) Debug 

func (l DefaultLogger) Debug(msg string, args ...interface{})

func (DefaultLogger) Error 

func (l DefaultLogger) Error(msg string, args ...interface{})

func (DefaultLogger) Info 

func (l DefaultLogger) Info(msg string, args ...interface{})

func (DefaultLogger) Warn 

func (l DefaultLogger) Warn(msg string, args ...interface{})

type FileInput 

type FileInput struct {
	FilePath    string `json:"path"`
	FileFormat  string `json:"format,omitempty"`
	IsRecursive bool   `json:"recursive,omitempty"`
	CheckPerms  bool   `json:"checkPermissions,omitempty"`
}

FileInput provides a concrete implementation of FileInputSpec

func (*FileInput) CheckPermissions 

func (s *FileInput) CheckPermissions() bool

func (*FileInput) Format 

func (s *FileInput) Format() string

func (*FileInput) Path 

func (s *FileInput) Path() string

func (*FileInput) Recursive 

func (s *FileInput) Recursive() bool

func (*FileInput) Validate 

func (s *FileInput) Validate() error

type FileInputSpec 

type FileInputSpec interface {
	InputSpec

	// Path returns the file or directory path
	Path() string

	// Format returns the expected file format (json, yaml, text, etc.)
	Format() string

	// Recursive indicates if directory traversal should be recursive
	Recursive() bool

	// CheckPermissions indicates if file permissions should be included
	CheckPermissions() bool
}

FileInputSpec specifies a file system input

type HTTPInput 

type HTTPInput struct {
	Endpoint    string            `json:"url"`
	HTTPMethod  string            `json:"method,omitempty"`
	HTTPHeaders map[string]string `json:"headers,omitempty"`
	HTTPBody    []byte            `json:"body,omitempty"`
}

HTTPInput provides a concrete implementation of HTTPInputSpec

func (*HTTPInput) Body 

func (s *HTTPInput) Body() []byte

func (*HTTPInput) Headers 

func (s *HTTPInput) Headers() map[string]string

func (*HTTPInput) Method 

func (s *HTTPInput) Method() string

func (*HTTPInput) URL 

func (s *HTTPInput) URL() string

func (*HTTPInput) Validate 

func (s *HTTPInput) Validate() error

type HTTPInputSpec 

type HTTPInputSpec interface {
	InputSpec

	// URL returns the HTTP endpoint URL
	URL() string

	// Method returns the HTTP method (GET, POST, etc.)
	Method() string

	// Headers returns HTTP headers
	Headers() map[string]string

	// Body returns the request body
	Body() []byte
}

HTTPInputSpec specifies an HTTP API input

type Input 

type Input interface {
	// Name returns the name to bind this input to in the CEL context
	Name() string

	// Type returns the type of input (kubernetes, file, system, etc.)
	Type() InputType

	// Spec returns the input specification
	Spec() InputSpec
}

Input defines a generic input that a CEL rule needs

func NewFileInput 

func NewFileInput(name, path, format string, recursive bool, checkPermissions bool) Input

NewFileInput creates a file system input

func NewHTTPInput 

func NewHTTPInput(name, url, method string, headers map[string]string, body []byte) Input

NewHTTPInput creates an HTTP API input

func NewKubernetesInput 

func NewKubernetesInput(name, group, version, resourceType, namespace, resourceName string) Input

NewKubernetesInput creates a Kubernetes resource input

func NewSystemInput 

func NewSystemInput(name, service, command string, args []string) Input

NewSystemInput creates a system service/process input

type InputFetcher 

type InputFetcher interface {
	// FetchInputs retrieves data for the specified inputs
	FetchInputs(inputs []Input, variables []CelVariable) (map[string]interface{}, error)

	// SupportsInputType returns whether this fetcher supports the given input type
	SupportsInputType(inputType InputType) bool
}

InputFetcher retrieves data for different input types

type InputImpl 

type InputImpl struct {
	InputName string    `json:"name"`
	InputType InputType `json:"type"`
	InputSpec InputSpec `json:"spec"`
}

InputImpl provides a concrete implementation of the Input interface

func (*InputImpl) Name 

func (i *InputImpl) Name() string

func (*InputImpl) Spec 

func (i *InputImpl) Spec() InputSpec

func (*InputImpl) Type 

func (i *InputImpl) Type() InputType

type InputSpec 

type InputSpec interface {
	// Validate checks if the input specification is valid
	Validate() error
}

InputSpec is a generic interface for input specifications

type InputType 

type InputType string

InputType represents the different types of inputs supported 

const (
	// InputTypeKubernetes represents Kubernetes resources
	InputTypeKubernetes InputType = "kubernetes"

	// InputTypeFile represents file system inputs
	InputTypeFile InputType = "file"

	// InputTypeSystem represents system service/process inputs
	InputTypeSystem InputType = "system"

	// InputTypeHTTP represents HTTP API inputs
	InputTypeHTTP InputType = "http"

	// InputTypeDatabase represents database inputs
	InputTypeDatabase InputType = "database"
)

type IssueLocation 

type IssueLocation struct {
	// Line number in the expression (1-based)
	Line int `json:"line,omitempty"`

	// Column number in the expression (1-based)
	Column int `json:"column,omitempty"`

	// Offset is the character offset in the expression
	Offset int `json:"offset,omitempty"`
}

IssueLocation represents the location of an issue in the expression

type KubernetesInput 

type KubernetesInput struct {
	Group   string `json:"group"`
	Ver     string `json:"version"`
	ResType string `json:"resourceType"`
	Ns      string `json:"namespace,omitempty"`
	ResName string `json:"name,omitempty"`
}

KubernetesInput provides a concrete implementation of KubernetesInputSpec

func (*KubernetesInput) ApiGroup 

func (s *KubernetesInput) ApiGroup() string

func (*KubernetesInput) Name 

func (s *KubernetesInput) Name() string

func (*KubernetesInput) Namespace 

func (s *KubernetesInput) Namespace() string

func (*KubernetesInput) ResourceType 

func (s *KubernetesInput) ResourceType() string

func (*KubernetesInput) Validate 

func (s *KubernetesInput) Validate() error

func (*KubernetesInput) Version 

func (s *KubernetesInput) Version() string

type KubernetesInputSpec 

type KubernetesInputSpec interface {
	InputSpec

	// ApiGroup returns the API group (e.g., "apps", "")
	ApiGroup() string

	// Version returns the API version (e.g., "v1", "v1beta1")
	Version() string

	// ResourceType returns the resource type (e.g., "pods", "configmaps")
	ResourceType() string

	// Namespace returns the namespace to search in (empty for cluster-scoped)
	Namespace() string

	// Name returns the specific resource name (empty for all resources)
	Name() string
}

KubernetesInputSpec specifies a Kubernetes resource input

type Logger 

type Logger interface {
	Debug(msg string, args ...interface{})
	Info(msg string, args ...interface{})
	Warn(msg string, args ...interface{})
	Error(msg string, args ...interface{})
}

Logger defines the interface for logging

type ResourceFetcher 

type ResourceFetcher interface {
	FetchResources(ctx context.Context, rule Rule, variables []CelVariable) (map[string]interface{}, []string, error)
}

ResourceFetcher defines the interface for fetching resources using the new API

type Rule 

type Rule interface {
	// Identifier returns a unique identifier for this rule
	Identifier() string

	// Type returns the rule type (CEL, Rego, etc.)
	Type() RuleType

	// Inputs returns the list of inputs needed for evaluation
	Inputs() []Input

	// Metadata returns optional rule metadata for compliance reporting
	Metadata() *RuleMetadata

	// Content returns the rule-specific content (expression, policy, etc.)
	Content() interface{}
}

Rule defines a generic interface for all rule types

type RuleBuilder 

type RuleBuilder struct {
	// contains filtered or unexported fields
}

RuleBuilder provides a fluent API for building rules

func NewRuleBuilder 

func NewRuleBuilder(id string, ruleType RuleType) *RuleBuilder

NewRuleBuilder creates a new rule builder with the specified type

func (*RuleBuilder) Build 

func (b *RuleBuilder) Build() (Rule, error)

Build returns the completed rule with validation

func (*RuleBuilder) BuildCelRule 

func (b *RuleBuilder) BuildCelRule() (CelRule, error)

BuildCelRule builds and returns a CelRule (convenience method for CEL rules)

func (*RuleBuilder) GetAvailableInputNames 

func (b *RuleBuilder) GetAvailableInputNames() []string

GetAvailableInputNames returns the names of all defined inputs (useful for expression building)

func (*RuleBuilder) SetCelExpression 

func (b *RuleBuilder) SetCelExpression(expression string) *RuleBuilder

SetCelExpression sets the CEL expression for CEL rules

func (*RuleBuilder) WithDescription 

func (b *RuleBuilder) WithDescription(description string) *RuleBuilder

WithDescription sets the rule description in metadata

func (*RuleBuilder) WithExtension 

func (b *RuleBuilder) WithExtension(key string, value interface{}) *RuleBuilder

WithExtension adds an extension to the rule metadata

func (*RuleBuilder) WithFileInput 

func (b *RuleBuilder) WithFileInput(name, path, format string, recursive, checkPermissions bool) *RuleBuilder

WithFileInput adds a file input to the rule

func (*RuleBuilder) WithHTTPInput 

func (b *RuleBuilder) WithHTTPInput(name, url, method string, headers map[string]string, body []byte) *RuleBuilder

WithHTTPInput adds an HTTP input to the rule

func (*RuleBuilder) WithInput 

func (b *RuleBuilder) WithInput(input Input) *RuleBuilder

WithInput adds an input to the rule

func (*RuleBuilder) WithKubernetesInput 

func (b *RuleBuilder) WithKubernetesInput(name, group, version, resourceType, namespace, resourceName string) *RuleBuilder

WithKubernetesInput adds a Kubernetes input to the rule

func (*RuleBuilder) WithMetadata 

func (b *RuleBuilder) WithMetadata(metadata *RuleMetadata) *RuleBuilder

WithMetadata sets the rule metadata

func (*RuleBuilder) WithName 

func (b *RuleBuilder) WithName(name string) *RuleBuilder

WithName sets the rule name in metadata

func (*RuleBuilder) WithSystemInput 

func (b *RuleBuilder) WithSystemInput(name, service, command string, args []string) *RuleBuilder

WithSystemInput adds a system input to the rule

type RuleMetadata 

type RuleMetadata struct {
	Name        string                 `json:"name,omitempty"`
	Description string                 `json:"description,omitempty"`
	Extensions  map[string]interface{} `json:"extensions,omitempty"`
}

RuleMetadata contains metadata information for a rule

type RuleType 

type RuleType string

RuleType represents the type of rule/scanner 

const (
	// RuleTypeCEL represents CEL (Common Expression Language) rules
	RuleTypeCEL RuleType = "cel"

	// RuleTypeRego represents Rego (OPA Policy Language) rules - future implementation
	RuleTypeRego RuleType = "rego"

	// RuleTypeJSONPath represents JSONPath expression rules - future implementation
	RuleTypeJSONPath RuleType = "jsonpath"

	// RuleTypeCustom represents custom rule implementations - future implementation
	RuleTypeCustom RuleType = "custom"
)

type RuleValidator 

type RuleValidator struct {
	// contains filtered or unexported fields
}

RuleValidator provides methods for validating rules

func NewRuleValidator 

func NewRuleValidator(logger Logger) *RuleValidator

NewRuleValidator creates a new rule validator

func (*RuleValidator) ValidateCELExpression 

func (v *RuleValidator) ValidateCELExpression(expression string) []ValidationIssue

ValidateCELExpression validates just the syntax of a CEL expression without requiring input declarations

func (*RuleValidator) ValidateCELExpressionWithInputs 

func (v *RuleValidator) ValidateCELExpressionWithInputs(expression string, declarations []*expr.Decl) []ValidationIssue

ValidateCELExpressionWithInputs validates a CEL expression with optional declarations

func (*RuleValidator) ValidateRule 

func (v *RuleValidator) ValidateRule(rule Rule) ValidationResult

ValidateRule performs full validation of a rule

type ScanConfig 

type ScanConfig struct {
	Rules                   []Rule        `json:"rules"`
	Variables               []CelVariable `json:"variables"`
	ApiResourcePath         string        `json:"apiResourcePath"`
	EnableDebugLogging      bool          `json:"enableDebugLogging"`
	ValidateBeforeExecution bool          `json:"validateBeforeExecution"` // Validate rules before running them
}

ScanConfig holds configuration for scanning

type ScanEnvironment 

type ScanEnvironment struct {
}

ScanEnvironment contains information about the environment where the scan is running

type ScanLogger 

type ScanLogger interface {
	// Debug logs debug information
	Debug(msg string, args ...interface{})

	// Info logs informational messages
	Info(msg string, args ...interface{})

	// Error logs error messages
	Error(msg string, args ...interface{})
}

ScanLogger handles logging during CEL evaluation

type ScanResult 

type ScanResult struct {
	// RuleID is the identifier of the rule that was evaluated
	RuleID string

	// Status indicates the result of the evaluation
	Status ScanStatus

	// Message provides additional context about the result
	Message string

	// Details contains any additional result data
	Details map[string]interface{}
}

ScanResult represents the result of evaluating a CEL rule

type ScanStatus 

type ScanStatus string

ScanStatus represents the possible outcomes of a CEL rule evaluation 

const (
	// StatusPass indicates the rule evaluation passed
	StatusPass ScanStatus = "PASS"

	// StatusFail indicates the rule evaluation failed
	StatusFail ScanStatus = "FAIL"

	// StatusError indicates an error occurred during evaluation
	StatusError ScanStatus = "ERROR"

	// StatusSkip indicates the rule was skipped
	StatusSkip ScanStatus = "SKIP"
)

type Scanner 

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner provides CEL-based compliance scanning functionality

func NewScanner 

func NewScanner(resourceFetcher ResourceFetcher, logger Logger) *Scanner

NewScanner creates a new CEL scanner instance

func (*Scanner) PreflightCheck 

func (s *Scanner) PreflightCheck(config ScanConfig) (bool, map[string]ValidationResult)

PreflightCheck performs validation on all rules before scanning Returns true if all rules are valid, false otherwise

func (*Scanner) Scan 

func (s *Scanner) Scan(ctx context.Context, config ScanConfig) ([]CheckResult, error)

Scan executes compliance checks for the given rules and returns results

func (*Scanner) ValidateAllRules 

func (s *Scanner) ValidateAllRules(config ScanConfig) map[string]ValidationResult

ValidateAllRules validates all rules in a ScanConfig without executing them Returns a map of rule ID to ValidationResult for detailed analysis

func (*Scanner) ValidateCELExpression 

func (s *Scanner) ValidateCELExpression(expression string, inputs []Input) error

ValidateCELExpression validates a CEL expression with given inputs This is a convenience method for validating just the expression

func (*Scanner) ValidateRule 

func (s *Scanner) ValidateRule(rule Rule) ValidationResult

ValidateRule validates a rule without executing it This method allows SDK users to validate CEL expressions before deployment

type SystemInput 

type SystemInput struct {
	Service string   `json:"service,omitempty"`
	Cmd     string   `json:"command,omitempty"`
	CmdArgs []string `json:"args,omitempty"`
}

SystemInput provides a concrete implementation of SystemInputSpec

func (*SystemInput) Args 

func (s *SystemInput) Args() []string

func (*SystemInput) Command 

func (s *SystemInput) Command() string

func (*SystemInput) ServiceName 

func (s *SystemInput) ServiceName() string

func (*SystemInput) Validate 

func (s *SystemInput) Validate() error

type SystemInputSpec 

type SystemInputSpec interface {
	InputSpec

	// ServiceName returns the system service name
	ServiceName() string

	// Command returns the command to execute (alternative to service)
	Command() string

	// Args returns command arguments
	Args() []string
}

SystemInputSpec specifies a system service/process input

type ValidationErrorType 

type ValidationErrorType string

ValidationErrorType represents the type of validation error 

const (
	// ValidationErrorTypeSyntax represents a syntax error in the expression
	ValidationErrorTypeSyntax ValidationErrorType = "SYNTAX_ERROR"

	// ValidationErrorTypeUndeclaredReference represents an undeclared variable reference
	ValidationErrorTypeUndeclaredReference ValidationErrorType = "UNDECLARED_REFERENCE"

	// ValidationErrorTypeType represents a type mismatch error
	ValidationErrorTypeType ValidationErrorType = "TYPE_ERROR"

	// ValidationErrorTypeOverload represents a function overload error
	ValidationErrorTypeOverload ValidationErrorType = "OVERLOAD_ERROR"

	// ValidationErrorTypeGeneral represents a general compilation error
	ValidationErrorTypeGeneral ValidationErrorType = "GENERAL_ERROR"
)

type ValidationIssue 

type ValidationIssue struct {
	// Type is the type of validation error
	Type ValidationErrorType `json:"type"`

	// Message is the human-readable error message
	Message string `json:"message"`

	// Details provides additional context about the error
	Details string `json:"details,omitempty"`

	// Location provides position information if available
	Location *IssueLocation `json:"location,omitempty"`
}

ValidationIssue represents a single validation issue

type ValidationResult 

type ValidationResult struct {
	// Valid indicates whether the rule is valid
	Valid bool `json:"valid"`

	// Issues contains any validation issues found
	Issues []ValidationIssue `json:"issues,omitempty"`

	// Warnings contains non-fatal warnings
	Warnings []string `json:"warnings,omitempty"`
}

ValidationResult represents the result of validating a rule

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.