Documentation
Overview ¶
Package devops provides the consolidated DevOps and CI/CD security analyzer. Renamed from infra; it now includes all infrastructure, CI/CD, and GitHub Actions security analysis.
Package devops provides the consolidated DevOps and CI/CD security analyzer. Features: iac, containers, github-actions, dora, git. Renamed from infra; it absorbed the standalone github-actions-security analyzer.
Index ¶
- Constants
- type AgeBucket
- type BranchInfo
- type ChurnFile
- type CodeAgeStats
- type CommitPatterns
- type ContainerFinding
- type ContainersConfig
- type ContainersSummary
- type Contributor
- type DORAConfig
- type DORAMetrics
- type DORASummary
- type Deployment
- type DevOpsAnalyzer
- func (s *DevOpsAnalyzer) Dependencies() []string
- func (s *DevOpsAnalyzer) Description() string
- func (s *DevOpsAnalyzer) EstimateDuration(fileCount int) time.Duration
- func (s *DevOpsAnalyzer) Name() string
- func (s *DevOpsAnalyzer) Requirements() analyzer.AnalyzerRequirements
- func (s *DevOpsAnalyzer) Run(ctx context.Context, opts *analyzer.ScanOptions) (*analyzer.ScanResult, error)
- type FeatureConfig
- type Findings
- type GitConfig
- type GitFindings
- type GitHubActionsConfig
- type GitHubActionsFinding
- type GitHubActionsSummary
- type GitSummary
- type IaCConfig
- type IaCFinding
- type IaCSecretsSummary
- type IaCSummary
- type PRCycleTime
- type PRMetrics
- type PRSizeDistribution
- type Result
- type ReworkAnalysis
- type ReworkMetrics
- type ReworkedFile
- type Summary
Constants ¶
// Name is the identifier of this analyzer; Version is its version string.
const (
	Name    = "devops"
	Version = "3.0.0"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type BranchInfo ¶
// BranchInfo contains branch information for the analyzed repository.
type BranchInfo struct {
	Current     string `json:"current"`      // name of the current branch
	Default     string `json:"default"`      // name of the default branch
	TotalCount  int    `json:"total_count"`  // branches counted; whether remotes are included is not fixed by this type — confirm in the producer
	RemoteCount int    `json:"remote_count"` // remote branches counted
}
BranchInfo contains branch information
type ChurnFile ¶
// ChurnFile represents a frequently modified file.
type ChurnFile struct {
	File         string `json:"file"`         // file path (presumably repository-relative — confirm against the producer)
	Changes90d   int    `json:"changes_90d"`  // changes to the file in the last 90 days
	Contributors int    `json:"contributors"` // distinct contributors to the file
}
ChurnFile represents a frequently modified file
type CodeAgeStats ¶
// CodeAgeStats represents the code age distribution of a sample of files.
// Files are bucketed by age in days (presumably since last change — confirm
// in the producer); AgeBucket is defined elsewhere in this package.
type CodeAgeStats struct {
	SampledFiles int       `json:"sampled_files"` // number of files in the sample
	Age0to30     AgeBucket `json:"0_30_days"`     // 0–30 days
	Age31to90    AgeBucket `json:"31_90_days"`    // 31–90 days
	Age91to365   AgeBucket `json:"91_365_days"`   // 91–365 days
	Age365Plus   AgeBucket `json:"365_plus_days"` // more than 365 days
}
CodeAgeStats represents code age distribution
type CommitPatterns ¶
// CommitPatterns contains commit pattern analysis for the repository.
type CommitPatterns struct {
	MostActiveDay      string `json:"most_active_day"`       // day with the most commits
	MostActiveHour     int    `json:"most_active_hour"`      // hour of day with the most commits
	AvgCommitSizeLines int    `json:"avg_commit_size_lines"` // average lines changed per commit
	FirstCommit        string `json:"first_commit"`          // first commit date; the string format is not fixed by this type
	LastCommit         string `json:"last_commit"`           // last commit date; same format as FirstCommit
	AvgCommitsPerWeek  int    `json:"avg_commits_per_week"`  // average commits per week
}
CommitPatterns contains commit pattern analysis
type ContainerFinding ¶
// ContainerFinding represents a container vulnerability or lint finding.
// Type distinguishes the two kinds; Line and the vulnerability-specific
// fields are only meaningful for the corresponding kind and are omitted
// from JSON when empty.
type ContainerFinding struct {
	VulnID       string   `json:"vuln_id"`                 // vulnerability identifier for this finding
	Title        string   `json:"title"`                   // short title
	Description  string   `json:"description"`             // longer description
	Severity     string   `json:"severity"`                // severity label; the value set is not fixed by this type
	Image        string   `json:"image"`                   // container image the finding applies to
	Dockerfile   string   `json:"dockerfile"`              // Dockerfile the image was taken from
	Package      string   `json:"package"`                 // affected package
	Version      string   `json:"version"`                 // installed package version
	FixedVersion string   `json:"fixed_version,omitempty"` // version that fixes the issue, when known
	CVSS         float64  `json:"cvss,omitempty"`          // CVSS score; a zero score is omitted from JSON by omitempty
	References   []string `json:"references,omitempty"`    // reference links/identifiers
	Type         string   `json:"type,omitempty"`          // vulnerability, lint
	Line         int      `json:"line,omitempty"`          // line number for lint findings
	Remediation  string   `json:"remediation,omitempty"`   // fix recommendation
}
ContainerFinding represents a container vulnerability or lint finding
type ContainersConfig ¶
// ContainersConfig configures container image scanning.
type ContainersConfig struct {
	Enabled        bool `json:"enabled"`          // turn the containers feature on or off
	ScanBaseImages bool `json:"scan_base_images"` // Scan images from Dockerfiles
}
ContainersConfig configures container image scanning
type ContainersSummary ¶
// ContainersSummary contains the container security summary: finding
// counts by severity and by image, plus what was scanned.
type ContainersSummary struct {
	TotalFindings      int            `json:"total_findings"`      // all container findings
	Critical           int            `json:"critical"`            // findings with critical severity
	High               int            `json:"high"`                // findings with high severity
	Medium             int            `json:"medium"`              // findings with medium severity
	Low                int            `json:"low"`                 // findings with low severity
	DockerfilesScanned int            `json:"dockerfiles_scanned"` // Dockerfiles examined
	ImagesScanned      int            `json:"images_scanned"`      // images examined
	ByImage            map[string]int `json:"by_image"`            // finding count keyed by image
	BySeverity         map[string]int `json:"by_severity"`         // finding count keyed by severity label
	Error              string         `json:"error,omitempty"`     // feature-level error message; omitted from JSON when empty
}
ContainersSummary contains container security summary
type Contributor ¶
// Contributor represents a git contributor and their commit activity
// over several trailing windows.
type Contributor struct {
	Name            string `json:"name"`              // author name
	Email           string `json:"email"`             // author e-mail; personal data — keep in mind when persisting or sharing output
	TotalCommits    int    `json:"total_commits"`     // commits over the whole history
	Commits30d      int    `json:"commits_30d"`       // commits in the last 30 days
	Commits90d      int    `json:"commits_90d"`       // commits in the last 90 days
	Commits365d     int    `json:"commits_365d"`      // commits in the last 365 days
	LinesAdded90d   int    `json:"lines_added_90d"`   // lines added in the last 90 days
	LinesRemoved90d int    `json:"lines_removed_90d"` // lines removed in the last 90 days
}
Contributor represents a git contributor
type DORAConfig ¶
// DORAConfig configures DORA metrics calculation.
type DORAConfig struct {
	Enabled    bool `json:"enabled"`     // turn the DORA feature on or off
	PeriodDays int  `json:"period_days"` // Analysis period (default 90)
	// PR-level metrics (LinearB alignment)
	IncludePRMetrics bool `json:"include_pr_metrics"` // Fetch PR cycle time data from GitHub API; implies network access to GitHub — how credentials are supplied is not shown here
	MaxPRs           int  `json:"max_prs"`            // Max PRs to analyze (default 100)
	// Rework rate (DORA 2025)
	IncludeReworkRate bool `json:"include_rework_rate"` // Calculate rework/refactor rates
}
DORAConfig configures DORA metrics calculation
type DORAMetrics ¶
// DORAMetrics contains detailed DORA metrics: the four core measures,
// the counts they were derived from, and optional PR-level and rework
// breakdowns.
type DORAMetrics struct {
	DeploymentFrequency float64      `json:"deployment_frequency"`  // deployments per unit period; the unit is not fixed by this type
	LeadTimeHours       float64      `json:"lead_time_hours"`       // lead time for changes, in hours
	ChangeFailureRate   float64      `json:"change_failure_rate"`   // share of deployments that were fixes/failures
	MTTRHours           float64      `json:"mttr_hours"`            // mean time to restore, in hours
	TotalDeployments    int          `json:"total_deployments"`     // deployments counted in the period
	TotalCommits        int          `json:"total_commits"`         // commits counted in the period
	Deployments         []Deployment `json:"deployments,omitempty"` // per-deployment detail
	// PR-level cycle time metrics (LinearB alignment)
	PRMetrics *PRMetrics `json:"pr_metrics,omitempty"`
	// Rework rate (DORA 2025) - legacy fields for backwards compatibility
	ReworkRate   float64 `json:"rework_rate,omitempty"`
	RefactorRate float64 `json:"refactor_rate,omitempty"`
	// Enhanced rework analysis using git blame
	ReworkAnalysis *ReworkMetrics `json:"rework_analysis,omitempty"`
}
DORAMetrics contains detailed DORA metrics
type DORASummary ¶
// DORASummary contains the DORA metrics summary. Each metric is paired with
// a *Class string holding its benchmark tier; the tier labels are not fixed
// by this type (PRMetrics documents elite/good/fair/needs_focus for the
// PR-level ones).
type DORASummary struct {
	DeploymentFrequency      float64 `json:"deployment_frequency"`
	DeploymentFrequencyClass string  `json:"deployment_frequency_class"`
	LeadTimeHours            float64 `json:"lead_time_hours"`
	LeadTimeClass            string  `json:"lead_time_class"`
	ChangeFailureRate        float64 `json:"change_failure_rate"`
	ChangeFailureClass       string  `json:"change_failure_class"`
	MTTRHours                float64 `json:"mttr_hours"`
	MTTRClass                string  `json:"mttr_class"`
	OverallClass             string  `json:"overall_class"`   // combined tier across the core metrics
	PeriodDays               int     `json:"period_days"`     // analysis period the metrics cover
	Error                    string  `json:"error,omitempty"` // feature-level error message; omitted from JSON when empty
	// PR-level cycle time metrics (LinearB alignment)
	AvgPickupHours float64 `json:"avg_pickup_hours,omitempty"`
	PickupClass    string  `json:"pickup_class,omitempty"`
	AvgReviewHours float64 `json:"avg_review_hours,omitempty"`
	ReviewClass    string  `json:"review_class,omitempty"`
	AvgMergeHours  float64 `json:"avg_merge_hours,omitempty"`
	MergeClass     string  `json:"merge_class,omitempty"`
	AvgPRSize      int     `json:"avg_pr_size,omitempty"`
	PRSizeClass    string  `json:"pr_size_class,omitempty"`
	TotalPRs       int     `json:"total_prs,omitempty"`
	// Rework rate (DORA 2025)
	ReworkRate    float64 `json:"rework_rate,omitempty"`
	ReworkClass   string  `json:"rework_class,omitempty"`
	RefactorRate  float64 `json:"refactor_rate,omitempty"`
	RefactorClass string  `json:"refactor_class,omitempty"`
	// Data confidence (how reliable are these metrics)
	DataConfidence *analyzer.DataConfidence `json:"data_confidence,omitempty"`
}
DORASummary contains DORA metrics summary
type Deployment ¶
// Deployment represents a release/deployment identified by a tag.
type Deployment struct {
	Tag     string    `json:"tag"`     // tag naming the release
	Date    time.Time `json:"date"`    // release date (encoded as RFC 3339 by encoding/json)
	Commits int       `json:"commits"` // commits included in this release
	IsFix   bool      `json:"is_fix"`  // whether the release was classified as a fix; the criteria are not defined by this type
}
Deployment represents a release/deployment
type DevOpsAnalyzer ¶
// DevOpsAnalyzer consolidates all DevOps and CI/CD security analysis.
// It carries no state of its own; the method set (Name, Description,
// Dependencies, Requirements, EstimateDuration, Run) is declared below.
type DevOpsAnalyzer struct{}
DevOpsAnalyzer consolidates all DevOps and CI/CD security analysis
func (*DevOpsAnalyzer) Dependencies ¶
func (s *DevOpsAnalyzer) Dependencies() []string
func (*DevOpsAnalyzer) Description ¶
func (s *DevOpsAnalyzer) Description() string
func (*DevOpsAnalyzer) EstimateDuration ¶
func (s *DevOpsAnalyzer) EstimateDuration(fileCount int) time.Duration
func (*DevOpsAnalyzer) Name ¶
func (s *DevOpsAnalyzer) Name() string
func (*DevOpsAnalyzer) Requirements ¶
func (s *DevOpsAnalyzer) Requirements() analyzer.AnalyzerRequirements
func (*DevOpsAnalyzer) Run ¶
func (s *DevOpsAnalyzer) Run(ctx context.Context, opts *analyzer.ScanOptions) (*analyzer.ScanResult, error)
type FeatureConfig ¶
// FeatureConfig holds configuration for all DevOps analysis features.
// DefaultConfig, FullConfig, QuickConfig and SecurityConfig return
// preset values.
type FeatureConfig struct {
	IaC           IaCConfig           `json:"iac"`
	Containers    ContainersConfig    `json:"containers"`
	GitHubActions GitHubActionsConfig `json:"github_actions"`
	DORA          DORAConfig          `json:"dora"`
	Git           GitConfig           `json:"git"`
}
FeatureConfig holds configuration for all DevOps analysis features
func DefaultConfig ¶
func DefaultConfig() FeatureConfig
DefaultConfig returns default feature configuration
func FullConfig ¶
func FullConfig() FeatureConfig
FullConfig returns config with all features enabled
func QuickConfig ¶
func QuickConfig() FeatureConfig
QuickConfig returns minimal config for fast scans
func SecurityConfig ¶
func SecurityConfig() FeatureConfig
SecurityConfig returns security-focused config
type Findings ¶
// Findings holds findings from all features. Each member is omitted from
// JSON when its feature produced nothing (empty slice or nil pointer).
type Findings struct {
	IaC           []IaCFinding           `json:"iac,omitempty"`
	Containers    []ContainerFinding     `json:"containers,omitempty"`
	GitHubActions []GitHubActionsFinding `json:"github_actions,omitempty"`
	DORA          *DORAMetrics           `json:"dora,omitempty"`
	Git           *GitFindings           `json:"git,omitempty"`
}
Findings holds findings from all features
type GitConfig ¶
// GitConfig configures git insights analysis.
type GitConfig struct {
	Enabled         bool `json:"enabled"`          // turn the git feature on or off
	IncludeChurn    bool `json:"include_churn"`    // Include high-churn file analysis
	IncludeAge      bool `json:"include_age"`      // Include code age analysis
	IncludePatterns bool `json:"include_patterns"` // Include commit pattern analysis
	IncludeBranches bool `json:"include_branches"` // Include branch analysis
}
GitConfig configures git insights analysis
type GitFindings ¶
// GitFindings contains git analysis findings. Contributors is always
// emitted; the other sections are present only when the corresponding
// GitConfig Include* option produced data.
type GitFindings struct {
	Contributors   []Contributor   `json:"contributors"`
	HighChurnFiles []ChurnFile     `json:"high_churn_files,omitempty"`
	CodeAge        *CodeAgeStats   `json:"code_age,omitempty"`
	Patterns       *CommitPatterns `json:"patterns,omitempty"`
	Branches       *BranchInfo     `json:"branches,omitempty"`
}
GitFindings contains git analysis findings
type GitHubActionsConfig ¶
// GitHubActionsConfig configures GitHub Actions security scanning.
type GitHubActionsConfig struct {
	Enabled          bool `json:"enabled"`           // turn the GitHub Actions feature on or off
	CheckPinning     bool `json:"check_pinning"`     // Check if actions are pinned to SHA (a tag or branch ref can be repointed; a full commit SHA cannot)
	CheckSecrets     bool `json:"check_secrets"`     // Check for secret exposure
	CheckInjection   bool `json:"check_injection"`   // Check for injection vulnerabilities
	CheckPermissions bool `json:"check_permissions"` // Check for excessive permissions
}
GitHubActionsConfig configures GitHub Actions security scanning
type GitHubActionsFinding ¶
// GitHubActionsFinding represents a GitHub Actions security finding in a
// workflow file.
type GitHubActionsFinding struct {
	RuleID      string `json:"rule_id"`              // rule that produced the finding
	Title       string `json:"title"`                // short title
	Description string `json:"description"`          // longer description
	Severity    string `json:"severity"`             // severity label; the value set is not fixed by this type
	File        string `json:"file"`                 // workflow file
	Line        int    `json:"line,omitempty"`       // line within File, when known
	Category    string `json:"category"`             // category; GitHubActionsSummary.ByCategory is keyed by this
	Suggestion  string `json:"suggestion,omitempty"` // fix suggestion
}
GitHubActionsFinding represents a GitHub Actions security finding
type GitHubActionsSummary ¶
// GitHubActionsSummary contains the GitHub Actions security summary.
type GitHubActionsSummary struct {
	TotalFindings    int            `json:"total_findings"`    // all GitHub Actions findings
	Critical         int            `json:"critical"`          // findings with critical severity
	High             int            `json:"high"`              // findings with high severity
	Medium           int            `json:"medium"`            // findings with medium severity
	Low              int            `json:"low"`               // findings with low severity
	ByCategory       map[string]int `json:"by_category"`       // finding count keyed by GitHubActionsFinding.Category
	WorkflowsScanned int            `json:"workflows_scanned"` // workflow files examined
	Error            string         `json:"error,omitempty"`   // feature-level error message; omitted from JSON when empty
}
GitHubActionsSummary contains GitHub Actions security summary
type GitSummary ¶
// GitSummary contains the git insights summary.
type GitSummary struct {
	TotalCommits          int    `json:"total_commits"`           // commits over the whole history
	TotalContributors     int    `json:"total_contributors"`      // distinct contributors
	ActiveContributors30d int    `json:"active_contributors_30d"` // contributors with commits in the last 30 days
	ActiveContributors90d int    `json:"active_contributors_90d"` // contributors with commits in the last 90 days
	Commits90d            int    `json:"commits_90d"`             // commits in the last 90 days
	BusFactor             int    `json:"bus_factor"`              // bus factor; how it is computed is not defined by this type
	ActivityLevel         string `json:"activity_level"`          // activity label; the value set is not fixed by this type
	Error                 string `json:"error,omitempty"`         // feature-level error message; omitted from JSON when empty
}
GitSummary contains git insights summary
type IaCConfig ¶
// IaCConfig configures Infrastructure as Code scanning.
type IaCConfig struct {
	Enabled            bool   `json:"enabled"`              // turn the IaC feature on or off
	Tool               string `json:"tool"`                 // checkov, trivy, auto — NOTE(review): not enforced by the type; confirm the consumer validates Tool before selecting a scanner
	FallbackTool       bool   `json:"fallback_tool"`        // Use trivy if checkov fails
	ScanSecrets        bool   `json:"scan_secrets"`         // Scan for hardcoded secrets in IaC files
	CheckBestPractices bool   `json:"check_best_practices"` // Check for IaC best practices
}
IaCConfig configures Infrastructure as Code scanning
type IaCFinding ¶
// IaCFinding represents an IaC security or best-practice finding. Secrets
// findings reuse this type with IsSecret set and the Secret-related fields
// populated.
type IaCFinding struct {
	RuleID      string `json:"rule_id"`              // rule that produced the finding
	Title       string `json:"title"`                // short title
	Description string `json:"description"`          // longer description
	Severity    string `json:"severity"`             // severity label; the value set is not fixed by this type
	File        string `json:"file"`                 // IaC file
	Line        int    `json:"line,omitempty"`       // line within File, when known
	Resource    string `json:"resource,omitempty"`   // affected resource, when known
	Type        string `json:"type"`                 // terraform, kubernetes, dockerfile, cloudformation
	Category    string `json:"category,omitempty"`   // security, best-practice
	Resolution  string `json:"resolution,omitempty"` // how to resolve the finding
	CheckType   string `json:"check_type,omitempty"` // scanner-specific check type
	// Secret-related fields (for IaC secrets findings)
	SecretType string `json:"secret_type,omitempty"` // aws_key, password, token, etc.
	Snippet    string `json:"snippet,omitempty"`     // redacted code snippet — NOTE(review): redaction is not enforced by this type; confirm the producer redacts before the finding is serialized
	IsSecret   bool   `json:"is_secret,omitempty"`   // true if this is a secrets finding
}
IaCFinding represents an IaC security or best-practice finding
type IaCSecretsSummary ¶
// IaCSecretsSummary contains the IaC secrets scan summary.
type IaCSecretsSummary struct {
	TotalFindings int            `json:"total_findings"` // all secrets findings
	ByType        map[string]int `json:"by_type"`        // by IaC type
	BySecretType  map[string]int `json:"by_secret_type"` // by secret type
	BySeverity    map[string]int `json:"by_severity"`    // by severity label
	FilesScanned  int            `json:"files_scanned"`  // files examined for secrets
}
IaCSecretsSummary contains IaC secrets scan summary
type IaCSummary ¶
// IaCSummary contains the IaC security scan summary.
type IaCSummary struct {
	TotalFindings  int                `json:"total_findings"`            // all IaC findings
	Critical       int                `json:"critical"`                  // findings with critical severity
	High           int                `json:"high"`                      // findings with high severity
	Medium         int                `json:"medium"`                    // findings with medium severity
	Low            int                `json:"low"`                       // findings with low severity
	ByType         map[string]int     `json:"by_type"`                   // finding count keyed by IaCFinding.Type
	ByCategory     map[string]int     `json:"by_category,omitempty"`     // security vs best-practice
	FilesScanned   int                `json:"files_scanned"`             // IaC files examined
	Tool           string             `json:"tool"`                      // scanner that was actually used
	Error          string             `json:"error,omitempty"`           // feature-level error message; omitted from JSON when empty
	SecretsSummary *IaCSecretsSummary `json:"secrets_summary,omitempty"` // IaC secrets findings summary
	BestPractices  int                `json:"best_practices,omitempty"`  // count of best practice findings
}
IaCSummary contains IaC security scan summary
type PRCycleTime ¶
// PRCycleTime contains cycle time data for a single PR. The three phase
// durations (pickup, review, merge) are in hours; CycleHours is the total.
type PRCycleTime struct {
	Number      int       `json:"number"`       // PR number
	Title       string    `json:"title"`        // PR title
	Author      string    `json:"author"`       // PR author
	CreatedAt   time.Time `json:"created_at"`   // when the PR was opened
	MergedAt    time.Time `json:"merged_at"`    // when the PR was merged
	PickupHours float64   `json:"pickup_hours"` // Time to first review
	ReviewHours float64   `json:"review_hours"` // First review to approval
	MergeHours  float64   `json:"merge_hours"`  // Approval to merge
	CycleHours  float64   `json:"cycle_hours"`  // Total cycle time
	Additions   int       `json:"additions"`    // lines added
	Deletions   int       `json:"deletions"`    // lines deleted
	Size        int       `json:"size"`         // additions + deletions
}
PRCycleTime contains cycle time data for a single PR
type PRMetrics ¶
// PRMetrics contains PR-level cycle time breakdowns (LinearB alignment):
// averages across the analyzed PRs, their benchmark tiers, and optionally
// the per-PR data they were computed from.
type PRMetrics struct {
	TotalPRs       int     `json:"total_prs"`        // PRs analyzed
	AvgPickupHours float64 `json:"avg_pickup_hours"` // PR opened → first review
	AvgReviewHours float64 `json:"avg_review_hours"` // First review → approval
	AvgMergeHours  float64 `json:"avg_merge_hours"`  // Approval → merge
	AvgCycleHours  float64 `json:"avg_cycle_hours"`  // PR opened → merge
	AvgPRSize      int     `json:"avg_pr_size"`      // additions + deletions
	// Tier classifications (LinearB benchmarks)
	PickupClass string `json:"pickup_class,omitempty"` // elite, good, fair, needs_focus
	ReviewClass string `json:"review_class,omitempty"` // same tier set as PickupClass
	MergeClass  string `json:"merge_class,omitempty"`  // same tier set as PickupClass
	PRSizeClass string `json:"pr_size_class,omitempty"` // same tier set as PickupClass
	// PR size distribution across benchmark tiers
	PRSizeDistribution *PRSizeDistribution `json:"pr_size_distribution,omitempty"`
	// Individual PR data
	PRs []PRCycleTime `json:"prs,omitempty"`
}
PRMetrics contains PR-level cycle time breakdowns (LinearB alignment)
type PRSizeDistribution ¶
// PRSizeDistribution tracks the PR size distribution across LinearB
// benchmark tiers. Size is additions + deletions (see PRCycleTime.Size).
type PRSizeDistribution struct {
	Total      int    `json:"total"`       // Total PRs analyzed
	Elite      int    `json:"elite"`       // < 100 lines
	Good       int    `json:"good"`        // 100-155 lines
	Fair       int    `json:"fair"`        // 156-228 lines
	NeedsFocus int    `json:"needs_focus"` // > 228 lines
	Class      string `json:"class"`       // Overall classification based on average
}
PRSizeDistribution tracks PR size distribution across LinearB benchmark tiers
type Result ¶
// Result holds all feature results: which features ran, their summaries,
// and their findings.
type Result struct {
	FeaturesRun []string `json:"features_run"` // names of the features that ran
	Summary     Summary  `json:"summary"`      // per-feature summaries
	Findings    Findings `json:"findings"`     // per-feature findings
}
Result holds all feature results
type ReworkAnalysis ¶
// ReworkAnalysis contains the analysis of a single commit for rework
// patterns. The Is* flags classify the commit; Confidence qualifies the
// classification.
type ReworkAnalysis struct {
	CommitSHA         string  `json:"commit_sha"`          // commit analyzed
	Author            string  `json:"author"`              // commit author
	Date              string  `json:"date"`                // commit date; the string format is not fixed by this type
	IsRework          bool    `json:"is_rework"`           // Modifies lines changed in last N commits
	IsSelfRework      bool    `json:"is_self_rework"`      // Modifies own recent changes
	IsRefactor        bool    `json:"is_refactor"`         // Large-scale moves/renames
	IsLegitFix        bool    `json:"is_legit_fix"`        // Modifies old code
	DaysSinceOriginal int     `json:"days_since_original"` // How recent was the original change
	OriginalAuthor    string  `json:"original_author"`     // Who wrote the original code
	LinesModified     int     `json:"lines_modified"`      // lines touched by the commit
	Confidence        float64 `json:"confidence"`          // Confidence in classification (0-1)
}
ReworkAnalysis contains analysis of a single commit for rework patterns
type ReworkMetrics ¶
// ReworkMetrics contains enhanced rework rate analysis using git blame.
// Method records whether blame was actually used or the pattern-based
// fallback was taken.
type ReworkMetrics struct {
	// Overall rework rate (% of commits that modify recently-changed code)
	ReworkRate    float64 `json:"rework_rate"`
	ReworkClass   string  `json:"rework_class"`   // benchmark tier for ReworkRate
	RefactorRate  float64 `json:"refactor_rate"`  // % of commits classified as refactors
	RefactorClass string  `json:"refactor_class"` // benchmark tier for RefactorRate
	// Breakdown of rework types
	TotalCommits    int `json:"total_commits"`    // commits analyzed
	ReworkCommits   int `json:"rework_commits"`   // Modifies recent lines by different author
	SelfRework      int `json:"self_rework"`      // Modifies own recent changes
	RefactorCommits int `json:"refactor_commits"` // Large-scale restructuring
	LegitFixes      int `json:"legit_fixes"`      // Fixes old code (> threshold days)
	// Configuration used
	LookbackDays int `json:"lookback_days"` // How far back to look for "recent" changes
	// Detailed analysis (top reworked areas)
	TopReworkedFiles []ReworkedFile `json:"top_reworked_files,omitempty"`
	// Method used for analysis
	Method string `json:"method"` // "blame" or "pattern" (fallback)
}
ReworkMetrics contains enhanced rework rate analysis using git blame
type ReworkedFile ¶
// ReworkedFile identifies a file with high rework activity.
type ReworkedFile struct {
	Path            string   `json:"path"`                       // file path (presumably repository-relative — confirm against the producer)
	ReworkCount     int      `json:"rework_count"`               // changes classified as rework
	TotalChanges    int      `json:"total_changes"`              // all changes to the file
	ReworkRate      float64  `json:"rework_rate"`                // Percentage
	TopContributors []string `json:"top_contributors,omitempty"` // most active contributors to the file
}
ReworkedFile identifies files with high rework activity
type Summary ¶
// Summary holds summaries from all features. A feature that did not run
// leaves its pointer nil, which omitempty drops from the JSON output.
type Summary struct {
	IaC           *IaCSummary           `json:"iac,omitempty"`
	Containers    *ContainersSummary    `json:"containers,omitempty"`
	GitHubActions *GitHubActionsSummary `json:"github_actions,omitempty"`
	DORA          *DORASummary          `json:"dora,omitempty"`
	Git           *GitSummary           `json:"git,omitempty"`
	Errors        []string              `json:"errors,omitempty"` // error messages collected across features (presumably mirroring the per-feature Error fields — confirm in the producer)
}
Summary holds summaries from all features