configuration

package
Published: Feb 11, 2026 License: MPL-2.0 Imports: 7 Imported by: 0

Constants

This section is empty.

Variables

This section is empty.

Functions

func GroupsToExpression added in v0.1.34

func GroupsToExpression(groups [][]string) string

GroupsToExpression converts DNF groups ([][]string) back to a human-readable expression string. It is intended for display: parsing an expression with ParseRequiredExpression and converting the result back yields an equivalent expression, but not necessarily the same text (e.g. "a AND (b OR c)" comes back in distributed form as "(a AND b) OR (a AND c)").

Examples:

[["a", "b"]]              → "a AND b"
[["a"], ["b"]]            → "a OR b"
[["a", "b"], ["c"]]       → "(a AND b) OR c"
[["a", "b"], ["c", "d"]]  → "(a AND b) OR (c AND d)"
[]                        → ""

func ParseRequiredExpression added in v0.1.34

func ParseRequiredExpression(expr string) ([][]string, error)

ParseRequiredExpression parses a human-readable requirement expression and returns the equivalent DNF groups ([][]string). AND binds tighter than OR, and parentheses group sub-expressions; a malformed expression yields a non-nil error.

Examples:

"a AND b"             → [["a", "b"]]
"a OR b"              → [["a"], ["b"]]
"(a AND b) OR c"      → [["a", "b"], ["c"]]
"a AND (b OR c)"      → [["a", "b"], ["a", "c"]]
""                    → [] (empty — no requirements)

func ValidateExpression added in v0.1.34

func ValidateExpression(expr string) error

ValidateExpression checks whether an expression string is syntactically valid. It returns nil if the expression is valid, or a descriptive error if not. This is a purely syntactic check: it does not verify that the components or templates named in the expression exist.

Types

type BranchProtectionControlConfig

type BranchProtectionControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`

	// NamePatterns is a list of branch name patterns that must be protected (supports wildcards).
	// NOTE(review): the wildcard syntax and whether matching is anchored are not visible here — confirm
	// against the control implementation before relying on patterns such as "release-*".
	NamePatterns []string `yaml:"namePatterns,omitempty"`

	// DefaultMustBeProtected requires the default branch to be protected.
	DefaultMustBeProtected *bool `yaml:"defaultMustBeProtected,omitempty"`

	// AllowForcePush when false, force push must be disabled on protected branches.
	// Force pushes rewrite history on the protected branch, so allowing them undermines the
	// guarantee that reviewed commits stay in place.
	AllowForcePush *bool `yaml:"allowForcePush,omitempty"`

	// CodeOwnerApprovalRequired when true, code owner approval is required.
	CodeOwnerApprovalRequired *bool `yaml:"codeOwnerApprovalRequired,omitempty"`

	// MinMergeAccessLevel minimum access level required to merge (0=No one, 30=Developer, 40=Maintainer).
	// Values follow GitLab's numeric access levels; a lower value is a weaker requirement.
	MinMergeAccessLevel *int `yaml:"minMergeAccessLevel,omitempty"`

	// MinPushAccessLevel minimum access level required to push (0=No one, 30=Developer, 40=Maintainer).
	// Values follow GitLab's numeric access levels; a lower value is a weaker requirement.
	MinPushAccessLevel *int `yaml:"minPushAccessLevel,omitempty"`
}

BranchProtectionControlConfig configuration for the branch protection control

func (*BranchProtectionControlConfig) IsEnabled

func (c *BranchProtectionControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type Configuration

type Configuration struct {
	// GitLab connection settings
	GitlabURL   string // URL of the GitLab instance (e.g., https://gitlab.com). The token below is sent to this host, so it must be a trusted endpoint, preferably over https.
	GitlabToken string // GitLab API token. SECRET: never log it, format the struct with %v/%+v, or serialize it; redact it in any debug output.
	// NOTE(review): how GitlabToken is sourced (flag, env var, file) is not visible here. A CLI flag leaks
	// into process listings and shell history; prefer an environment variable or a file — confirm.

	// Project settings
	ProjectPath string // Full path of the project (e.g., group/project)
	ProjectID   int    // Project ID on GitLab
	Branch      string // Branch to analyze (from --branch flag, defaults to project's default branch)

	// HTTP client settings
	HTTPClientTimeout time.Duration // Timeout for HTTP clients (REST and GraphQL); bounds how long a single call can hang.

	// GitLab API retry configuration
	GitlabRetryMaxRetries     int           // Maximum number of retries for GitLab API requests
	GitlabRetryInitialBackoff time.Duration // Initial backoff time for GitLab API retries
	GitlabRetryMaxBackoff     time.Duration // Maximum backoff time for GitLab API retries (cap on the exponential growth)
	GitlabRetryBackoffFactor  float64       // Backoff multiplication factor for exponential backoff, applied after each failed attempt

	// Logging
	// NOTE(review): at verbose levels make sure request logging does not echo the Authorization header or token.
	LogLevel logrus.Level

	// Version info (presumably the tool's own version, as reported to the user)
	Version string

	// Plumber Configuration (from .plumber.yaml file); presumably nil when no file has been loaded — confirm
	PlumberConfig *PlumberConfig
}

Configuration represents the simplified CLI configuration options

func NewDefaultConfiguration

func NewDefaultConfiguration() *Configuration

NewDefaultConfiguration creates a Configuration with sensible defaults

type ControlsConfig

type ControlsConfig struct {
	// Every control is a pointer. A control omitted from .plumber.yaml stays nil: its Get*Config accessor
	// returns nil and, per the IsEnabled docs, a control that is not properly configured reports false.
	// Controls are therefore opt-in, and an omitted control is not enforced.

	// ContainerImageMustNotUseForbiddenTags control configuration
	ContainerImageMustNotUseForbiddenTags *ImageForbiddenTagsControlConfig `yaml:"containerImageMustNotUseForbiddenTags,omitempty"`

	// ContainerImageMustComeFromAuthorizedSources control configuration
	ContainerImageMustComeFromAuthorizedSources *ImageAuthorizedSourcesControlConfig `yaml:"containerImageMustComeFromAuthorizedSources,omitempty"`

	// BranchMustBeProtected control configuration
	BranchMustBeProtected *BranchProtectionControlConfig `yaml:"branchMustBeProtected,omitempty"`

	// PipelineMustNotIncludeHardcodedJobs control configuration
	PipelineMustNotIncludeHardcodedJobs *HardcodedJobsControlConfig `yaml:"pipelineMustNotIncludeHardcodedJobs,omitempty"`

	// IncludesMustBeUpToDate control configuration
	IncludesMustBeUpToDate *IncludesUpToDateControlConfig `yaml:"includesMustBeUpToDate,omitempty"`

	// IncludesMustNotUseForbiddenVersions control configuration
	IncludesMustNotUseForbiddenVersions *IncludesForbiddenVersionsControlConfig `yaml:"includesMustNotUseForbiddenVersions,omitempty"`

	// PipelineMustIncludeComponent control configuration
	PipelineMustIncludeComponent *RequiredComponentsControlConfig `yaml:"pipelineMustIncludeComponent,omitempty"`

	// PipelineMustIncludeTemplate control configuration
	PipelineMustIncludeTemplate *RequiredTemplatesControlConfig `yaml:"pipelineMustIncludeTemplate,omitempty"`
}

ControlsConfig holds configuration for all controls

type HardcodedJobsControlConfig added in v0.1.31

type HardcodedJobsControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`
}

HardcodedJobsControlConfig configuration for the hardcoded jobs control

func (*HardcodedJobsControlConfig) IsEnabled added in v0.1.31

func (c *HardcodedJobsControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type ImageAuthorizedSourcesControlConfig

type ImageAuthorizedSourcesControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`

	// TrustedUrls is a list of trusted registry URLs/patterns (supports wildcards).
	// Keep patterns as narrow as possible: a bare "*" trusts every registry, and a wildcard placed right
	// after a hostname (e.g. "registry.example.com*") may also match look-alike hosts such as
	// "registry.example.com.attacker.example" depending on how the wildcard is applied.
	// NOTE(review): the exact matching semantics are not visible here — confirm against the control implementation.
	TrustedUrls []string `yaml:"trustedUrls,omitempty"`

	// TrustDockerHubOfficialImages trusts official Docker Hub images (e.g., nginx, alpine), i.e. the
	// single-segment "library/" names. This widens the trust boundary to Docker Hub; leave it unset
	// if images are expected to come only from the registries in TrustedUrls.
	TrustDockerHubOfficialImages *bool `yaml:"trustDockerHubOfficialImages,omitempty"`
}

ImageAuthorizedSourcesControlConfig configuration for the authorized image sources control

func (*ImageAuthorizedSourcesControlConfig) IsEnabled

func (c *ImageAuthorizedSourcesControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type ImageForbiddenTagsControlConfig

type ImageForbiddenTagsControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`

	// Tags is a list of forbidden tags (e.g., latest, dev).
	// Mutable tags like these let an image change underneath a pipeline; pinning to an immutable
	// tag or a digest avoids that.
	// NOTE(review): an image reference with no explicit tag resolves to "latest" at pull time. Whether
	// this control treats an untagged reference as "latest" is not visible here — confirm.
	Tags []string `yaml:"tags,omitempty"`
}

ImageForbiddenTagsControlConfig configuration for the forbidden image tags control

func (*ImageForbiddenTagsControlConfig) IsEnabled

func (c *ImageForbiddenTagsControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type IncludesForbiddenVersionsControlConfig added in v0.1.31

type IncludesForbiddenVersionsControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`

	// ForbiddenVersions is a list of version patterns considered forbidden (e.g., latest, main, HEAD).
	// Branch names and HEAD are mutable references: an include pinned to one silently picks up whatever
	// the upstream project pushes next, which is a supply-chain risk. Prefer tags or commit SHAs.
	ForbiddenVersions []string `yaml:"forbiddenVersions,omitempty"`

	// DefaultBranchIsForbiddenVersion when true, adds the project's default branch to forbidden versions.
	// Useful because the default branch name varies between projects (main, master, develop, ...) and
	// would otherwise have to be listed explicitly in ForbiddenVersions.
	DefaultBranchIsForbiddenVersion *bool `yaml:"defaultBranchIsForbiddenVersion,omitempty"`
}

IncludesForbiddenVersionsControlConfig configuration for the forbidden versions control

func (*IncludesForbiddenVersionsControlConfig) IsEnabled added in v0.1.31

func (c *IncludesForbiddenVersionsControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type IncludesUpToDateControlConfig added in v0.1.31

type IncludesUpToDateControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`
}

IncludesUpToDateControlConfig configuration for the includes up-to-date control

func (*IncludesUpToDateControlConfig) IsEnabled added in v0.1.31

func (c *IncludesUpToDateControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type PlumberConfig

type PlumberConfig struct {
	// Version of the config file format.
	// NOTE(review): which versions are accepted, and whether LoadPlumberConfig rejects an unknown or
	// missing version, is not visible here — confirm.
	Version string `yaml:"version"`

	// Controls configuration. Controls omitted from the file are nil and are not enforced (see ControlsConfig).
	Controls ControlsConfig `yaml:"controls"`
}

PlumberConfig represents the .plumber.yaml configuration file structure

func LoadPlumberConfig

func LoadPlumberConfig(configPath string) (*PlumberConfig, string, error)

LoadPlumberConfig loads configuration from a file path. The config file path is required: it returns an error if the path is empty or the file is not found. The second return value is a string whose meaning is not documented on this page.

func (*PlumberConfig) GetBranchMustBeProtectedConfig

func (c *PlumberConfig) GetBranchMustBeProtectedConfig() *BranchProtectionControlConfig

GetBranchMustBeProtectedConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetContainerImageMustComeFromAuthorizedSourcesConfig

func (c *PlumberConfig) GetContainerImageMustComeFromAuthorizedSourcesConfig() *ImageAuthorizedSourcesControlConfig

GetContainerImageMustComeFromAuthorizedSourcesConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetContainerImageMustNotUseForbiddenTagsConfig

func (c *PlumberConfig) GetContainerImageMustNotUseForbiddenTagsConfig() *ImageForbiddenTagsControlConfig

GetContainerImageMustNotUseForbiddenTagsConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetIncludesMustBeUpToDateConfig added in v0.1.31

func (c *PlumberConfig) GetIncludesMustBeUpToDateConfig() *IncludesUpToDateControlConfig

GetIncludesMustBeUpToDateConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetIncludesMustNotUseForbiddenVersionsConfig added in v0.1.31

func (c *PlumberConfig) GetIncludesMustNotUseForbiddenVersionsConfig() *IncludesForbiddenVersionsControlConfig

GetIncludesMustNotUseForbiddenVersionsConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetPipelineMustIncludeComponentConfig added in v0.1.31

func (c *PlumberConfig) GetPipelineMustIncludeComponentConfig() *RequiredComponentsControlConfig

GetPipelineMustIncludeComponentConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetPipelineMustIncludeTemplateConfig added in v0.1.31

func (c *PlumberConfig) GetPipelineMustIncludeTemplateConfig() *RequiredTemplatesControlConfig

GetPipelineMustIncludeTemplateConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

func (*PlumberConfig) GetPipelineMustNotIncludeHardcodedJobsConfig added in v0.1.31

func (c *PlumberConfig) GetPipelineMustNotIncludeHardcodedJobsConfig() *HardcodedJobsControlConfig

GetPipelineMustNotIncludeHardcodedJobsConfig returns the control configuration. It returns nil if the control is not configured, in which case the control is not enforced.

type RequiredComponentsControlConfig added in v0.1.31

type RequiredComponentsControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`

	// Required is a human-readable boolean expression defining required components.
	// Supports AND, OR operators and parentheses for grouping.
	// AND has higher precedence than OR.
	// It is parsed with ParseRequiredExpression; a malformed expression surfaces as an error from
	// GetResolvedRequiredGroups rather than at load time (as far as this page shows).
	//
	// Examples:
	//   "components/sast/sast AND components/secret-detection/secret-detection"
	//   "(components/sast/sast AND components/secret-detection/secret-detection) OR your-org/full-security/full-security"
	//
	// NOTE(review): how an operand is matched against the pipeline's component includes (exact path,
	// with or without version, pattern) is not visible here — confirm before relying on it as a gate.
	Required string `yaml:"required,omitempty"`

	// RequiredGroups uses DNF (Disjunctive Normal Form) format:
	// Outer array = OR (at least one group must be satisfied)
	// Inner array = AND (all components in group must be present)
	// Example: [["comp-a", "comp-b"], ["comp-c"]] means:
	//   "must have (comp-a AND comp-b) OR (comp-c)"
	//
	// Cannot be used together with 'required'; GetResolvedRequiredGroups returns an error if both are set.
	RequiredGroups [][]string `yaml:"requiredGroups,omitempty"`
}

RequiredComponentsControlConfig configuration for the required components control

func (*RequiredComponentsControlConfig) GetResolvedRequiredGroups added in v0.1.34

func (c *RequiredComponentsControlConfig) GetResolvedRequiredGroups() ([][]string, error)

GetResolvedRequiredGroups returns the effective required groups by resolving either the 'required' expression or the 'requiredGroups' field. It returns an error if both are set or if the expression is invalid. What it returns when neither field is set is not documented here; callers should not assume an empty result means "no requirement" without checking.

func (*RequiredComponentsControlConfig) IsEnabled added in v0.1.31

func (c *RequiredComponentsControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.

type RequiredTemplatesControlConfig added in v0.1.31

type RequiredTemplatesControlConfig struct {
	// Enabled controls whether this check runs. IsEnabled reports false when the control is
	// not properly configured (presumably including an absent `enabled`), so this control is opt-in.
	Enabled *bool `yaml:"enabled,omitempty"`

	// Required is a human-readable boolean expression defining required templates.
	// Supports AND, OR operators and parentheses for grouping.
	// AND has higher precedence than OR.
	// It is parsed with ParseRequiredExpression; a malformed expression surfaces as an error from
	// GetResolvedRequiredGroups rather than at load time (as far as this page shows).
	//
	// Examples:
	//   "templates/go/go AND templates/trivy/trivy"
	//   "(templates/go/go AND templates/trivy/trivy) OR templates/full-go-pipeline"
	//
	// NOTE(review): how an operand is matched against the pipeline's template includes (exact path,
	// with or without version, pattern) is not visible here — confirm before relying on it as a gate.
	Required string `yaml:"required,omitempty"`

	// RequiredGroups uses DNF (Disjunctive Normal Form) format:
	// Outer array = OR (at least one group must be satisfied)
	// Inner array = AND (all templates in group must be present)
	// Example: [["go", "helm"], ["go_helm_unified"]] means:
	//   "must have (go AND helm) OR (go_helm_unified)"
	//
	// Cannot be used together with 'required'; GetResolvedRequiredGroups returns an error if both are set.
	RequiredGroups [][]string `yaml:"requiredGroups,omitempty"`
}

RequiredTemplatesControlConfig configuration for the required templates control

func (*RequiredTemplatesControlConfig) GetResolvedRequiredGroups added in v0.1.34

func (c *RequiredTemplatesControlConfig) GetResolvedRequiredGroups() ([][]string, error)

GetResolvedRequiredGroups returns the effective required groups by resolving either the 'required' expression or the 'requiredGroups' field. It returns an error if both are set or if the expression is invalid. What it returns when neither field is set is not documented here; callers should not assume an empty result means "no requirement" without checking.

func (*RequiredTemplatesControlConfig) IsEnabled added in v0.1.31

func (c *RequiredTemplatesControlConfig) IsEnabled() bool

IsEnabled reports whether the control is enabled. It returns false when the control is not properly configured (most likely including an absent `enabled` field), so a misconfigured control is silently skipped rather than enforced — verify that every control you rely on is actually active.
