Index ¶
- func GroupsToExpression(groups [][]string) string
- func ParseRequiredExpression(expr string) ([][]string, error)
- func ValidControlNames() []string
- func ValidateExpression(expr string) error
- func ValidateKnownKeys(data []byte) []string
- type BranchProtectionControlConfig
- type Configuration
- type ControlsConfig
- type HardcodedJobsControlConfig
- type ImageAuthorizedSourcesControlConfig
- type ImageForbiddenTagsControlConfig
- type IncludesForbiddenVersionsControlConfig
- type IncludesUpToDateControlConfig
- type PlumberConfig
- func (c *PlumberConfig) GetBranchMustBeProtectedConfig() *BranchProtectionControlConfig
- func (c *PlumberConfig) GetContainerImageMustComeFromAuthorizedSourcesConfig() *ImageAuthorizedSourcesControlConfig
- func (c *PlumberConfig) GetContainerImageMustNotUseForbiddenTagsConfig() *ImageForbiddenTagsControlConfig
- func (c *PlumberConfig) GetIncludesMustBeUpToDateConfig() *IncludesUpToDateControlConfig
- func (c *PlumberConfig) GetIncludesMustNotUseForbiddenVersionsConfig() *IncludesForbiddenVersionsControlConfig
- func (c *PlumberConfig) GetPipelineMustIncludeComponentConfig() *RequiredComponentsControlConfig
- func (c *PlumberConfig) GetPipelineMustIncludeTemplateConfig() *RequiredTemplatesControlConfig
- func (c *PlumberConfig) GetPipelineMustNotIncludeHardcodedJobsConfig() *HardcodedJobsControlConfig
- type RequiredComponentsControlConfig
- type RequiredTemplatesControlConfig
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GroupsToExpression ¶ added in v0.1.34
GroupsToExpression converts DNF groups ([][]string) back to a human-readable expression string. Useful for display purposes.
Examples:
[["a", "b"]] → "a AND b"
[["a"], ["b"]] → "a OR b"
[["a", "b"], ["c"]] → "(a AND b) OR c"
[["a", "b"], ["c", "d"]] → "(a AND b) OR (c AND d)"
[] → ""
func ParseRequiredExpression ¶ added in v0.1.34
ParseRequiredExpression parses a human-readable requirement expression and returns the equivalent DNF groups ([][]string).
Examples:
"a AND b" → [["a", "b"]] "a OR b" → [["a"], ["b"]] "(a AND b) OR c" → [["a", "b"], ["c"]] "a AND (b OR c)" → [["a", "b"], ["a", "c"]] "" → [] (empty — no requirements)
func ValidControlNames ¶ added in v0.1.44
func ValidControlNames() []string
ValidControlNames returns all known control names from the configuration schema.
func ValidateExpression ¶ added in v0.1.34
ValidateExpression checks whether an expression string is syntactically valid. Returns nil if valid, or a descriptive error if not.
func ValidateKnownKeys ¶ added in v0.1.43
ValidateKnownKeys checks for unknown configuration keys in .plumber.yaml at both the control level and the sub-key level. Returns a list of warning messages for unknown keys.
Types ¶
type BranchProtectionControlConfig ¶
// BranchProtectionControlConfig configures the branch protection control.
// Every field is a pointer or slice with omitempty, so an absent YAML key
// (nil) can be distinguished from an explicit false/0.
type BranchProtectionControlConfig struct {
	// Enabled controls whether this check runs.
	Enabled *bool `yaml:"enabled,omitempty"`
	// NamePatterns is a list of branch name patterns that must be protected
	// (supports wildcards). The wildcard syntax is not visible here — confirm
	// the matcher before relying on a pattern to cover all release branches.
	NamePatterns []string `yaml:"namePatterns,omitempty"`
	// DefaultMustBeProtected requires the default branch to be protected.
	DefaultMustBeProtected *bool `yaml:"defaultMustBeProtected,omitempty"`
	// AllowForcePush: when false, force push must be disabled on protected
	// branches (force push rewrites history and can discard reviewed commits).
	AllowForcePush *bool `yaml:"allowForcePush,omitempty"`
	// CodeOwnerApprovalRequired: when true, code owner approval is required.
	CodeOwnerApprovalRequired *bool `yaml:"codeOwnerApprovalRequired,omitempty"`
	// MinMergeAccessLevel is the minimum access level required to merge
	// (0=No one, 30=Developer, 40=Maintainer).
	MinMergeAccessLevel *int `yaml:"minMergeAccessLevel,omitempty"`
	// MinPushAccessLevel is the minimum access level required to push
	// (0=No one, 30=Developer, 40=Maintainer).
	MinPushAccessLevel *int `yaml:"minPushAccessLevel,omitempty"`
}
BranchProtectionControlConfig configuration for the branch protection control
func (*BranchProtectionControlConfig) IsEnabled ¶
func (c *BranchProtectionControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
type Configuration ¶
// Configuration represents the simplified CLI configuration options.
// NewDefaultConfiguration supplies the default values.
type Configuration struct {
	// GitLab connection settings
	GitlabURL string // URL of the GitLab instance (e.g., https://gitlab.com)
	// GitlabToken is the GitLab API token. It is a credential: keep it out of
	// logs, error messages and generated reports.
	GitlabToken string
	// Project settings
	ProjectPath string // Full path of the project (e.g., group/project)
	ProjectID   int    // Project ID on GitLab
	Branch      string // Branch to analyze (from --branch flag, defaults to project's default branch)
	// HTTP client settings
	HTTPClientTimeout time.Duration // Timeout for HTTP clients (REST and GraphQL)
	// GitLab API retry configuration
	GitlabRetryMaxRetries     int           // Maximum number of retries for GitLab API requests
	GitlabRetryInitialBackoff time.Duration // Initial backoff time for GitLab API retries
	GitlabRetryMaxBackoff     time.Duration // Maximum backoff time for GitLab API retries
	GitlabRetryBackoffFactor  float64       // Backoff multiplication factor for exponential backoff
	// Local CI configuration (from local filesystem)
	LocalCIConfigContent []byte // Content of local .gitlab-ci.yml (nil if using remote)
	UsingLocalCIConfig   bool   // True when using local CI config file
	GitRepoRoot          string // Root of the git repository (empty if not in a git repo)
	IsLocalProject       bool   // True when the local git repo matches the project being analyzed
	// Logging
	LogLevel logrus.Level
	// Version info
	Version string
	// PlumberConfig is the parsed .plumber.yaml (see LoadPlumberConfig);
	// presumably nil when no .plumber.yaml was loaded — confirm against the loader.
	PlumberConfig *PlumberConfig
	// ControlsFilter runs only the listed controls when set;
	// values must match .plumber.yaml control keys.
	ControlsFilter []string
	// SkipControlsFilter skips the listed controls when set;
	// presumably the same key convention as ControlsFilter applies.
	SkipControlsFilter []string
}
Configuration represents the simplified CLI configuration options.
func NewDefaultConfiguration ¶
func NewDefaultConfiguration() *Configuration
NewDefaultConfiguration creates a Configuration with sensible defaults.
type ControlsConfig ¶
// ControlsConfig holds configuration for all controls, keyed in YAML by the
// control name. Each field is a pointer: a nil field means the control is not
// configured, and the matching PlumberConfig getter returns that nil as-is.
type ControlsConfig struct {
	// ContainerImageMustNotUseForbiddenTags control configuration
	ContainerImageMustNotUseForbiddenTags *ImageForbiddenTagsControlConfig `yaml:"containerImageMustNotUseForbiddenTags,omitempty"`
	// ContainerImageMustComeFromAuthorizedSources control configuration
	ContainerImageMustComeFromAuthorizedSources *ImageAuthorizedSourcesControlConfig `yaml:"containerImageMustComeFromAuthorizedSources,omitempty"`
	// BranchMustBeProtected control configuration
	BranchMustBeProtected *BranchProtectionControlConfig `yaml:"branchMustBeProtected,omitempty"`
	// PipelineMustNotIncludeHardcodedJobs control configuration
	PipelineMustNotIncludeHardcodedJobs *HardcodedJobsControlConfig `yaml:"pipelineMustNotIncludeHardcodedJobs,omitempty"`
	// IncludesMustBeUpToDate control configuration
	IncludesMustBeUpToDate *IncludesUpToDateControlConfig `yaml:"includesMustBeUpToDate,omitempty"`
	// IncludesMustNotUseForbiddenVersions control configuration
	IncludesMustNotUseForbiddenVersions *IncludesForbiddenVersionsControlConfig `yaml:"includesMustNotUseForbiddenVersions,omitempty"`
	// PipelineMustIncludeComponent control configuration
	PipelineMustIncludeComponent *RequiredComponentsControlConfig `yaml:"pipelineMustIncludeComponent,omitempty"`
	// PipelineMustIncludeTemplate control configuration
	PipelineMustIncludeTemplate *RequiredTemplatesControlConfig `yaml:"pipelineMustIncludeTemplate,omitempty"`
}
ControlsConfig holds configuration for all controls
type HardcodedJobsControlConfig ¶ added in v0.1.31
// HardcodedJobsControlConfig configures the hardcoded jobs control.
// It has no options beyond the on/off switch.
type HardcodedJobsControlConfig struct {
	// Enabled controls whether this check runs; nil means not set in YAML.
	Enabled *bool `yaml:"enabled,omitempty"`
}
HardcodedJobsControlConfig configuration for the hardcoded jobs control
func (*HardcodedJobsControlConfig) IsEnabled ¶ added in v0.1.31
func (c *HardcodedJobsControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
type ImageAuthorizedSourcesControlConfig ¶
// ImageAuthorizedSourcesControlConfig configures the authorized image sources
// control, which restricts where pipeline container images may be pulled from.
type ImageAuthorizedSourcesControlConfig struct {
	// Enabled controls whether this check runs.
	Enabled *bool `yaml:"enabled,omitempty"`
	// TrustedUrls is a list of trusted registry URLs/patterns (supports
	// wildcards). Keep patterns narrow: a broad wildcard widens the set of
	// registries a pipeline may pull from. The wildcard syntax is not visible
	// here — check the matcher before relying on it.
	// NOTE(review): Go style would spell this TrustedURLs; the yaml tag, not the
	// field name, fixes the config key, but renaming would change the exported API.
	TrustedUrls []string `yaml:"trustedUrls,omitempty"`
	// TrustDockerHubOfficialImages trusts official Docker Hub images
	// (e.g., nginx, alpine) — presumably regardless of TrustedUrls; confirm.
	TrustDockerHubOfficialImages *bool `yaml:"trustDockerHubOfficialImages,omitempty"`
}
ImageAuthorizedSourcesControlConfig configuration for the authorized image sources control
func (*ImageAuthorizedSourcesControlConfig) IsEnabled ¶
func (c *ImageAuthorizedSourcesControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
type ImageForbiddenTagsControlConfig ¶
// ImageForbiddenTagsControlConfig configures the forbidden image tags control.
type ImageForbiddenTagsControlConfig struct {
	// Enabled controls whether this check runs.
	Enabled *bool `yaml:"enabled,omitempty"`
	// Tags is a list of forbidden tags (e.g., latest, dev). Such tags are
	// mutable — they can be re-pointed at different content — so builds using
	// them are not reproducible. Whether matching is exact or pattern-based is
	// not visible here; confirm in the control implementation.
	Tags []string `yaml:"tags,omitempty"`
	// ContainerImagesMustBePinnedByDigest: when true, ALL images must use
	// immutable digest references (constructed example: image@sha256:<digest>).
	// Takes precedence over the forbidden tags list — any image not pinned by
	// digest is flagged. Exposed via IsPinnedByDigestRequired.
	ContainerImagesMustBePinnedByDigest *bool `yaml:"containerImagesMustBePinnedByDigest,omitempty"`
}
ImageForbiddenTagsControlConfig configuration for the forbidden image tags control
func (*ImageForbiddenTagsControlConfig) IsEnabled ¶
func (c *ImageForbiddenTagsControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
func (*ImageForbiddenTagsControlConfig) IsPinnedByDigestRequired ¶ added in v0.1.40
func (c *ImageForbiddenTagsControlConfig) IsPinnedByDigestRequired() bool
IsPinnedByDigestRequired returns whether all images must be pinned by digest.
type IncludesForbiddenVersionsControlConfig ¶ added in v0.1.31
// IncludesForbiddenVersionsControlConfig configures the forbidden versions
// control for CI includes.
type IncludesForbiddenVersionsControlConfig struct {
	// Enabled controls whether this check runs.
	Enabled *bool `yaml:"enabled,omitempty"`
	// ForbiddenVersions is a list of version patterns considered forbidden
	// (e.g., latest, main, HEAD). These are moving references: an include
	// resolved through them can change without any change in this repository.
	ForbiddenVersions []string `yaml:"forbiddenVersions,omitempty"`
	// DefaultBranchIsForbiddenVersion: when true, adds the project's default
	// branch to the forbidden versions, so its name need not be repeated in
	// ForbiddenVersions.
	DefaultBranchIsForbiddenVersion *bool `yaml:"defaultBranchIsForbiddenVersion,omitempty"`
}
IncludesForbiddenVersionsControlConfig configuration for the forbidden versions control
func (*IncludesForbiddenVersionsControlConfig) IsEnabled ¶ added in v0.1.31
func (c *IncludesForbiddenVersionsControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
type IncludesUpToDateControlConfig ¶ added in v0.1.31
// IncludesUpToDateControlConfig configures the includes up-to-date control.
// It has no options beyond the on/off switch.
type IncludesUpToDateControlConfig struct {
	// Enabled controls whether this check runs; nil means not set in YAML.
	Enabled *bool `yaml:"enabled,omitempty"`
}
IncludesUpToDateControlConfig configuration for the includes up-to-date control
func (*IncludesUpToDateControlConfig) IsEnabled ¶ added in v0.1.31
func (c *IncludesUpToDateControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
type PlumberConfig ¶
// PlumberConfig represents the .plumber.yaml configuration file structure.
// Instances are normally produced by LoadPlumberConfig, which also reports
// unknown keys (see ValidateKnownKeys) and runs structural validation.
type PlumberConfig struct {
	// Version of the config file format.
	Version string `yaml:"version"`
	// Controls holds the per-control configuration; see ControlsConfig.
	Controls ControlsConfig `yaml:"controls"`
}
PlumberConfig represents the .plumber.yaml configuration file structure
func LoadPlumberConfig ¶
func LoadPlumberConfig(configPath string) (*PlumberConfig, string, []string, error)
LoadPlumberConfig loads configuration from a file path. It reads the file once, validates for unknown keys, parses the YAML into the config struct, and runs structural validation. Returns the parsed config, the resolved path, any unknown-key warnings, and an error if loading or validation failed.
func (*PlumberConfig) GetBranchMustBeProtectedConfig ¶
func (c *PlumberConfig) GetBranchMustBeProtectedConfig() *BranchProtectionControlConfig
GetBranchMustBeProtectedConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetContainerImageMustComeFromAuthorizedSourcesConfig ¶
func (c *PlumberConfig) GetContainerImageMustComeFromAuthorizedSourcesConfig() *ImageAuthorizedSourcesControlConfig
GetContainerImageMustComeFromAuthorizedSourcesConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetContainerImageMustNotUseForbiddenTagsConfig ¶
func (c *PlumberConfig) GetContainerImageMustNotUseForbiddenTagsConfig() *ImageForbiddenTagsControlConfig
GetContainerImageMustNotUseForbiddenTagsConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetIncludesMustBeUpToDateConfig ¶ added in v0.1.31
func (c *PlumberConfig) GetIncludesMustBeUpToDateConfig() *IncludesUpToDateControlConfig
GetIncludesMustBeUpToDateConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetIncludesMustNotUseForbiddenVersionsConfig ¶ added in v0.1.31
func (c *PlumberConfig) GetIncludesMustNotUseForbiddenVersionsConfig() *IncludesForbiddenVersionsControlConfig
GetIncludesMustNotUseForbiddenVersionsConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetPipelineMustIncludeComponentConfig ¶ added in v0.1.31
func (c *PlumberConfig) GetPipelineMustIncludeComponentConfig() *RequiredComponentsControlConfig
GetPipelineMustIncludeComponentConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetPipelineMustIncludeTemplateConfig ¶ added in v0.1.31
func (c *PlumberConfig) GetPipelineMustIncludeTemplateConfig() *RequiredTemplatesControlConfig
GetPipelineMustIncludeTemplateConfig returns the control configuration. Returns nil if not configured.
func (*PlumberConfig) GetPipelineMustNotIncludeHardcodedJobsConfig ¶ added in v0.1.31
func (c *PlumberConfig) GetPipelineMustNotIncludeHardcodedJobsConfig() *HardcodedJobsControlConfig
GetPipelineMustNotIncludeHardcodedJobsConfig returns the control configuration. Returns nil if not configured.
type RequiredComponentsControlConfig ¶ added in v0.1.31
// RequiredComponentsControlConfig configures the required components control.
// Exactly one of Required or RequiredGroups should be set; GetResolvedRequiredGroups
// resolves whichever is present and returns an error if both are set.
type RequiredComponentsControlConfig struct {
	// Enabled controls whether this check runs.
	Enabled *bool `yaml:"enabled,omitempty"`
	// Required is a human-readable boolean expression defining required components.
	// Supports AND, OR operators and parentheses for grouping.
	// AND has higher precedence than OR.
	// It is parsed into DNF groups by ParseRequiredExpression.
	//
	// Examples:
	// "components/sast/sast AND components/secret-detection/secret-detection"
	// "(components/sast/sast AND components/secret-detection/secret-detection) OR your-org/full-security/full-security"
	Required string `yaml:"required,omitempty"`
	// RequiredGroups uses DNF (Disjunctive Normal Form) format:
	// Outer array = OR (at least one group must be satisfied)
	// Inner array = AND (all components in group must be present)
	// Example: [["comp-a", "comp-b"], ["comp-c"]] means:
	// "must have (comp-a AND comp-b) OR (comp-c)"
	//
	// Cannot be used together with 'required'.
	RequiredGroups [][]string `yaml:"requiredGroups,omitempty"`
}
RequiredComponentsControlConfig configuration for the required components control
func (*RequiredComponentsControlConfig) GetResolvedRequiredGroups ¶ added in v0.1.34
func (c *RequiredComponentsControlConfig) GetResolvedRequiredGroups() ([][]string, error)
GetResolvedRequiredGroups returns the effective required groups by resolving either the 'required' expression or the 'requiredGroups' field. Returns an error if both are set or if the expression is invalid.
func (*RequiredComponentsControlConfig) IsEnabled ¶ added in v0.1.31
func (c *RequiredComponentsControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.
type RequiredTemplatesControlConfig ¶ added in v0.1.31
// RequiredTemplatesControlConfig configures the required templates control.
// Exactly one of Required or RequiredGroups should be set; GetResolvedRequiredGroups
// resolves whichever is present and returns an error if both are set.
type RequiredTemplatesControlConfig struct {
	// Enabled controls whether this check runs.
	Enabled *bool `yaml:"enabled,omitempty"`
	// Required is a human-readable boolean expression defining required templates.
	// Supports AND, OR operators and parentheses for grouping.
	// AND has higher precedence than OR.
	// It is parsed into DNF groups by ParseRequiredExpression.
	//
	// Examples:
	// "templates/go/go AND templates/trivy/trivy"
	// "(templates/go/go AND templates/trivy/trivy) OR templates/full-go-pipeline"
	Required string `yaml:"required,omitempty"`
	// RequiredGroups uses DNF (Disjunctive Normal Form) format:
	// Outer array = OR (at least one group must be satisfied)
	// Inner array = AND (all templates in group must be present)
	// Example: [["go", "helm"], ["go_helm_unified"]] means:
	// "must have (go AND helm) OR (go_helm_unified)"
	//
	// Cannot be used together with 'required'.
	RequiredGroups [][]string `yaml:"requiredGroups,omitempty"`
}
RequiredTemplatesControlConfig configuration for the required templates control
func (*RequiredTemplatesControlConfig) GetResolvedRequiredGroups ¶ added in v0.1.34
func (c *RequiredTemplatesControlConfig) GetResolvedRequiredGroups() ([][]string, error)
GetResolvedRequiredGroups returns the effective required groups by resolving either the 'required' expression or the 'requiredGroups' field. Returns an error if both are set or if the expression is invalid.
func (*RequiredTemplatesControlConfig) IsEnabled ¶ added in v0.1.31
func (c *RequiredTemplatesControlConfig) IsEnabled() bool
IsEnabled returns whether the control is enabled. Returns false if not properly configured.