Documentation
¶
Index ¶
- Constants
- func ComplianceBadgeURL(compliance, threshold float64) string
- func ManageMergeRequestComment(projectID int, mrIID int, result *AnalysisResult, compliance float64, ...) error
- func ManageProjectBadge(projectID int, compliance float64, threshold float64, ...) error
- type AnalysisResult
- type BranchProtectionCompliance
- type BranchProtectionData
- type BranchProtectionIssue
- type BranchProtectionMetrics
- type ComponentGroupStatus
- type ErrorCode
- type ErrorCodeInfo
- type GitlabBranchProtectionControl
- type GitlabBranchProtectionResult
- type GitlabImageAuthorizedSourcesConf
- type GitlabImageAuthorizedSourcesMetrics
- type GitlabImageAuthorizedSourcesResult
- type GitlabImageForbiddenTagsConf
- type GitlabImageForbiddenTagsMetrics
- type GitlabImageForbiddenTagsResult
- type GitlabPipelineDebugTraceConf
- type GitlabPipelineDebugTraceIssue
- type GitlabPipelineDebugTraceMetrics
- type GitlabPipelineDebugTraceResult
- type GitlabPipelineHardcodedJobIssue
- type GitlabPipelineHardcodedJobsConf
- type GitlabPipelineHardcodedJobsMetrics
- type GitlabPipelineHardcodedJobsResult
- type GitlabPipelineImageIssueTag
- type GitlabPipelineImageIssueUnauthorized
- type GitlabPipelineIncludesForbiddenVersionConf
- type GitlabPipelineIncludesForbiddenVersionIssue
- type GitlabPipelineIncludesForbiddenVersionMetrics
- type GitlabPipelineIncludesForbiddenVersionResult
- type GitlabPipelineIncludesOutdatedConf
- type GitlabPipelineIncludesOutdatedIssue
- type GitlabPipelineIncludesOutdatedMetrics
- type GitlabPipelineIncludesOutdatedResult
- type GitlabPipelineRequiredComponentsConf
- type GitlabPipelineRequiredComponentsMetrics
- type GitlabPipelineRequiredComponentsResult
- type GitlabPipelineRequiredTemplatesConf
- type GitlabPipelineRequiredTemplatesMetrics
- type GitlabPipelineRequiredTemplatesResult
- type GitlabPipelineUnverifiedScriptsConf
- type GitlabPipelineUnverifiedScriptsIssue
- type GitlabPipelineUnverifiedScriptsMetrics
- type GitlabPipelineUnverifiedScriptsResult
- type GitlabPipelineVariableInjectionConf
- type GitlabPipelineVariableInjectionIssue
- type GitlabPipelineVariableInjectionMetrics
- type GitlabPipelineVariableInjectionResult
- type GitlabSecurityJobsWeakenedConf
- type GitlabSecurityJobsWeakenedIssue
- type GitlabSecurityJobsWeakenedMetrics
- type GitlabSecurityJobsWeakenedResult
- type PipelineImageMetricsSummary
- type PipelineOriginMetricsSummary
- type RequiredComponentIssue
- type RequiredComponentOverriddenIssue
- type RequiredTemplateIssue
- type RequiredTemplateOverriddenIssue
- type TemplateGroupStatus
Constants ¶
View Source
const ControlTypeGitlabImageAuthorizedSourcesVersion = "0.1.0"
View Source
const ControlTypeGitlabImageForbiddenTagsVersion = "0.3.0"
View Source
const ControlTypeGitlabPipelineDebugTraceVersion = "0.1.0"
View Source
const ControlTypeGitlabPipelineOriginHardcodedJobsVersion = "0.1.0"
View Source
const ControlTypeGitlabPipelineOriginOutdatedVersion = "0.1.0"
View Source
const ControlTypeGitlabPipelineOriginRequiredComponentsVersion = "0.2.0"
View Source
const ControlTypeGitlabPipelineOriginRequiredTemplatesVersion = "0.2.0"
View Source
const ControlTypeGitlabPipelineOriginVersionVersion = "0.1.0"
View Source
const ControlTypeGitlabPipelineUnverifiedScriptsVersion = "0.1.0"
View Source
const ControlTypeGitlabPipelineVariableInjectionVersion = "0.1.0"
View Source
const ControlTypeGitlabProtectionBranchProtectionNotCompliantVersion = "0.2.0"
View Source
const ControlTypeGitlabSecurityJobsWeakenedVersion = "0.1.0"
View Source
const ( // MRCommentIdentifier is an invisible HTML comment used to find the Plumber // comment in the merge request notes so it can be updated on subsequent runs. MRCommentIdentifier = "<!-- Plumber Compliance Comment -->" )
Variables ¶
This section is empty.
Functions ¶
func ComplianceBadgeURL ¶ added in v0.1.42
ComplianceBadgeURL builds a Shields.io badge URL for the given compliance %. Color is green if compliance meets threshold, red otherwise. Exported so it can be used by the project badge feature.
func ManageMergeRequestComment ¶ added in v0.1.42
func ManageMergeRequestComment( projectID int, mrIID int, result *AnalysisResult, compliance float64, threshold float64, conf *configuration.Configuration, ) error
ManageMergeRequestComment creates or updates the Plumber compliance comment on the given merge request. projectID and gitlabURL come from the already- resolved configuration/result; only mrIID is CI-specific.
func ManageProjectBadge ¶ added in v0.1.42
func ManageProjectBadge( projectID int, compliance float64, threshold float64, conf *configuration.Configuration, ) error
ManageProjectBadge creates or updates the Plumber compliance badge on the project. The badge shows the compliance percentage with green (passed) or red (failed) color.
Types ¶
type AnalysisResult ¶
type AnalysisResult struct {
// Project information
ProjectPath string `json:"projectPath"`
ProjectID int `json:"projectId"`
DefaultBranch string `json:"defaultBranch"`
// CI configuration status
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
CiErrors []string `json:"ciErrors,omitempty"` // Specific CI config errors from GitLab
CIConfigSource string `json:"ciConfigSource"` // "local" or "remote"
// Pipeline origin data
PipelineOriginMetrics *PipelineOriginMetricsSummary `json:"pipelineOriginMetrics,omitempty"`
// Pipeline image data
PipelineImageMetrics *PipelineImageMetricsSummary `json:"pipelineImageMetrics,omitempty"`
// Control results
ImageForbiddenTagsResult *GitlabImageForbiddenTagsResult `json:"imageForbiddenTagsResult,omitempty"`
ImageAuthorizedSourcesResult *GitlabImageAuthorizedSourcesResult `json:"imageAuthorizedSourcesResult,omitempty"`
BranchProtectionResult *GitlabBranchProtectionResult `json:"branchProtectionResult,omitempty"`
HardcodedJobsResult *GitlabPipelineHardcodedJobsResult `json:"hardcodedJobsResult,omitempty"`
OutdatedIncludesResult *GitlabPipelineIncludesOutdatedResult `json:"outdatedIncludesResult,omitempty"`
ForbiddenVersionsIncludesResult *GitlabPipelineIncludesForbiddenVersionResult `json:"forbiddenVersionsIncludesResult,omitempty"`
RequiredComponentsResult *GitlabPipelineRequiredComponentsResult `json:"requiredComponentsResult,omitempty"`
RequiredTemplatesResult *GitlabPipelineRequiredTemplatesResult `json:"requiredTemplatesResult,omitempty"`
DebugTraceResult *GitlabPipelineDebugTraceResult `json:"debugTraceResult,omitempty"`
VariableInjectionResult *GitlabPipelineVariableInjectionResult `json:"variableInjectionResult,omitempty"`
SecurityJobsWeakenedResult *GitlabSecurityJobsWeakenedResult `json:"securityJobsWeakenedResult,omitempty"`
UnverifiedScriptsResult *GitlabPipelineUnverifiedScriptsResult `json:"unverifiedScriptsResult,omitempty"`
// Raw collected data (not included in JSON output, used for PBOM generation)
PipelineImageData *collector.GitlabPipelineImageData `json:"-"`
PipelineOriginData *collector.GitlabPipelineOriginData `json:"-"`
}
AnalysisResult holds the complete result of a pipeline analysis
func RunAnalysis ¶
func RunAnalysis(conf *configuration.Configuration) (*AnalysisResult, error)
RunAnalysis executes the complete pipeline analysis for a GitLab project
type BranchProtectionCompliance ¶
type BranchProtectionCompliance struct {
BranchName string
Default bool
Protected bool
AllowForcePush bool
CodeOwnerApprovalRequired bool
MinPushAccessLevel int
MinMergeAccessLevel int
ProtectionPattern string
PushAccessLevels []gitlab.BranchProtectionAccessLevel
MergeAccessLevels []gitlab.BranchProtectionAccessLevel
}
BranchProtectionCompliance holds information about a branch's protection compliance
type BranchProtectionData ¶
type BranchProtectionData struct {
BranchName string `json:"branchName"`
Default bool `json:"default"`
Protected bool `json:"protected"`
AllowForcePush bool `json:"allowForcePush,omitempty"`
CodeOwnerApprovalRequired bool `json:"codeOwnerApprovalRequired,omitempty"`
MinMergeAccessLevel int `json:"minMergeAccessLevel,omitempty"`
MinPushAccessLevel int `json:"minPushAccessLevel,omitempty"`
AuthorizedMinMergeAccessLevel int `json:"authorizedMinMergeAccessLevel,omitempty"`
AuthorizedMinPushAccessLevel int `json:"authorizedMinPushAccessLevel,omitempty"`
}
BranchProtectionData holds information about a branch's protection status
type BranchProtectionIssue ¶
type BranchProtectionIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Type string `json:"type"` // "unprotected" or "non_compliant"
BranchName string `json:"branchName"`
AllowForcePush bool `json:"allowForcePush,omitempty"`
AllowForcePushDisplay bool `json:"allowForcePushDisplay,omitempty"`
CodeOwnerApprovalRequired bool `json:"codeOwnerApprovalRequired,omitempty"`
CodeOwnerApprovalRequiredDisplay bool `json:"codeOwnerApprovalRequiredDisplay,omitempty"`
MinMergeAccessLevel int `json:"minMergeAccessLevel,omitempty"`
MinMergeAccessLevelDisplay bool `json:"minMergeAccessLevelDisplay,omitempty"`
AuthorizedMinMergeAccessLevel int `json:"authorizedMinMergeAccessLevel,omitempty"`
MinPushAccessLevel int `json:"minPushAccessLevel,omitempty"`
MinPushAccessLevelDisplay bool `json:"minPushAccessLevelDisplay,omitempty"`
AuthorizedMinPushAccessLevel int `json:"authorizedMinPushAccessLevel,omitempty"`
}
BranchProtectionIssue represents an issue found by the branch protection control
type BranchProtectionMetrics ¶
type BranchProtectionMetrics struct {
Branches int `json:"branches"`
BranchesToProtect int `json:"branchesToProtect"`
UnprotectedBranches int `json:"unprotectedBranches"`
NonCompliantBranches int `json:"nonCompliantBranches"`
TotalProtectedBranches int `json:"totalProtectedBranches"`
ProjectsCorrectlyProtected int `json:"projectsCorrectlyProtected"`
}
BranchProtectionMetrics holds metrics for the branch protection control
type ComponentGroupStatus ¶ added in v0.1.31
type ComponentGroupStatus struct {
GroupIndex int `json:"groupIndex"` // Which requirement group (0-based)
RequiredOrigins []string `json:"requiredOrigins"` // Components required in this group
FoundOrigins []string `json:"foundOrigins"` // Components found and not overridden
MissingOrigins []string `json:"missingOrigins"` // Components missing from this group
OverriddenOrigins []string `json:"overriddenOrigins"` // Components found but overridden with forbidden keywords
IsFullySatisfied bool `json:"isFullySatisfied"` // All components in group present (not missing)
}
ComponentGroupStatus tracks the status of a single requirement group (AND clause)
type ErrorCode ¶ added in v0.1.67
type ErrorCode string
ErrorCode represents a unique Plumber issue code (ISSUE-XXX format).
const ( CodeImageUnauthorizedSource ErrorCode = "ISSUE-101" // ISSUE-102: Container image uses a forbidden tag (e.g., latest, dev) CodeImageForbiddenTag ErrorCode = "ISSUE-102" // ISSUE-103: Container image is not pinned by digest CodeImageNotPinnedByDigest ErrorCode = "ISSUE-103" )
Issue codes for container image controls (1xx)
const ( // ISSUE-203: Pipeline enables CI debug trace (CI_DEBUG_TRACE or CI_DEBUG_SERVICES) CodeDebugTraceEnabled ErrorCode = "ISSUE-203" // ISSUE-204: Unsafe variable expansion in shell re-interpretation context (eval, sh -c, etc.) CodeUnsafeVariableExpansion ErrorCode = "ISSUE-204" )
Issue codes for CI/CD variable controls (2xx)
const ( // ISSUE-401: Job is hardcoded (not sourced from include/component) CodeJobHardcoded ErrorCode = "ISSUE-401" // ISSUE-403: Include uses an outdated version CodeIncludeOutdated ErrorCode = "ISSUE-403" // ISSUE-404: Include uses a forbidden version CodeIncludeForbiddenVersion ErrorCode = "ISSUE-404" // ISSUE-405: Required template is missing from the pipeline CodeTemplateMissing ErrorCode = "ISSUE-405" // ISSUE-406: Required template jobs are overridden CodeTemplateOverridden ErrorCode = "ISSUE-406" // ISSUE-408: Required component is missing from the pipeline CodeComponentMissing ErrorCode = "ISSUE-408" // ISSUE-409: Required component jobs are overridden CodeComponentOverridden ErrorCode = "ISSUE-409" // ISSUE-410: Security job is weakened (allow_failure, rules override, when: manual) CodeSecurityJobWeakened ErrorCode = "ISSUE-410" // ISSUE-411: Pipeline downloads and executes a script without integrity verification (curl|bash, wget|sh) CodeUnverifiedScriptExecution ErrorCode = "ISSUE-411" )
Issue codes for pipeline composition controls (4xx)
const ( // ISSUE-501: Branch is not protected CodeBranchUnprotected ErrorCode = "ISSUE-501" // ISSUE-505: Branch has non-compliant protection settings CodeBranchNonCompliant ErrorCode = "ISSUE-505" )
Issue codes for access and authorization controls (5xx)
type ErrorCodeInfo ¶ added in v0.1.67
type ErrorCodeInfo struct {
// Code is the unique issue code (e.g., ISSUE-102).
Code ErrorCode `json:"code"`
// Title is a short human-readable title.
Title string `json:"title"`
// Description explains what the issue is.
Description string `json:"description"`
// Remediation provides guidance on how to fix the issue.
Remediation string `json:"remediation"`
// DocURL is a direct link to the documentation for this issue.
DocURL string `json:"docUrl"`
// ControlName is the .plumber.yaml control key this code belongs to.
ControlName string `json:"controlName"`
}
ErrorCodeInfo provides metadata about an issue code.
func AllCodes ¶ added in v0.1.67
func AllCodes() []ErrorCodeInfo
AllCodes returns all registered issue codes sorted by code.
func LookupCode ¶ added in v0.1.67
func LookupCode(code ErrorCode) *ErrorCodeInfo
LookupCode returns the ErrorCodeInfo for a given issue code, or nil if not found.
type GitlabBranchProtectionControl ¶
type GitlabBranchProtectionControl struct {
// contains filtered or unexported fields
}
GitlabBranchProtectionControl handles branch protection compliance checking
func NewGitlabBranchProtectionControl ¶
func NewGitlabBranchProtectionControl(config *configuration.BranchProtectionControlConfig) *GitlabBranchProtectionControl
NewGitlabBranchProtectionControl creates a new branch protection control instance
func (*GitlabBranchProtectionControl) Run ¶
func (c *GitlabBranchProtectionControl) Run( protectionData *collector.GitlabProtectionAnalysisData, project *gitlab.ProjectInfo, ) *GitlabBranchProtectionResult
Run executes the branch protection compliance check
type GitlabBranchProtectionResult ¶
type GitlabBranchProtectionResult struct {
Enabled bool `json:"enabled"`
Skipped bool `json:"skipped,omitempty"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
Data []BranchProtectionData `json:"data,omitempty"`
Metrics *BranchProtectionMetrics `json:"metrics,omitempty"`
Issues []BranchProtectionIssue `json:"issues,omitempty"`
Error string `json:"error,omitempty"`
}
GitlabBranchProtectionResult holds the result of the branch protection control
type GitlabImageAuthorizedSourcesConf ¶
type GitlabImageAuthorizedSourcesConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// TrustedUrls is a list of authorized registry URLs/patterns
TrustedUrls []string `json:"trustedUrls"`
// TrustDockerHubOfficialImages trusts official Docker Hub images (e.g., nginx, alpine)
TrustDockerHubOfficialImages bool `json:"trustDockerHubOfficialImages"`
}
GitlabImageAuthorizedSourcesConf holds the configuration for image source authorization
func (*GitlabImageAuthorizedSourcesConf) GetConf ¶
func (p *GitlabImageAuthorizedSourcesConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabImageAuthorizedSourcesConf) Run ¶
func (p *GitlabImageAuthorizedSourcesConf) Run(pipelineImageData *collector.GitlabPipelineImageData) *GitlabImageAuthorizedSourcesResult
Run executes the image authorized sources control
type GitlabImageAuthorizedSourcesMetrics ¶
type GitlabImageAuthorizedSourcesMetrics struct {
Total uint `json:"total"`
Authorized uint `json:"authorized"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabImageAuthorizedSourcesMetrics holds metrics about image source authorization
type GitlabImageAuthorizedSourcesResult ¶
type GitlabImageAuthorizedSourcesResult struct {
Issues []GitlabPipelineImageIssueUnauthorized `json:"issues"`
Metrics GitlabImageAuthorizedSourcesMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"` // True if control was disabled
Error string `json:"error,omitempty"` // Error message if data collection failed
}
GitlabImageAuthorizedSourcesResult holds the result of the image authorized sources control
type GitlabImageForbiddenTagsConf ¶
type GitlabImageForbiddenTagsConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// ForbiddenTags is a list of tags considered forbidden (e.g., latest, dev)
ForbiddenTags []string `json:"forbiddenTags"`
// MustBePinnedByDigest when true, ALL images must use immutable digest references.
// Takes precedence over the forbidden tags list.
MustBePinnedByDigest bool `json:"mustBePinnedByDigest"`
}
GitlabImageForbiddenTagsConf holds the configuration for forbidden tag detection
func (*GitlabImageForbiddenTagsConf) GetConf ¶
func (p *GitlabImageForbiddenTagsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabImageForbiddenTagsConf) Run ¶
func (p *GitlabImageForbiddenTagsConf) Run(pipelineImageData *collector.GitlabPipelineImageData) *GitlabImageForbiddenTagsResult
Run executes the forbidden tag detection control
type GitlabImageForbiddenTagsMetrics ¶
type GitlabImageForbiddenTagsMetrics struct {
Total uint `json:"total"`
UsingForbiddenTags uint `json:"usingForbiddenTags"`
NotPinnedByDigest uint `json:"notPinnedByDigest,omitempty"`
PinnedByDigest uint `json:"pinnedByDigest,omitempty"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabImageForbiddenTagsMetrics holds metrics about forbidden image tags
type GitlabImageForbiddenTagsResult ¶
type GitlabImageForbiddenTagsResult struct {
Issues []GitlabPipelineImageIssueTag `json:"issues"`
Metrics GitlabImageForbiddenTagsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"` // True if control was disabled
MustBePinnedByDigest bool `json:"mustBePinnedByDigest"` // True if digest pinning mode was active
Error string `json:"error,omitempty"` // Error message if data collection failed
}
GitlabImageForbiddenTagsResult holds the result of the forbidden tags control
type GitlabPipelineDebugTraceConf ¶ added in v0.1.51
type GitlabPipelineDebugTraceConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// ForbiddenVariables is a list of CI/CD variable names that must not be set to "true"
ForbiddenVariables []string `json:"forbiddenVariables"`
}
GitlabPipelineDebugTraceConf holds the configuration for debug trace detection
func (*GitlabPipelineDebugTraceConf) GetConf ¶ added in v0.1.51
func (p *GitlabPipelineDebugTraceConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabPipelineDebugTraceConf) Run ¶ added in v0.1.51
func (p *GitlabPipelineDebugTraceConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineDebugTraceResult
Run executes the debug trace detection control
type GitlabPipelineDebugTraceIssue ¶ added in v0.1.51
type GitlabPipelineDebugTraceIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
VariableName string `json:"variableName"`
Value string `json:"value"`
Location string `json:"location"` // "global" or job name
}
GitlabPipelineDebugTraceIssue represents a forbidden debug variable found in the CI config
type GitlabPipelineDebugTraceMetrics ¶ added in v0.1.51
type GitlabPipelineDebugTraceMetrics struct {
TotalVariablesChecked uint `json:"totalVariablesChecked"`
ForbiddenFound uint `json:"forbiddenFound"`
}
GitlabPipelineDebugTraceMetrics holds metrics about debug trace detection
type GitlabPipelineDebugTraceResult ¶ added in v0.1.51
type GitlabPipelineDebugTraceResult struct {
Issues []GitlabPipelineDebugTraceIssue `json:"issues"`
Metrics GitlabPipelineDebugTraceMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineDebugTraceResult holds the result of the debug trace control
type GitlabPipelineHardcodedJobIssue ¶ added in v0.1.31
type GitlabPipelineHardcodedJobIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
}
GitlabPipelineHardcodedJobIssue represents an issue with a hardcoded job
type GitlabPipelineHardcodedJobsConf ¶ added in v0.1.31
type GitlabPipelineHardcodedJobsConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
}
GitlabPipelineHardcodedJobsConf holds the configuration for hardcoded job detection
func (*GitlabPipelineHardcodedJobsConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineHardcodedJobsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig Returns error if config is nil (but control can still be disabled)
func (*GitlabPipelineHardcodedJobsConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineHardcodedJobsConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineHardcodedJobsResult
Run executes the hardcoded job detection control
type GitlabPipelineHardcodedJobsMetrics ¶ added in v0.1.31
type GitlabPipelineHardcodedJobsMetrics struct {
Total uint `json:"total"`
HardcodedJobs uint `json:"hardcodedJobs"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineHardcodedJobsMetrics holds metrics about hardcoded jobs
type GitlabPipelineHardcodedJobsResult ¶ added in v0.1.31
type GitlabPipelineHardcodedJobsResult struct {
Issues []GitlabPipelineHardcodedJobIssue `json:"issues"`
Metrics GitlabPipelineHardcodedJobsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"` // True if control was disabled
Error string `json:"error,omitempty"` // Error message if data collection failed
}
GitlabPipelineHardcodedJobsResult holds the result of the hardcoded jobs control
type GitlabPipelineImageIssueTag ¶
type GitlabPipelineImageIssueTag struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Link string `json:"link"`
Tag string `json:"tag"`
Job string `json:"job"`
}
GitlabPipelineImageIssueTag represents an issue with an image using a mutable tag
type GitlabPipelineImageIssueUnauthorized ¶
type GitlabPipelineImageIssueUnauthorized struct {
}
GitlabPipelineImageIssueUnauthorized represents an issue with an unauthorized image source
type GitlabPipelineIncludesForbiddenVersionConf ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// ForbiddenVersions is a list of version patterns considered forbidden (e.g., latest, main, HEAD)
ForbiddenVersions []string `json:"forbiddenVersions"`
// DefaultBranchIsForbiddenVersion when true, adds the project's default branch to forbidden versions
DefaultBranchIsForbiddenVersion bool `json:"defaultBranchIsForbiddenVersion"`
}
GitlabPipelineIncludesForbiddenVersionConf holds the configuration for forbidden version detection
func (*GitlabPipelineIncludesForbiddenVersionConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineIncludesForbiddenVersionConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineIncludesForbiddenVersionConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineIncludesForbiddenVersionConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData, projectDefaultBranch string) *GitlabPipelineIncludesForbiddenVersionResult
Run executes the forbidden version detection control
type GitlabPipelineIncludesForbiddenVersionIssue ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Version string `json:"version"`
LatestVersion string `json:"latestVersion,omitempty"`
PlumberOriginPath string `json:"plumberOriginPath,omitempty"`
GitlabIncludeLocation string `json:"gitlabIncludeLocation"`
GitlabIncludeType string `json:"gitlabIncludeType"`
GitlabIncludeProject string `json:"gitlabIncludeProject,omitempty"`
Nested bool `json:"nested"`
ComponentName string `json:"componentName,omitempty"`
PlumberTemplateName string `json:"plumberTemplateName,omitempty"`
OriginHash uint64 `json:"originHash"`
}
GitlabPipelineIncludesForbiddenVersionIssue represents an issue with a forbidden version Issue data for mutable version usage - PolicyIssueTypeId = [11]
type GitlabPipelineIncludesForbiddenVersionMetrics ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionMetrics struct {
Total uint `json:"total"`
UsingForbiddenVersion uint `json:"usingForbiddenVersion"`
UsingAuthorizedVersion uint `json:"usingAuthorizedVersion"`
}
GitlabPipelineIncludesForbiddenVersionMetrics holds metrics about forbidden version usage
type GitlabPipelineIncludesForbiddenVersionResult ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionResult struct {
Issues []GitlabPipelineIncludesForbiddenVersionIssue `json:"issues"`
Metrics GitlabPipelineIncludesForbiddenVersionMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineIncludesForbiddenVersionResult holds the result of the forbidden version control
type GitlabPipelineIncludesOutdatedConf ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
}
GitlabPipelineIncludesOutdatedConf holds the configuration for outdated includes detection No specific configuration needed for outdated detection The logic uses the UpToDate field from the analysis data
func (*GitlabPipelineIncludesOutdatedConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineIncludesOutdatedConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineIncludesOutdatedConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineIncludesOutdatedConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineIncludesOutdatedResult
Run executes the outdated includes detection control
type GitlabPipelineIncludesOutdatedIssue ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Version string `json:"version"`
LatestVersion string `json:"latestVersion"`
PlumberOriginPath string `json:"plumberOriginPath,omitempty"`
GitlabIncludeLocation string `json:"gitlabIncludeLocation"`
GitlabIncludeType string `json:"gitlabIncludeType"`
GitlabIncludeProject string `json:"gitlabIncludeProject,omitempty"`
Nested bool `json:"nested"`
ComponentName string `json:"componentName,omitempty"`
PlumberTemplateName string `json:"plumberTemplateName,omitempty"`
OriginHash uint64 `json:"originHash"`
}
GitlabPipelineIncludesOutdatedIssue represents an issue with an outdated include Issue data for outdated origin - PolicyIssueTypeId = [10]
type GitlabPipelineIncludesOutdatedMetrics ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedMetrics struct {
Total uint `json:"total"`
OriginOutdated uint `json:"originOutdated"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineIncludesOutdatedMetrics holds metrics about outdated includes
type GitlabPipelineIncludesOutdatedResult ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedResult struct {
Issues []GitlabPipelineIncludesOutdatedIssue `json:"issues"`
Metrics GitlabPipelineIncludesOutdatedMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineIncludesOutdatedResult holds the result of the outdated control
type GitlabPipelineRequiredComponentsConf ¶ added in v0.1.31
type GitlabPipelineRequiredComponentsConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// DNF (Disjunctive Normal Form) format:
// Outer array = OR (at least one group must be satisfied)
// Inner array = AND (all components in group must be present)
// Example: [["comp-a", "comp-b"], ["comp-c"]] means:
// "must have (comp-a AND comp-b) OR (comp-c)"
RequiredGroups [][]string `json:"requiredGroups"`
}
GitlabPipelineRequiredComponentsConf holds the configuration for required components check
func (*GitlabPipelineRequiredComponentsConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineRequiredComponentsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineRequiredComponentsConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineRequiredComponentsConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData, gitlabURL string) *GitlabPipelineRequiredComponentsResult
Run executes the required components control
type GitlabPipelineRequiredComponentsMetrics ¶ added in v0.1.31
type GitlabPipelineRequiredComponentsMetrics struct {
TotalGroups uint `json:"totalGroups"` // Total number of requirement groups
SatisfiedGroups uint `json:"satisfiedGroups"` // Number of fully satisfied groups
AnySatisfiedGroup bool `json:"anySatisfiedGroup"` // True if at least one group satisfied
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineRequiredComponentsMetrics holds metrics about required components
type GitlabPipelineRequiredComponentsResult ¶ added in v0.1.31
type GitlabPipelineRequiredComponentsResult struct {
RequirementGroups []ComponentGroupStatus `json:"requirementGroups"`
Issues []RequiredComponentIssue `json:"issues"`
OverriddenIssues []RequiredComponentOverriddenIssue `json:"overriddenIssues"`
Metrics GitlabPipelineRequiredComponentsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineRequiredComponentsResult holds the result of the required components control
type GitlabPipelineRequiredTemplatesConf ¶ added in v0.1.31
type GitlabPipelineRequiredTemplatesConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// DNF (Disjunctive Normal Form) format:
// Outer array = OR (at least one group must be satisfied)
// Inner array = AND (all templates in group must be present)
// Example: [["go", "helm"], ["go_helm_unified"]] means:
// "must have (go AND helm) OR (go_helm_unified)"
RequiredGroups [][]string `json:"requiredGroups"`
}
GitlabPipelineRequiredTemplatesConf holds the configuration for required templates check
func (*GitlabPipelineRequiredTemplatesConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineRequiredTemplatesConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineRequiredTemplatesConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineRequiredTemplatesConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineRequiredTemplatesResult
Run executes the required templates control
type GitlabPipelineRequiredTemplatesMetrics ¶ added in v0.1.31
type GitlabPipelineRequiredTemplatesMetrics struct {
TotalGroups uint `json:"totalGroups"` // Total number of requirement groups
SatisfiedGroups uint `json:"satisfiedGroups"` // Number of fully satisfied groups
AnySatisfiedGroup bool `json:"anySatisfiedGroup"` // True if at least one group satisfied
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineRequiredTemplatesMetrics holds metrics about required templates
type GitlabPipelineRequiredTemplatesResult ¶ added in v0.1.31
type GitlabPipelineRequiredTemplatesResult struct {
RequirementGroups []TemplateGroupStatus `json:"requirementGroups"`
Issues []RequiredTemplateIssue `json:"issues"`
OverriddenIssues []RequiredTemplateOverriddenIssue `json:"overriddenIssues"`
Metrics GitlabPipelineRequiredTemplatesMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineRequiredTemplatesResult holds the result of the required templates control
type GitlabPipelineUnverifiedScriptsConf ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsConf struct {
Enabled bool `json:"enabled"`
TrustedUrls []string `json:"trustedUrls"`
}
GitlabPipelineUnverifiedScriptsConf holds the configuration for unverified script execution detection
func (*GitlabPipelineUnverifiedScriptsConf) GetConf ¶ added in v0.1.69
func (p *GitlabPipelineUnverifiedScriptsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineUnverifiedScriptsConf) Run ¶ added in v0.1.69
func (p *GitlabPipelineUnverifiedScriptsConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineUnverifiedScriptsResult
Run executes the unverified script execution detection control
type GitlabPipelineUnverifiedScriptsIssue ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
ScriptLine string `json:"scriptLine"`
ScriptBlock string `json:"scriptBlock"`
PatternType string `json:"patternType"`
}
GitlabPipelineUnverifiedScriptsIssue represents an unverified script execution found in a CI job
type GitlabPipelineUnverifiedScriptsMetrics ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsMetrics struct {
JobsChecked uint `json:"jobsChecked"`
TotalScriptLinesChecked uint `json:"totalScriptLinesChecked"`
UnverifiedScriptsFound uint `json:"unverifiedScriptsFound"`
}
GitlabPipelineUnverifiedScriptsMetrics holds metrics about unverified script detection
type GitlabPipelineUnverifiedScriptsResult ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsResult struct {
Issues []GitlabPipelineUnverifiedScriptsIssue `json:"issues"`
Metrics GitlabPipelineUnverifiedScriptsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineUnverifiedScriptsResult holds the result of the control
type GitlabPipelineVariableInjectionConf ¶ added in v0.1.52
type GitlabPipelineVariableInjectionConf struct {
Enabled bool `json:"enabled"`
DangerousVariables []string `json:"dangerousVariables"`
AllowedPatterns []string `json:"allowedPatterns"`
}
GitlabPipelineVariableInjectionConf holds the configuration for unsafe variable expansion detection
func (*GitlabPipelineVariableInjectionConf) GetConf ¶ added in v0.1.52
func (p *GitlabPipelineVariableInjectionConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineVariableInjectionConf) Run ¶ added in v0.1.52
func (p *GitlabPipelineVariableInjectionConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineVariableInjectionResult
Run executes the unsafe variable expansion detection control.
GitLab CI sets CI variables as environment variables; the shell does NOT re-parse expanded values for command substitution. So plain usage like `echo $CI_COMMIT_BRANCH` is safe: the shell treats the expanded value as an inert string.
The real injection surface is commands that RE-INTERPRET their input as shell code: eval, sh -c, bash -c, source, etc. A user-controlled variable passed to these is executed as code.
type GitlabPipelineVariableInjectionIssue ¶ added in v0.1.52
type GitlabPipelineVariableInjectionIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
VariableName string `json:"variableName"`
ScriptLine string `json:"scriptLine"`
ScriptBlock string `json:"scriptBlock"` // "script", "before_script", "after_script"
}
GitlabPipelineVariableInjectionIssue represents a dangerous variable found in a code-execution context
type GitlabPipelineVariableInjectionMetrics ¶ added in v0.1.52
type GitlabPipelineVariableInjectionMetrics struct {
JobsChecked uint `json:"jobsChecked"`
TotalScriptLinesChecked uint `json:"totalScriptLinesChecked"`
UnsafeExpansionsFound uint `json:"unsafeExpansionsFound"`
}
GitlabPipelineVariableInjectionMetrics holds metrics about unsafe variable expansion detection
type GitlabPipelineVariableInjectionResult ¶ added in v0.1.52
type GitlabPipelineVariableInjectionResult struct {
Issues []GitlabPipelineVariableInjectionIssue `json:"issues"`
Metrics GitlabPipelineVariableInjectionMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineVariableInjectionResult holds the result of the control
type GitlabSecurityJobsWeakenedConf ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedConf struct {
Enabled bool
SecurityJobPatterns []string
AllowFailureCheck bool
RulesCheck bool
WhenManualCheck bool
}
GitlabSecurityJobsWeakenedConf holds the runtime configuration for this control
func (*GitlabSecurityJobsWeakenedConf) GetConf ¶ added in v0.1.64
func (p *GitlabSecurityJobsWeakenedConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabSecurityJobsWeakenedConf) Run ¶ added in v0.1.64
func (p *GitlabSecurityJobsWeakenedConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabSecurityJobsWeakenedResult
Run executes the security jobs weakening detection control
type GitlabSecurityJobsWeakenedIssue ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
SubControl string `json:"subControl"` // "allowFailureMustBeFalse", "rulesMustNotBeRedefined", "whenMustNotBeManual"
Detail string `json:"detail"`
}
GitlabSecurityJobsWeakenedIssue represents a weakened security job
type GitlabSecurityJobsWeakenedMetrics ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedMetrics struct {
SecurityJobsFound uint `json:"securityJobsFound"`
WeakenedJobs uint `json:"weakenedJobs"`
}
GitlabSecurityJobsWeakenedMetrics holds metrics about security job weakening detection
type GitlabSecurityJobsWeakenedResult ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedResult struct {
Issues []GitlabSecurityJobsWeakenedIssue `json:"issues"`
Metrics GitlabSecurityJobsWeakenedMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabSecurityJobsWeakenedResult holds the result of the security jobs weakened control
type PipelineImageMetricsSummary ¶
type PipelineImageMetricsSummary struct {
Total uint `json:"total"`
}
PipelineImageMetricsSummary is a simplified version of image metrics for output
type PipelineOriginMetricsSummary ¶
type PipelineOriginMetricsSummary struct {
JobTotal uint `json:"jobTotal"`
JobHardcoded uint `json:"jobHardcoded"`
OriginTotal uint `json:"originTotal"`
OriginComponent uint `json:"originComponent"`
OriginLocal uint `json:"originLocal"`
OriginProject uint `json:"originProject"`
OriginRemote uint `json:"originRemote"`
OriginTemplate uint `json:"originTemplate"`
OriginGitLabCatalog uint `json:"originGitLabCatalog"`
OriginOutdated uint `json:"originOutdated"`
}
PipelineOriginMetricsSummary is a simplified version of origin metrics for output
type RequiredComponentIssue ¶ added in v0.1.31
type RequiredComponentIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
ComponentPath string `json:"componentPath"`
GroupIndex int `json:"groupIndex"`
}
RequiredComponentIssue represents an issue with a missing required component
type RequiredComponentOverriddenIssue ¶ added in v0.1.47
type RequiredComponentOverriddenIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
ComponentPath string `json:"componentPath"`
GroupIndex int `json:"groupIndex"`
OverriddenJobs []utils.OverriddenJobDetail `json:"overriddenJobs"`
}
RequiredComponentOverriddenIssue represents an issue where a required component is imported but its jobs are overridden with forbidden keywords
type RequiredTemplateIssue ¶ added in v0.1.31
type RequiredTemplateIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
TemplatePath string `json:"templatePath"`
GroupIndex int `json:"groupIndex"`
}
RequiredTemplateIssue represents an issue with a missing required template
type RequiredTemplateOverriddenIssue ¶ added in v0.1.47
type RequiredTemplateOverriddenIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
TemplatePath string `json:"templatePath"`
GroupIndex int `json:"groupIndex"`
OverriddenJobs []utils.OverriddenJobDetail `json:"overriddenJobs"`
}
RequiredTemplateOverriddenIssue represents an issue where a required template is imported but its jobs are overridden with forbidden keywords
type TemplateGroupStatus ¶ added in v0.1.31
type TemplateGroupStatus struct {
GroupIndex int `json:"groupIndex"` // Which requirement group (0-based)
RequiredOrigins []string `json:"requiredOrigins"` // Templates required in this group
FoundOrigins []string `json:"foundOrigins"` // Templates found and not overridden
MissingOrigins []string `json:"missingOrigins"` // Templates missing from this group
OverriddenOrigins []string `json:"overriddenOrigins"` // Templates found but overridden with forbidden keywords
IsFullySatisfied bool `json:"isFullySatisfied"` // All templates in group present (not missing)
}
TemplateGroupStatus tracks the status of a single requirement group (AND clause)
Source Files
¶
- badge.go
- codes.go
- controlGitlabImageMutable.go
- controlGitlabImageUntrusted.go
- controlGitlabPipelineDebugTrace.go
- controlGitlabPipelineOriginHardcodedJobs.go
- controlGitlabPipelineOriginOutdated.go
- controlGitlabPipelineOriginRequiredComponents.go
- controlGitlabPipelineOriginRequiredTemplates.go
- controlGitlabPipelineOriginVersion.go
- controlGitlabPipelineUnverifiedScripts.go
- controlGitlabPipelineVariableInjection.go
- controlGitlabProtectionBranchProtectionNotCompliant.go
- controlGitlabSecurityJobsWeakened.go
- mrcomment.go
- task.go
- types.go
- utils.go
Click to show internal directories.
Click to hide internal directories.