Documentation ¶
Index ¶
- Constants
- func ComplianceBadgeURL(compliance, threshold float64) string
- func CriticalIssueCodesSorted(result *AnalysisResult) []string
- func ManageMergeRequestComment(projectID int, mrIID int, result *AnalysisResult, compliance float64, ...) error
- func ManageProjectBadge(projectID int, compliance float64, threshold float64, ...) error
- func ScoreBadgeURL(letter string) string
- func ScoreLetterMeaning(letter string) string
- type AnalysisResult
- type BranchProtectionCompliance
- type BranchProtectionData
- type BranchProtectionIssue
- type BranchProtectionMetrics
- type ComponentGroupStatus
- type ErrorCode
- type ErrorCodeInfo
- type GitlabBranchProtectionControl
- type GitlabBranchProtectionResult
- type GitlabImageAuthorizedSourcesConf
- type GitlabImageAuthorizedSourcesMetrics
- type GitlabImageAuthorizedSourcesResult
- type GitlabImageForbiddenTagsConf
- type GitlabImageForbiddenTagsMetrics
- type GitlabImageForbiddenTagsResult
- type GitlabPipelineDebugTraceConf
- type GitlabPipelineDebugTraceIssue
- type GitlabPipelineDebugTraceMetrics
- type GitlabPipelineDebugTraceResult
- type GitlabPipelineDockerInDockerConf
- type GitlabPipelineDockerInDockerIssue
- type GitlabPipelineDockerInDockerMetrics
- type GitlabPipelineDockerInDockerResult
- type GitlabPipelineHardcodedJobIssue
- type GitlabPipelineHardcodedJobsConf
- type GitlabPipelineHardcodedJobsMetrics
- type GitlabPipelineHardcodedJobsResult
- type GitlabPipelineImageIssueTag
- type GitlabPipelineImageIssueUnauthorized
- type GitlabPipelineIncludesForbiddenVersionConf
- type GitlabPipelineIncludesForbiddenVersionIssue
- type GitlabPipelineIncludesForbiddenVersionMetrics
- type GitlabPipelineIncludesForbiddenVersionResult
- type GitlabPipelineIncludesOutdatedConf
- type GitlabPipelineIncludesOutdatedIssue
- type GitlabPipelineIncludesOutdatedMetrics
- type GitlabPipelineIncludesOutdatedResult
- type GitlabPipelineJobVariablesOverrideConf
- type GitlabPipelineJobVariablesOverrideIssue
- type GitlabPipelineJobVariablesOverrideMetrics
- type GitlabPipelineJobVariablesOverrideResult
- type GitlabPipelineRequiredComponentsConf
- type GitlabPipelineRequiredComponentsMetrics
- type GitlabPipelineRequiredComponentsResult
- type GitlabPipelineRequiredTemplatesConf
- type GitlabPipelineRequiredTemplatesMetrics
- type GitlabPipelineRequiredTemplatesResult
- type GitlabPipelineUnverifiedScriptsConf
- type GitlabPipelineUnverifiedScriptsIssue
- type GitlabPipelineUnverifiedScriptsMetrics
- type GitlabPipelineUnverifiedScriptsResult
- type GitlabPipelineVariableInjectionConf
- type GitlabPipelineVariableInjectionIssue
- type GitlabPipelineVariableInjectionMetrics
- type GitlabPipelineVariableInjectionResult
- type GitlabSecurityJobsWeakenedConf
- type GitlabSecurityJobsWeakenedIssue
- type GitlabSecurityJobsWeakenedMetrics
- type GitlabSecurityJobsWeakenedResult
- type IssueSeverity
- type PipelineImageMetricsSummary
- type PipelineOriginMetricsSummary
- type PlumberScoreResult
- type RequiredComponentIssue
- type RequiredComponentOverriddenIssue
- type RequiredTemplateIssue
- type RequiredTemplateOverriddenIssue
- type SeverityCounts
- type SeverityLoss
- type TemplateGroupStatus
Constants ¶
const ControlTypeGitlabImageAuthorizedSourcesVersion = "0.1.0"
const ControlTypeGitlabImageForbiddenTagsVersion = "0.3.0"
const ControlTypeGitlabPipelineDebugTraceVersion = "0.1.0"
const ControlTypeGitlabPipelineDockerInDockerVersion = "0.1.0"
const ControlTypeGitlabPipelineJobVariablesOverrideVersion = "0.1.0"
const ControlTypeGitlabPipelineOriginHardcodedJobsVersion = "0.1.0"
const ControlTypeGitlabPipelineOriginOutdatedVersion = "0.1.0"
const ControlTypeGitlabPipelineOriginRequiredComponentsVersion = "0.2.0"
const ControlTypeGitlabPipelineOriginRequiredTemplatesVersion = "0.2.0"
const ControlTypeGitlabPipelineOriginVersionVersion = "0.1.0"
const ControlTypeGitlabPipelineUnverifiedScriptsVersion = "0.1.0"
const ControlTypeGitlabPipelineVariableInjectionVersion = "0.1.0"
const ControlTypeGitlabProtectionBranchProtectionNotCompliantVersion = "0.2.0"
const ControlTypeGitlabSecurityJobsWeakenedVersion = "0.1.0"
const (
	// MRCommentIdentifier is an invisible HTML comment used to find the Plumber
	// comment in the merge request notes so it can be updated on subsequent runs.
	MRCommentIdentifier = "<!-- Plumber Compliance Comment -->"
)
const PlumberScoreDocURL = "https://github.com/getplumber/plumber/blob/main/docs/scoring.md"
PlumberScoreDocURL is the canonical user-facing explanation of the Plumber letter score.
const PlumberScoreProfileID = "scoring-v2"
PlumberScoreProfileID identifies the scoring rules version (see docs/scoring.md).
Variables ¶
This section is empty.
Functions ¶
func ComplianceBadgeURL ¶ added in v0.1.42
func ComplianceBadgeURL(compliance, threshold float64) string
ComplianceBadgeURL builds a Shields.io badge URL for the given compliance percentage. The color is green if compliance meets the threshold, red otherwise. Exported so it can be used by the project badge feature.
func CriticalIssueCodesSorted ¶ added in v0.1.83
func CriticalIssueCodesSorted(result *AnalysisResult) []string
CriticalIssueCodesSorted returns unique Critical-level issue codes present in the analysis, sorted.
func ManageMergeRequestComment ¶ added in v0.1.42
func ManageMergeRequestComment(
	projectID int,
	mrIID int,
	result *AnalysisResult,
	compliance float64,
	threshold float64,
	conf *configuration.Configuration,
	score *PlumberScoreResult,
	scoreMode bool,
	scorePointMode bool,
) error
ManageMergeRequestComment creates or updates the Plumber compliance comment on the given merge request. projectID and gitlabURL come from the already-resolved configuration/result; only mrIID is CI-specific.
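The create-or-update flow that MRCommentIdentifier exists for, as an added example that is not Plumber's own code. The Note type, the NoteStore interface and the in-memory memStore are assumptions standing in for the GitLab merge request notes API (list, create, update), and the comment body format is illustrative; only the marker string matches the page:

```go
package main

import (
	"fmt"
	"strings"
)

// Same marker as Plumber's MRCommentIdentifier: an HTML comment renders as nothing in
// GitLab Markdown but survives in the note body, so a later run finds its own comment.
const mrCommentIdentifier = "<!-- Plumber Compliance Comment -->"

// Note is a minimal view of a merge request note (assumed shape).
type Note struct {
	ID   int
	Body string
}

// NoteStore is the subset of the GitLab notes API the upsert needs; a real client would
// back it with GET/POST/PUT /projects/:id/merge_requests/:iid/notes.
type NoteStore interface {
	ListNotes(projectID, mrIID int) ([]Note, error)
	CreateNote(projectID, mrIID int, body string) (Note, error)
	UpdateNote(projectID, mrIID, noteID int, body string) (Note, error)
}

// renderComment puts the marker first so the comment stays discoverable when the
// visible wording changes between versions.
func renderComment(compliance, threshold float64) string {
	status := "passed"
	if compliance < threshold {
		status = "failed"
	}
	return fmt.Sprintf("%s\n## Plumber compliance: %.1f%% (%s, threshold %.1f%%)\n",
		mrCommentIdentifier, compliance, status, threshold)
}

// UpsertComment creates the comment on the first run and updates it afterwards, so an MR
// never accumulates one comment per pipeline. It reports "created", "updated" or
// "unchanged" (no API write when the body is identical).
func UpsertComment(store NoteStore, projectID, mrIID int, compliance, threshold float64) (string, error) {
	notes, err := store.ListNotes(projectID, mrIID)
	if err != nil {
		return "", fmt.Errorf("list notes: %w", err)
	}
	body := renderComment(compliance, threshold)
	for _, n := range notes {
		if !strings.Contains(n.Body, mrCommentIdentifier) {
			continue
		}
		if n.Body == body {
			return "unchanged", nil
		}
		if _, err := store.UpdateNote(projectID, mrIID, n.ID, body); err != nil {
			return "", fmt.Errorf("update note %d: %w", n.ID, err)
		}
		return "updated", nil
	}
	if _, err := store.CreateNote(projectID, mrIID, body); err != nil {
		return "", fmt.Errorf("create note: %w", err)
	}
	return "created", nil
}

// memStore is an in-memory stand-in for the GitLab API so the example runs offline.
type memStore struct {
	notes  []Note
	nextID int
}

func (m *memStore) ListNotes(_, _ int) ([]Note, error) { return append([]Note(nil), m.notes...), nil }

func (m *memStore) CreateNote(_, _ int, body string) (Note, error) {
	m.nextID++
	m.notes = append(m.notes, Note{ID: m.nextID, Body: body})
	return m.notes[len(m.notes)-1], nil
}

func (m *memStore) UpdateNote(_, _, id int, body string) (Note, error) {
	for i := range m.notes {
		if m.notes[i].ID == id {
			m.notes[i].Body = body
			return m.notes[i], nil
		}
	}
	return Note{}, fmt.Errorf("note %d not found", id)
}

func main() {
	// Constructed: the MR already carries one unrelated human comment.
	store := &memStore{notes: []Note{{ID: 1, Body: "LGTM"}}, nextID: 1}
	for _, c := range []float64{72.5, 91.0, 91.0} {
		action, err := UpsertComment(store, 42, 7, c, 80)
		if err != nil {
			panic(err)
		}
		fmt.Printf("compliance %.1f%% -> %s (%d notes on the MR)\n", c, action, len(store.notes))
	}
}
```

The marker is a plain string, so anyone who can comment on the MR can post a note containing it; a production implementation should additionally require that the matched note was authored by the user behind the API token before updating it, otherwise the bot overwrites someone else's comment and its own never appears.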
func ManageProjectBadge ¶ added in v0.1.42
func ManageProjectBadge(
	projectID int,
	compliance float64,
	threshold float64,
	conf *configuration.Configuration,
	ps *PlumberScoreResult,
	useLetterScore bool,
) error
ManageProjectBadge creates or updates the Plumber compliance badge on the project. The badge shows the compliance percentage with green (passed) or red (failed) color. When useLetterScore is true and ps is non-nil, the badge shows letter score (A–E) instead (see ScoreBadgeURL).
func ScoreBadgeURL ¶ added in v0.1.83
func ScoreBadgeURL(letter string) string
ScoreBadgeURL builds a Shields.io badge URL showing the Plumber letter score (A–E).
func ScoreLetterMeaning ¶ added in v0.2.5
func ScoreLetterMeaning(letter string) string
ScoreLetterMeaning returns a short human-readable description of what a letter score implies about the pipeline. It is used by CLI banners, merge request comments, and documentation so that wording stays consistent.
Types ¶
type AnalysisResult ¶
type AnalysisResult struct {
// Project information
ProjectPath string `json:"projectPath"`
ProjectID int `json:"projectId"`
DefaultBranch string `json:"defaultBranch"`
// CI configuration status
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
CiErrors []string `json:"ciErrors,omitempty"` // Specific CI config errors from GitLab
CIConfigSource string `json:"ciConfigSource"` // "local" or "remote"
// Pipeline origin data
PipelineOriginMetrics *PipelineOriginMetricsSummary `json:"pipelineOriginMetrics,omitempty"`
// Pipeline image data
PipelineImageMetrics *PipelineImageMetricsSummary `json:"pipelineImageMetrics,omitempty"`
// Control results
ImageForbiddenTagsResult *GitlabImageForbiddenTagsResult `json:"imageForbiddenTagsResult,omitempty"`
ImageAuthorizedSourcesResult *GitlabImageAuthorizedSourcesResult `json:"imageAuthorizedSourcesResult,omitempty"`
BranchProtectionResult *GitlabBranchProtectionResult `json:"branchProtectionResult,omitempty"`
HardcodedJobsResult *GitlabPipelineHardcodedJobsResult `json:"hardcodedJobsResult,omitempty"`
OutdatedIncludesResult *GitlabPipelineIncludesOutdatedResult `json:"outdatedIncludesResult,omitempty"`
ForbiddenVersionsIncludesResult *GitlabPipelineIncludesForbiddenVersionResult `json:"forbiddenVersionsIncludesResult,omitempty"`
RequiredComponentsResult *GitlabPipelineRequiredComponentsResult `json:"requiredComponentsResult,omitempty"`
RequiredTemplatesResult *GitlabPipelineRequiredTemplatesResult `json:"requiredTemplatesResult,omitempty"`
DebugTraceResult *GitlabPipelineDebugTraceResult `json:"debugTraceResult,omitempty"`
VariableInjectionResult *GitlabPipelineVariableInjectionResult `json:"variableInjectionResult,omitempty"`
SecurityJobsWeakenedResult *GitlabSecurityJobsWeakenedResult `json:"securityJobsWeakenedResult,omitempty"`
UnverifiedScriptsResult *GitlabPipelineUnverifiedScriptsResult `json:"unverifiedScriptsResult,omitempty"`
JobVariablesOverrideResult *GitlabPipelineJobVariablesOverrideResult `json:"jobVariablesOverrideResult,omitempty"`
DockerInDockerResult *GitlabPipelineDockerInDockerResult `json:"dockerInDockerResult,omitempty"`
// Raw collected data (not included in JSON output, used for PBOM generation)
PipelineImageData *collector.GitlabPipelineImageData `json:"-"`
PipelineOriginData *collector.GitlabPipelineOriginData `json:"-"`
}
AnalysisResult holds the complete result of a pipeline analysis
func RunAnalysis ¶
func RunAnalysis(conf *configuration.Configuration) (*AnalysisResult, error)
RunAnalysis executes the complete pipeline analysis for a GitLab project
type BranchProtectionCompliance ¶
type BranchProtectionCompliance struct {
BranchName string
Default bool
Protected bool
AllowForcePush bool
CodeOwnerApprovalRequired bool
MinPushAccessLevel int
MinMergeAccessLevel int
ProtectionPattern string
PushAccessLevels []gitlab.BranchProtectionAccessLevel
MergeAccessLevels []gitlab.BranchProtectionAccessLevel
}
BranchProtectionCompliance holds information about a branch's protection compliance
type BranchProtectionData ¶
type BranchProtectionData struct {
BranchName string `json:"branchName"`
Default bool `json:"default"`
Protected bool `json:"protected"`
AllowForcePush bool `json:"allowForcePush,omitempty"`
CodeOwnerApprovalRequired bool `json:"codeOwnerApprovalRequired,omitempty"`
MinMergeAccessLevel int `json:"minMergeAccessLevel,omitempty"`
MinPushAccessLevel int `json:"minPushAccessLevel,omitempty"`
AuthorizedMinMergeAccessLevel int `json:"authorizedMinMergeAccessLevel,omitempty"`
AuthorizedMinPushAccessLevel int `json:"authorizedMinPushAccessLevel,omitempty"`
}
BranchProtectionData holds information about a branch's protection status
type BranchProtectionIssue ¶
type BranchProtectionIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Type string `json:"type"` // "unprotected" or "non_compliant"
BranchName string `json:"branchName"`
AllowForcePush bool `json:"allowForcePush,omitempty"`
AllowForcePushDisplay bool `json:"allowForcePushDisplay,omitempty"`
CodeOwnerApprovalRequired bool `json:"codeOwnerApprovalRequired,omitempty"`
CodeOwnerApprovalRequiredDisplay bool `json:"codeOwnerApprovalRequiredDisplay,omitempty"`
MinMergeAccessLevel int `json:"minMergeAccessLevel,omitempty"`
MinMergeAccessLevelDisplay bool `json:"minMergeAccessLevelDisplay,omitempty"`
AuthorizedMinMergeAccessLevel int `json:"authorizedMinMergeAccessLevel,omitempty"`
MinPushAccessLevel int `json:"minPushAccessLevel,omitempty"`
MinPushAccessLevelDisplay bool `json:"minPushAccessLevelDisplay,omitempty"`
AuthorizedMinPushAccessLevel int `json:"authorizedMinPushAccessLevel,omitempty"`
}
BranchProtectionIssue represents an issue found by the branch protection control
type BranchProtectionMetrics ¶
type BranchProtectionMetrics struct {
Branches int `json:"branches"`
BranchesToProtect int `json:"branchesToProtect"`
UnprotectedBranches int `json:"unprotectedBranches"`
NonCompliantBranches int `json:"nonCompliantBranches"`
TotalProtectedBranches int `json:"totalProtectedBranches"`
ProjectsCorrectlyProtected int `json:"projectsCorrectlyProtected"`
}
BranchProtectionMetrics holds metrics for the branch protection control
type ComponentGroupStatus ¶ added in v0.1.31
type ComponentGroupStatus struct {
GroupIndex int `json:"groupIndex"` // Which requirement group (0-based)
RequiredOrigins []string `json:"requiredOrigins"` // Components required in this group
FoundOrigins []string `json:"foundOrigins"` // Components found and not overridden
MissingOrigins []string `json:"missingOrigins"` // Components missing from this group
OverriddenOrigins []string `json:"overriddenOrigins"` // Components found but overridden with forbidden keywords
IsFullySatisfied bool `json:"isFullySatisfied"` // All components in group present (not missing)
}
ComponentGroupStatus tracks the status of a single requirement group (AND clause)
type ErrorCode ¶ added in v0.1.67
type ErrorCode string
ErrorCode represents a unique Plumber issue code (ISSUE-XXX format).
const (
	// ISSUE-101: Container image comes from a source that is not in the authorized list
	CodeImageUnauthorizedSource ErrorCode = "ISSUE-101"
	// ISSUE-102: Container image uses a forbidden tag (e.g., latest, dev)
	CodeImageForbiddenTag ErrorCode = "ISSUE-102"
	// ISSUE-103: Container image is not pinned by digest
	CodeImageNotPinnedByDigest ErrorCode = "ISSUE-103"
)
Issue codes for container image controls (1xx)
const (
	// ISSUE-203: Pipeline enables CI debug trace (CI_DEBUG_TRACE or CI_DEBUG_SERVICES)
	CodeDebugTraceEnabled ErrorCode = "ISSUE-203"
	// ISSUE-204: Unsafe variable expansion in shell re-interpretation context (eval, sh -c, etc.)
	CodeUnsafeVariableExpansion ErrorCode = "ISSUE-204"
	// ISSUE-205: A variable that should only be set in CI/CD Settings is overridden in the pipeline config
	CodeJobVariableOverridden ErrorCode = "ISSUE-205"
)
Issue codes for CI/CD variable controls (2xx)
const (
	// ISSUE-401: Job is hardcoded (not sourced from include/component)
	CodeJobHardcoded ErrorCode = "ISSUE-401"
	// ISSUE-403: Include uses an outdated version
	CodeIncludeOutdated ErrorCode = "ISSUE-403"
	// ISSUE-404: Include uses a forbidden version
	CodeIncludeForbiddenVersion ErrorCode = "ISSUE-404"
	// ISSUE-405: Required template is missing from the pipeline
	CodeTemplateMissing ErrorCode = "ISSUE-405"
	// ISSUE-406: Required template jobs are overridden
	CodeTemplateOverridden ErrorCode = "ISSUE-406"
	// ISSUE-408: Required component is missing from the pipeline
	CodeComponentMissing ErrorCode = "ISSUE-408"
	// ISSUE-409: Required component jobs are overridden
	CodeComponentOverridden ErrorCode = "ISSUE-409"
	// ISSUE-410: Security job is weakened (allow_failure, rules override, when: manual)
	CodeSecurityJobWeakened ErrorCode = "ISSUE-410"
	// ISSUE-411: Pipeline downloads and executes a script without integrity verification (curl|bash, wget|sh)
	CodeUnverifiedScriptExecution ErrorCode = "ISSUE-411"
	// ISSUE-412: CI/CD job uses a Docker-in-Docker (dind) service
	CodeDockerInDockerUsage ErrorCode = "ISSUE-412"
	// ISSUE-413: CI/CD job uses Docker-in-Docker with insecure daemon configuration
	CodeDockerInDockerInsecure ErrorCode = "ISSUE-413"
)
Issue codes for pipeline composition controls (4xx)
const (
	// ISSUE-501: Branch is not protected
	CodeBranchUnprotected ErrorCode = "ISSUE-501"
	// ISSUE-505: Branch has non-compliant protection settings
	CodeBranchNonCompliant ErrorCode = "ISSUE-505"
)
Issue codes for access and authorization controls (5xx)
type ErrorCodeInfo ¶ added in v0.1.67
type ErrorCodeInfo struct {
// Code is the unique issue code (e.g., ISSUE-102).
Code ErrorCode `json:"code"`
// Severity reflects potential impact (see documentation); used for Plumber Score.
Severity IssueSeverity `json:"severity"`
// Title is a short human-readable title.
Title string `json:"title"`
// Description explains what the issue is.
Description string `json:"description"`
// Remediation provides guidance on how to fix the issue.
Remediation string `json:"remediation"`
// DocURL is a direct link to the documentation for this issue.
DocURL string `json:"docUrl"`
// ControlName is the .plumber.yaml control key this code belongs to.
ControlName string `json:"controlName"`
}
ErrorCodeInfo provides metadata about an issue code.
func AllCodes ¶ added in v0.1.67
func AllCodes() []ErrorCodeInfo
AllCodes returns all registered issue codes sorted by code.
func LookupCode ¶ added in v0.1.67
func LookupCode(code ErrorCode) *ErrorCodeInfo
LookupCode returns the ErrorCodeInfo for a given issue code, or nil if not found.
type GitlabBranchProtectionControl ¶
type GitlabBranchProtectionControl struct {
// contains filtered or unexported fields
}
GitlabBranchProtectionControl handles branch protection compliance checking
func NewGitlabBranchProtectionControl ¶
func NewGitlabBranchProtectionControl(config *configuration.BranchProtectionControlConfig) *GitlabBranchProtectionControl
NewGitlabBranchProtectionControl creates a new branch protection control instance
func (*GitlabBranchProtectionControl) Run ¶
func (c *GitlabBranchProtectionControl) Run(
	protectionData *collector.GitlabProtectionAnalysisData,
	project *gitlab.ProjectInfo,
) *GitlabBranchProtectionResult
Run executes the branch protection compliance check
type GitlabBranchProtectionResult ¶
type GitlabBranchProtectionResult struct {
Enabled bool `json:"enabled"`
Skipped bool `json:"skipped,omitempty"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
Data []BranchProtectionData `json:"data,omitempty"`
Metrics *BranchProtectionMetrics `json:"metrics,omitempty"`
Issues []BranchProtectionIssue `json:"issues,omitempty"`
Error string `json:"error,omitempty"`
}
GitlabBranchProtectionResult holds the result of the branch protection control
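How the branch protection control's two issue types (unprotected, ISSUE-501, and non_compliant, ISSUE-505) and its metrics fall out of the collected BranchProtectionData, as an added example that is not Plumber's own control. The Policy type is an assumed stand-in for configuration.BranchProtectionControlConfig (the page does not show its fields), the access-level constants are the values the GitLab protected-branches API uses, and the sample branches are constructed:

```go
package main

import (
	"fmt"
	"path"
)

// GitLab protected-branch access levels (values used by the GitLab API).
const (
	AccessNoOne      = 0
	AccessDeveloper  = 30
	AccessMaintainer = 40
)

// BranchProtectionData mirrors the page's struct (JSON tags and Authorized* fields omitted).
type BranchProtectionData struct {
	BranchName                string
	Default                   bool
	Protected                 bool
	AllowForcePush            bool
	CodeOwnerApprovalRequired bool
	MinMergeAccessLevel       int
	MinPushAccessLevel        int
}

// Policy is an assumed configuration shape: which branches must be protected and the
// weakest settings accepted for them.
type Policy struct {
	ProtectPatterns          []string // path.Match globs; the default branch is always included
	MinPushAccessLevel       int
	MinMergeAccessLevel      int
	ForbidForcePush          bool
	RequireCodeOwnerApproval bool
}

type BranchProtectionIssue struct {
	Code       string // ISSUE-501 for "unprotected", ISSUE-505 for "non_compliant"
	Type       string
	BranchName string
	Reasons    []string
}

type BranchProtectionMetrics struct {
	Branches, BranchesToProtect, UnprotectedBranches, NonCompliantBranches, TotalProtectedBranches int
}

func (p Policy) mustProtect(b BranchProtectionData) bool {
	if b.Default {
		return true
	}
	for _, pat := range p.ProtectPatterns {
		if ok, _ := path.Match(pat, b.BranchName); ok {
			return true
		}
	}
	return false
}

// levelOK treats 0 ("No one") as the strictest setting, not as a number below the
// minimum; a naive "actual < minimum" comparison would wrongly flag it.
func levelOK(actual, minimum int) bool {
	return actual == AccessNoOne || actual >= minimum
}

// Evaluate returns the issues, the metrics and the compliance percentage, computed over
// the branches the policy requires to be protected.
func Evaluate(p Policy, branches []BranchProtectionData) ([]BranchProtectionIssue, BranchProtectionMetrics, float64) {
	var issues []BranchProtectionIssue
	m := BranchProtectionMetrics{Branches: len(branches)}
	for _, b := range branches {
		if b.Protected {
			m.TotalProtectedBranches++
		}
		if !p.mustProtect(b) {
			continue
		}
		m.BranchesToProtect++
		if !b.Protected {
			m.UnprotectedBranches++
			issues = append(issues, BranchProtectionIssue{Code: "ISSUE-501", Type: "unprotected", BranchName: b.BranchName})
			continue
		}
		var reasons []string
		if !levelOK(b.MinPushAccessLevel, p.MinPushAccessLevel) {
			reasons = append(reasons, fmt.Sprintf("push access level %d below required %d", b.MinPushAccessLevel, p.MinPushAccessLevel))
		}
		if !levelOK(b.MinMergeAccessLevel, p.MinMergeAccessLevel) {
			reasons = append(reasons, fmt.Sprintf("merge access level %d below required %d", b.MinMergeAccessLevel, p.MinMergeAccessLevel))
		}
		if p.ForbidForcePush && b.AllowForcePush {
			reasons = append(reasons, "force push allowed")
		}
		if p.RequireCodeOwnerApproval && !b.CodeOwnerApprovalRequired {
			reasons = append(reasons, "code owner approval not required")
		}
		if len(reasons) > 0 {
			m.NonCompliantBranches++
			issues = append(issues, BranchProtectionIssue{Code: "ISSUE-505", Type: "non_compliant", BranchName: b.BranchName, Reasons: reasons})
		}
	}
	compliance := 100.0
	if m.BranchesToProtect > 0 {
		compliant := m.BranchesToProtect - m.UnprotectedBranches - m.NonCompliantBranches
		compliance = 100 * float64(compliant) / float64(m.BranchesToProtect)
	}
	return issues, m, compliance
}

// Constructed sample: what the collector would return for a small project.
var samplePolicy = Policy{ProtectPatterns: []string{"release/*"}, MinPushAccessLevel: AccessMaintainer, MinMergeAccessLevel: AccessMaintainer, ForbidForcePush: true, RequireCodeOwnerApproval: true}

var sampleBranches = []BranchProtectionData{
	{BranchName: "main", Default: true, Protected: true, MinPushAccessLevel: AccessMaintainer, MinMergeAccessLevel: AccessMaintainer, CodeOwnerApprovalRequired: true},
	{BranchName: "release/1.0", Protected: true, MinPushAccessLevel: AccessDeveloper, MinMergeAccessLevel: AccessMaintainer, AllowForcePush: true, CodeOwnerApprovalRequired: true},
	{BranchName: "release/2.0"}, // required but unprotected
	{BranchName: "release/3.0", Protected: true, MinPushAccessLevel: AccessNoOne, MinMergeAccessLevel: AccessMaintainer, CodeOwnerApprovalRequired: true},
	{BranchName: "feature/x"}, // not required, so not counted
}

func main() {
	issues, m, c := Evaluate(samplePolicy, sampleBranches)
	for _, is := range issues {
		fmt.Printf("%s %-13s %s %v\n", is.Code, is.Type, is.BranchName, is.Reasons)
	}
	fmt.Printf("%+v compliance=%.1f%%\n", m, c)
}
```

The "No one" case is the one worth testing: GitLab encodes it as access level 0, so a check written as a plain numeric minimum reports the most locked-down branch as non-compliant.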
type GitlabImageAuthorizedSourcesConf ¶
type GitlabImageAuthorizedSourcesConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// TrustedUrls is a list of authorized registry URLs/patterns
TrustedUrls []string `json:"trustedUrls"`
// TrustDockerHubOfficialImages trusts official Docker Hub images (e.g., nginx, alpine)
TrustDockerHubOfficialImages bool `json:"trustDockerHubOfficialImages"`
}
GitlabImageAuthorizedSourcesConf holds the configuration for image source authorization
func (*GitlabImageAuthorizedSourcesConf) GetConf ¶
func (p *GitlabImageAuthorizedSourcesConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig. If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabImageAuthorizedSourcesConf) Run ¶
func (p *GitlabImageAuthorizedSourcesConf) Run(pipelineImageData *collector.GitlabPipelineImageData) *GitlabImageAuthorizedSourcesResult
Run executes the image authorized sources control
type GitlabImageAuthorizedSourcesMetrics ¶
type GitlabImageAuthorizedSourcesMetrics struct {
Total uint `json:"total"`
Authorized uint `json:"authorized"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabImageAuthorizedSourcesMetrics holds metrics about image source authorization
type GitlabImageAuthorizedSourcesResult ¶
type GitlabImageAuthorizedSourcesResult struct {
Issues []GitlabPipelineImageIssueUnauthorized `json:"issues"`
Metrics GitlabImageAuthorizedSourcesMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"` // True if control was disabled
Error string `json:"error,omitempty"` // Error message if data collection failed
}
GitlabImageAuthorizedSourcesResult holds the result of the image authorized sources control
type GitlabImageForbiddenTagsConf ¶
type GitlabImageForbiddenTagsConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// ForbiddenTags is a list of tags considered forbidden (e.g., latest, dev)
ForbiddenTags []string `json:"forbiddenTags"`
// MustBePinnedByDigest when true, ALL images must use immutable digest references.
// Takes precedence over the forbidden tags list.
MustBePinnedByDigest bool `json:"mustBePinnedByDigest"`
}
GitlabImageForbiddenTagsConf holds the configuration for forbidden tag detection
func (*GitlabImageForbiddenTagsConf) GetConf ¶
func (p *GitlabImageForbiddenTagsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig. If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabImageForbiddenTagsConf) Run ¶
func (p *GitlabImageForbiddenTagsConf) Run(pipelineImageData *collector.GitlabPipelineImageData) *GitlabImageForbiddenTagsResult
Run executes the forbidden tag detection control
type GitlabImageForbiddenTagsMetrics ¶
type GitlabImageForbiddenTagsMetrics struct {
Total uint `json:"total"`
UsingForbiddenTags uint `json:"usingForbiddenTags"`
NotPinnedByDigest uint `json:"notPinnedByDigest,omitempty"`
PinnedByDigest uint `json:"pinnedByDigest,omitempty"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabImageForbiddenTagsMetrics holds metrics about forbidden image tags
type GitlabImageForbiddenTagsResult ¶
type GitlabImageForbiddenTagsResult struct {
Issues []GitlabPipelineImageIssueTag `json:"issues"`
Metrics GitlabImageForbiddenTagsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"` // True if control was disabled
MustBePinnedByDigest bool `json:"mustBePinnedByDigest"` // True if digest pinning mode was active
Error string `json:"error,omitempty"` // Error message if data collection failed
}
GitlabImageForbiddenTagsResult holds the result of the forbidden tags control
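The two image controls above share one prerequisite: splitting an image reference into registry, repository, tag and digest. The following is an added example, not Plumber's parser or controls, showing that split and then the three checks the page defines (ISSUE-101 unauthorized source, ISSUE-102 forbidden tag, ISSUE-103 not pinned by digest, with MustBePinnedByDigest taking precedence over the tag list). ImagePolicy merges the two Conf types with the page's field names; how TrustedUrls are matched is an assumption (prefix on path-component boundaries), and the job/image pairs are constructed:

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is a container image reference split into [registry/]repository[:tag][@digest].
type ImageRef struct {
	Registry   string
	Repository string
	Tag        string
	Digest     string
}

// ParseImageRef follows the Docker reference rules closely enough for CI config: the first
// path component is a registry only if it looks like a host (contains '.' or ':' or is
// "localhost"); Docker Hub images without a namespace live under "library/"; no tag means "latest".
func ParseImageRef(s string) ImageRef {
	var ref ImageRef
	if i := strings.Index(s, "@"); i >= 0 {
		ref.Digest, s = s[i+1:], s[:i]
	}
	// A tag is a ':' after the last '/', which keeps "host:5000/repo" intact.
	if c := strings.LastIndex(s, ":"); c > strings.LastIndex(s, "/") {
		ref.Tag, s = s[c+1:], s[:c]
	}
	first, rest, hasSlash := strings.Cut(s, "/")
	if hasSlash && (strings.ContainsAny(first, ".:") || first == "localhost") {
		ref.Registry, ref.Repository = first, rest
	} else {
		ref.Registry, ref.Repository = "docker.io", s
		if !hasSlash {
			ref.Repository = "library/" + s
		}
	}
	if ref.Tag == "" && ref.Digest == "" {
		ref.Tag = "latest" // the implicit default, which is exactly what the tag check must see
	}
	return ref
}

func (r ImageRef) IsDockerHubOfficial() bool {
	return r.Registry == "docker.io" && strings.HasPrefix(r.Repository, "library/")
}

// ImagePolicy merges the two page configs; field names follow the page.
type ImagePolicy struct {
	TrustedUrls                  []string // "registry" or "registry/group" prefixes (assumed matching rule)
	TrustDockerHubOfficialImages bool
	ForbiddenTags                []string
	MustBePinnedByDigest         bool
}

// matchesTrusted compares on path-component boundaries, so trusting
// "registry.example.com/ci" does not also trust "registry.example.com/ci-evil".
func matchesTrusted(full, trusted string) bool {
	trusted = strings.TrimSuffix(trusted, "/")
	return full == trusted || strings.HasPrefix(full, trusted+"/")
}

type ImageIssue struct {
	Code   string // ISSUE-101, ISSUE-102 or ISSUE-103 as defined on the page
	Job    string
	Image  string
	Detail string
}

// CheckImage applies source authorization, then the mutability rule. When
// MustBePinnedByDigest is set it replaces the forbidden-tag check, as the page states.
func (p ImagePolicy) CheckImage(job, image string) []ImageIssue {
	ref := ParseImageRef(image)
	full := ref.Registry + "/" + ref.Repository
	var issues []ImageIssue

	authorized := p.TrustDockerHubOfficialImages && ref.IsDockerHubOfficial()
	for _, t := range p.TrustedUrls {
		if matchesTrusted(full, t) {
			authorized = true
			break
		}
	}
	if !authorized {
		issues = append(issues, ImageIssue{"ISSUE-101", job, image, "source " + full + " is not trusted"})
	}

	switch {
	case ref.Digest != "":
		// A digest is immutable; a tag next to it is informational only.
	case p.MustBePinnedByDigest:
		issues = append(issues, ImageIssue{"ISSUE-103", job, image, "not pinned by digest"})
	default:
		for _, ft := range p.ForbiddenTags {
			if ref.Tag == ft {
				issues = append(issues, ImageIssue{"ISSUE-102", job, image, "forbidden tag " + ft})
				break
			}
		}
	}
	return issues
}

func main() {
	p := ImagePolicy{TrustedUrls: []string{"registry.example.com/ci"}, TrustDockerHubOfficialImages: true, ForbiddenTags: []string{"latest", "dev"}}
	// Constructed job -> image pairs as they would come out of a parsed .gitlab-ci.yml.
	jobs := map[string]string{"build": "alpine", "test": "registry.example.com/ci/tool:dev", "deploy": "registry.example.com/ci-evil/tool:1.0"}
	for job, img := range jobs {
		for _, is := range p.CheckImage(job, img) {
			fmt.Printf("%s %-7s %s: %s\n", is.Code, job, img, is.Detail)
		}
	}
}
```

Two details matter in practice: an image written without a tag is "latest" and must be reported as such rather than as "no tag", and a trusted-URL comparison done with a bare string prefix lets a sibling group whose name merely starts with the trusted one through.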
type GitlabPipelineDebugTraceConf ¶ added in v0.1.51
type GitlabPipelineDebugTraceConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// ForbiddenVariables is a list of CI/CD variable names that must not be set to "true"
ForbiddenVariables []string `json:"forbiddenVariables"`
}
GitlabPipelineDebugTraceConf holds the configuration for debug trace detection
func (*GitlabPipelineDebugTraceConf) GetConf ¶ added in v0.1.51
func (p *GitlabPipelineDebugTraceConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig. If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabPipelineDebugTraceConf) Run ¶ added in v0.1.51
func (p *GitlabPipelineDebugTraceConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineDebugTraceResult
Run executes the debug trace detection control
type GitlabPipelineDebugTraceIssue ¶ added in v0.1.51
type GitlabPipelineDebugTraceIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
VariableName string `json:"variableName"`
Value string `json:"value"`
Location string `json:"location"` // "global" or job name
}
GitlabPipelineDebugTraceIssue represents a forbidden debug variable found in the CI config
type GitlabPipelineDebugTraceMetrics ¶ added in v0.1.51
type GitlabPipelineDebugTraceMetrics struct {
TotalVariablesChecked uint `json:"totalVariablesChecked"`
ForbiddenFound uint `json:"forbiddenFound"`
}
GitlabPipelineDebugTraceMetrics holds metrics about debug trace detection
type GitlabPipelineDebugTraceResult ¶ added in v0.1.51
type GitlabPipelineDebugTraceResult struct {
Issues []GitlabPipelineDebugTraceIssue `json:"issues"`
Metrics GitlabPipelineDebugTraceMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineDebugTraceResult holds the result of the debug trace control
type GitlabPipelineDockerInDockerConf ¶ added in v0.1.77
type GitlabPipelineDockerInDockerConf struct {
Enabled bool `json:"enabled"`
DetectInsecureDaemon bool `json:"detectInsecureDaemon"`
}
GitlabPipelineDockerInDockerConf holds the configuration for Docker-in-Docker detection
func (*GitlabPipelineDockerInDockerConf) GetConf ¶ added in v0.1.77
func (p *GitlabPipelineDockerInDockerConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig. If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabPipelineDockerInDockerConf) Run ¶ added in v0.1.77
func (p *GitlabPipelineDockerInDockerConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineDockerInDockerResult
Run executes the Docker-in-Docker detection control
type GitlabPipelineDockerInDockerIssue ¶ added in v0.1.77
type GitlabPipelineDockerInDockerIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
ServiceImage string `json:"serviceImage,omitempty"`
Detail string `json:"detail,omitempty"`
}
GitlabPipelineDockerInDockerIssue represents a DinD finding in the CI config
type GitlabPipelineDockerInDockerMetrics ¶ added in v0.1.77
type GitlabPipelineDockerInDockerMetrics struct {
TotalJobsChecked uint `json:"totalJobsChecked"`
DindServicesFound uint `json:"dindServicesFound"`
InsecureDaemonFound uint `json:"insecureDaemonFound"`
}
GitlabPipelineDockerInDockerMetrics holds metrics about DinD detection
type GitlabPipelineDockerInDockerResult ¶ added in v0.1.77
type GitlabPipelineDockerInDockerResult struct {
Issues []GitlabPipelineDockerInDockerIssue `json:"issues"`
Metrics GitlabPipelineDockerInDockerMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineDockerInDockerResult holds the result of the DinD control
type GitlabPipelineHardcodedJobIssue ¶ added in v0.1.31
type GitlabPipelineHardcodedJobIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
}
GitlabPipelineHardcodedJobIssue represents an issue with a hardcoded job
type GitlabPipelineHardcodedJobsConf ¶ added in v0.1.31
type GitlabPipelineHardcodedJobsConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
}
GitlabPipelineHardcodedJobsConf holds the configuration for hardcoded job detection
func (*GitlabPipelineHardcodedJobsConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineHardcodedJobsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig. It returns an error if config is nil; the control can still be disabled by configuration.
func (*GitlabPipelineHardcodedJobsConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineHardcodedJobsConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineHardcodedJobsResult
Run executes the hardcoded job detection control
type GitlabPipelineHardcodedJobsMetrics ¶ added in v0.1.31
type GitlabPipelineHardcodedJobsMetrics struct {
Total uint `json:"total"`
HardcodedJobs uint `json:"hardcodedJobs"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineHardcodedJobsMetrics holds metrics about hardcoded jobs
type GitlabPipelineHardcodedJobsResult ¶ added in v0.1.31
type GitlabPipelineHardcodedJobsResult struct {
Issues []GitlabPipelineHardcodedJobIssue `json:"issues"`
Metrics GitlabPipelineHardcodedJobsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"` // True if control was disabled
Error string `json:"error,omitempty"` // Error message if data collection failed
}
GitlabPipelineHardcodedJobsResult holds the result of the hardcoded jobs control
type GitlabPipelineImageIssueTag ¶
type GitlabPipelineImageIssueTag struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Link string `json:"link"`
Tag string `json:"tag"`
Job string `json:"job"`
}
GitlabPipelineImageIssueTag represents an issue with an image using a mutable tag
type GitlabPipelineImageIssueUnauthorized ¶
type GitlabPipelineImageIssueUnauthorized struct {
}
GitlabPipelineImageIssueUnauthorized represents an issue with an unauthorized image source
type GitlabPipelineIncludesForbiddenVersionConf ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// ForbiddenVersions is a list of version patterns considered forbidden (e.g., latest, main, HEAD)
ForbiddenVersions []string `json:"forbiddenVersions"`
// DefaultBranchIsForbiddenVersion when true, adds the project's default branch to forbidden versions
DefaultBranchIsForbiddenVersion bool `json:"defaultBranchIsForbiddenVersion"`
}
GitlabPipelineIncludesForbiddenVersionConf holds the configuration for forbidden version detection
func (*GitlabPipelineIncludesForbiddenVersionConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineIncludesForbiddenVersionConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineIncludesForbiddenVersionConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineIncludesForbiddenVersionConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData, projectDefaultBranch string) *GitlabPipelineIncludesForbiddenVersionResult
Run executes the forbidden version detection control
type GitlabPipelineIncludesForbiddenVersionIssue ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Version string `json:"version"`
LatestVersion string `json:"latestVersion,omitempty"`
PlumberOriginPath string `json:"plumberOriginPath,omitempty"`
GitlabIncludeLocation string `json:"gitlabIncludeLocation"`
GitlabIncludeType string `json:"gitlabIncludeType"`
GitlabIncludeProject string `json:"gitlabIncludeProject,omitempty"`
Nested bool `json:"nested"`
ComponentName string `json:"componentName,omitempty"`
PlumberTemplateName string `json:"plumberTemplateName,omitempty"`
OriginHash uint64 `json:"originHash"`
}
GitlabPipelineIncludesForbiddenVersionIssue represents an issue with a forbidden version. Issue data for mutable version usage - PolicyIssueTypeId = [11]
type GitlabPipelineIncludesForbiddenVersionMetrics ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionMetrics struct {
Total uint `json:"total"`
UsingForbiddenVersion uint `json:"usingForbiddenVersion"`
UsingAuthorizedVersion uint `json:"usingAuthorizedVersion"`
}
GitlabPipelineIncludesForbiddenVersionMetrics holds metrics about forbidden version usage
type GitlabPipelineIncludesForbiddenVersionResult ¶ added in v0.1.31
type GitlabPipelineIncludesForbiddenVersionResult struct {
Issues []GitlabPipelineIncludesForbiddenVersionIssue `json:"issues"`
Metrics GitlabPipelineIncludesForbiddenVersionMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineIncludesForbiddenVersionResult holds the result of the forbidden version control
type GitlabPipelineIncludesOutdatedConf ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
}
GitlabPipelineIncludesOutdatedConf holds the configuration for outdated includes detection. No specific configuration is needed for outdated detection: the logic uses the UpToDate field from the analysis data.
func (*GitlabPipelineIncludesOutdatedConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineIncludesOutdatedConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineIncludesOutdatedConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineIncludesOutdatedConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineIncludesOutdatedResult
Run executes the outdated includes detection control
type GitlabPipelineIncludesOutdatedIssue ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
Version string `json:"version"`
LatestVersion string `json:"latestVersion"`
PlumberOriginPath string `json:"plumberOriginPath,omitempty"`
GitlabIncludeLocation string `json:"gitlabIncludeLocation"`
GitlabIncludeType string `json:"gitlabIncludeType"`
GitlabIncludeProject string `json:"gitlabIncludeProject,omitempty"`
Nested bool `json:"nested"`
ComponentName string `json:"componentName,omitempty"`
PlumberTemplateName string `json:"plumberTemplateName,omitempty"`
OriginHash uint64 `json:"originHash"`
}
GitlabPipelineIncludesOutdatedIssue represents an issue with an outdated include (issue data for an outdated origin; PolicyIssueTypeId = [10]).
type GitlabPipelineIncludesOutdatedMetrics ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedMetrics struct {
Total uint `json:"total"`
OriginOutdated uint `json:"originOutdated"`
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineIncludesOutdatedMetrics holds metrics about outdated includes
type GitlabPipelineIncludesOutdatedResult ¶ added in v0.1.31
type GitlabPipelineIncludesOutdatedResult struct {
Issues []GitlabPipelineIncludesOutdatedIssue `json:"issues"`
Metrics GitlabPipelineIncludesOutdatedMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineIncludesOutdatedResult holds the result of the outdated control
type GitlabPipelineJobVariablesOverrideConf ¶ added in v0.1.76
type GitlabPipelineJobVariablesOverrideConf struct {
Enabled bool `json:"enabled"`
Variables []string `json:"variables"`
}
GitlabPipelineJobVariablesOverrideConf holds the configuration for job variable override detection
func (*GitlabPipelineJobVariablesOverrideConf) GetConf ¶ added in v0.1.76
func (p *GitlabPipelineJobVariablesOverrideConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig. If config is nil or the control section is missing, the control is disabled (skipped).
func (*GitlabPipelineJobVariablesOverrideConf) Run ¶ added in v0.1.76
func (p *GitlabPipelineJobVariablesOverrideConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineJobVariablesOverrideResult
Run executes the job variable override detection control. It scans the raw (pre-merge) CI config so that only variables the user actually wrote in .gitlab-ci.yml are checked. Variables injected by included templates/components are ignored.
type GitlabPipelineJobVariablesOverrideIssue ¶ added in v0.1.76
type GitlabPipelineJobVariablesOverrideIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
VariableName string `json:"variableName"`
Value string `json:"value"`
Location string `json:"location"` // "global" or job name
}
GitlabPipelineJobVariablesOverrideIssue represents a variable that should not be defined in the CI config
type GitlabPipelineJobVariablesOverrideMetrics ¶ added in v0.1.76
type GitlabPipelineJobVariablesOverrideMetrics struct {
TotalVariablesChecked uint `json:"totalVariablesChecked"`
OverriddenFound uint `json:"overriddenFound"`
}
GitlabPipelineJobVariablesOverrideMetrics holds metrics about variable override detection
type GitlabPipelineJobVariablesOverrideResult ¶ added in v0.1.76
type GitlabPipelineJobVariablesOverrideResult struct {
Issues []GitlabPipelineJobVariablesOverrideIssue `json:"issues"`
Metrics GitlabPipelineJobVariablesOverrideMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineJobVariablesOverrideResult holds the result of the control
type GitlabPipelineRequiredComponentsConf ¶ added in v0.1.31
type GitlabPipelineRequiredComponentsConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// DNF (Disjunctive Normal Form) format:
// Outer array = OR (at least one group must be satisfied)
// Inner array = AND (all components in group must be present)
// Example: [["comp-a", "comp-b"], ["comp-c"]] means:
// "must have (comp-a AND comp-b) OR (comp-c)"
RequiredGroups [][]string `json:"requiredGroups"`
}
GitlabPipelineRequiredComponentsConf holds the configuration for required components check
func (*GitlabPipelineRequiredComponentsConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineRequiredComponentsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineRequiredComponentsConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineRequiredComponentsConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData, gitlabURL string) *GitlabPipelineRequiredComponentsResult
Run executes the required components control
type GitlabPipelineRequiredComponentsMetrics ¶ added in v0.1.31
type GitlabPipelineRequiredComponentsMetrics struct {
TotalGroups uint `json:"totalGroups"` // Total number of requirement groups
SatisfiedGroups uint `json:"satisfiedGroups"` // Number of fully satisfied groups
AnySatisfiedGroup bool `json:"anySatisfiedGroup"` // True if at least one group satisfied
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineRequiredComponentsMetrics holds metrics about required components
type GitlabPipelineRequiredComponentsResult ¶ added in v0.1.31
type GitlabPipelineRequiredComponentsResult struct {
RequirementGroups []ComponentGroupStatus `json:"requirementGroups"`
Issues []RequiredComponentIssue `json:"issues"`
OverriddenIssues []RequiredComponentOverriddenIssue `json:"overriddenIssues"`
Metrics GitlabPipelineRequiredComponentsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineRequiredComponentsResult holds the result of the required components control
type GitlabPipelineRequiredTemplatesConf ¶ added in v0.1.31
type GitlabPipelineRequiredTemplatesConf struct {
// Enabled controls whether this check runs
Enabled bool `json:"enabled"`
// DNF (Disjunctive Normal Form) format:
// Outer array = OR (at least one group must be satisfied)
// Inner array = AND (all templates in group must be present)
// Example: [["go", "helm"], ["go_helm_unified"]] means:
// "must have (go AND helm) OR (go_helm_unified)"
RequiredGroups [][]string `json:"requiredGroups"`
}
GitlabPipelineRequiredTemplatesConf holds the configuration for required templates check
func (*GitlabPipelineRequiredTemplatesConf) GetConf ¶ added in v0.1.31
func (p *GitlabPipelineRequiredTemplatesConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineRequiredTemplatesConf) Run ¶ added in v0.1.31
func (p *GitlabPipelineRequiredTemplatesConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineRequiredTemplatesResult
Run executes the required templates control
type GitlabPipelineRequiredTemplatesMetrics ¶ added in v0.1.31
type GitlabPipelineRequiredTemplatesMetrics struct {
TotalGroups uint `json:"totalGroups"` // Total number of requirement groups
SatisfiedGroups uint `json:"satisfiedGroups"` // Number of fully satisfied groups
AnySatisfiedGroup bool `json:"anySatisfiedGroup"` // True if at least one group satisfied
CiInvalid uint `json:"ciInvalid"`
CiMissing uint `json:"ciMissing"`
}
GitlabPipelineRequiredTemplatesMetrics holds metrics about required templates
type GitlabPipelineRequiredTemplatesResult ¶ added in v0.1.31
type GitlabPipelineRequiredTemplatesResult struct {
RequirementGroups []TemplateGroupStatus `json:"requirementGroups"`
Issues []RequiredTemplateIssue `json:"issues"`
OverriddenIssues []RequiredTemplateOverriddenIssue `json:"overriddenIssues"`
Metrics GitlabPipelineRequiredTemplatesMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineRequiredTemplatesResult holds the result of the required templates control
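The DNF rule described in the RequiredGroups comments of both GitlabPipelineRequiredComponentsConf and GitlabPipelineRequiredTemplatesConf, evaluated over a constructed set of includes, as an added example that is not the package's own code. GroupStatus, GroupMetrics and EvaluateRequiredGroups are hypothetical names mirroring ComponentGroupStatus/TemplateGroupStatus and the metrics fields; the present/overridden maps stand in for what the collector provides.

```go
package main

import "fmt"

// GroupStatus mirrors the fields of the page's ComponentGroupStatus and
// TemplateGroupStatus; this is an illustrative re-implementation, not the
// package's own code.
type GroupStatus struct {
	GroupIndex        int
	RequiredOrigins   []string
	FoundOrigins      []string
	MissingOrigins    []string
	OverriddenOrigins []string
	IsFullySatisfied  bool
}

// GroupMetrics mirrors TotalGroups / SatisfiedGroups / AnySatisfiedGroup.
type GroupMetrics struct {
	TotalGroups       uint
	SatisfiedGroups   uint
	AnySatisfiedGroup bool
}

// EvaluateRequiredGroups applies the DNF rule from the Conf comment: every
// origin inside a group is ANDed, the groups themselves are ORed. `present`
// holds the origins actually included by the pipeline, `overridden` those
// whose jobs were redefined with forbidden keywords. Following the page's
// field comments, a group is satisfied when nothing is missing; overridden
// origins are listed separately so they can be raised as OverriddenIssues.
func EvaluateRequiredGroups(required [][]string, present, overridden map[string]bool) ([]GroupStatus, GroupMetrics) {
	statuses := make([]GroupStatus, 0, len(required))
	m := GroupMetrics{TotalGroups: uint(len(required))}
	for i, group := range required {
		st := GroupStatus{GroupIndex: i, RequiredOrigins: group}
		for _, origin := range group {
			switch {
			case !present[origin]:
				st.MissingOrigins = append(st.MissingOrigins, origin)
			case overridden[origin]:
				st.OverriddenOrigins = append(st.OverriddenOrigins, origin)
			default:
				st.FoundOrigins = append(st.FoundOrigins, origin)
			}
		}
		st.IsFullySatisfied = len(st.MissingOrigins) == 0
		if st.IsFullySatisfied {
			m.SatisfiedGroups++
			m.AnySatisfiedGroup = true
		}
		statuses = append(statuses, st)
	}
	return statuses, m
}

func main() {
	// Constructed input: the page's own example, "must have (go AND helm) OR (go_helm_unified)".
	required := [][]string{{"go", "helm"}, {"go_helm_unified"}}
	present := map[string]bool{"go": true, "go_helm_unified": true}
	overridden := map[string]bool{"go_helm_unified": true}
	statuses, m := EvaluateRequiredGroups(required, present, overridden)
	for _, st := range statuses {
		fmt.Printf("group %d satisfied=%v missing=%v overridden=%v\n",
			st.GroupIndex, st.IsFullySatisfied, st.MissingOrigins, st.OverriddenOrigins)
	}
	fmt.Printf("any group satisfied: %v (%d/%d)\n", m.AnySatisfiedGroup, m.SatisfiedGroups, m.TotalGroups)
}
```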
type GitlabPipelineUnverifiedScriptsConf ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsConf struct {
Enabled bool `json:"enabled"`
TrustedUrls []string `json:"trustedUrls"`
}
GitlabPipelineUnverifiedScriptsConf holds the configuration for unverified script execution detection
func (*GitlabPipelineUnverifiedScriptsConf) GetConf ¶ added in v0.1.69
func (p *GitlabPipelineUnverifiedScriptsConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineUnverifiedScriptsConf) Run ¶ added in v0.1.69
func (p *GitlabPipelineUnverifiedScriptsConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineUnverifiedScriptsResult
Run executes the unverified script execution detection control
type GitlabPipelineUnverifiedScriptsIssue ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
ScriptLine string `json:"scriptLine"`
ScriptBlock string `json:"scriptBlock"`
PatternType string `json:"patternType"`
}
GitlabPipelineUnverifiedScriptsIssue represents an unverified script execution found in a CI job
type GitlabPipelineUnverifiedScriptsMetrics ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsMetrics struct {
JobsChecked uint `json:"jobsChecked"`
TotalScriptLinesChecked uint `json:"totalScriptLinesChecked"`
UnverifiedScriptsFound uint `json:"unverifiedScriptsFound"`
}
GitlabPipelineUnverifiedScriptsMetrics holds metrics about unverified script detection
type GitlabPipelineUnverifiedScriptsResult ¶ added in v0.1.69
type GitlabPipelineUnverifiedScriptsResult struct {
Issues []GitlabPipelineUnverifiedScriptsIssue `json:"issues"`
Metrics GitlabPipelineUnverifiedScriptsMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineUnverifiedScriptsResult holds the result of the control
type GitlabPipelineVariableInjectionConf ¶ added in v0.1.52
type GitlabPipelineVariableInjectionConf struct {
Enabled bool `json:"enabled"`
DangerousVariables []string `json:"dangerousVariables"`
AllowedPatterns []string `json:"allowedPatterns"`
}
GitlabPipelineVariableInjectionConf holds the configuration for unsafe variable expansion detection
func (*GitlabPipelineVariableInjectionConf) GetConf ¶ added in v0.1.52
func (p *GitlabPipelineVariableInjectionConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabPipelineVariableInjectionConf) Run ¶ added in v0.1.52
func (p *GitlabPipelineVariableInjectionConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabPipelineVariableInjectionResult
Run executes the unsafe variable expansion detection control.
GitLab CI sets CI variables as environment variables; the shell does NOT re-parse expanded values for command substitution. So plain usage like `echo $CI_COMMIT_BRANCH` is safe: the shell treats the expanded value as an inert string.
The real injection surface is commands that RE-INTERPRET their input as shell code: eval, sh -c, bash -c, source, etc. A user-controlled variable passed to these is executed as code.
type GitlabPipelineVariableInjectionIssue ¶ added in v0.1.52
type GitlabPipelineVariableInjectionIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
VariableName string `json:"variableName"`
ScriptLine string `json:"scriptLine"`
ScriptBlock string `json:"scriptBlock"` // "script", "before_script", "after_script"
}
GitlabPipelineVariableInjectionIssue represents a dangerous variable found in a code-execution context
type GitlabPipelineVariableInjectionMetrics ¶ added in v0.1.52
type GitlabPipelineVariableInjectionMetrics struct {
JobsChecked uint `json:"jobsChecked"`
TotalScriptLinesChecked uint `json:"totalScriptLinesChecked"`
UnsafeExpansionsFound uint `json:"unsafeExpansionsFound"`
}
GitlabPipelineVariableInjectionMetrics holds metrics about unsafe variable expansion detection
type GitlabPipelineVariableInjectionResult ¶ added in v0.1.52
type GitlabPipelineVariableInjectionResult struct {
Issues []GitlabPipelineVariableInjectionIssue `json:"issues"`
Metrics GitlabPipelineVariableInjectionMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabPipelineVariableInjectionResult holds the result of the control
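The distinction Run draws between an inert expansion and one fed to a re-interpreting command, as an added detection example that is not the package's code. Job, Issue, Metrics and DetectUnsafeExpansions are hypothetical names, the sample jobs and dangerous-variable list are constructed, and the regex for re-interpreting commands is this example's own approximation of the control's logic.

```go
package main

import (
	"fmt"
	"regexp"
)

// Job is a hypothetical, minimal stand-in for one job of a parsed .gitlab-ci.yml.
type Job struct {
	Name   string
	Blocks map[string][]string // "before_script", "script", "after_script"
}

// Issue and Metrics mirror the page's GitlabPipelineVariableInjectionIssue and
// ...Metrics fields (illustrative re-implementation, not the package's code).
type Issue struct{ JobName, VariableName, ScriptLine, ScriptBlock string }
type Metrics struct{ JobsChecked, TotalScriptLinesChecked, UnsafeExpansionsFound uint }

// reinterpret matches the commands the page names as re-parsing their input
// as shell code: eval, source (and its "." alias), sh -c and bash -c.
var reinterpret = regexp.MustCompile(`(^|[\s;&|])(eval|source|\.|(ba)?sh\s+-c)(\s|$)`)
var blockOrder = []string{"before_script", "script", "after_script"}

// DetectUnsafeExpansions flags a line only when it BOTH re-interprets its
// input AND expands one of the configured dangerous variables ($VAR or ${VAR});
// a plain expansion such as `echo $CI_COMMIT_BRANCH` is left alone.
func DetectUnsafeExpansions(jobs []Job, dangerous []string) ([]Issue, Metrics) {
	var issues []Issue
	var m Metrics
	for _, job := range jobs {
		m.JobsChecked++
		for _, block := range blockOrder { // fixed order keeps the output deterministic
			for _, line := range job.Blocks[block] {
				m.TotalScriptLinesChecked++
				if !reinterpret.MatchString(line) {
					continue
				}
				for _, v := range dangerous {
					q := regexp.QuoteMeta(v)
					if regexp.MustCompile(`\$(\{`+q+`\}|`+q+`\b)`).MatchString(line) {
						issues = append(issues, Issue{job.Name, v, line, block})
						m.UnsafeExpansionsFound++
					}
				}
			}
		}
	}
	return issues, m
}

// SampleJobs and SampleDangerous are constructed inputs, not a real pipeline or config.
var SampleJobs = []Job{
	{Name: "build", Blocks: map[string][]string{
		"before_script": {`export BRANCH="$CI_COMMIT_BRANCH"`},
		"script":        {`echo "$CI_COMMIT_BRANCH"`, `bash -c "make deploy BRANCH=$CI_COMMIT_BRANCH"`},
	}},
	{Name: "notify", Blocks: map[string][]string{
		"script": {`eval "$(ssh-agent -s)"`, `eval "$CI_COMMIT_MESSAGE"`},
	}},
}
var SampleDangerous = []string{"CI_COMMIT_BRANCH", "CI_COMMIT_MESSAGE", "CI_MERGE_REQUEST_TITLE"}

func main() {
	issues, m := DetectUnsafeExpansions(SampleJobs, SampleDangerous)
	for _, is := range issues {
		fmt.Printf("%s/%s: %s expanded in %q\n", is.JobName, is.ScriptBlock, is.VariableName, is.ScriptLine)
	}
	fmt.Printf("%+v\n", m)
}
```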
type GitlabSecurityJobsWeakenedConf ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedConf struct {
Enabled bool
SecurityJobPatterns []string
AllowFailureCheck bool
RulesCheck bool
WhenManualCheck bool
}
GitlabSecurityJobsWeakenedConf holds the runtime configuration for this control
func (*GitlabSecurityJobsWeakenedConf) GetConf ¶ added in v0.1.64
func (p *GitlabSecurityJobsWeakenedConf) GetConf(plumberConfig *configuration.PlumberConfig) error
GetConf loads configuration from PlumberConfig
func (*GitlabSecurityJobsWeakenedConf) Run ¶ added in v0.1.64
func (p *GitlabSecurityJobsWeakenedConf) Run(pipelineOriginData *collector.GitlabPipelineOriginData) *GitlabSecurityJobsWeakenedResult
Run executes the security jobs weakening detection control
type GitlabSecurityJobsWeakenedIssue ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
JobName string `json:"jobName"`
SubControl string `json:"subControl"` // "allowFailureMustBeFalse", "rulesMustNotBeRedefined", "whenMustNotBeManual"
Detail string `json:"detail"`
}
GitlabSecurityJobsWeakenedIssue represents a weakened security job
type GitlabSecurityJobsWeakenedMetrics ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedMetrics struct {
SecurityJobsFound uint `json:"securityJobsFound"`
WeakenedJobs uint `json:"weakenedJobs"`
}
GitlabSecurityJobsWeakenedMetrics holds metrics about security job weakening detection
type GitlabSecurityJobsWeakenedResult ¶ added in v0.1.64
type GitlabSecurityJobsWeakenedResult struct {
Issues []GitlabSecurityJobsWeakenedIssue `json:"issues"`
Metrics GitlabSecurityJobsWeakenedMetrics `json:"metrics"`
Compliance float64 `json:"compliance"`
Version string `json:"version"`
CiValid bool `json:"ciValid"`
CiMissing bool `json:"ciMissing"`
Skipped bool `json:"skipped"`
Error string `json:"error,omitempty"`
}
GitlabSecurityJobsWeakenedResult holds the result of the security jobs weakened control
type IssueSeverity ¶ added in v0.1.83
type IssueSeverity string
IssueSeverity is the documented severity for an issue code (aligned with getplumber.io issue docs).
const (
SeverityCritical IssueSeverity = "critical"
SeverityHigh IssueSeverity = "high"
SeverityMedium IssueSeverity = "medium"
SeverityLow IssueSeverity = "low"
)
func SeverityForCode ¶ added in v0.1.83
func SeverityForCode(code ErrorCode) IssueSeverity
SeverityForCode returns the documented severity for a code, or medium if unknown.
type PipelineImageMetricsSummary ¶
type PipelineImageMetricsSummary struct {
Total uint `json:"total"`
}
PipelineImageMetricsSummary is a simplified version of image metrics for output
type PipelineOriginMetricsSummary ¶
type PipelineOriginMetricsSummary struct {
JobTotal uint `json:"jobTotal"`
JobHardcoded uint `json:"jobHardcoded"`
OriginTotal uint `json:"originTotal"`
OriginComponent uint `json:"originComponent"`
OriginLocal uint `json:"originLocal"`
OriginProject uint `json:"originProject"`
OriginRemote uint `json:"originRemote"`
OriginTemplate uint `json:"originTemplate"`
OriginGitLabCatalog uint `json:"originGitLabCatalog"`
OriginOutdated uint `json:"originOutdated"`
}
PipelineOriginMetricsSummary is a simplified version of origin metrics for output
type PlumberScoreResult ¶ added in v0.1.83
type PlumberScoreResult struct {
ProfileID string `json:"profileId"`
Counts SeverityCounts `json:"counts"`
// RawPoints is 100 minus summed capped severity losses (before Critical malus).
RawPoints float64 `json:"rawPoints"`
// FinalPoints applies Critical category malus (max points in E band when any Critical exists).
FinalPoints float64 `json:"finalPoints"`
// Score is the letter A–E from final points (what people mean by “how did we score?”).
Score string `json:"score"`
CriticalMalusApplied bool `json:"criticalMalusApplied"`
CriticalMalusMax float64 `json:"criticalMalusMax,omitempty"` // max points when malus applies (30)
Losses []SeverityLoss `json:"losses"`
}
PlumberScoreResult is the official result: letter Score (A–E) derived from numeric Points (0–100).
func ComputePlumberScore ¶ added in v0.1.83
func ComputePlumberScore(counts SeverityCounts) PlumberScoreResult
ComputePlumberScore applies the scoring-v2 rules (see docs/scoring.md).
For each severity bucket with count n > 0:
loss = w × (1 + 0.5·log2(n)) (capped at the per-bucket cap)
Raw points are 100 minus the sum of capped losses. When at least one Critical issue is present, final points are capped at 30 (Critical malus), which forces the letter score into the E band. The A–E letter is then read from final points using the thresholds in scoreLetterFromPoints.
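The scoring-v2 rules carried through with the page's symbols, as an added example that is not the package's code. The per-bucket weights and caps and the A–E thresholds are assumptions (docs/scoring.md defines the real ones); the 100-point base, the log2 growth, the infinite critical cap and the 30-point Critical malus come from the page.

```go
package main

import (
	"fmt"
	"math"
)

// Mirrors the page's SeverityCounts, SeverityLoss and PlumberScoreResult fields;
// an illustrative re-implementation of the documented rules, not the package's code.
type SeverityCounts struct{ Critical, High, Medium, Low int }
type SeverityLoss struct {
	Severity                              string
	Count                                 int
	Weight, Cap, UncappedLoss, CappedLoss float64
}
type ScoreResult struct {
	RawPoints, FinalPoints float64
	Score                  string
	CriticalMalusApplied   bool
	Losses                 []SeverityLoss
}

// Weights and caps are ASSUMED (docs/scoring.md holds the real ones); the critical
// cap is infinite, as the page's SeverityLoss.Cap comment states.
var params = map[string][2]float64{"critical": {40, math.Inf(1)}, "high": {15, 45}, "medium": {6, 24}, "low": {2, 10}}
var order = []string{"critical", "high", "medium", "low"} // fixed order keeps Losses deterministic
// Letter thresholds are ASSUMED too; the page only fixes that 30 points (the
// Critical malus maximum) must land in the E band.
var bands = []struct{ min float64; letter string }{{90, "A"}, {75, "B"}, {60, "C"}, {40, "D"}}
const criticalMalusMax = 30

// BucketLoss implements loss = w × (1 + 0.5·log2(n)) for n > 0, then applies the cap.
func BucketLoss(sev string, n int, w, c float64) SeverityLoss {
	l := SeverityLoss{Severity: sev, Count: n, Weight: w, Cap: c}
	if n > 0 {
		l.UncappedLoss = w * (1 + 0.5*math.Log2(float64(n)))
		l.CappedLoss = math.Min(l.UncappedLoss, c)
	}
	return l
}

// ComputeScore: raw = 100 − Σ capped losses (floored at 0, Points being 0–100);
// final = min(raw, 30) when any Critical exists; the letter is read from final.
func ComputeScore(c SeverityCounts) ScoreResult {
	counts := map[string]int{"critical": c.Critical, "high": c.High, "medium": c.Medium, "low": c.Low}
	r := ScoreResult{RawPoints: 100, Score: "E"}
	for _, sev := range order {
		if n := counts[sev]; n > 0 {
			l := BucketLoss(sev, n, params[sev][0], params[sev][1])
			r.Losses = append(r.Losses, l)
			r.RawPoints -= l.CappedLoss
		}
	}
	r.RawPoints = math.Max(r.RawPoints, 0)
	r.FinalPoints = r.RawPoints
	if c.Critical > 0 {
		r.CriticalMalusApplied = true
		r.FinalPoints = math.Min(r.FinalPoints, criticalMalusMax)
	}
	for _, b := range bands {
		if r.FinalPoints >= b.min {
			r.Score = b.letter
			break
		}
	}
	return r
}

func main() {
	r := ComputeScore(SeverityCounts{High: 2, Medium: 4, Low: 1}) // constructed counts
	fmt.Printf("raw=%.1f final=%.1f score=%s\n", r.RawPoints, r.FinalPoints, r.Score)
}
```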
type RequiredComponentIssue ¶ added in v0.1.31
type RequiredComponentIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
ComponentPath string `json:"componentPath"`
GroupIndex int `json:"groupIndex"`
}
RequiredComponentIssue represents an issue with a missing required component
type RequiredComponentOverriddenIssue ¶ added in v0.1.47
type RequiredComponentOverriddenIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
ComponentPath string `json:"componentPath"`
GroupIndex int `json:"groupIndex"`
OverriddenJobs []utils.OverriddenJobDetail `json:"overriddenJobs"`
}
RequiredComponentOverriddenIssue represents an issue where a required component is imported but its jobs are overridden with forbidden keywords
type RequiredTemplateIssue ¶ added in v0.1.31
type RequiredTemplateIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
TemplatePath string `json:"templatePath"`
GroupIndex int `json:"groupIndex"`
}
RequiredTemplateIssue represents an issue with a missing required template
type RequiredTemplateOverriddenIssue ¶ added in v0.1.47
type RequiredTemplateOverriddenIssue struct {
Code ErrorCode `json:"code"`
DocURL string `json:"docUrl"`
TemplatePath string `json:"templatePath"`
GroupIndex int `json:"groupIndex"`
OverriddenJobs []utils.OverriddenJobDetail `json:"overriddenJobs"`
}
RequiredTemplateOverriddenIssue represents an issue where a required template is imported but its jobs are overridden with forbidden keywords
type SeverityCounts ¶ added in v0.1.83
type SeverityCounts struct {
Critical int `json:"critical"`
High int `json:"high"`
Medium int `json:"medium"`
Low int `json:"low"`
}
SeverityCounts is the number of detected issues per documented severity bucket.
func AggregateSeverityCounts ¶ added in v0.1.83
func AggregateSeverityCounts(result *AnalysisResult) SeverityCounts
AggregateSeverityCounts walks analysis issues and counts occurrences per severity.
func SeverityCountsFromIssueCodes ¶ added in v0.1.83
func SeverityCountsFromIssueCodes(codes []ErrorCode) SeverityCounts
SeverityCountsFromIssueCodes tallies severities for individual findings (one code per finding).
type SeverityLoss ¶ added in v0.1.83
type SeverityLoss struct {
Severity IssueSeverity `json:"severity"`
Count int `json:"count"`
Weight float64 `json:"weight"`
Cap float64 `json:"cap,omitempty"` // omitted when infinite (critical)
UncappedLoss float64 `json:"uncappedLoss"`
CappedLoss float64 `json:"cappedLoss"`
}
SeverityLoss is points lost for one severity bucket after weight, log growth, and cap.
type TemplateGroupStatus ¶ added in v0.1.31
type TemplateGroupStatus struct {
GroupIndex int `json:"groupIndex"` // Which requirement group (0-based)
RequiredOrigins []string `json:"requiredOrigins"` // Templates required in this group
FoundOrigins []string `json:"foundOrigins"` // Templates found and not overridden
MissingOrigins []string `json:"missingOrigins"` // Templates missing from this group
OverriddenOrigins []string `json:"overriddenOrigins"` // Templates found but overridden with forbidden keywords
IsFullySatisfied bool `json:"isFullySatisfied"` // All templates in group present (not missing)
}
TemplateGroupStatus tracks the status of a single requirement group (AND clause)
Source Files ¶
- badge.go
- codes.go
- controlGitlabImageMutable.go
- controlGitlabImageUntrusted.go
- controlGitlabPipelineDebugTrace.go
- controlGitlabPipelineDockerInDocker.go
- controlGitlabPipelineJobVariablesOverride.go
- controlGitlabPipelineOriginHardcodedJobs.go
- controlGitlabPipelineOriginOutdated.go
- controlGitlabPipelineOriginRequiredComponents.go
- controlGitlabPipelineOriginRequiredTemplates.go
- controlGitlabPipelineOriginVersion.go
- controlGitlabPipelineUnverifiedScripts.go
- controlGitlabPipelineVariableInjection.go
- controlGitlabProtectionBranchProtectionNotCompliant.go
- controlGitlabSecurityJobsWeakened.go
- mrcomment.go
- scoring.go
- task.go
- types.go
- utils.go