security

package
v1.0.14 Latest

This package is not in the latest version of its module.
Published: May 3, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func EnforceFilePermissions

func EnforceFilePermissions(path string, mode os.FileMode) error

EnforceFilePermissions sets path to the given mode via os.Chmod. Returns an error if the file does not exist or chmod fails.

func LogWAFBlock added in v1.0.13

func LogWAFBlock(ctx context.Context, clientIP, path, rule string)

LogWAFBlock emits a structured slog event for a WAF block decision. This is the canonical log site for WAF block actions; all callers that need to record a blocked request should route through this function.

func LogWAFDetect added in v1.0.13

func LogWAFDetect(ctx context.Context, clientIP, path, rule string)

LogWAFDetect emits a structured slog event for a WAF detection (log-only) hit.

func LogWAFEnable added in v1.0.13

func LogWAFEnable(ctx context.Context, projectDir string)

LogWAFEnable emits a structured slog event when the WAF is first enabled.

func LogWAFModeChange added in v1.0.13

func LogWAFModeChange(ctx context.Context, oldMode, newMode WAFMode)

LogWAFModeChange emits a structured slog event when the WAF mode is changed.

Types

type PermissionFinding

type PermissionFinding struct {
	Path         string
	CurrentMode  os.FileMode
	RequiredMode os.FileMode
	Reason       string
}

PermissionFinding describes a file whose current permissions differ from what the security policy requires.

func AuditProjectPermissions

func AuditProjectPermissions(projectDir string) ([]PermissionFinding, error)

AuditProjectPermissions walks projectDir and checks each file against the sensitivePatterns map. Files whose current mode is more permissive than required are reported as PermissionFinding values.

Directories are skipped; only regular files are evaluated.

type WAFEvent added in v1.0.13

type WAFEvent struct {
	Timestamp time.Time
	ClientIP  string
	Path      string
	Rule      string
	Severity  string
	Action    string
}

WAFEvent holds a single parsed WAF audit log entry.

func ParseWAFEvent added in v1.0.13

func ParseWAFEvent(line string) (WAFEvent, bool)

ParseWAFEvent parses a single line from the Coraza WAF audit log. Lines that do not match the expected format are returned with ok=false.

Expected format (space-separated, subset of Coraza Serial audit log):

[timestamp] client=<ip> path=<path> rule=<id> severity=<sev> action=<act>

func ReadWAFAuditLogFromContainer added in v1.0.13

func ReadWAFAuditLogFromContainer(ctx context.Context, workdir string) ([]WAFEvent, int, error)

ReadWAFAuditLogFromContainer reads the WAF audit log from the nginx container and returns parsed events. workdir is the nself project directory.

func ScanWAFAuditLog added in v1.0.13

func ScanWAFAuditLog(ctx context.Context, r io.Reader) ([]WAFEvent, int, error)

ScanWAFAuditLog reads WAF audit log lines from r and returns parsed events. Lines that cannot be parsed are counted and logged at debug level. Returns all successfully parsed events and the count of unparseable lines.
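The line format given for ParseWAFEvent and the unparseable-line count described for ScanWAFAuditLog, as an added Go example that is not this package's own code: it assumes the timestamp is RFC3339 (the page does not say), drops the ctx argument and the slog debug output, and uses a constructed sample log.

```go
package main
import (
	"bufio"
	"io"
	"strings"
	"time"
)
// WAFEvent mirrors the struct documented on this page.
type WAFEvent struct {
	Timestamp                              time.Time
	ClientIP, Path, Rule, Severity, Action string
}
// SampleLog is constructed input, not real Coraza output: one valid line, one missing its action.
const SampleLog = "[2026-05-03T10:15:00Z] client=203.0.113.7 path=/login rule=942100 severity=CRITICAL action=block\n" +
	"[2026-05-03T10:15:01Z] client=203.0.113.8 path=/ rule=941100 severity=CRITICAL\n"
// ParseWAFEvent parses "[timestamp] client=<ip> path=<path> rule=<id> severity=<sev> action=<act>".
// Assumes an RFC3339 timestamp (not stated on the page); a missing, unknown, empty or duplicate key rejects the line.
func ParseWAFEvent(line string) (WAFEvent, bool) {
	line = strings.TrimSpace(line)
	end := strings.Index(line, "]") // -1 makes line[:0] == "", which fails to parse below
	ts, err := time.Parse("["+time.RFC3339+"]", line[:end+1])
	if err != nil {
		return WAFEvent{}, false
	}
	ev := WAFEvent{Timestamp: ts}
	fields := map[string]*string{"client": &ev.ClientIP, "path": &ev.Path,
		"rule": &ev.Rule, "severity": &ev.Severity, "action": &ev.Action}
	seen := 0
	for _, kv := range strings.Fields(line[end+1:]) {
		k, v, ok := strings.Cut(kv, "=")
		dst, known := fields[k]
		if !ok || !known || v == "" || *dst != "" {
			return WAFEvent{}, false // malformed token, unknown key, empty value or duplicate key
		}
		*dst, seen = v, seen+1
	}
	return ev, seen == len(fields) // every documented field must be present
}
// ScanWAFAuditLog returns parsed events plus the count of unparseable lines (blank lines ignored); ctx and slog omitted.
func ScanWAFAuditLog(r io.Reader) (events []WAFEvent, bad int, err error) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if ev, ok := ParseWAFEvent(sc.Text()); ok {
			events = append(events, ev)
		} else if strings.TrimSpace(sc.Text()) != "" {
			bad++
		}
	}
	return events, bad, sc.Err()
}
```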

type WAFMode added in v1.0.13

type WAFMode string

WAFMode represents the Coraza WAF enforcement mode.

const (
	WAFModeOff       WAFMode = "off"
	WAFModeDetection WAFMode = "detection"
	WAFModeBlocking  WAFMode = "blocking"
)
