Index ¶
- Constants
- Variables
- func CacheDir(ref RuleRef) (string, error)
- func FetchRuleRepo(registry string, ref RuleRef, w io.Writer) (string, error)
- func Fingerprint(ruleID, artifactURI string, startLine int) string
- func LoadAllModules(defaultFS embed.FS, disableDefault bool, ruleRefs []RuleRef, registry string, ...) (map[string]string, error)
- func LoadFileContents(input *ScanInput, maxSize int64)
- func PrintPrettySummary(report *SASTReport, resultsOnly bool)
- func ResolveURL(registry string, ref RuleRef) string
- func ResolvedFingerprints(oldLog *SARIFLog, newFindings []Finding) []string
- func WriteSARIF(log *SARIFLog, path string) error
- type Engine
- type EvalOptions
- type Finding
- type RuleMetadata
- type RuleRef
- type SARIFArtifact
- type SARIFArtifactLocation
- type SARIFLocation
- type SARIFLog
- type SARIFMessage
- type SARIFPhysicalLocation
- type SARIFPropertyBag
- type SARIFRegion
- type SARIFReportingDescriptor
- type SARIFResult
- type SARIFRun
- type SARIFSnippet
- type SARIFTool
- type SARIFToolDriver
- type SASTReport
- type ScanInput
Constants ¶
// DefaultRegistry is the base URL used when --rule-registry is not set.
// External rule repositories are resolved against the registry (see
// ResolveURL) and then cloned and evaluated (see FetchRuleRepo), so the
// registry in effect decides where executable rule content is sourced from.
const DefaultRegistry = "https://github.com"
DefaultRegistry is the base URL used when --rule-registry is not set.
Variables ¶
// DefaultRulesFS holds the built-in .rego rule files compiled into the binary.
// The embed directive is not shown in this rendering; the rules/ directory is
// documented as relative to this file (internal/sast/rules/).
var DefaultRulesFS embed.FS
DefaultRulesFS holds the built-in .rego rule files compiled into the binary. The rules/ directory is relative to this file (internal/sast/rules/).
// SeverityLabel maps a rule severity to the human-readable semantic label
// shown to users. Keys are the five severity strings used by rule metadata.
var SeverityLabel = map[string]string{
	"critical": "Dangerous",
	"high":     "Risky",
	"medium":   "Quality",
	"low":      "Style",
	"info":     "Tentative",
}
SeverityLabel maps severity to the human-readable semantic label.
// SeverityToLevel maps a rule severity to the default SARIF level used when a
// rule does not explicitly set "level" in its metadata. Note that "critical"
// and "high" both collapse to "error", and "low" and "info" both collapse to
// "note", so the SARIF level alone does not preserve the full severity scale.
// NOTE(review): RuleMetadata.EffectiveLevel is documented as deriving the
// level from severity; presumably it consults this map — confirm.
var SeverityToLevel = map[string]string{
	"critical": "error",
	"high":     "error",
	"medium":   "warning",
	"low":      "note",
	"info":     "note",
}
SeverityToLevel maps severity to the default SARIF level when a rule doesn't explicitly set "level" in its metadata.
Functions ¶
func CacheDir ¶
CacheDir returns the OS-native cache directory for a rule repository.
Linux: ~/.cache/vulnetix/rules/&lt;org&gt;/&lt;repo&gt;/
macOS: ~/Library/Caches/vulnetix/rules/&lt;org&gt;/&lt;repo&gt;/
Windows: %LOCALAPPDATA%\vulnetix\rules\&lt;org&gt;\&lt;repo&gt;\
func FetchRuleRepo ¶
FetchRuleRepo clones or pulls a rule repository into the system cache. Returns the local cache path. Prints progress to w.
func Fingerprint ¶
Fingerprint produces a stable hash identifying a finding by rule and location. It is used as the dedup key in memory.yaml and in the SARIF fingerprints map. Returns the first 16 hex characters of SHA-256("&lt;RuleID&gt;\x00&lt;ArtifactURI&gt;\x00&lt;StartLine&gt;"). The truncated digest is a deduplication key only; it is not intended to be collision-resistant or to serve as a security control.
func LoadAllModules ¶
func LoadAllModules( defaultFS embed.FS, disableDefault bool, ruleRefs []RuleRef, registry string, w io.Writer, ) (map[string]string, error)
LoadAllModules loads default embedded rules and any external --rule repos. If disableDefault is true, embedded rules are skipped. Returns map[filename]source for all loaded .rego files.
func LoadFileContents ¶
LoadFileContents populates input.FileContents for files matching the given language extensions. Files over maxSize bytes and binary files are skipped.
func PrintPrettySummary ¶
func PrintPrettySummary(report *SASTReport, resultsOnly bool)
PrintPrettySummary prints a styled SAST findings table to stdout. If resultsOnly is true, stays silent when there are no findings.
func ResolveURL ¶
ResolveURL builds the git clone URL from a registry base URL and rule reference.
func ResolvedFingerprints ¶
ResolvedFingerprints returns fingerprints present in the old SARIF log but absent from the new findings. These represent resolved findings.
func WriteSARIF ¶
WriteSARIF serializes a SARIF log to the given file path.
Types ¶
type Engine ¶
// Engine compiles Rego modules and evaluates them against a filesystem scan.
// Its fields are unexported; see Evaluate and ListRules for its behaviour.
type Engine struct {
	// contains filtered or unexported fields
}
Engine compiles Rego modules and evaluates them against a filesystem scan.
func (*Engine) Evaluate ¶
func (e *Engine) Evaluate(opts EvalOptions) (*SASTReport, error)
Evaluate runs all loaded Rego policies against the filesystem rooted at the scan root given in opts.
func (*Engine) ListRules ¶
func (e *Engine) ListRules() ([]RuleMetadata, error)
ListRules extracts metadata from all loaded rule packages without running detection. Used for --list-default-rules.
type EvalOptions ¶
EvalOptions configures the SAST evaluation.
type Finding ¶
// Finding is decoded from each element of the Rego "findings" set. The
// detection fields (ArtifactURI, StartLine, Snippet) are produced by rule
// logic; Fingerprint and Metadata are filled in by the engine after
// evaluation and are excluded from JSON.
//
// NOTE(review): Message, ArtifactURI and Snippet are rule-controlled strings
// that flow into the SARIF output and the terminal summary; confirm that the
// renderers treat them as data rather than interpreting them.
type Finding struct {
	// RuleID names the rule that produced the finding.
	RuleID string `json:"rule_id"`
	// Message is the rule-supplied description of the finding.
	Message string `json:"message"`
	// ArtifactURI identifies the file the finding refers to (set by Rego logic).
	ArtifactURI string `json:"artifact_uri"`
	// Severity is the rule's severity string.
	Severity string `json:"severity"`
	// Level is the SARIF level recorded for the finding.
	Level string `json:"level"`
	// StartLine is the line on which the finding starts (set by Rego logic).
	StartLine int `json:"start_line"`
	// EndLine is the optional last line of the finding; omitted from JSON when zero.
	EndLine int `json:"end_line,omitempty"`
	// Snippet is the source excerpt reported by the rule (set by Rego logic).
	Snippet string `json:"snippet"`
	// Fingerprint is the dedup hash computed by the engine (see Fingerprint); not serialized.
	Fingerprint string `json:"-"`
	// Metadata is the rule's resolved metadata attached by the engine; not serialized.
	Metadata *RuleMetadata `json:"-"`
}
Finding is unmarshaled from each element of the Rego "findings" set. Detection fields (ArtifactURI, StartLine, Snippet) are set by Rego logic. Fingerprint and Metadata are set by the engine after evaluation.
type RuleMetadata ¶
// RuleMetadata is decoded from the Rego "metadata" constant object. Each
// field maps directly to the JSON key named in its tag.
type RuleMetadata struct {
	// ID is the rule identifier.
	ID string `json:"id"`
	// Name is the rule's display name.
	Name string `json:"name"`
	// Description is the rule's longer description.
	Description string `json:"description"`
	// HelpURI is the "help_uri" link provided by the rule.
	HelpURI string `json:"help_uri"`
	// Languages lists the languages the rule applies to.
	Languages []string `json:"languages"`
	// Severity is the rule severity; expected to be one of the keys of
	// SeverityLabel / SeverityToLevel — confirm against rule authoring docs.
	Severity string `json:"severity"`
	// Level is an explicit SARIF level; when empty, EffectiveLevel derives one from Severity.
	Level string `json:"level"`
	// Kind is the rule's "kind" value.
	Kind string `json:"kind"`
	// CWE is the rule's "cwe" array of integers (presumably CWE numeric IDs).
	CWE []int `json:"cwe"`
	// CAPEC is the rule's "capec" array of strings.
	CAPEC []string `json:"capec"`
	// ATTACKTech is the rule's "attack_technique" array of strings.
	ATTACKTech []string `json:"attack_technique"`
	// CVSSv4 is the rule's "cvssv4" string.
	CVSSv4 string `json:"cvssv4"`
	// CWSS is the rule's "cwss" string.
	CWSS string `json:"cwss"`
	// Tags lists free-form tags attached to the rule.
	Tags []string `json:"tags"`
}
RuleMetadata is unmarshaled from the Rego "metadata" constant object. Every field maps directly to the JSON keys used in the Rego policy.
func (*RuleMetadata) EffectiveLevel ¶
func (m *RuleMetadata) EffectiveLevel() string
EffectiveLevel returns the SARIF level for a rule — the explicit level if set, otherwise derived from severity.
type RuleRef ¶
RuleRef identifies an external rule repository by org and repo name.
func ParseRuleRef ¶
ParseRuleRef parses an "org/repo" string taken from a --rule flag value.
type SARIFArtifact ¶
// SARIFArtifact describes an artifact referenced by results.
type SARIFArtifact struct {
	// Location points at the artifact; omitted from JSON when nil.
	Location *SARIFArtifactLocation `json:"location,omitempty"`
}
SARIFArtifact describes an artifact referenced by results.
type SARIFArtifactLocation ¶
// SARIFArtifactLocation is a URI reference to an artifact.
type SARIFArtifactLocation struct {
	// URI is the artifact's location as a SARIF "uri" string.
	URI string `json:"uri"`
}
SARIFArtifactLocation is a URI reference to an artifact.
type SARIFLocation ¶
// SARIFLocation describes where a result was found.
type SARIFLocation struct {
	// PhysicalLocation is the file-and-region location; omitted from JSON when nil.
	PhysicalLocation *SARIFPhysicalLocation `json:"physicalLocation,omitempty"`
}
SARIFLocation describes where a result was found.
type SARIFLog ¶
// SARIFLog is the top-level SARIF document.
type SARIFLog struct {
	// Schema is the SARIF "$schema" URI.
	Schema string `json:"$schema"`
	// Version is the SARIF format version.
	Version string `json:"version"`
	// Runs holds the analysis runs contained in the log.
	Runs []SARIFRun `json:"runs"`
}
SARIFLog is the top-level SARIF document.
func BuildSARIF ¶
func BuildSARIF(findings []Finding, rules []RuleMetadata, toolVersion string) *SARIFLog
BuildSARIF converts findings and rules into a SARIF 2.1.0 log.
func LoadExistingSARIF ¶
LoadExistingSARIF reads a SARIF log from disk. Returns nil if the file does not exist.
type SARIFMessage ¶
// SARIFMessage is a SARIF message object.
type SARIFMessage struct {
	// Text is the plain-text message.
	Text string `json:"text"`
}
SARIFMessage is a SARIF message object.
type SARIFPhysicalLocation ¶
// SARIFPhysicalLocation identifies a file and a region within it.
type SARIFPhysicalLocation struct {
	// ArtifactLocation identifies the file; omitted from JSON when nil.
	ArtifactLocation *SARIFArtifactLocation `json:"artifactLocation,omitempty"`
	// Region identifies the lines within the file; omitted from JSON when nil.
	Region *SARIFRegion `json:"region,omitempty"`
}
SARIFPhysicalLocation identifies a file and region.
type SARIFPropertyBag ¶
SARIFPropertyBag is a property bag for extensible metadata.
type SARIFRegion ¶
// SARIFRegion identifies a portion of an artifact.
type SARIFRegion struct {
	// StartLine is the first line of the region; omitted from JSON when zero.
	StartLine int `json:"startLine,omitempty"`
	// EndLine is the last line of the region; omitted from JSON when zero.
	EndLine int `json:"endLine,omitempty"`
	// Snippet holds the region's source text; omitted from JSON when nil.
	Snippet *SARIFSnippet `json:"snippet,omitempty"`
}
SARIFRegion identifies a portion of an artifact.
type SARIFReportingDescriptor ¶
// SARIFReportingDescriptor describes a rule in the tool driver's rule list.
type SARIFReportingDescriptor struct {
	// ID is the rule identifier referenced by SARIFResult.RuleID.
	ID string `json:"id"`
	// Name is the rule's display name; omitted from JSON when empty.
	Name string `json:"name,omitempty"`
	// ShortDescription is a brief description of the rule; omitted from JSON when nil.
	ShortDescription *SARIFMessage `json:"shortDescription,omitempty"`
	// HelpURI links to further documentation; omitted from JSON when empty.
	HelpURI string `json:"helpUri,omitempty"`
	// Properties carries extensible rule metadata.
	Properties SARIFPropertyBag `json:"properties,omitempty"`
}
SARIFReportingDescriptor describes a rule.
type SARIFResult ¶
// SARIFResult represents a single finding.
type SARIFResult struct {
	// RuleID references the SARIFReportingDescriptor that produced the result.
	RuleID string `json:"ruleId"`
	// Level is the SARIF level; omitted from JSON when empty.
	Level string `json:"level,omitempty"`
	// Kind is the SARIF result kind; omitted from JSON when empty.
	Kind string `json:"kind,omitempty"`
	// Message is the result's message.
	Message SARIFMessage `json:"message"`
	// Locations lists where the result was found; omitted from JSON when empty.
	Locations []SARIFLocation `json:"locations,omitempty"`
	// Fingerprints holds dedup keys (see Fingerprint); omitted from JSON when empty.
	Fingerprints map[string]string `json:"fingerprints,omitempty"`
	// Properties carries extensible result metadata.
	Properties SARIFPropertyBag `json:"properties,omitempty"`
}
SARIFResult represents a single finding.
type SARIFRun ¶
// SARIFRun represents a single analysis run.
type SARIFRun struct {
	// Tool describes the analysis tool that produced the run.
	Tool SARIFTool `json:"tool"`
	// Results lists the run's findings; always serialized, even when empty.
	Results []SARIFResult `json:"results"`
	// Artifacts lists files referenced by results; omitted from JSON when empty.
	Artifacts []SARIFArtifact `json:"artifacts,omitempty"`
}
SARIFRun represents a single analysis run.
type SARIFSnippet ¶
// SARIFSnippet holds a text snippet from the source.
type SARIFSnippet struct {
	// Text is the excerpted source text.
	Text string `json:"text"`
}
SARIFSnippet holds a text snippet from the source.
type SARIFTool ¶
// SARIFTool describes the analysis tool.
type SARIFTool struct {
	// Driver is the primary tool component.
	Driver SARIFToolDriver `json:"driver"`
}
SARIFTool describes the analysis tool.
type SARIFToolDriver ¶
// SARIFToolDriver describes the primary analysis tool component.
type SARIFToolDriver struct {
	// Name is the tool name.
	Name string `json:"name"`
	// Version is the tool version; omitted from JSON when empty.
	Version string `json:"version,omitempty"`
	// InformationURI links to the tool's documentation; omitted from JSON when empty.
	InformationURI string `json:"informationUri,omitempty"`
	// Rules lists the rules known to the tool; omitted from JSON when empty.
	Rules []SARIFReportingDescriptor `json:"rules,omitempty"`
}
SARIFToolDriver describes the primary analysis tool component.
type SASTReport ¶
// SASTReport holds the results of a SAST evaluation run.
type SASTReport struct {
	// Findings is every finding produced by the evaluated rules.
	Findings []Finding
	// Rules is the metadata of the rules that participated in the run.
	Rules []RuleMetadata
	// RulesLoaded counts the rules that were loaded for the run.
	RulesLoaded int
}
SASTReport holds the results of a SAST evaluation run.
type ScanInput ¶
// ScanInput is serialized to JSON and passed to OPA as the input document.
// Everything in it is visible to every loaded rule, including externally
// fetched ones, so it defines what rule code can observe about the scanned tree.
type ScanInput struct {
	// FileSet maps each relative file path to true for O(1) existence checks in Rego.
	FileSet map[string]bool `json:"file_set"`
	// DirsByLanguage maps language name to directories containing that language's indicator files.
	DirsByLanguage map[string][]string `json:"dirs_by_language"`
	// FileContents maps relative path to file text. Populated lazily by
	// LoadFileContents when content-level rules are present; files larger than
	// the caller-supplied maxSize and binary files are skipped. Omitted from
	// JSON when empty.
	FileContents map[string]string `json:"file_contents,omitempty"`
	// ScanRoot is the absolute path being scanned (for display; rules use relative paths).
	ScanRoot string `json:"scan_root"`
}
ScanInput is serialized to JSON and passed as the OPA input document.