Documentation
Index ¶
- Constants
- Variables
- func BuildSchemaSetFromPolicies(policies map[string]*ast.Module, paths []string, fsys fs.FS, ...) (*ast.SchemaSet, error)
- func BuiltinNamespaces() []string
- func GetInputsContents(inputs []Input) []any
- func IsBuiltinNamespace(namespace string) bool
- func IsDotFile(name string) bool
- func IsJSONFile(name string) bool
- func IsRegoFile(name string) bool
- func LoadEmbeddedLibraries() (map[string]*ast.Module, error)
- func LoadEmbeddedPolicies() (map[string]*ast.Module, error)
- func LoadPoliciesFromDirs(target fs.FS, paths ...string) (map[string]*ast.Module, error)
- func NewEngineMetadata(schema string, meta map[string]any) (*scan.EngineMetadata, error)
- func ParseRegoModule(name, input string) (*ast.Module, error)
- func RegisterRegoRules(modules map[string]*ast.Module)
- func WithCustomSchemas(schemas map[string][]byte) options.ScannerOption
- func WithDataDirs(paths ...string) options.ScannerOption
- func WithDataFilesystem(fsys fs.FS) options.ScannerOption
- func WithEmbeddedLibraries(include bool) options.ScannerOption
- func WithEmbeddedPolicies(include bool) options.ScannerOption
- func WithFrameworks(frameworks ...framework.Framework) options.ScannerOption
- func WithIncludeDeprecatedChecks(include bool) options.ScannerOption
- func WithPerResultTracing(enabled bool) options.ScannerOption
- func WithPolicyDirs(paths ...string) options.ScannerOption
- func WithPolicyFilesystem(fsys fs.FS) options.ScannerOption
- func WithPolicyNamespaces(namespaces ...string) options.ScannerOption
- func WithPolicyReader(readers ...io.Reader) options.ScannerOption
- func WithRegoErrorLimits(limit int) options.ScannerOption
- func WithRegoScanner(rs *Scanner) options.ScannerOption
- func WithTrace(w io.Writer) options.ScannerOption
- func WithTrivyVersion(version string) options.ScannerOption
- type DynamicMetadata
- type Input
- type InputOptions
- type MetadataRetriever
- type RegoModuleFilter
- type RegoScannerProvider
- type Scanner
- type Selector
- type StaticMetadata
- type SubType
Constants ¶
const CompileErrorLimit = 10
CompileErrorLimit defines the default compile error limit. We set this value explicitly instead of relying on OPA's ast.CompileErrorLimitDefault to avoid dependency on potential upstream changes.
Variables ¶
// LoadAndRegister loads the embedded policies and libraries and registers
// them as Rego rules. It runs the work at most once: later calls return
// immediately, and if the first run panicked the same panic is re-raised.
// A failure to load either embedded module set is treated as fatal (panic)
// rather than returned to the caller.
var LoadAndRegister = sync.OnceFunc(registerEmbeddedModules)

// registerEmbeddedModules merges the embedded libraries into the embedded
// policies and registers the combined module set. It is only ever invoked
// through LoadAndRegister.
func registerEmbeddedModules() {
	policies, err := LoadEmbeddedPolicies()
	if err != nil {
		panic(err)
	}
	libs, err := LoadEmbeddedLibraries()
	if err != nil {
		panic(err)
	}
	// Libraries overwrite policies on key collision, matching maps.Copy semantics.
	maps.Copy(policies, libs)
	RegisterRegoRules(policies)
}
Functions ¶
func BuiltinNamespaces ¶ added in v0.51.0
func BuiltinNamespaces() []string
func GetInputsContents ¶
func IsBuiltinNamespace ¶ added in v0.51.0
func IsJSONFile ¶
func IsRegoFile ¶
func LoadPoliciesFromDirs ¶
func NewEngineMetadata ¶
func ParseRegoModule ¶ added in v0.61.0
func RegisterRegoRules ¶
func WithCustomSchemas ¶ added in v0.56.0
func WithCustomSchemas(schemas map[string][]byte) options.ScannerOption
func WithDataDirs ¶ added in v0.56.0
func WithDataDirs(paths ...string) options.ScannerOption
func WithDataFilesystem ¶ added in v0.56.0
func WithDataFilesystem(fsys fs.FS) options.ScannerOption
func WithEmbeddedLibraries ¶ added in v0.56.0
func WithEmbeddedLibraries(include bool) options.ScannerOption
func WithEmbeddedPolicies ¶ added in v0.56.0
func WithEmbeddedPolicies(include bool) options.ScannerOption
func WithFrameworks ¶ added in v0.58.0
func WithFrameworks(frameworks ...framework.Framework) options.ScannerOption
func WithIncludeDeprecatedChecks ¶ added in v0.58.0
func WithIncludeDeprecatedChecks(include bool) options.ScannerOption
func WithPerResultTracing ¶ added in v0.56.0
func WithPerResultTracing(enabled bool) options.ScannerOption
func WithPolicyDirs ¶ added in v0.56.0
func WithPolicyDirs(paths ...string) options.ScannerOption
func WithPolicyFilesystem ¶ added in v0.56.0
func WithPolicyFilesystem(fsys fs.FS) options.ScannerOption
func WithPolicyNamespaces ¶ added in v0.56.0
func WithPolicyNamespaces(namespaces ...string) options.ScannerOption
WithPolicyNamespaces sets the namespaces that identify Rego policies containing enforced rules.
func WithPolicyReader ¶ added in v0.56.0
func WithPolicyReader(readers ...io.Reader) options.ScannerOption
func WithRegoErrorLimits ¶ added in v0.56.0
func WithRegoErrorLimits(limit int) options.ScannerOption
func WithRegoScanner ¶ added in v0.62.0
func WithRegoScanner(rs *Scanner) options.ScannerOption
func WithTrace ¶ added in v0.56.0
func WithTrace(w io.Writer) options.ScannerOption
WithTrace specifies an io.Writer for trace logs (mainly Rego tracing); if it is not set, trace output is discarded.
func WithTrivyVersion ¶ added in v0.63.0
func WithTrivyVersion(version string) options.ScannerOption
Types ¶
type DynamicMetadata ¶
type InputOptions ¶
// InputOptions holds the Selectors attached to a policy's static metadata
// (see StaticMetadata.InputOptions).
type InputOptions struct {
	// Selectors restricting which inputs the policy applies to — the exact
	// matching rules live in Selector and are not shown here.
	Selectors []Selector
}
type MetadataRetriever ¶
// MetadataRetriever resolves the StaticMetadata of a module via
// RetrieveMetadata. Construct it with NewMetadataRetriever, which takes the
// *ast.Compiler the modules were compiled with.
type MetadataRetriever struct {
	// contains filtered or unexported fields
}
func NewMetadataRetriever ¶
func NewMetadataRetriever(compiler *ast.Compiler) *MetadataRetriever
func (*MetadataRetriever) RetrieveMetadata ¶
func (m *MetadataRetriever) RetrieveMetadata(ctx context.Context, module *ast.Module, contents ...any) (*StaticMetadata, error)
type RegoModuleFilter ¶ added in v0.64.0
// RegoModuleFilter reports whether a module, given its StaticMetadata, is
// allowed through (true) or dropped (false). Filters provided by this
// package: FrameworksFilter, IncludeDeprecatedFilter, TrivyVersionFilter.
type RegoModuleFilter func(module *ast.Module, metadata *StaticMetadata) bool
func FrameworksFilter ¶ added in v0.64.0
func FrameworksFilter(frameworks []framework.Framework) RegoModuleFilter
FrameworksFilter returns a filter that allows only modules associated with the specified frameworks.
func IncludeDeprecatedFilter ¶ added in v0.64.0
func IncludeDeprecatedFilter(include bool) RegoModuleFilter
IncludeDeprecatedFilter returns a filter that allows deprecated modules if the include flag is true.
func TrivyVersionFilter ¶ added in v0.64.0
func TrivyVersionFilter(trivyVer string) RegoModuleFilter
TrivyVersionFilter returns a filter that allows only those modules that are compatible with the given version of Trivy.
type RegoScannerProvider ¶ added in v0.62.0
// RegoScannerProvider produces a Scanner from scanner options. Create it with
// NewRegoScannerProvider and obtain the Scanner with InitRegoScanner, which
// takes the fs.FS the policies are read from.
type RegoScannerProvider struct {
	// contains filtered or unexported fields
}
func NewRegoScannerProvider ¶ added in v0.62.0
func NewRegoScannerProvider(opts ...options.ScannerOption) *RegoScannerProvider
func (*RegoScannerProvider) InitRegoScanner ¶ added in v0.62.0
func (s *RegoScannerProvider) InitRegoScanner(fsys fs.FS, opts []options.ScannerOption) (*Scanner, error)
type Scanner ¶
// Scanner is the Rego scanner built by NewScanner (or by
// RegoScannerProvider.InitRegoScanner) and injected into other scanners via
// WithRegoScanner. Its configuration comes entirely from options.ScannerOption
// values; the fields are unexported.
type Scanner struct {
	// contains filtered or unexported fields
}
func NewScanner ¶
func NewScanner(opts ...options.ScannerOption) *Scanner
type StaticMetadata ¶
// StaticMetadata is the per-module rule metadata read from a module's
// annotations (see MetadataFromAnnotations and FromAnnotations) and converted
// to a scan.Rule by ToRule.
type StaticMetadata struct {
	// Deprecated flags the module as deprecated; IncludeDeprecatedFilter
	// decides whether such modules are kept.
	Deprecated bool
	ID         string
	// Deprecated: Use the ID field instead.
	AVDID              string
	Title              string
	ShortCode          string
	Aliases            []string
	Description        string
	Severity           string
	RecommendedActions string
	PrimaryURL         string
	References         []string
	// InputOptions carries the Selectors that scope the rule to inputs.
	InputOptions InputOptions
	Package      string
	// Frameworks maps each framework to its control identifiers; consulted by
	// FrameworksFilter.
	Frameworks map[framework.Framework][]string
	Provider   string
	Service    string
	// Library is presumably true for library modules (shared helpers rather
	// than enforced rules) loaded via LoadEmbeddedLibraries — confirm against
	// the loader.
	Library bool
	// CloudFormation and Terraform hold engine-specific metadata; they appear
	// to be built with NewEngineMetadata — confirm.
	CloudFormation *scan.EngineMetadata
	Terraform      *scan.EngineMetadata
	Examples       string
	// MinimumTrivyVersion is the version TrivyVersionFilter checks the given
	// Trivy version against; the comparison rules are not shown here.
	MinimumTrivyVersion string
}
func MetadataFromAnnotations ¶ added in v0.61.0
func MetadataFromAnnotations(module *ast.Module) (*StaticMetadata, error)
func NewStaticMetadata ¶
func NewStaticMetadata(pkgPath string, inputOpt InputOptions) *StaticMetadata
func (*StaticMetadata) FromAnnotations ¶
func (sm *StaticMetadata) FromAnnotations(annotations *ast.Annotations) error
func (*StaticMetadata) ToRule ¶
func (sm *StaticMetadata) ToRule() scan.Rule