Overview ¶
Package codesecurity provides the consolidated code security analyzer
Package codesecurity provides the consolidated code security analyzer ¶
Crypto features (merged from the code-crypto analyzer): ciphers, keys, random, tls, certificates.
Package codesecurity provides the consolidated code security analyzer ¶
Package codesecurity provides the consolidated code security analyzer ¶
Package codesecurity provides the consolidated code security analyzer ¶
Package codesecurity provides the consolidated code security analyzer ¶
Package codesecurity provides the consolidated code security analyzer. Features: vulns, secrets, api, ciphers, keys, random, tls, certificates.
Index ¶
- Constants
- func CalculateEntropy(s string) float64
- func ClearRAGGitHistoryCache()
- func ClearRAGSecretsCache()
- func ConvertToSensitiveFilePatterns(ragPatterns []*RAGGitHistoryPattern) []sensitiveFilePattern
- func CountFalsePositives(findings []SecretFinding) (falsePositives, confirmed int)
- func GetRAGGitHistoryPatternCounts() (gitignore int, sensitive int)
- func GetRAGPatternCount() int
- func GetRAGPatternSummary() map[string]int
- func GetServiceProvider(secretType string) string
- func LoadRAGGitHistoryPatterns() (gitignore []*RAGGitHistoryPattern, sensitive []*RAGGitHistoryPattern, ...)
- type AIAnalysisConfig
- type AIAnalyzer
- type APIConfig
- type APIFinding
- type APIPattern
- type APIPatternLoader
- type APISummary
- type CertFinding
- type CertInfo
- type CertificatesConfig
- type CertificatesResult
- type CertificatesSummary
- type CipherFinding
- type CiphersConfig
- type CiphersSummary
- type CodeSecurityAnalyzer
- func (s *CodeSecurityAnalyzer) Dependencies() []string
- func (s *CodeSecurityAnalyzer) Description() string
- func (s *CodeSecurityAnalyzer) EstimateDuration(fileCount int) time.Duration
- func (s *CodeSecurityAnalyzer) Name() string
- func (s *CodeSecurityAnalyzer) Requirements() analyzer.AnalyzerRequirements
- func (s *CodeSecurityAnalyzer) Run(ctx context.Context, opts *analyzer.ScanOptions) (*analyzer.ScanResult, error)
- type CommitInfo
- type EntropyAnalyzer
- type EntropyConfig
- type EntropyResult
- type FeatureConfig
- type Findings
- type GitHistoryConfig
- type GitHistoryResult
- type GitHistoryScanner
- type GitHistorySecurityConfig
- type GitHistorySecurityResult
- type GitHistorySecurityScanner
- type GitHistorySecuritySummary
- type GitignoreViolation
- type HistoricalEvent
- type IaCSecretsConfig
- type KeyFinding
- type KeysConfig
- type KeysSummary
- type NativeSecretsScanner
- type OpenAPIComponents
- type OpenAPIInfo
- type OpenAPISpec
- type Operation
- type Parameter
- type PathItem
- type PurgeRecommendation
- type RAGGitHistoryPattern
- type RAGSecretPattern
- type RandomConfig
- type RandomFinding
- type RandomSummary
- type RequestBody
- type Response
- type Result
- type RotationDatabase
- type RotationGuide
- type Schema
- type SecretFinding
- type SecretPattern
- type SecretsConfig
- type SecretsSummary
- type SecurityScheme
- type SensitiveFileFinding
- type Summary
- type TLSConfig
- type TLSFinding
- type TLSSummary
- type VulnFinding
- type VulnsConfig
- type VulnsSummary
Constants ¶
// Analyzer identity and version string. Name is presumably what
// (*CodeSecurityAnalyzer).Name reports to the framework — confirm.
const (
	Name    = "code-security"
	Version = "3.2.0"
)
Variables ¶
This section is empty.
Functions ¶
func CalculateEntropy ¶
CalculateEntropy computes the Shannon entropy of a string. It returns a value between 0 and 8 (bits per character, for a base-256 character set).
func ClearRAGGitHistoryCache ¶
func ClearRAGGitHistoryCache()
ClearRAGGitHistoryCache clears the cached patterns (useful for testing)
func ClearRAGSecretsCache ¶
func ClearRAGSecretsCache()
ClearRAGSecretsCache clears the cached patterns (useful for testing)
func ConvertToSensitiveFilePatterns ¶
func ConvertToSensitiveFilePatterns(ragPatterns []*RAGGitHistoryPattern) []sensitiveFilePattern
ConvertToSensitiveFilePatterns converts RAG patterns to sensitiveFilePattern structs for use with the git history security scanner
func CountFalsePositives ¶
func CountFalsePositives(findings []SecretFinding) (falsePositives, confirmed int)
CountFalsePositives counts findings marked as false positives
func GetRAGGitHistoryPatternCounts ¶
GetRAGGitHistoryPatternCounts returns the count of loaded patterns
func GetRAGPatternCount ¶
func GetRAGPatternCount() int
GetRAGPatternCount returns the number of loaded RAG patterns (for logging)
func GetRAGPatternSummary ¶
GetRAGPatternSummary returns a summary of loaded patterns by category
func GetServiceProvider ¶
GetServiceProvider returns the service provider for a secret type
func LoadRAGGitHistoryPatterns ¶
func LoadRAGGitHistoryPatterns() (gitignore []*RAGGitHistoryPattern, sensitive []*RAGGitHistoryPattern, err error)
LoadRAGGitHistoryPatterns loads all git history security patterns from RAG files. It returns the cached patterns if they have already been loaded.
Types ¶
type AIAnalysisConfig ¶
// AIAnalysisConfig configures the Claude-powered false-positive pass.
//
// NOTE(review): this pass hands findings to an external model service
// (IsAvailable reports that an API key is required). Confirm which fields of
// each finding — in particular Snippet — leave the host before enabling it on
// repositories whose contents must not be shared.
type AIAnalysisConfig struct {
// Turns the AI false-positive pass on or off.
Enabled bool `json:"enabled"`
// Upper bound on findings submitted per run; the default quoted in the
// trailing comment is presumably applied by DefaultConfig — confirm.
MaxFindings int `json:"max_findings"` // Maximum findings to analyze (default: 50)
// AIConfidence at or above this value marks a finding as a false positive
// (compare SecretFinding.AIConfidence, 0.0-1.0).
ConfidenceThreshold float64 `json:"confidence_threshold"` // Threshold to mark as FP (default: 0.8)
}
AIAnalysisConfig configures Claude-powered false positive reduction
type AIAnalyzer ¶
type AIAnalyzer struct {
// contains filtered or unexported fields
}
AIAnalyzer uses Claude to analyze findings for false positives
func NewAIAnalyzer ¶
func NewAIAnalyzer(config AIAnalysisConfig, repoPath string) *AIAnalyzer
NewAIAnalyzer creates a new AI analyzer
func (*AIAnalyzer) AnalyzeFindings ¶
func (a *AIAnalyzer) AnalyzeFindings(ctx context.Context, findings []SecretFinding) ([]SecretFinding, error)
AnalyzeFindings analyzes findings for false positives
func (*AIAnalyzer) IsAvailable ¶
func (a *AIAnalyzer) IsAvailable() bool
IsAvailable reports whether the AI analyzer can be used (an API key is configured)
type APIConfig ¶
type APIConfig struct {
Enabled bool `json:"enabled"`
CheckAuth bool `json:"check_auth"` // Check authentication issues
CheckInjection bool `json:"check_injection"` // Check injection vulnerabilities
CheckSSRF bool `json:"check_ssrf"` // Check SSRF issues
CheckCORS bool `json:"check_cors"` // Check CORS misconfig
CheckOpenAPI bool `json:"check_openapi"` // Validate OpenAPI specs
CheckGraphQL bool `json:"check_graphql"` // Check GraphQL security
CheckOWASPAPI bool `json:"check_owasp_api"` // Map to OWASP API Top 10
// Non-security API quality checks
CheckDesign bool `json:"check_design"` // REST design patterns, naming conventions
CheckPerformance bool `json:"check_performance"` // N+1 queries, pagination, caching
CheckObservability bool `json:"check_observability"` // Logging, error handling, metrics
CheckDocumentation bool `json:"check_documentation"` // API documentation completeness
}
APIConfig configures API scanning (security and quality)
type APIFinding ¶
type APIFinding struct {
RuleID string `json:"rule_id"`
Title string `json:"title"`
Description string `json:"description"`
Severity string `json:"severity"`
Confidence string `json:"confidence,omitempty"` // high, medium, low
File string `json:"file"`
Line int `json:"line"`
Column int `json:"column,omitempty"`
Snippet string `json:"snippet,omitempty"`
Category string `json:"category"`
OWASPApi string `json:"owasp_api,omitempty"`
CWE []string `json:"cwe,omitempty"`
HTTPMethod string `json:"http_method,omitempty"` // GET, POST, PUT, DELETE, etc.
Endpoint string `json:"endpoint,omitempty"` // /api/users, /graphql, etc.
Framework string `json:"framework,omitempty"` // express, fastapi, django, etc.
Remediation string `json:"remediation,omitempty"`
// Evidence for analyst review and rule improvement
Evidence *findings.Evidence `json:"evidence,omitempty"`
}
APIFinding represents an API security finding
type APIPattern ¶
type APIPattern struct {
Name string // Pattern name from section header
Category string // api-auth, api-injection, etc.
Severity string // critical, high, medium, low
Confidence int // 0-100
CWE string // CWE-89, CWE-78, etc.
OWASPApi string // API1:2023, API2:2023, etc.
Pattern string // regex pattern
Languages []string // javascript, typescript, python, etc.
// contains filtered or unexported fields
}
APIPattern represents a parsed RAG pattern for API security
type APIPatternLoader ¶
type APIPatternLoader struct {
// contains filtered or unexported fields
}
APIPatternLoader loads and manages RAG patterns for API security
func NewAPIPatternLoader ¶
func NewAPIPatternLoader() *APIPatternLoader
NewAPIPatternLoader creates a new pattern loader
func (*APIPatternLoader) GetPatterns ¶
func (l *APIPatternLoader) GetPatterns() []APIPattern
GetPatterns returns all loaded patterns
func (*APIPatternLoader) GetPatternsByCategory ¶
func (l *APIPatternLoader) GetPatternsByCategory(category string) []APIPattern
GetPatternsByCategory returns patterns filtered by category
func (*APIPatternLoader) LoadPatterns ¶
func (l *APIPatternLoader) LoadPatterns(ragDir string) error
LoadPatterns loads all API security patterns from the RAG directory
type APISummary ¶
type APISummary struct {
TotalFindings int `json:"total_findings"`
Critical int `json:"critical"`
High int `json:"high"`
Medium int `json:"medium"`
Low int `json:"low"`
ByCategory map[string]int `json:"by_category"`
ByOWASPApi map[string]int `json:"by_owasp_api,omitempty"`
ByFramework map[string]int `json:"by_framework,omitempty"`
EndpointsFound int `json:"endpoints_found,omitempty"`
Error string `json:"error,omitempty"`
}
APISummary contains API security summary
type CertFinding ¶
type CertFinding struct {
Type string `json:"type"`
Severity string `json:"severity"`
File string `json:"file"`
Description string `json:"description"`
Suggestion string `json:"suggestion,omitempty"`
}
CertFinding represents a certificate issue
type CertInfo ¶
type CertInfo struct {
File string `json:"file"`
Subject string `json:"subject"`
Issuer string `json:"issuer"`
NotBefore time.Time `json:"not_before"`
NotAfter time.Time `json:"not_after"`
DaysUntilExp int `json:"days_until_expiry"`
KeyType string `json:"key_type"`
KeySize int `json:"key_size"`
SignatureAlgo string `json:"signature_algorithm"`
IsSelfSigned bool `json:"is_self_signed"`
IsCA bool `json:"is_ca"`
DNSNames []string `json:"dns_names,omitempty"`
Serial string `json:"serial"`
}
CertInfo contains information about an X.509 certificate
type CertificatesConfig ¶
type CertificatesConfig struct {
Enabled bool `json:"enabled"`
ExpiryWarningDays int `json:"expiry_warning_days"` // Warn if expiring within N days
CheckKeyStrength bool `json:"check_key_strength"`
CheckSignatureAlgo bool `json:"check_signature_algo"`
CheckSelfSigned bool `json:"check_self_signed"`
CheckValidityPeriod bool `json:"check_validity_period"`
}
CertificatesConfig configures X.509 certificate analysis
type CertificatesResult ¶
type CertificatesResult struct {
Certificates []CertInfo `json:"certificates"`
Findings []CertFinding `json:"findings,omitempty"`
}
CertificatesResult holds certificate analysis results
type CertificatesSummary ¶
type CertificatesSummary struct {
TotalCertificates int `json:"total_certificates"`
TotalFindings int `json:"total_findings"`
ExpiringSoon int `json:"expiring_soon"`
Expired int `json:"expired"`
WeakKey int `json:"weak_key"`
BySeverity map[string]int `json:"by_severity"`
Error string `json:"error,omitempty"`
}
CertificatesSummary contains certificate analysis summary
type CipherFinding ¶
type CipherFinding struct {
Algorithm string `json:"algorithm"`
Severity string `json:"severity"`
File string `json:"file"`
Line int `json:"line"`
Description string `json:"description"`
Match string `json:"match,omitempty"`
Suggestion string `json:"suggestion"`
CWE string `json:"cwe"`
Source string `json:"source"` // "semgrep" or "pattern"
// Evidence for analyst review and rule improvement
Evidence *findings.Evidence `json:"evidence,omitempty"`
}
CipherFinding represents a weak cipher finding
type CiphersConfig ¶
type CiphersConfig struct {
Enabled bool `json:"enabled"`
UseSemgrep bool `json:"use_semgrep"` // Use Semgrep for AST-based detection
UsePatterns bool `json:"use_patterns"` // Use regex pattern matching
}
CiphersConfig configures weak cipher detection
type CiphersSummary ¶
type CiphersSummary struct {
TotalFindings int `json:"total_findings"`
BySeverity map[string]int `json:"by_severity"`
ByAlgorithm map[string]int `json:"by_algorithm"`
UsedSemgrep bool `json:"used_semgrep"`
Error string `json:"error,omitempty"`
}
CiphersSummary contains weak cipher detection summary
type CodeSecurityAnalyzer ¶
type CodeSecurityAnalyzer struct{}
CodeSecurityAnalyzer consolidates security-focused code analysis
func (*CodeSecurityAnalyzer) Dependencies ¶
func (s *CodeSecurityAnalyzer) Dependencies() []string
func (*CodeSecurityAnalyzer) Description ¶
func (s *CodeSecurityAnalyzer) Description() string
func (*CodeSecurityAnalyzer) EstimateDuration ¶
func (s *CodeSecurityAnalyzer) EstimateDuration(fileCount int) time.Duration
func (*CodeSecurityAnalyzer) Name ¶
func (s *CodeSecurityAnalyzer) Name() string
func (*CodeSecurityAnalyzer) Requirements ¶
func (s *CodeSecurityAnalyzer) Requirements() analyzer.AnalyzerRequirements
Requirements returns what this analyzer needs in order to run properly. Note: git history scanning is optional and gracefully handles shallow clones.
func (*CodeSecurityAnalyzer) Run ¶
func (s *CodeSecurityAnalyzer) Run(ctx context.Context, opts *analyzer.ScanOptions) (*analyzer.ScanResult, error)
type CommitInfo ¶
// CommitInfo identifies the commit in which a history finding was observed.
type CommitInfo struct {
Hash string `json:"hash"`
ShortHash string `json:"short_hash"`
// Author and Email are identity data taken from the commit (presumably the
// author rather than the committer — confirm). They are personal data and are
// serialized into the report, which matters when results are shared.
Author string `json:"author"`
Email string `json:"email"`
// Free-form date string; the format is not fixed by this type — confirm
// against the scanner that populates it.
Date string `json:"date"`
Message string `json:"message"`
// A secret removed in a later commit is still recoverable from history;
// removal is not remediation — the credential still needs rotation.
IsRemoved bool `json:"is_removed"` // Was the secret later removed?
}
CommitInfo contains git commit context for history findings
type EntropyAnalyzer ¶
type EntropyAnalyzer struct {
// contains filtered or unexported fields
}
EntropyAnalyzer detects high-entropy strings that may be secrets
func NewEntropyAnalyzer ¶
func NewEntropyAnalyzer(config EntropyConfig) *EntropyAnalyzer
NewEntropyAnalyzer creates a new entropy analyzer
func (*EntropyAnalyzer) GetEntropyLevel ¶
func (a *EntropyAnalyzer) GetEntropyLevel(entropy float64) string
GetEntropyLevel returns "high", "medium", or "low" based on entropy value
func (*EntropyAnalyzer) ScanDirectory ¶
func (a *EntropyAnalyzer) ScanDirectory(dir string) (*EntropyResult, error)
ScanDirectory scans all code files in a directory for high-entropy strings
func (*EntropyAnalyzer) ScanFile ¶
func (a *EntropyAnalyzer) ScanFile(path string) []SecretFinding
ScanFile scans a single file for high-entropy strings
type EntropyConfig ¶
// EntropyConfig configures entropy-based secret detection.
//
// Thresholds are on the same scale as CalculateEntropy (0-8 bits per
// character). Defaults quoted in the trailing comments are presumably applied
// by DefaultConfig — confirm.
type EntropyConfig struct {
Enabled bool `json:"enabled"`
// Strings shorter than this are never scored; raising it reduces noise from
// short identifiers at the cost of missing short tokens.
MinLength int `json:"min_length"` // Minimum string length to check (default: 16)
HighThreshold float64 `json:"high_threshold"` // Entropy threshold for high confidence (default: 4.5)
MedThreshold float64 `json:"med_threshold"` // Entropy threshold for medium confidence (default: 3.5)
}
EntropyConfig configures entropy-based secret detection
type EntropyResult ¶
type EntropyResult struct {
Findings []SecretFinding
Summary struct {
FilesScanned int
HighEntropy int
MediumEntropy int
}
}
EntropyResult holds results from entropy analysis
type FeatureConfig ¶
type FeatureConfig struct {
Vulns VulnsConfig `json:"vulns"`
Secrets SecretsConfig `json:"secrets"`
API APIConfig `json:"api"`
// Crypto features (merged from code-crypto)
Ciphers CiphersConfig `json:"ciphers"`
Keys KeysConfig `json:"keys"`
Random RandomConfig `json:"random"`
TLS TLSConfig `json:"tls"`
Certificates CertificatesConfig `json:"certificates"`
}
FeatureConfig holds configuration for all code security features
func DefaultConfig ¶
func DefaultConfig() FeatureConfig
DefaultConfig returns default feature configuration
func FullConfig ¶
func FullConfig() FeatureConfig
FullConfig returns config with all features enabled
func QuickConfig ¶
func QuickConfig() FeatureConfig
QuickConfig returns minimal config for fast scans
func SecurityConfig ¶
func SecurityConfig() FeatureConfig
SecurityConfig returns config optimized for security-focused scans
type Findings ¶
type Findings struct {
Vulns []VulnFinding `json:"vulns,omitempty"`
Secrets []SecretFinding `json:"secrets,omitempty"`
API []APIFinding `json:"api,omitempty"`
// Crypto findings (merged from code-crypto)
Ciphers []CipherFinding `json:"ciphers,omitempty"`
Keys []KeyFinding `json:"keys,omitempty"`
Random []RandomFinding `json:"random,omitempty"`
TLS []TLSFinding `json:"tls,omitempty"`
Certificates *CertificatesResult `json:"certificates,omitempty"`
}
Findings holds findings from all features
type GitHistoryConfig ¶
type GitHistoryConfig struct {
Enabled bool `json:"enabled"`
MaxCommits int `json:"max_commits"` // Maximum commits to scan (default: 1000)
MaxAge string `json:"max_age"` // Maximum age to scan, e.g., "90d", "1y" (default: "1y")
ScanRemoved bool `json:"scan_removed"` // Track if secrets were later removed
}
GitHistoryConfig configures git history secret scanning
type GitHistoryResult ¶
type GitHistoryResult struct {
Findings []SecretFinding
CommitsScanned int
SecretsFound int
SecretsRemoved int
}
GitHistoryResult holds results from git history scanning
type GitHistoryScanner ¶
type GitHistoryScanner struct {
// contains filtered or unexported fields
}
GitHistoryScanner scans git history for secrets
func NewGitHistoryScanner ¶
func NewGitHistoryScanner(config GitHistoryConfig) *GitHistoryScanner
NewGitHistoryScanner creates a new git history scanner
func (*GitHistoryScanner) ScanRepository ¶
func (s *GitHistoryScanner) ScanRepository(repoPath string) (*GitHistoryResult, error)
ScanRepository scans git history for secrets
type GitHistorySecurityConfig ¶
type GitHistorySecurityConfig struct {
Enabled bool `json:"enabled"`
MaxCommits int `json:"max_commits"` // Maximum commits to scan (default: 1000)
MaxAge string `json:"max_age"` // Maximum age to scan, e.g., "90d", "1y" (default: "1y")
ScanGitignoreHistory bool `json:"scan_gitignore_history"` // Scan for gitignore violations in history
ScanSensitiveFiles bool `json:"scan_sensitive_files"` // Scan for sensitive file patterns
GeneratePurgeReport bool `json:"generate_purge_report"` // Generate purge recommendations
}
GitHistorySecurityConfig configures git history security scanning
type GitHistorySecurityResult ¶
type GitHistorySecurityResult struct {
// Files matching gitignore patterns found in history
GitignoreViolations []GitignoreViolation `json:"gitignore_violations"`
// Sensitive files found in history
SensitiveFiles []SensitiveFileFinding `json:"sensitive_files"`
// Purge recommendations
PurgeRecommendations []PurgeRecommendation `json:"purge_recommendations"`
// Timeline of when sensitive files were added
Timeline []HistoricalEvent `json:"timeline"`
// Summary statistics
Summary GitHistorySecuritySummary `json:"summary"`
}
GitHistorySecurityResult holds results from git history security scanning
type GitHistorySecurityScanner ¶
type GitHistorySecurityScanner struct {
// contains filtered or unexported fields
}
GitHistorySecurityScanner scans git history for files that should have been purged
func NewGitHistorySecurityScanner ¶
func NewGitHistorySecurityScanner(config GitHistorySecurityConfig) *GitHistorySecurityScanner
NewGitHistorySecurityScanner creates a new git history security scanner
func (*GitHistorySecurityScanner) ScanRepository ¶
func (s *GitHistorySecurityScanner) ScanRepository(repoPath string) (*GitHistorySecurityResult, error)
ScanRepository scans git history for security issues
type GitHistorySecuritySummary ¶
// GitHistorySecuritySummary contains summary statistics for the history scan.
type GitHistorySecuritySummary struct {
TotalViolations int `json:"total_violations"`
GitignoreViolations int `json:"gitignore_violations"`
SensitiveFilesFound int `json:"sensitive_files_found"`
FilesToPurge int `json:"files_to_purge"`
// Number of commits actually inspected. On a shallow clone this is bounded
// by the available depth, so the counts above are a lower bound (see Note).
CommitsScanned int `json:"commits_scanned"`
ByCategory map[string]int `json:"by_category"`
BySeverity map[string]int `json:"by_severity"`
// RiskScore/RiskLevel derivation is not visible here — confirm the
// scoring rules in the scanner before comparing across runs.
RiskScore int `json:"risk_score"`
RiskLevel string `json:"risk_level"`
Note string `json:"note,omitempty"` // Additional notes (e.g., shallow clone warning)
}
GitHistorySecuritySummary contains summary statistics
type GitignoreViolation ¶
type GitignoreViolation struct {
File string `json:"file"`
GitignoreRule string `json:"gitignore_rule"`
FirstCommit *CommitInfo `json:"first_commit"`
LastCommit *CommitInfo `json:"last_commit,omitempty"`
StillExists bool `json:"still_exists"`
WasRemoved bool `json:"was_removed"`
GitignoreAdded string `json:"gitignore_added,omitempty"` // When the gitignore rule was added
}
GitignoreViolation represents a file in history that matches gitignore
type HistoricalEvent ¶
type HistoricalEvent struct {
Date string `json:"date"`
EventType string `json:"event_type"` // "committed", "gitignored", "removed"
File string `json:"file"`
CommitHash string `json:"commit_hash"`
Author string `json:"author"`
Description string `json:"description"`
}
HistoricalEvent represents a timeline event
type IaCSecretsConfig ¶
type IaCSecretsConfig struct {
Enabled bool `json:"enabled"` // Scan IaC files for hardcoded secrets
}
IaCSecretsConfig configures IaC-specific secrets detection
type KeyFinding ¶
type KeyFinding struct {
Type string `json:"type"`
Severity string `json:"severity"`
File string `json:"file"`
Line int `json:"line"`
Description string `json:"description"`
Match string `json:"match,omitempty"`
CWE string `json:"cwe"`
// Evidence for analyst review and rule improvement
Evidence *findings.Evidence `json:"evidence,omitempty"`
}
KeyFinding represents a hardcoded key finding
type KeysConfig ¶
// KeysConfig configures hardcoded key detection.
type KeysConfig struct {
Enabled bool `json:"enabled"`
CheckAPIKeys bool `json:"check_api_keys"`
CheckPrivate bool `json:"check_private_keys"`
CheckAWS bool `json:"check_aws_keys"`
CheckSigning bool `json:"check_signing_keys"`
// When false, KeyFinding.Match presumably carries the matched key material
// verbatim into the report — confirm, and keep this enabled for any output
// that is stored or shared.
RedactMatches bool `json:"redact_matches"` // Redact sensitive values in output
}
KeysConfig configures hardcoded key detection
type KeysSummary ¶
type KeysSummary struct {
TotalFindings int `json:"total_findings"`
BySeverity map[string]int `json:"by_severity"`
ByType map[string]int `json:"by_type"`
Error string `json:"error,omitempty"`
}
KeysSummary contains hardcoded key detection summary
type NativeSecretsScanner ¶
type NativeSecretsScanner struct {
// contains filtered or unexported fields
}
NativeSecretsScanner performs secrets detection without external dependencies
func NewNativeSecretsScanner ¶
func NewNativeSecretsScanner(cfg SecretsConfig) *NativeSecretsScanner
NewNativeSecretsScanner creates a new native secrets scanner
func (*NativeSecretsScanner) GetPatternCount ¶
func (s *NativeSecretsScanner) GetPatternCount() int
GetPatternCount returns the number of loaded patterns
func (*NativeSecretsScanner) GetPatternsByCategory ¶
func (s *NativeSecretsScanner) GetPatternsByCategory() map[string]int
GetPatternsByCategory returns patterns grouped by category
func (*NativeSecretsScanner) ScanDirectory ¶
func (s *NativeSecretsScanner) ScanDirectory(dir string) ([]SecretFinding, *SecretsSummary)
ScanDirectory scans a directory for secrets using native patterns
type OpenAPIComponents ¶
type OpenAPIComponents struct {
SecuritySchemes map[string]SecurityScheme `json:"securitySchemes" yaml:"securitySchemes"`
}
OpenAPIComponents contains reusable components
type OpenAPIInfo ¶
type OpenAPIInfo struct {
Title string `json:"title" yaml:"title"`
Version string `json:"version" yaml:"version"`
}
OpenAPIInfo contains API metadata
type OpenAPISpec ¶
type OpenAPISpec struct {
OpenAPI string `json:"openapi" yaml:"openapi"`
Swagger string `json:"swagger" yaml:"swagger"`
Info OpenAPIInfo `json:"info" yaml:"info"`
Paths map[string]PathItem `json:"paths" yaml:"paths"`
Components OpenAPIComponents `json:"components" yaml:"components"`
Security []map[string][]string `json:"security" yaml:"security"`
}
OpenAPISpec represents a parsed OpenAPI/Swagger specification
type Operation ¶
// Operation represents an API operation from an OpenAPI/Swagger document.
type Operation struct {
OperationID string `json:"operationId" yaml:"operationId"`
Summary string `json:"summary" yaml:"summary"`
Description string `json:"description" yaml:"description"`
// NOTE(review): in OpenAPI an operation-level `security: []` explicitly
// disables the document-level requirement, while an absent key inherits it.
// Both decode to a zero-length slice here unless the decoder distinguishes
// nil from empty — confirm the auth check treats these two cases differently.
Security []map[string][]string `json:"security" yaml:"security"`
Deprecated bool `json:"deprecated" yaml:"deprecated"`
Tags []string `json:"tags" yaml:"tags"`
Parameters []Parameter `json:"parameters" yaml:"parameters"`
RequestBody *RequestBody `json:"requestBody" yaml:"requestBody"`
Responses map[string]Response `json:"responses" yaml:"responses"`
}
Operation represents an API operation
type Parameter ¶
type Parameter struct {
Name string `json:"name" yaml:"name"`
In string `json:"in" yaml:"in"` // query, path, header, cookie
Required bool `json:"required" yaml:"required"`
Schema Schema `json:"schema" yaml:"schema"`
}
Parameter represents an API parameter
type PathItem ¶
type PathItem struct {
Get *Operation `json:"get" yaml:"get"`
Post *Operation `json:"post" yaml:"post"`
Put *Operation `json:"put" yaml:"put"`
Delete *Operation `json:"delete" yaml:"delete"`
Patch *Operation `json:"patch" yaml:"patch"`
Options *Operation `json:"options" yaml:"options"`
}
PathItem represents an API path with its operations
type PurgeRecommendation ¶
// PurgeRecommendation recommends a file to purge from history.
type PurgeRecommendation struct {
File string `json:"file"`
Reason string `json:"reason"`
Severity string `json:"severity"`
Priority int `json:"priority"` // 1 = highest priority
// Command is advisory text for a human operator, not something to execute
// automatically: history rewriting is destructive and changes every
// descendant commit hash, so it should be reviewed against a backup first.
// Purging the file does not replace rotating any credential it contained.
Command string `json:"command"` // BFG or git-filter-repo command
Alternative string `json:"alternative,omitempty"`
AffectedCommits int `json:"affected_commits"`
}
PurgeRecommendation recommends files to purge from history
type RAGGitHistoryPattern ¶
type RAGGitHistoryPattern struct {
Name string
Pattern *regexp.Regexp
RawPattern string
Severity string
Category string
Description string
Type string // "filepath" for file path patterns
}
RAGGitHistoryPattern represents a pattern loaded from RAG files for git history scanning
type RAGSecretPattern ¶
type RAGSecretPattern struct {
Name string
Pattern *regexp.Regexp
RawPattern string
Severity string
Description string
Technology string
Category string
}
RAGSecretPattern represents a secret pattern loaded from RAG files
func LoadRAGSecretPatterns ¶
func LoadRAGSecretPatterns() ([]*RAGSecretPattern, error)
LoadRAGSecretPatterns loads all secret patterns from the RAG patterns.md files. It returns the cached patterns if they have already been loaded.
type RandomConfig ¶
type RandomConfig struct {
Enabled bool `json:"enabled"`
}
RandomConfig configures insecure random detection
type RandomFinding ¶
type RandomFinding struct {
Type string `json:"type"`
Severity string `json:"severity"`
File string `json:"file"`
Line int `json:"line"`
Description string `json:"description"`
Match string `json:"match,omitempty"`
Suggestion string `json:"suggestion"`
CWE string `json:"cwe"`
// Evidence for analyst review and rule improvement
Evidence *findings.Evidence `json:"evidence,omitempty"`
}
RandomFinding represents an insecure random finding
type RandomSummary ¶
type RandomSummary struct {
TotalFindings int `json:"total_findings"`
BySeverity map[string]int `json:"by_severity"`
ByType map[string]int `json:"by_type"`
Error string `json:"error,omitempty"`
}
RandomSummary contains insecure random detection summary
type RequestBody ¶
type RequestBody struct {
Required bool `json:"required" yaml:"required"`
}
RequestBody represents a request body
type Response ¶
type Response struct {
Description string `json:"description" yaml:"description"`
}
Response represents an API response
type Result ¶
type Result struct {
FeaturesRun []string `json:"features_run"`
Summary Summary `json:"summary"`
Findings Findings `json:"findings"`
GitHistorySecurity *GitHistorySecurityResult `json:"git_history_security,omitempty"`
}
Result holds all feature results
type RotationDatabase ¶
type RotationDatabase struct {
// contains filtered or unexported fields
}
RotationDatabase provides rotation guidance for various secret types
func NewRotationDatabase ¶
func NewRotationDatabase() *RotationDatabase
NewRotationDatabase creates a new rotation database with built-in guides
func (*RotationDatabase) GetGuide ¶
func (db *RotationDatabase) GetGuide(secretType string) *RotationGuide
GetGuide returns rotation guidance for a secret type
type RotationGuide ¶
type RotationGuide struct {
Priority string `json:"priority"` // "immediate", "high", "medium", "low"
Steps []string `json:"steps"` // Step-by-step rotation instructions
RotationURL string `json:"rotation_url,omitempty"` // Direct link to rotation page
CLICommand string `json:"cli_command,omitempty"` // CLI command to rotate
AutomationHint string `json:"automation_hint,omitempty"` // Vault, Secrets Manager, etc.
ExpiresIn string `json:"expires_in,omitempty"` // When the secret expires
}
RotationGuide contains remediation guidance for rotating a secret
type Schema ¶
type Schema struct {
Type string `json:"type" yaml:"type"`
}
Schema represents a JSON schema
type SecretFinding ¶
// SecretFinding represents a detected secret together with its confidence,
// provenance, AI assessment and remediation guidance.
type SecretFinding struct {
RuleID string `json:"rule_id"`
Type string `json:"type"`
Severity string `json:"severity"`
Message string `json:"message"`
File string `json:"file"`
Line int `json:"line"`
Column int `json:"column"`
// NOTE(review): Snippet presumably contains the matched text verbatim unless
// SecretsConfig.RedactSecrets is set — confirm that redaction is applied for
// every DetectionSource before the report is written or sent to AI analysis.
Snippet string `json:"snippet"`
// Confidence scoring
Confidence string `json:"confidence"` // "high", "medium", "low"
ConfidenceScore float64 `json:"confidence_score,omitempty"` // 0.0-1.0 numeric score
ConfidenceReason string `json:"confidence_reason,omitempty"` // Why this confidence level
ConfidenceSignals map[string]float64 `json:"confidence_signals,omitempty"` // Individual factors
// Detection source tracking
// Same scale as CalculateEntropy.
Entropy float64 `json:"entropy,omitempty"` // Shannon entropy score (0-8)
EntropyLevel string `json:"entropy_level,omitempty"` // "low", "medium", "high"
DetectionSource string `json:"detection_source,omitempty"` // "semgrep", "entropy", "git_history", "iac-scanner", "native"
IaCType string `json:"iac_type,omitempty"` // terraform, kubernetes, cloudformation, github-actions, helm
// Git history context
// Non-nil only for history findings; a secret that CommitInfo reports as
// removed is still present in history and still needs rotation.
CommitInfo *CommitInfo `json:"commit_info,omitempty"` // For git history findings
// AI analysis results
AIConfidence float64 `json:"ai_confidence,omitempty"` // 0.0-1.0
AIReasoning string `json:"ai_reasoning,omitempty"` // Why it's FP or real
// Pointer so that "not analyzed" (nil, omitted from JSON) is distinguishable
// from "analyzed and judged real" (false).
IsFalsePositive *bool `json:"is_false_positive,omitempty"` // AI determination
// Remediation guidance
Rotation *RotationGuide `json:"rotation,omitempty"` // Rotation steps, URLs, commands
ServiceProvider string `json:"service_provider,omitempty"` // "aws", "github", "stripe", etc.
// Evidence for analyst review and rule improvement
Evidence *findings.Evidence `json:"evidence,omitempty"`
}
SecretFinding represents a detected secret
func EnrichWithRotation ¶
func EnrichWithRotation(findings []SecretFinding, db *RotationDatabase) []SecretFinding
EnrichWithRotation adds rotation guidance to a slice of secret findings
type SecretPattern ¶
type SecretPattern struct {
ID string
Name string
Pattern *regexp.Regexp
RawPattern string
Severity string
Confidence string // "high", "medium", "low" - base confidence for this pattern
Description string
Category string // aws, github, generic, database, etc.
Rotation string // Rotation guidance
}
SecretPattern represents a compiled secret detection pattern
type SecretsConfig ¶
// SecretsConfig configures secret detection and its optional enrichment passes.
type SecretsConfig struct {
Enabled bool `json:"enabled"`
// When false, SecretFinding.Snippet presumably carries matched values
// verbatim into the report — confirm; keep this enabled for any output that
// is persisted or shared.
RedactSecrets bool `json:"redact_secrets"` // Redact secret values in output
// Enhanced detection features
EntropyAnalysis EntropyConfig `json:"entropy_analysis"` // Entropy-based detection
GitHistoryScan GitHistoryConfig `json:"git_history_scan"` // Git history scanning
GitHistorySecurity GitHistorySecurityConfig `json:"git_history_security"` // Git history security (gitignore violations, sensitive files)
// Sends findings to an external model service when enabled; see
// AIAnalysisConfig for what to confirm before turning it on.
AIAnalysis AIAnalysisConfig `json:"ai_analysis"` // Claude-powered FP reduction
RotationGuidance bool `json:"rotation_guidance"` // Add rotation recommendations
IaCSecrets IaCSecretsConfig `json:"iac_secrets"` // IaC-specific secrets detection
}
SecretsConfig configures secret detection
type SecretsSummary ¶
// SecretsSummary contains secret detection summary.
//
// The severity counters (Critical..Low) and TotalFindings are plain counts;
// how RiskScore and RiskLevel are derived from them is not visible here.
// The "Enhanced detection sources" and "AI analysis results" groups are
// omitempty, so they are absent from JSON when the corresponding feature
// produced nothing.
type SecretsSummary struct {
	TotalFindings int            `json:"total_findings"`
	Critical      int            `json:"critical"`
	High          int            `json:"high"`
	Medium        int            `json:"medium"`
	Low           int            `json:"low"`
	RiskScore     int            `json:"risk_score"`
	RiskLevel     string         `json:"risk_level"`
	ByType        map[string]int `json:"by_type"`
	FilesAffected int            `json:"files_affected"`
	// Enhanced detection sources
	BySource        map[string]int `json:"by_source,omitempty"`        // semgrep, entropy, git_history
	EntropyFindings int            `json:"entropy_findings,omitempty"` // Findings from entropy analysis
	HistoryFindings int            `json:"history_findings,omitempty"` // Findings from git history
	RemovedSecrets  int            `json:"removed_secrets,omitempty"`  // Secrets later removed from history
	// AI analysis results
	FalsePositives   int    `json:"false_positives,omitempty"`   // AI-identified false positives
	ConfirmedSecrets int    `json:"confirmed_secrets,omitempty"` // AI-confirmed real secrets
	Error            string `json:"error,omitempty"`             // non-empty when the secrets feature reported an error
}
SecretsSummary contains secret detection summary
type SecurityScheme ¶
// SecurityScheme represents an authentication scheme.
//
// The field set and camelCase tag names (type, scheme, bearerFormat, in,
// name) mirror the OpenAPI securityScheme object, which suggests the value
// is decoded from API specifications in JSON or YAML — confirm with the
// API pattern loader. Tags carry no omitempty, so all fields are emitted.
type SecurityScheme struct {
	Type         string `json:"type" yaml:"type"`                 // e.g. the scheme kind as written in the spec
	Scheme       string `json:"scheme" yaml:"scheme"`             // sub-scheme for "http" type specs, presumably — confirm
	BearerFormat string `json:"bearerFormat" yaml:"bearerFormat"` // informational hint about the bearer token format
	In           string `json:"in" yaml:"in"`                     // where an apiKey-style credential is carried
	Name         string `json:"name" yaml:"name"`                 // header/query/cookie name for apiKey-style schemes
}
SecurityScheme represents an authentication scheme
type SensitiveFileFinding ¶
// SensitiveFileFinding represents a sensitive file found in history.
//
// FirstCommit has no omitempty, so it encodes as null when unset;
// LastCommit is omitted when nil.
//
// NOTE(review): a file that was later deleted from the working tree is
// still recoverable from the repository's history, so WasRemoved describes
// the exposure window, not remediation; the content remains until history
// is rewritten and the secret (if any) is rotated.
type SensitiveFileFinding struct {
	File        string      `json:"file"`
	Category    string      `json:"category"`
	Severity    string      `json:"severity"`
	Description string      `json:"description"`
	FirstCommit *CommitInfo `json:"first_commit"`           // commit that introduced the file; null in JSON when nil
	LastCommit  *CommitInfo `json:"last_commit,omitempty"`  // most recent commit touching the file, when known
	StillExists bool        `json:"still_exists"`           // true when the file is still present
	WasRemoved  bool        `json:"was_removed"`            // true when a later commit deleted the file
	SizeBytes   int64       `json:"size_bytes,omitempty"`   // size of the file content, when available
}
SensitiveFileFinding represents a sensitive file found in history
type Summary ¶
// Summary holds summaries from all features.
//
// Every per-feature summary is a pointer with omitempty, so a feature that
// did not run presumably leaves its field nil and absent from JSON —
// consumers should nil-check before dereferencing. Errors aggregates
// feature-level errors; per-feature summaries also carry their own Error
// field.
type Summary struct {
	Vulns   *VulnsSummary   `json:"vulns,omitempty"`
	Secrets *SecretsSummary `json:"secrets,omitempty"`
	API     *APISummary     `json:"api,omitempty"`
	// Crypto summaries (merged from code-crypto)
	Ciphers      *CiphersSummary      `json:"ciphers,omitempty"`
	Keys         *KeysSummary         `json:"keys,omitempty"`
	Random       *RandomSummary       `json:"random,omitempty"`
	TLS          *TLSSummary          `json:"tls,omitempty"`
	Certificates *CertificatesSummary `json:"certificates,omitempty"`
	Errors       []string             `json:"errors,omitempty"` // analyzer-level errors across features
}
Summary holds summaries from all features
type TLSConfig ¶
// TLSConfig configures TLS misconfiguration detection.
//
// Each Check* flag toggles one class of finding; Enabled gates the feature
// as a whole. Which specific protocol versions or cipher suites count as
// deprecated/weak is decided by the rules, not by this config.
type TLSConfig struct {
	Enabled           bool `json:"enabled"`
	CheckProtocols    bool `json:"check_protocols"`     // Check for deprecated SSL/TLS versions
	CheckVerification bool `json:"check_verification"`  // Check for disabled cert verification
	CheckCipherSuites bool `json:"check_cipher_suites"` // Check for weak cipher suites
	CheckInsecureURLs bool `json:"check_insecure_urls"` // Check for HTTP URLs
}
TLSConfig configures TLS misconfiguration detection
type TLSFinding ¶
// TLSFinding represents a TLS misconfiguration finding.
//
// Match (omitempty) presumably carries the source snippet that triggered
// the rule — confirm. Note that CWE is a single string here while
// VulnFinding.CWE is []string; consumers that aggregate CWE counts across
// finding types need to normalise the two shapes.
type TLSFinding struct {
	Type        string `json:"type"`
	Severity    string `json:"severity"`
	File        string `json:"file"`
	Line        int    `json:"line"`
	Description string `json:"description"`
	Match       string `json:"match,omitempty"` // matched text, when recorded
	Suggestion  string `json:"suggestion"`      // remediation hint shown to the reader
	CWE         string `json:"cwe"`             // single CWE identifier (cf. VulnFinding.CWE, a slice)
	// Evidence for analyst review and rule improvement
	Evidence *findings.Evidence `json:"evidence,omitempty"`
}
TLSFinding represents a TLS misconfiguration finding
type TLSSummary ¶
// TLSSummary contains TLS misconfiguration summary.
//
// BySeverity and ByType are keyed by TLSFinding.Severity and
// TLSFinding.Type respectively, presumably — confirm against the
// aggregation code. Error is set when the TLS feature reported an error.
type TLSSummary struct {
	TotalFindings int            `json:"total_findings"`
	BySeverity    map[string]int `json:"by_severity"`
	ByType        map[string]int `json:"by_type"`
	Error         string         `json:"error,omitempty"`
}
TLSSummary contains TLS misconfiguration summary
type VulnFinding ¶
// VulnFinding represents a code vulnerability finding.
//
// CWE and OWASP hold zero or more identifiers (omitted from JSON when
// empty); Fix is free-text remediation guidance when the rule provides one.
type VulnFinding struct {
	RuleID      string   `json:"rule_id"`
	Title       string   `json:"title"`
	Description string   `json:"description"`
	Severity    string   `json:"severity"`
	File        string   `json:"file"`
	Line        int      `json:"line"`
	Column      int      `json:"column"`
	Category    string   `json:"category,omitempty"`
	CWE         []string `json:"cwe,omitempty"`   // CWE identifiers mapped by the rule
	OWASP       []string `json:"owasp,omitempty"` // OWASP category identifiers mapped by the rule
	Fix         string   `json:"fix,omitempty"`   // remediation text, when available
	// Evidence for analyst review and rule improvement
	Evidence *findings.Evidence `json:"evidence,omitempty"`
}
VulnFinding represents a code vulnerability finding
type VulnsConfig ¶
// VulnsConfig configures code vulnerability scanning.
//
// NOTE(review): ExcludeRules and SeverityMinimum both suppress output
// rather than detection — presumably excluded rule IDs and findings below
// the minimum are never reported, which makes this list a deliberate blind
// spot worth reviewing alongside the findings. Confirm whether matching on
// ExcludeRules is exact or prefix-based.
type VulnsConfig struct {
	Enabled         bool     `json:"enabled"`
	IncludeOWASP    bool     `json:"include_owasp"`    // Include OWASP Top 10 rules
	IncludeCWE      bool     `json:"include_cwe"`      // Include CWE-mapped rules
	SeverityMinimum string   `json:"severity_minimum"` // low, medium, high, critical
	ExcludeRules    []string `json:"exclude_rules"`    // Rule IDs to skip
}
VulnsConfig configures code vulnerability scanning
type VulnsSummary ¶
// VulnsSummary contains code vulnerability summary.
//
// The severity counters mirror those in SecretsSummary; ByCWE and
// ByCategory are omitted from JSON when empty. Error is set when the vulns
// feature reported an error.
type VulnsSummary struct {
	TotalFindings int            `json:"total_findings"`
	Critical      int            `json:"critical"`
	High          int            `json:"high"`
	Medium        int            `json:"medium"`
	Low           int            `json:"low"`
	ByCWE         map[string]int `json:"by_cwe,omitempty"`      // counts keyed by CWE identifier
	ByCategory    map[string]int `json:"by_category,omitempty"` // counts keyed by VulnFinding.Category
	Error         string         `json:"error,omitempty"`
}
VulnsSummary contains code vulnerability summary