Documentation

Overview

Package engine provides an implementation of the profile-engine-related objects, interfaces and functionality.

Index
- Constants
- func GetRulesForEntity(p *pb.Profile, entity pb.Entity) ([]*pb.Profile_Rule, error)
- func GetRulesFromProfileOfType(p *minderv1.Profile, rt *minderv1.RuleType) ([]*minderv1.Profile_Rule, error)
- func MergeDatabaseGetIntoProfiles(ppl []db.GetProfileByProjectAndIDRow) map[string]*pb.Profile
- func MergeDatabaseListIntoProfiles[T db.ProfileRow](ppl []T) map[string]*pb.Profile
- func ParseJSON(r io.Reader) (*pb.Profile, error)
- func ParseYAML(r io.Reader) (*pb.Profile, error)
- func ReadProfileFromFile(fpath string) (*pb.Profile, error)
- func RuleDefFromDB(r *db.RuleType) (*minderv1.RuleType_Definition, error)
- func RuleTypePBFromDB(rt *db.RuleType) (*minderv1.RuleType, error)
- func TraverseAllRulesForPipeline(p *pb.Profile, fn func(*pb.Profile_Rule) error) error
- func TraverseRuleTypesForEntities(p *pb.Profile, fn func(pb.Entity, *pb.Profile_Rule) error) error
- func TraverseRules(rules []*pb.Profile_Rule, fn func(*pb.Profile_Rule) error) error
- func WithEntityContext(ctx context.Context, c *EntityContext) context.Context
- type EntityContext
- type Executor
- type ExecutorOption
- type Project
- type Provider
- type RuleMeta
- type RuleTypeEngine
- func (r *RuleTypeEngine) Actions(ctx context.Context, inf *entities.EntityInfoWrapper, ...) enginerr.ActionsError
- func (r *RuleTypeEngine) Eval(ctx context.Context, inf *entities.EntityInfoWrapper, ...) error
- func (r *RuleTypeEngine) GetActionsOnOff() map[engif.ActionType]engif.ActionOpt
- func (r *RuleTypeEngine) GetID() string
- func (r *RuleTypeEngine) GetRuleInstanceValidator() *RuleValidator
- func (r *RuleTypeEngine) WithIngesterCache(ingestCache ingestcache.Cache) *RuleTypeEngine
- type RuleValidationError
- type RuleValidator
Constants

```go
const (
	// DefaultExecutionTimeout is the timeout for execution of a set
	// of profiles on an entity.
	DefaultExecutionTimeout = 5 * time.Minute
	// ArtifactSignatureWaitPeriod is the waiting period for potential artifact signature to be available
	// before proceeding with evaluation.
	ArtifactSignatureWaitPeriod = 10 * time.Second
)
```
Variables

This section is empty.

Functions

func GetRulesForEntity

```go
func GetRulesForEntity(p *pb.Profile, entity pb.Entity) ([]*pb.Profile_Rule, error)
```

GetRulesForEntity returns the rules in the profile that apply to the given entity.

func GetRulesFromProfileOfType

```go
func GetRulesFromProfileOfType(p *minderv1.Profile, rt *minderv1.RuleType) ([]*minderv1.Profile_Rule, error)
```

GetRulesFromProfileOfType returns the rules in the profile that are of the given rule type.

func MergeDatabaseGetIntoProfiles

```go
func MergeDatabaseGetIntoProfiles(ppl []db.GetProfileByProjectAndIDRow) map[string]*pb.Profile
```

MergeDatabaseGetIntoProfiles merges the rows returned by the database get-profile query into a map of profiles. This assumes that the profiles belong to the same project.

TODO(jaosorior): This will have to consider the project tree once we migrate to that.

func MergeDatabaseListIntoProfiles

```go
func MergeDatabaseListIntoProfiles[T db.ProfileRow](ppl []T) map[string]*pb.Profile
```

MergeDatabaseListIntoProfiles merges the rows returned by the database list-profiles query into a map of profiles. This assumes that the profiles belong to the same project.

TODO(jaosorior): This will have to consider the project tree once we migrate to that.

func ReadProfileFromFile

```go
func ReadProfileFromFile(fpath string) (*pb.Profile, error)
```

ReadProfileFromFile reads a pipeline profile from a file and returns it as a protobuf message.

func RuleDefFromDB

```go
func RuleDefFromDB(r *db.RuleType) (*minderv1.RuleType_Definition, error)
```

RuleDefFromDB converts a rule type definition from the database into a protobuf rule type definition.

func RuleTypePBFromDB

```go
func RuleTypePBFromDB(rt *db.RuleType) (*minderv1.RuleType, error)
```

RuleTypePBFromDB converts a rule type from the database into a protobuf rule type.

func TraverseAllRulesForPipeline

```go
func TraverseAllRulesForPipeline(p *pb.Profile, fn func(*pb.Profile_Rule) error) error
```

TraverseAllRulesForPipeline traverses all rules of the given pipeline profile and calls the given function for each rule.

func TraverseRuleTypesForEntities (added in v0.0.38)

```go
func TraverseRuleTypesForEntities(p *pb.Profile, fn func(pb.Entity, *pb.Profile_Rule) error) error
```

TraverseRuleTypesForEntities traverses the rules of the profile for each entity type and calls the given function with the entity and the rule.

func TraverseRules

```go
func TraverseRules(rules []*pb.Profile_Rule, fn func(*pb.Profile_Rule) error) error
```

TraverseRules traverses the rules and calls the given function for each rule. Traversal stops at the first error returned by the function.

TODO: do we want to collect and return _all_ errors, rather than just the first, to prevent whack-a-mole fixing?

func WithEntityContext

```go
func WithEntityContext(ctx context.Context, c *EntityContext) context.Context
```

WithEntityContext stores an EntityContext in the given context and returns the derived context.
Types

type EntityContext

EntityContext is the context of an entity. It carries the project and provider information needed to retrieve the full information about an entity.

func EntityFromContext

```go
func EntityFromContext(ctx context.Context) EntityContext
```

EntityFromContext extracts the current EntityContext from the context, WHICH MAY BE NIL if none was stored with WithEntityContext!

func (*EntityContext) Validate (added in v0.0.27)

```go
func (c *EntityContext) Validate(ctx context.Context, q db.Querier, providerStore providers.ProviderStore) error
```

Validate validates that the entity context contains values (project and provider) that are present in the DB.

func (*EntityContext) ValidateProject (added in v0.0.39)

ValidateProject validates that the entity context contains a project that is present in the DB.

type Executor

```go
type Executor struct {
	// contains filtered or unexported fields
}
```

Executor is the engine that executes the rules for a given event.

func NewExecutor

```go
func NewExecutor(
	ctx context.Context,
	querier db.Store,
	authCfg *serverconfig.AuthConfig,
	provCfg *serverconfig.ProviderConfig,
	evt events.Publisher,
	providerStore providers.ProviderStore,
	opts ...ExecutorOption,
) (*Executor, error)
```

NewExecutor creates a new executor, applying the given options.

func (*Executor) HandleEntityEvent

HandleEntityEvent handles events coming from webhooks/signals as well as the init event.

type ExecutorOption

```go
type ExecutorOption func(*Executor)
```

ExecutorOption is a function that modifies an executor; it is passed to NewExecutor.

func WithMiddleware (added in v0.0.25)

```go
func WithMiddleware(mdw message.HandlerMiddleware) ExecutorOption
```

WithMiddleware sets the aggregator middleware for the executor.

func WithProviderMetrics

```go
func WithProviderMetrics(mt providertelemetry.ProviderMetrics) ExecutorOption
```

WithProviderMetrics sets the provider metrics for the executor.

func WithRestClientCache (added in v0.0.31)

```go
func WithRestClientCache(cache ratecache.RestClientCache) ExecutorOption
```

WithRestClientCache sets the REST client cache for the executor.

type Project

Project is a construct relevant to an entity's context. It is needed for getting the full information about an entity.

type Provider

```go
type Provider struct {
	Name string
}
```

Provider is a construct relevant to an entity's context. It is needed for getting the full information about an entity.

type RuleMeta

```go
type RuleMeta struct {
	// Name is the name of the rule
	Name string
	// Organization is the ID of the organization that this rule is for
	Organization *string
	// Project is the ID of the project that this rule is for
	Project *string
}
```

RuleMeta is the metadata for a rule.

TODO: We probably should care about a version.

type RuleTypeEngine

```go
type RuleTypeEngine struct {
	Meta RuleMeta
	// contains filtered or unexported fields
}
```

RuleTypeEngine is the engine for a rule type. It builds the multiple sections of the rule type (ingestion, evaluation and actions) and instantiates the needed drivers for them.

func NewRuleTypeEngine

```go
func NewRuleTypeEngine(
	ctx context.Context,
	p *minderv1.Profile,
	rt *minderv1.RuleType,
	cli *providers.ProviderBuilder,
) (*RuleTypeEngine, error)
```

NewRuleTypeEngine creates a new rule type engine for the given profile and rule type.

func (*RuleTypeEngine) Actions

```go
func (r *RuleTypeEngine) Actions(
	ctx context.Context,
	inf *entities.EntityInfoWrapper,
	params engif.ActionsParams,
) enginerr.ActionsError
```

Actions runs all actions for the rule type engine against the given entity.

func (*RuleTypeEngine) Eval

```go
func (r *RuleTypeEngine) Eval(ctx context.Context, inf *entities.EntityInfoWrapper, params engif.EvalParamsReadWriter) error
```

Eval runs the rule type engine against the given entity.

func (*RuleTypeEngine) GetActionsOnOff (added in v0.0.25)

```go
func (r *RuleTypeEngine) GetActionsOnOff() map[engif.ActionType]engif.ActionOpt
```

GetActionsOnOff returns the on/off state of each action type.

func (*RuleTypeEngine) GetID

```go
func (r *RuleTypeEngine) GetID() string
```

GetID returns the ID of the rule type. The ID is meant to be a serializable unique identifier for the rule type.

func (*RuleTypeEngine) GetRuleInstanceValidator

```go
func (r *RuleTypeEngine) GetRuleInstanceValidator() *RuleValidator
```

GetRuleInstanceValidator returns the rule instance validator for this rule type. By instance we mean a rule that has been instantiated in a profile from a given rule type.

func (*RuleTypeEngine) WithIngesterCache

```go
func (r *RuleTypeEngine) WithIngesterCache(ingestCache ingestcache.Cache) *RuleTypeEngine
```

WithIngesterCache sets the ingester cache for the rule type engine and returns the engine for chaining.

type RuleValidationError

RuleValidationError is used to report errors from evaluating a rule, including attribution of the particular error encountered.

func (*RuleValidationError) Error

```go
func (e *RuleValidationError) Error() string
```

Error implements error.Error.

func (*RuleValidationError) String

```go
func (e *RuleValidationError) String() string
```

String implements fmt.Stringer.

type RuleValidator

```go
type RuleValidator struct {
	// contains filtered or unexported fields
}
```

RuleValidator takes a rule type and validates an instance of it. The main purpose of this is to validate the schemas that are associated with the rule.

func NewRuleValidator

```go
func NewRuleValidator(rt *minderv1.RuleType) (*RuleValidator, error)
```

NewRuleValidator creates a new rule validator for the given rule type.

func (*RuleValidator) ValidateParamsAgainstSchema

```go
func (r *RuleValidator) ValidateParamsAgainstSchema(params *structpb.Struct) error
```

ValidateParamsAgainstSchema validates the given parameters against the parameter schema for this rule type.

func (*RuleValidator) ValidateRuleDefAgainstSchema

```go
func (r *RuleValidator) ValidateRuleDefAgainstSchema(contextualProfile map[string]any) error
```

ValidateRuleDefAgainstSchema validates the given contextual profile (the rule definition as written in the profile) against the definition schema for this rule type.

Source Files
Directories

Path | Synopsis |
---|---|
actions | Package actions provides necessary interfaces and implementations for processing actions, such as remediation and alerts. |
alert | Package alert provides necessary interfaces and implementations for processing alerts. |
alert/noop | Package noop provides a fallback alert engine for cases where no alert is set. |
alert/security_advisory | Package security_advisory provides necessary interfaces and implementations for creating alerts of type security advisory. |
remediate | Package remediate provides necessary interfaces and implementations for remediating rules. |
remediate/gh_branch_protect | Package gh_branch_protect provides the GitHub branch protection remediation engine. |
remediate/noop | Package noop provides a fallback remediation engine for cases where no remediation is set. |
remediate/pull_request | Package pull_request provides the pull request remediation engine. |
remediate/rest | Package rest provides the REST remediation engine. |
entities | Package entities contains internal helper functions to deal with, validate and print the Entity protobuf enum. |
errors | Package errors provides errors for the evaluator engine. |
eval | Package eval provides necessary interfaces and implementations for evaluating rules. |
homoglyphs/application | Package application contains the application logic for the homoglyphs rule type. |
homoglyphs/communication | Package communication contains the communication logic for the homoglyphs rule type. |
homoglyphs/domain | Package domain contains the domain logic for the homoglyphs rule type. |
homoglyphs/domain/resources | Package resources contains resources used by the homoglyphs evaluators. |
homoglyphs/util | Package util contains utility functions for the homoglyphs evaluation engine. |
jq | Package jq provides the jq profile evaluator. |
pr_actions | Package pr_actions contains shared code to take actions on PRs. |
rego | Package rego provides the rego rule evaluator. |
trusty | Package trusty provides an evaluator that uses the trusty API. |
vulncheck | Package vulncheck provides the vulnerability check evaluator. |
ingestcache | Package ingestcache provides a cache that is used to cache the results of ingesting data. |
ingester | Package ingester provides necessary interfaces and implementations for ingesting data for rules. |
artifact | Package artifact provides the artifact ingestion engine. |
builtin | Package builtin provides the builtin ingestion engine. |
diff | Package diff provides the diff rule data ingest engine. |
git | Package git provides the git rule data ingest engine. |
rest | Package rest provides the REST rule data ingest engine. |
interfaces | Package interfaces provides necessary interfaces and implementations for implementing engine plugins. |