zift 0.1.5

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

use std::path::PathBuf;

use serde::{Deserialize, Serialize};

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Finding {
    pub id: String,
    pub file: PathBuf,
    pub line_start: usize,
    pub line_end: usize,
    pub code_snippet: String,
    pub language: Language,
    pub category: AuthCategory,
    pub confidence: Confidence,
    pub description: String,
    pub pattern_rule: Option<String>,
    pub rego_stub: Option<String>,
    pub pass: ScanPass,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, clap::ValueEnum)]
#[serde(rename_all = "snake_case")]
pub enum AuthCategory {
    Rbac,
    Abac,
    Middleware,
    #[value(name = "business-rule")]
    BusinessRule,
    Ownership,
    #[value(name = "feature-gate")]
    FeatureGate,
    Custom,
}

impl AuthCategory {
    /// Snake_case wire form, matching the serde `rename_all = "snake_case"`
    /// applied to this enum. Use this anywhere the canonical wire spelling
    /// is needed (JSON map keys, prompt schema enum, MCP tool args).
    /// Distinct from [`std::fmt::Display`], which produces a human-friendly
    /// form (`"Business Rule"`) — mixing the two in one JSON document
    /// produces inconsistent keys (e.g. summary `"business rule"` vs.
    /// finding `"business_rule"`), which breaks consumers grouping by
    /// category.
    pub fn slug(&self) -> &'static str {
        match self {
            AuthCategory::Rbac => "rbac",
            AuthCategory::Abac => "abac",
            AuthCategory::Middleware => "middleware",
            AuthCategory::BusinessRule => "business_rule",
            AuthCategory::Ownership => "ownership",
            AuthCategory::FeatureGate => "feature_gate",
            AuthCategory::Custom => "custom",
        }
    }
}

#[derive(
    Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize, clap::ValueEnum,
)]
#[serde(rename_all = "lowercase")]
pub enum Confidence {
    Low,
    Medium,
    High,
}

impl std::str::FromStr for Confidence {
    type Err = String;
    fn from_str(s: &str) -> std::result::Result<Self, Self::Err> {
        match s.to_lowercase().as_str() {
            "low" => Ok(Confidence::Low),
            "medium" => Ok(Confidence::Medium),
            "high" => Ok(Confidence::High),
            _ => Err(format!("unknown confidence level: {s}")),
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum ScanPass {
    Structural,
    Semantic,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize, clap::ValueEnum)]
#[serde(rename_all = "lowercase")]
pub enum Language {
    Java,
    #[serde(rename = "typescript")]
    #[value(name = "typescript")]
    TypeScript,
    #[serde(rename = "javascript")]
    #[value(name = "javascript")]
    JavaScript,
    Python,
    Go,
    #[serde(rename = "csharp")]
    #[value(name = "csharp")]
    CSharp,
    Kotlin,
    Ruby,
    Php,
}

impl std::fmt::Display for Language {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Language::Java => write!(f, "java"),
            Language::TypeScript => write!(f, "typescript"),
            Language::JavaScript => write!(f, "javascript"),
            Language::Python => write!(f, "python"),
            Language::Go => write!(f, "go"),
            Language::CSharp => write!(f, "csharp"),
            Language::Kotlin => write!(f, "kotlin"),
            Language::Ruby => write!(f, "ruby"),
            Language::Php => write!(f, "php"),
        }
    }
}

impl std::fmt::Display for AuthCategory {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            AuthCategory::Rbac => write!(f, "RBAC"),
            AuthCategory::Abac => write!(f, "ABAC"),
            AuthCategory::Middleware => write!(f, "Middleware"),
            AuthCategory::BusinessRule => write!(f, "Business Rule"),
            AuthCategory::Ownership => write!(f, "Ownership"),
            AuthCategory::FeatureGate => write!(f, "Feature Gate"),
            AuthCategory::Custom => write!(f, "Custom"),
        }
    }
}

impl std::fmt::Display for Confidence {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Confidence::Low => write!(f, "low"),
            Confidence::Medium => write!(f, "medium"),
            Confidence::High => write!(f, "high"),
        }
    }
}