Repository scanning (dcg scan) for destructive commands.
This module is intentionally extractor-based (not naive substring grep). The core idea is to extract only executable contexts from files, then evaluate extracted commands using the shared evaluator pipeline.
Extraction contract
Each extractor returns ExtractedCommand entries:
- file, line, optional col
- extractor_id identifying the execution context (e.g. shell.script)
- command (the extracted executable command text)
- optional metadata (structured context for debugging / future UX)
Extractors MUST be conservative: if unsure whether something is executed, prefer returning no extraction rather than producing false positives.
Output schema (v1)
dcg scan --format json emits a ScanReport containing:
- stable ordering of findings (deterministic output for CI / PR comments)
- decision in {allow, warn, deny}
- severity in {info, warning, error}
- stable rule_id (pack_id:pattern_name) when available
Note: the shared evaluator currently only blocks deny-by-default pack rules. Scan output uses this evaluator behavior for parity.
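As an added example, not part of dcg's own code: a minimal Rust extractor for Dockerfile RUN instructions that follows the extraction contract above (it skips exec-form and heredoc instructions rather than guessing at their executable text), together with a stable sort of the results that matches the deterministic-ordering requirement of the output schema. The ExtractedCommand struct shape, the extractor id string dockerfile.run, the function names and the sample Dockerfile are assumptions constructed for this illustration; the project's real types and extractors may differ.

```rust
// Added example (not dcg's own code): a conservative extractor for Dockerfile
// RUN instructions following the ExtractedCommand contract, plus a stable sort.
// The struct shape, field types and the "dockerfile.run" id are assumptions.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ExtractedCommand {
    pub file: String,
    pub line: usize,                // 1-based line where the instruction starts
    pub col: Option<usize>,         // optional; this extractor does not track it
    pub extractor_id: &'static str, // execution context, e.g. "dockerfile.run"
    pub command: String,            // the extracted executable command text
    pub metadata: Option<String>,   // optional structured context for debugging
}

/// Extract shell-form `RUN` commands from a Dockerfile.
///
/// Conservative by design: exec-form (`RUN ["..."]`) and heredoc (`RUN <<EOF`)
/// instructions are skipped instead of guessed at, because their executable
/// text is not plain shell on the instruction line.
pub fn extract_dockerfile_run(file: &str, text: &str) -> Vec<ExtractedCommand> {
    let mut out = Vec::new();
    let mut lines = text.lines().enumerate();
    while let Some((idx, raw)) = lines.next() {
        let trimmed = raw.trim_start();
        // Dockerfile instructions are case-insensitive; require "RUN" + whitespace.
        let rest = match trimmed.get(..3) {
            Some(kw) if kw.eq_ignore_ascii_case("run") => &trimmed[3..],
            _ => continue,
        };
        if !rest.starts_with(char::is_whitespace) {
            continue; // e.g. "RUNNING=1" is not a RUN instruction
        }
        // Join backslash continuations into one logical command, tolerating the
        // comment lines Dockerfile allows inside a continued instruction.
        let mut cmd = rest.trim().to_string();
        while cmd.ends_with('\\') {
            cmd.pop();
            cmd = cmd.trim_end().to_string();
            match lines.next() {
                Some((_, next)) if next.trim_start().starts_with('#') => cmd.push('\\'),
                Some((_, next)) => {
                    cmd.push(' ');
                    cmd.push_str(next.trim());
                }
                None => break,
            }
        }
        // Drop leading instruction flags such as `--mount=...`; shell text follows them.
        let mut body = cmd.trim();
        while body.starts_with("--") {
            body = match body.find(char::is_whitespace) {
                Some(i) => body[i..].trim_start(),
                None => "",
            };
        }
        if body.is_empty() || body.starts_with('[') || body.starts_with("<<") {
            continue; // exec form, heredoc or empty: unsure, so extract nothing
        }
        out.push(ExtractedCommand {
            file: file.to_string(),
            line: idx + 1,
            col: None,
            extractor_id: "dockerfile.run",
            command: body.to_string(),
            metadata: None,
        });
    }
    out
}

/// Stable ordering so repeated scans produce byte-identical output (CI / PR comments).
pub fn sort_extracted(cmds: &mut [ExtractedCommand]) {
    cmds.sort_by(|a, b| {
        (a.file.as_str(), a.line, a.col, a.extractor_id, a.command.as_str())
            .cmp(&(b.file.as_str(), b.line, b.col, b.extractor_id, b.command.as_str()))
    });
}

/// Constructed sample input (not from any real project).
pub const SAMPLE_DOCKERFILE: &str = r#"FROM debian:12
# constructed sample: build dependencies
run apt-get update && \
    apt-get install -y curl
RUN ["sh", "-c", "echo exec-form"]
RUN --mount=type=cache,target=/var/cache/apt apt-get install -y git
RUN <<EOF
echo heredoc body
EOF
"#;

fn main() {
    let mut cmds = extract_dockerfile_run("Dockerfile", SAMPLE_DOCKERFILE);
    sort_extracted(&mut cmds);
    for c in &cmds {
        println!("{}:{} [{}] {}", c.file, c.line, c.extractor_id, c.command);
    }
}
```

On the sample above only the two shell-form instructions (lines 3 and 6) are extracted; the exec-form and heredoc instructions yield nothing, which is the behaviour the contract asks for when an extractor cannot be sure what is executed.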
Structs
- ExtractedCommand - Extracted executable command from a file.
- HooksToml - Project-level scan config for repo integrations (pre-commit/CI).
- HooksTomlScan
- HooksTomlScanPaths
- ScanDecisionCounts - Counts of findings by decision.
- ScanEvalContext - Precomputed evaluator context for scanning.
- ScanFinding - A scan finding produced by evaluating an extracted command.
- ScanOptions - In-memory scan configuration (CLI + defaults).
- ScanReport - Complete scan output (stable JSON schema).
- ScanSeverityCounts - Counts of findings by severity.
- ScanSummary - Summary statistics for a scan run.
- SkippedEntry - One file or top-level path that was skipped during scanning, with the reason it was skipped. The reason field is a stable lower-snake-case label so JSON consumers can branch on it.
Enums
- ScanDecision - Scan decision for an extracted command.
- ScanFailOn - Controls scan failure behavior (CI integration).
- ScanFormat - Scan output format.
- ScanRedactMode - Redaction mode for scan output.
- ScanSeverity - Scan severity (used for --fail-on policy).
- SkipReason - Why a file or path was skipped during scanning. Serialized as lower-snake-case strings for JSON stability.
Constants
- SCAN_HEREDOC_MIN_TIMEOUT_MS - Minimum heredoc-extraction timeout the scan path enforces (milliseconds).
- SCAN_SCHEMA_VERSION
Functions
- build_report
- evaluate_extracted_command
- extract_azure_pipelines_from_str - Extract commands from Azure Pipelines YAML files.
- extract_circleci_from_str - Extract commands from CircleCI config files.
- extract_docker_compose_from_str - Extract executable commands from docker-compose files.
- extract_dockerfile_from_str - Extract commands from Dockerfile RUN instructions.
- extract_github_actions_workflow_from_str - Extract commands from GitHub Actions workflow run steps.
- extract_gitlab_ci_from_str
- extract_makefile_from_str - Extract commands from Makefile recipe lines.
- extract_package_json_from_str - Extract executable scripts from package.json.
- extract_shell_script_from_str - Extract commands from shell scripts (.sh, .bash files).
- extract_terraform_from_str - Extract commands from Terraform provisioner blocks.
- parse_hooks_toml - Parse .dcg/hooks.toml and return (typed config, warnings).
- redact_aggressively
- redact_quoted_strings
- scan_paths - Scan file paths (directories are expanded recursively).
- scan_paths_with_progress - Scan file paths with optional progress reporting.
- should_fail
- sort_findings
Type Aliases
- ScanProgressCallback - Progress callback for scan operations.