Expand description
Scope filtering for post-evaluation stages.
A Scope decides, on a per-result basis, whether a post-engine stage
should act on a given EvaluationResult. Enrichers apply it after
the kind-vs-body filter and before
Enricher::enrich runs, so a stage
pays no I/O cost for results it would have ignored anyway.
Three independent axes:
rules: rule-id exact match or rule-title glob (viaglobset).tags: tag-set intersection with prefix wildcard support (attack.*matchesattack.t1059.001).levels: severity membership.
All three axes are AND-ed when configured: a stage acts only when
every populated axis matches. Empty axes are not filters (an empty
tags: [] does not exclude every result; it means “no tag constraint”).
Structs§
- Scope
- Scope filter applied per result before a post-engine stage acts.