Struct FindingExtras

pub struct FindingExtras {
    pub finding_group_id: Option<String>,
    pub time_to_fix: Option<FixEffort>,
    pub compensating_controls: Vec<String>,
    pub suppressed: bool,
    pub original_severity: Option<Severity>,
    pub suppression_reason: Option<String>,
    pub fingerprint_anchor: Option<String>,
    pub confidence_scope: Option<String>,
    pub runtime_preconditions: Vec<String>,
    pub portal_control_dependency: bool,
    pub authority_kinds: Vec<String>,
    pub attacker_surface_kinds: Vec<String>,
    pub template_resolution_strength: Option<String>,
    pub cve_relationship: Option<String>,
}

Optional finding metadata. Lives on every Finding via #[serde(flatten)] so consumers see the fields at the top of the finding object — same place they’d appear if declared inline on Finding. Default-constructed extras serialize to nothing (all Option::None and empty Vecs skip-serialize), so existing snapshots remain byte-stable until a rule populates a field.

Why a wrapper struct? The 30+ rule call sites use struct literal syntax. Adding fields directly to Finding would force every site to edit. With extras: FindingExtras::default(), new extras can be added in a single place.

Fields§

§finding_group_id: Option<String>

Stable UUID v5 over (NAMESPACE, fingerprint) — collapses per-hop findings against the same authority root into one group for SIEM display. See compute_finding_group_id.

§time_to_fix: Option<FixEffort>

Coarse remediation effort. See FixEffort.

§compensating_controls: Vec<String>

Human-readable list of controls that already neutralise (or partially neutralise) this finding — populated when a compensating-control detector downgrades severity. Empty when no downgrade applied.

§suppressed: bool

Set to true by the suppression applicator when a matching .taudit-suppressions.yml entry exists AND the configured mode is Suppress. The finding still appears in output (audit trail preserved) but consumers can filter on this field.

§original_severity: Option<Severity>

Original pre-downgrade severity. Populated by the suppression applicator OR a compensating-control detector when severity is mutated. None means the current severity is the rule-emitted value.

§suppression_reason: Option<String>

Operator-supplied justification from the matching suppression entry. None when no suppression applies.
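The three suppression fields above form one audit-trail contract. As an added example (not taudit's own code), a minimal applicator that enforces it; the Severity and SuppressionMode enums, matching entries by fingerprint, and downgrading a suppressed finding to Info are assumptions made for the illustration.

```rust
// Added example, not taudit's own code: a minimal suppression applicator showing the
// audit-trail contract of `suppressed`, `original_severity` and `suppression_reason`.
// Assumptions: the Severity/SuppressionMode enums, matching entries by fingerprint,
// and downgrading a suppressed finding to Info.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Severity { Critical, High, Medium, Low, Info }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SuppressionMode { Suppress, ReportOnly }

#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct FindingExtras {
    pub suppressed: bool,
    pub original_severity: Option<Severity>,
    pub suppression_reason: Option<String>,
}

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Finding {
    pub rule_id: String,
    pub fingerprint: String,
    pub severity: Severity,
    pub extras: FindingExtras,
}

/// One entry of a constructed `.taudit-suppressions.yml`, matched on the fingerprint.
pub struct SuppressionEntry { pub fingerprint: String, pub reason: String }

/// Applies the first matching entry and returns whether the finding was suppressed.
/// The finding is never dropped: it stays in the output with `suppressed = true` so
/// consumers can filter on it, and the pre-mutation severity is recorded exactly once
/// (an `original_severity` set by an earlier compensating-control downgrade is kept).
pub fn apply_suppression(f: &mut Finding, entries: &[SuppressionEntry], mode: SuppressionMode) -> bool {
    let entry = match entries.iter().find(|e| e.fingerprint == f.fingerprint) {
        Some(e) => e,
        None => return false, // no suppression applies: extras stay default
    };
    if mode != SuppressionMode::Suppress {
        return false; // matched, but the configured mode does not suppress
    }
    f.extras.suppressed = true;
    f.extras.suppression_reason = Some(entry.reason.clone());
    if f.extras.original_severity.is_none() {
        f.extras.original_severity = Some(f.severity);
    }
    f.severity = Severity::Info; // assumed downgrade target
    true
}
fn main() {
    let mut f = Finding { rule_id: "rule".into(), fingerprint: "fp-a".into(), severity: Severity::High, extras: FindingExtras::default() };
    let entries = [SuppressionEntry { fingerprint: "fp-a".into(), reason: "accepted risk".into() }];
    apply_suppression(&mut f, &entries, SuppressionMode::Suppress);
    println!("{f:?}");
}
```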

§fingerprint_anchor: Option<String>

Per-finding stable anchor mixed into the fingerprint canonical string. Populated by rules that have no natural graph node to place in nodes_involved (e.g. ADO resources.repositories[] aliases, GitLab include: entries, workflow-level invariants). When two findings of the same rule fire in the same file, their anchors must differ for the fingerprints to differ.

Round-trips through JSON so external tools that recompute fingerprints from loaded findings get the same value as the emitting taudit run. None (the default) and Some("") are the same equivalence class — both contribute the empty marker to the canonical string.
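To make the anchor's two properties concrete (None and Some("") collapse to one value; two same-rule findings in one file need distinct anchors), here is an added illustration that is not taudit's code: a stand-in canonical string hashed with FNV-1a. The field order, the `|` separator and the hash are assumptions; the real v3 contract is whatever compute_fingerprint defines.

```rust
// Added example, not taudit's code: an illustrative canonical string plus a 64-bit
// FNV-1a hash showing how `fingerprint_anchor` discriminates two findings of one
// rule in one file, and why None and Some("") are the same equivalence class.
// Assumptions: the field order, the `|` separator and the hash; taudit's real v3
// contract is defined by `compute_fingerprint`, not reproduced here.
use std::collections::BTreeSet;

pub struct FindingKey<'a> {
    pub rule_id: &'a str,
    pub file: &'a str,
    pub nodes_involved: &'a [&'a str],
    pub fingerprint_anchor: Option<&'a str>,
}

/// Builds the canonical string. Nodes are sorted and de-duplicated so emission order
/// cannot change the fingerprint; a missing anchor contributes the empty marker,
/// exactly like `Some("")`.
pub fn canonical_string(k: &FindingKey) -> String {
    let nodes: Vec<&str> = k.nodes_involved.iter().copied().collect::<BTreeSet<_>>().into_iter().collect();
    let anchor = k.fingerprint_anchor.unwrap_or("");
    format!("{}|{}|{}|{}", k.rule_id, k.file, nodes.join(","), anchor)
}

/// FNV-1a over the canonical bytes (a stand-in for the real digest).
pub fn fnv1a64(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, &b| (h ^ b as u64).wrapping_mul(0x0000_0100_0000_01b3))
}

pub fn fingerprint(k: &FindingKey) -> String {
    format!("{:016x}", fnv1a64(canonical_string(k).as_bytes()))
}

pub const NO_NODES: &[&str] = &[];

fn main() {
    // Two ADO `resources.repositories[]` aliases in one pipeline file: same rule, no
    // graph node, so only the anchor keeps the two fingerprints apart.
    for alias in ["repositories[templates]", "repositories[shared]"] {
        let k = FindingKey { rule_id: "ado-repo-alias", file: "azure-pipelines.yml", nodes_involved: NO_NODES, fingerprint_anchor: Some(alias) };
        println!("{alias} -> {}", fingerprint(&k));
    }
}
```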

§confidence_scope: Option<String>

Scope of confidence for this finding. Current built-in rules are yaml_only: taudit has proved a static authority shape in the scanned YAML artifact, but runtime/provider settings may still affect exploitability.

§runtime_preconditions: Vec<String>

Human-readable runtime or control-plane assumptions that must be verified before treating the static finding as live exploitability.

§portal_control_dependency: bool

True when exploitability materially depends on provider-side controls not represented in the YAML artifact, such as Azure DevOps service connection authorization or GitHub repository settings.

§authority_kinds: Vec<String>

Coarse authority kinds involved in the finding: e.g. job_token, oidc_identity, service_connection, variable_group, credential_named_variable, artifact, or image.

§attacker_surface_kinds: Vec<String>

Coarse attacker-influenced surfaces involved in the finding: e.g. untrusted_checkout, script_sink, mutable_dependency_ref, reusable_workflow_boundary, or self_hosted_runner.

§template_resolution_strength: Option<String>

Template/reusable-workflow resolution strength for delegation findings: resolved, partial, opaque, or not_applicable.

§cve_relationship: Option<String>

Relationship between this finding and any cited CVE/advisory: same_primitive, same_authority_shape, analogue_only, or not_applicable.

Implementations§

impl FindingExtras

pub fn with_anchor(anchor: impl Into<String>) -> Self

Convenience constructor for the common case of “default extras plus a per-finding fingerprint anchor”. Used by rules whose emission sites have no natural graph-node anchor and need the anchor to discriminate multiple findings of the same rule in one file (see the compute_fingerprint v3 contract).

pub fn with_confidence_scope(scope: impl Into<String>) -> Self

Convenience constructor for report-facing metadata that is not a fingerprint anchor. Keeps rule call sites additive rather than forcing every built-in rule to hand-populate publication context.

Trait Implementations§

impl Clone for FindingExtras

fn clone(&self) -> FindingExtras

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for FindingExtras

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for FindingExtras

fn default() -> FindingExtras

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for FindingExtras

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for FindingExtras

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.
