Module graph 

Structs

AuthorityGraph

Directed authority graph. Nodes are pipeline elements (steps, secrets, artifacts, identities, images). Edges model authority/data flow.

Edge

A directed edge in the authority graph.

Node

A node in the authority graph.

PipelineSource

Where the pipeline definition came from.

Enums

AuthorityCompleteness

How complete is this authority graph? Parsers set this based on whether they could fully resolve all authority relationships in the pipeline YAML.

EdgeKind

Edge semantics model authority/data flow — not syntactic YAML relations. Design test: “Can authority propagate along this edge?”

IdentityScope

How broad is an identity’s scope? Classifies the risk surface of tokens, service principals, and OIDC identities.

NodeKind

Semantic kind of a graph node.

TrustZone

Trust classification. Explicit on every node — not inferred from kind.

Constants

META_ATTESTS

Marks a Step that performs cryptographic provenance attestation (e.g. actions/attest-build-provenance).

META_CHECKOUT_SELF

Marks a Step that performs a checkout: self (ADO) or default actions/checkout on a PR context.

META_CLI_FLAG_EXPOSED

Marks a Secret node whose value is interpolated into a CLI flag argument (e.g. -var "key=$(SECRET)"). CLI flag values appear in pipeline log output even when ADO secret masking is active, because the command string is logged before masking runs and Terraform itself logs -var values.

META_CONTAINER

Marks an Image node as a job container (not a uses: action).

META_DIGEST

META_IDENTITY_SCOPE

META_IMPLICIT

Marks an Identity node as implicitly injected by the platform (e.g. ADO System.AccessToken). Implicit tokens are structurally accessible to all tasks by platform design — exposure to untrusted steps is Info-level (structural) rather than Critical (misconfiguration).

META_INFERRED

META_OIDC

Marks an Identity node as OIDC-capable (permissions: id-token: write).

META_PERMISSIONS

META_SELF_HOSTED

Marks an Image node as a self-hosted agent pool (pool.name on ADO; runs-on: self-hosted on GHA).

META_SERVICE_CONNECTION

Marks an Identity node as an ADO service connection.

META_TRIGGER

Graph-level metadata: identifies the trigger type (e.g. pull_request_target, pr).

META_VARIABLE_GROUP

Marks a Secret node sourced from an ADO variable group (vs inline pipeline variable).

META_WRITES_ENV_GATE

Marks a Step that writes to the environment gate ($GITHUB_ENV, ADO ##vso[task.setvariable]).

Functions

is_docker_digest_pinned

Returns true if image is pinned to a Docker digest. Docker digest format: image@sha256:<64-hex-chars>.

is_sha_pinned

Returns true if ref_str is a SHA-pinned action reference. Checks: contains @, part after @ is >= 40 hex chars. Single source of truth — used by both parser and rules.

Type Aliases

EdgeId

Unique identifier for an edge in the authority graph.

NodeId

Unique identifier for a node in the authority graph.