List of all items
Structs
- baselines::Baseline
- baselines::BaselineDiff
- baselines::BaselineFinding
- baselines::CapturedWith
- custom_rules::CustomRule
- custom_rules::MatchSpec
- custom_rules::MetadataMatcher
- custom_rules::MetadataOp
- custom_rules::NodeMatcher
- custom_rules::PathMatcher
- finding::Finding
- finding::FindingExtras
- graph::AuthorityGraph
- graph::Edge
- graph::Node
- graph::ParamSpec
- graph::PipelineSource
- ignore::IgnoreConfig
- ignore::IgnoreResult
- ignore::IgnoreRule
- map::AuthorityMap
- map::MapRow
- propagation::DenseGraphError
- propagation::PropagationPath
- suppressions::Suppression
- suppressions::SuppressionConfig
Enums
- baselines::BaselineError
- custom_rules::CustomRuleError
- custom_rules::MetadataPredicate
- custom_rules::OneOrMany
- error::TauditError
- finding::FindingCategory
- finding::FindingSource
- finding::FixEffort
- finding::Recommendation
- finding::Severity
- graph::AuthorityCompleteness
- graph::EdgeKind
- graph::IdentityScope
- graph::NodeKind
- graph::TrustZone
- suppressions::SuppressionError
- suppressions::SuppressionMode
- suppressions::SuppressionStatus
Traits (no entries are listed under this heading on this page)
Functions
- baselines::baseline_filename_for
- baselines::baseline_path_for
- baselines::baselines_dir
- baselines::compute_finding_fingerprint
- baselines::compute_pipeline_hash
- baselines::diff
- custom_rules::evaluate_custom_rules
- custom_rules::load_rules_dir
- custom_rules::load_rules_dir_with_opts
- custom_rules::parse_rules_multi_doc
- custom_rules::parse_rules_multi_doc_with_source
- finding::compute_finding_group_id
- finding::compute_fingerprint
- finding::downgrade_severity
- finding::rule_id_for
- graph::is_docker_digest_pinned
- graph::is_pin_semantically_valid
- graph::is_sha_pinned
- ignore::glob_match
- map::authority_map
- map::job_names
- map::render_dot
- map::render_map
- propagation::is_dense_graph
- propagation::propagation_analysis
- propagation::propagation_analysis_checked
- rules::addspn_with_inline_script
- rules::artifact_boundary_crossing
- rules::authority_cycle
- rules::authority_propagation
- rules::cache_key_crosses_trust_boundary
- rules::checkout_self_pr_exposure
- rules::child_pipeline_trigger_inherits_authority
- rules::ci_job_token_to_external_api
- rules::ci_token_triggers_downstream_with_variable_passthrough
- rules::cross_workflow_authority_chain
- rules::dind_service_grants_host_authority
- rules::dotenv_artifact_flows_to_privileged_deployment
- rules::floating_image
- rules::gh_cli_with_default_token_escalating
- rules::gitlab_deploy_job_missing_protected_branch_only
- rules::id_token_audience_overscoped
- rules::interactive_debug_action_in_authority_workflow
- rules::keyvault_secret_to_plaintext
- rules::long_lived_credential
- rules::long_lived_secret_without_oidc_recommendation
- rules::manual_dispatch_input_to_url_or_command
- rules::no_workflow_level_permissions_block
- rules::over_privileged_identity
- rules::parameter_interpolation_into_shell
- rules::pat_embedded_in_git_remote_url
- rules::persisted_credential
- rules::pr_build_pushes_image_with_floating_credentials
- rules::pr_specific_cache_key_in_default_branch_consumer
- rules::pr_trigger_with_floating_action_ref
- rules::prod_deploy_job_no_environment_gate
- rules::pull_request_workflow_inconsistent_fork_check
- rules::risky_trigger_with_authority
- rules::run_all_rules
- rules::runtime_script_fetched_from_floating_url
- rules::script_injection_via_untrusted_context
- rules::secret_materialised_to_workspace_file
- rules::secret_to_inline_script_env_export
- rules::secret_via_env_gate_to_untrusted_consumer
- rules::secrets_inherit_overscoped_passthrough
- rules::security_job_silently_skipped
- rules::self_hosted_pool_pr_hijack
- rules::self_mutating_pipeline
- rules::sensitive_value_in_job_output
- rules::service_connection_scope_mismatch
- rules::short_lived_sas_in_command_line
- rules::template_extends_unpinned_branch
- rules::template_repo_ref_is_feature_branch
- rules::terraform_auto_approve_in_prod
- rules::terraform_output_via_setvariable_shell_expansion
- rules::trigger_context_mismatch
- rules::unpinned_action
- rules::unpinned_include_remote_or_branch_ref
- rules::unsafe_pr_artifact_in_workflow_run_consumer
- rules::untrusted_api_response_to_env_sink
- rules::untrusted_ci_var_in_shell_interpolation
- rules::untrusted_with_authority
- rules::uplift_without_attestation
- rules::variable_group_in_pr_job
- rules::vm_remote_exec_via_pipeline_secret
- suppressions::render_entry_yaml
Type Aliases (no entries are listed under this heading on this page)
Constants
- baselines::BASELINE_SCHEMA_VERSION
- baselines::MAX_CRITICAL_WAIVER_DAYS
- baselines::MIN_REASON_LENGTH
- graph::META_ADD_SPN_TO_ENV
- graph::META_ATTESTS
- graph::META_CACHE_KEY
- graph::META_CHECKOUT_REF
- graph::META_CHECKOUT_SELF
- graph::META_CLI_FLAG_EXPOSED
- graph::META_CONTAINER
- graph::META_DIGEST
- graph::META_DISPATCH_INPUTS
- graph::META_DOTENV_FILE
- graph::META_DOWNLOADS_ARTIFACT
- graph::META_ENVIRONMENT_NAME
- graph::META_ENVIRONMENT_URL
- graph::META_ENV_APPROVAL
- graph::META_FORK_CHECK
- graph::META_GITLAB_ALLOW_FAILURE
- graph::META_GITLAB_CACHE_KEY
- graph::META_GITLAB_CACHE_POLICY
- graph::META_GITLAB_DIND_SERVICE
- graph::META_GITLAB_EXTENDS
- graph::META_GITLAB_INCLUDES
- graph::META_GITLAB_TRIGGER_KIND
- graph::META_IDENTITY_SCOPE
- graph::META_IMPLICIT
- graph::META_INFERRED
- graph::META_INTERACTIVE_DEBUG
- graph::META_INTERPRETS_ARTIFACT
- graph::META_JOB_NAME
- graph::META_JOB_OUTPUTS
- graph::META_NEEDS
- graph::META_NO_WORKFLOW_PERMISSIONS
- graph::META_OIDC
- graph::META_OIDC_AUDIENCE
- graph::META_PERMISSIONS
- graph::META_PLATFORM
- graph::META_READS_ENV
- graph::META_REPOSITORIES
- graph::META_RULES_PROTECTED_ONLY
- graph::META_SCRIPT_BODY
- graph::META_SECRETS_INHERIT
- graph::META_SELF_HOSTED
- graph::META_SERVICE_CONNECTION
- graph::META_SERVICE_CONNECTION_NAME
- graph::META_TERRAFORM_AUTO_APPROVE
- graph::META_TRIGGER
- graph::META_TRIGGERS
- graph::META_VARIABLE_GROUP
- graph::META_WRITES_ENV_GATE
- propagation::DEFAULT_MAX_HOPS
- propagation::DENSE_GRAPH_EDGE_RATIO
- propagation::DENSE_GRAPH_NODE_THRESHOLD