List of all items

Structs

• baselines::Baseline
• baselines::BaselineDiff
• baselines::BaselineFinding
• baselines::CapturedWith
• custom_rules::CustomRule
• custom_rules::MatchSpec
• custom_rules::MetadataMatcher
• custom_rules::MetadataOp
• custom_rules::NodeMatcher
• custom_rules::PathMatcher
• exploit_path::ExploitEdgeExport
• exploit_path::ExploitGraphExport
• exploit_path::ExploitGraphOptions
• exploit_path::ExploitGraphSummary
• exploit_path::ExploitNodeExport
• exploit_path::ExploitPathExport
• finding::Finding
• finding::FindingExtras
• finding::PropagationPath
• graph::AuthorityEdgeSummary
• graph::AuthorityGraph
• graph::Edge
• graph::Node
• graph::ParamSpec
• graph::PipelineSource
• ignore::IgnoreConfig
• ignore::IgnoreResult
• ignore::IgnoreRule
• map::AuthorityMap
• map::MapRow
• propagation::DenseGraphError
• propagation::PropagationPath
• summary::AuthorityPropagationSummaryDocument
• summary::PropagationNodeAgg
• summary::PropagationSummaryTotals
• suppressions::Suppression
• suppressions::SuppressionConfig

Enums

• baselines::BaselineError
• custom_rules::CustomRuleError
• custom_rules::MetadataPredicate
• custom_rules::OneOrMany
• error::TauditError
• finding::FindingCategory
• finding::FindingSource
• finding::FixEffort
• finding::Recommendation
• finding::Severity
• graph::AuthorityCompleteness
• graph::EdgeKind
• graph::GapKind
• graph::IdentityScope
• graph::NodeKind
• graph::TrustZone
• ignore::IgnoreError
• map::DiagramLabelDetail
• map::DotJobCollapse
• suppressions::SuppressionError
• suppressions::SuppressionMode
• suppressions::SuppressionStatus

Traits

• ports::AnalysisRule
• ports::PipelineParser
• ports::ReportSink

Functions

• baselines::baseline_filename_for
• baselines::baseline_path_for
• baselines::baselines_dir
• baselines::compute_finding_fingerprint
• baselines::compute_pipeline_hash
• baselines::compute_pipeline_identity_material_hash
• baselines::diff
• custom_rules::evaluate_custom_rules
• custom_rules::load_rules_dir
• custom_rules::load_rules_dir_with_opts
• custom_rules::parse_rules_multi_doc
• custom_rules::parse_rules_multi_doc_with_source
• exploit_path::build_export
• exploit_path::render_dot
• exploit_path::render_json_pretty
• exploit_path::render_mermaid
• exploit_path::render_summary_pretty
• graph::is_docker_digest_pinned
• graph::is_pin_semantically_valid
• graph::is_sha_pinned
• ignore::glob_match
• map::authority_map
• map::job_names
• map::render_dot
• map::render_map
• map::render_mermaid
• propagation::is_dense_graph
• propagation::propagation_analysis
• propagation::propagation_analysis_checked
• read_capped
• read_capped_with_symlink_fence
• rules::action_major_version_pin_without_sha
• rules::addspn_with_inline_script
• rules::artifact_boundary_crossing
• rules::authority_cycle
• rules::authority_propagation
• rules::cache_key_crosses_trust_boundary
• rules::check_homoglyph_in_action_ref
• rules::checkout_self_pr_exposure
• rules::child_pipeline_trigger_inherits_authority
• rules::ci_job_token_to_external_api
• rules::ci_token_triggers_downstream_with_variable_passthrough
• rules::cross_workflow_authority_chain
• rules::dind_service_grants_host_authority
• rules::docker_socket_exposed_to_ci_step
• rules::dotenv_artifact_flows_to_privileged_deployment
• rules::floating_image
• rules::gh_cli_with_default_token_escalating
• rules::gha_action_minted_secret_to_helper
• rules::gha_action_token_env_before_bare_download_helper
• rules::gha_api_workflow_run_artifact_to_autonomous_agent_to_git_push
• rules::gha_attestation_config_driven_gate_from_workspace_file
• rules::gha_attestation_subject_digest_from_step_output_unverified
• rules::gha_attestation_subject_path_workspace_glob_with_pr_trigger
• rules::gha_azure_companion_helper_authority
• rules::gha_changesets_publish_command_with_authority
• rules::gha_composite_bare_helper_after_path_install_with_secret_env
• rules::gha_composite_entrypoint_path_shadow_with_secret_env
• rules::gha_container_image_attacker_influenced_with_secret_env
• rules::gha_create_pr_git_token_path_handoff
• rules::gha_crossrepo_secrets_inherit_unreviewed_callee
• rules::gha_crossrepo_workflow_call_floating_ref_cascade
• rules::gha_datadog_test_visibility_installer_authority
• rules::gha_docker_buildx_authority_path_handoff
• rules::gha_docker_setup_qemu_privileged_docker_helper
• rules::gha_env_credential_helper_config_redirect_before_authority
• rules::gha_env_dyld_or_ld_library_path_before_credential_helper
• rules::gha_env_node_options_code_injection_before_node_authority
• rules::gha_floating_remote_script_before_publish_sink
• rules::gha_google_deploy_gcloud_credential_path
• rules::gha_helper_path_sensitive_argv
• rules::gha_helper_path_sensitive_env
• rules::gha_helper_path_sensitive_stdin
• rules::gha_helper_untrusted_path_resolution
• rules::gha_import_gpg_private_key_helper_path
• rules::gha_issue_comment_command_to_write_token
• rules::gha_kubernetes_helper_kubeconfig_authority
• rules::gha_macos_codesign_cert_security_path
• rules::gha_manifest_cargo_build_rs_pull_request_with_token
• rules::gha_manifest_makefile_with_pr_trigger_and_secrets
• rules::gha_manifest_npm_lifecycle_hook_pr_trigger_with_token
• rules::gha_manifest_python_m_build_with_pr_credentials
• rules::gha_manifest_submodules_recursive_with_pr_authority
• rules::gha_manual_dispatch_ref_to_privileged_checkout
• rules::gha_pages_deploy_token_url_to_git_helper
• rules::gha_pat_remote_url_write
• rules::gha_post_action_input_retarget_to_cache_save
• rules::gha_post_ambient_env_cleanup_path
• rules::gha_pr_build_pushes_publishable_image
• rules::gha_pulumi_path_resolved_cli_with_authority
• rules::gha_pypi_publish_oidc_after_path_mutation
• rules::gha_remote_script_in_authority_job
• rules::gha_rubygems_release_git_token_and_oidc_helper
• rules::gha_script_injection_to_privileged_shell
• rules::gha_secret_output_after_helper_login
• rules::gha_setup_go_cache_helper_path_handoff
• rules::gha_setup_node_cache_helper_path_handoff
• rules::gha_setup_python_cache_helper_path_handoff
• rules::gha_setup_python_pip_install_authority_env
• rules::gha_ssh_agent_private_key_to_path_helper
• rules::gha_telemetry_autonomous_agent_input_from_untrusted_event
• rules::gha_telemetry_debug_flag_with_secret_env
• rules::gha_telemetry_pr_or_issue_text_to_external_sink
• rules::gha_terraform_wrapper_sensitive_output
• rules::gha_token_remote_url_with_trace_or_process_exposure
• rules::gha_tool_installer_then_shell_helper_authority
• rules::gha_workflow_call_container_image_input_secrets_inherit
• rules::gha_workflow_call_runner_label_input_privilege_escalation
• rules::gha_workflow_run_artifact_metadata_to_privileged_api
• rules::gha_workflow_run_artifact_poisoning_to_privileged_consumer
• rules::gha_workflow_run_artifact_report_to_pr_comment
• rules::gha_workflow_run_artifact_to_blob_storage_token
• rules::gha_workflow_run_artifact_to_build_scan_publish
• rules::gha_workflow_shell_authority_concentration
• rules::gitlab_deploy_job_missing_protected_branch_only
• rules::id_token_audience_overscoped
• rules::interactive_debug_action_in_authority_workflow
• rules::keyvault_secret_to_plaintext
• rules::known_compromised_action_ref
• rules::later_secret_materialized_after_path_mutation
• rules::long_lived_credential
• rules::long_lived_secret_without_oidc_recommendation
• rules::manual_dispatch_input_to_url_or_command
• rules::no_workflow_level_permissions_block
• rules::oidc_identity_in_untrusted_context
• rules::over_privileged_identity
• rules::parameter_interpolation_into_shell
• rules::pat_embedded_in_git_remote_url
• rules::persisted_credential
• rules::pr_build_pushes_image_with_floating_credentials
• rules::pr_specific_cache_key_in_default_branch_consumer
• rules::pr_trigger_with_floating_action_ref
• rules::privileged_container_in_ci_step
• rules::prod_deploy_job_no_environment_gate
• rules::pull_request_workflow_inconsistent_fork_check
• rules::risky_trigger_with_authority
• rules::run_all_rules
• rules::runtime_script_fetched_from_floating_url
• rules::script_injection_via_untrusted_context
• rules::secret_materialised_to_workspace_file
• rules::secret_to_inline_script_env_export
• rules::secret_via_env_gate_to_untrusted_consumer
• rules::secrets_inherit_overscoped_passthrough
• rules::security_job_silently_skipped
• rules::self_hosted_pool_pr_hijack
• rules::self_mutating_pipeline
• rules::sensitive_value_in_job_output
• rules::service_connection_scope_mismatch
• rules::setvariable_issecret_false
• rules::shared_self_hosted_pool_no_isolation
• rules::short_lived_sas_in_command_line
• rules::template_extends_unpinned_branch
• rules::template_repo_ref_is_feature_branch
• rules::terraform_auto_approve_in_prod
• rules::terraform_output_via_setvariable_shell_expansion
• rules::trigger_context_mismatch
• rules::unpinned_action
• rules::unpinned_include_remote_or_branch_ref
• rules::unsafe_pr_artifact_in_workflow_run_consumer
• rules::untrusted_api_response_to_env_sink
• rules::untrusted_ci_var_in_shell_interpolation
• rules::untrusted_with_authority
• rules::uplift_without_attestation
• rules::variable_group_in_pr_job
• rules::vm_remote_exec_via_pipeline_secret
• summary::build_authority_propagation_summary
• suppressions::render_entry_yaml

Type Aliases

• finding::NodeId
• graph::EdgeId
• graph::NodeId

Constants

• MAX_INPUT_FILE_BYTES
• baselines::BASELINE_SCHEMA_VERSION
• baselines::MAX_CRITICAL_WAIVER_DAYS
• baselines::MIN_REASON_LENGTH
• custom_rules::MAX_RULE_VEC_LEN
• graph::AUTHORITY_EDGE_SUMMARY_FIELD_MAX
• graph::META_ADD_SPN_TO_ENV
• graph::META_ATTESTS
• graph::META_CACHE_KEY
• graph::META_CHECKOUT_REF
• graph::META_CHECKOUT_SELF
• graph::META_CLI_FLAG_EXPOSED
• graph::META_CONDITION
• graph::META_CONTAINER
• graph::META_DEPENDS_ON
• graph::META_DIGEST
• graph::META_DISPATCH_INPUTS
• graph::META_DOTENV_FILE
• graph::META_DOWNLOADS_ARTIFACT
• graph::META_ENVIRONMENT_NAME
• graph::META_ENVIRONMENT_URL
• graph::META_ENV_APPROVAL
• graph::META_ENV_GATE_WRITES_SECRET_VALUE
• graph::META_FORK_CHECK
• graph::META_GHA_ACTION
• graph::META_GHA_CONTAINER_OPTIONS
• graph::META_GHA_ENV_ASSIGNMENTS
• graph::META_GHA_RUNS_ON
• graph::META_GHA_WITH_INPUTS
• graph::META_GHA_WORKFLOW_CALL_INPUTS
• graph::META_GITLAB_ALLOW_FAILURE
• graph::META_GITLAB_CACHE_KEY
• graph::META_GITLAB_CACHE_POLICY
• graph::META_GITLAB_DIND_SERVICE
• graph::META_GITLAB_EXTENDS
• graph::META_GITLAB_INCLUDES
• graph::META_GITLAB_TRIGGER_KIND
• graph::META_IDENTITY_SCOPE
• graph::META_IMPLICIT
• graph::META_INFERRED
• graph::META_INTERACTIVE_DEBUG
• graph::META_INTERPRETS_ARTIFACT
• graph::META_JOB_NAME
• graph::META_JOB_OUTPUTS
• graph::META_NEEDS
• graph::META_NO_WORKFLOW_PERMISSIONS
• graph::META_OIDC
• graph::META_OIDC_AUDIENCE
• graph::META_OIDC_AUDIENCES
• graph::META_PERMISSIONS
• graph::META_PLATFORM
• graph::META_READS_ENV
• graph::META_REPOSITORIES
• graph::META_RULES_PROTECTED_ONLY
• graph::META_SCRIPT_BODY
• graph::META_SECRETS_INHERIT
• graph::META_SELF_HOSTED
• graph::META_SERVICE_CONNECTION
• graph::META_SERVICE_CONNECTION_NAME
• graph::META_SETVARIABLE_ADO
• graph::META_TERRAFORM_AUTO_APPROVE
• graph::META_TRIGGER
• graph::META_TRIGGERS
• graph::META_VARIABLE_GROUP
• graph::META_WORKSPACE_CLEAN
• graph::META_WRITES_ENV_GATE
• propagation::DEFAULT_MAX_HOPS
• propagation::DENSE_GRAPH_EDGE_RATIO
• propagation::DENSE_GRAPH_NODE_THRESHOLD
• summary::AUTHORITY_PROPAGATION_SUMMARY_SCHEMA_URI
• summary::AUTHORITY_PROPAGATION_SUMMARY_SCHEMA_VERSION
• summary::PROPAGATION_SUMMARY_TOP_N