
Module baselines


Per-pipeline baseline files (.taudit/baselines/<hash>.json).

A baseline is a snapshot of the findings present on a pipeline at the moment it was first onboarded into taudit. Subsequent scans diff against the baseline so reviewers see only NEW findings; pre-existing findings are summarised. Baselines are the v0.10 mechanism for adopting taudit on existing repos without forcing upfront triage of historical findings.

Load-bearing decisions (per design council, 2026-04-26)

  1. Layout: one file per pipeline keyed by content hash. A monolithic .taudit/baseline.json would merge-conflict on every PR. Per-pipeline files (.taudit/baselines/<sha256>.json) keep blast radius small.
  2. Fingerprints reuse Finding::compute_fingerprint exactly. Inventing a second hashing scheme is a foot-gun — SARIF, JSON, CloudEvents and baselines must agree on what “same finding” means. The shared test baseline_fingerprint_matches_sarif_fingerprint enforces this.
  3. Critical findings always exit 1 unless the entry carries severity_override: critical AND a reason AND expires_at <= 90d. This is the security analyst’s non-negotiable: any waiver mechanism creates a path for risk to be accepted, so critical waivers must be conscious, time-bounded and re-reviewed.
  4. OSS-friendly default. No .taudit/ directory means today’s behaviour. Baselines are strictly opt-in.

See docs/baselines.md for the full workflow and security guarantees.
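The waiver rule in decision 3 and the three-bucket diff are easiest to see in code. The block below is an added example, not taudit's own implementation: the field names on `BaselineFinding`, the bucket names on `BaselineDiff`, the value of `MIN_REASON_LENGTH`, and the choice to measure the 90-day window from the baseline's capture date are all assumptions. The fingerprint is a 64-bit FNV-1a stand-in with the same 16-hex shape as the real SHA-256 truncation, used only because `sha2` is not in `std`. Rule IDs, paths and timestamps are constructed sample data.

```rust
// Added example (not taudit's code): models the critical-waiver rule and the
// new / baselined / resolved diff from the module docs. Names are assumptions.
use std::collections::{HashMap, HashSet};

/// Mirrors the module constant: a critical waiver may not outlive this window.
pub const MAX_CRITICAL_WAIVER_DAYS: i64 = 90;
/// ASSUMED value; the docs only ask for "a sentence's worth of justification".
pub const MIN_REASON_LENGTH: usize = 20;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { Low, Medium, High, Critical }

/// A finding from a fresh scan. Identity is rule + location, never message text.
#[derive(Debug, Clone)]
pub struct Finding { pub rule_id: String, pub path: String, pub line: u32, pub severity: Severity }

/// Stand-in for compute_fingerprint: FNV-1a 64 rendered as 16 hex chars.
/// Only the shape matches the real SHA-256 truncation.
pub fn fingerprint(f: &Finding) -> String {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in format!("{}\0{}\0{}", f.rule_id, f.path, f.line).bytes() {
        h ^= b as u64;
        h = h.wrapping_mul(0x100000001b3);
    }
    format!("{:016x}", h)
}

/// One baseline entry (field names assumed from the docs above).
#[derive(Debug, Clone)]
pub struct BaselineFinding {
    pub fingerprint: String,
    pub severity_override: Option<Severity>,
    pub reason: Option<String>,
    /// Days since the Unix epoch (assumption; a real schema would store RFC 3339).
    pub expires_at_day: Option<i64>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum WaiverError { NoOverride, ReasonMissingOrShort, NoExpiry, ExpiryTooLong, Expired }

/// A critical bypasses exit-1 only with an explicit critical override, a real
/// reason, and an expiry no more than 90 days after `captured_day` (assumed anchor).
pub fn validate_critical_waiver(e: &BaselineFinding, captured_day: i64, today: i64) -> Result<(), WaiverError> {
    if e.severity_override != Some(Severity::Critical) { return Err(WaiverError::NoOverride); }
    match &e.reason {
        Some(r) if r.trim().chars().count() >= MIN_REASON_LENGTH => {}
        _ => return Err(WaiverError::ReasonMissingOrShort),
    }
    let exp = e.expires_at_day.ok_or(WaiverError::NoExpiry)?;
    if exp - captured_day > MAX_CRITICAL_WAIVER_DAYS { return Err(WaiverError::ExpiryTooLong); }
    if exp < today { return Err(WaiverError::Expired); }
    Ok(())
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct BaselineDiff {
    pub new: Vec<String>,                // in scan, not in baseline: always shown
    pub baselined: Vec<String>,          // in both: summarised only
    pub resolved: Vec<String>,           // in baseline, gone from scan: prune candidates
    pub blocking_criticals: Vec<String>, // criticals without a valid waiver
}

pub fn diff(current: &[Finding], baseline: &[BaselineFinding], captured_day: i64, today: i64) -> BaselineDiff {
    let known: HashMap<&str, &BaselineFinding> =
        baseline.iter().map(|b| (b.fingerprint.as_str(), b)).collect();
    let mut out = BaselineDiff::default();
    let mut seen = HashSet::new();
    for f in current {
        let fp = fingerprint(f);
        seen.insert(fp.clone());
        match known.get(fp.as_str()) {
            None => {
                if f.severity == Severity::Critical { out.blocking_criticals.push(fp.clone()); }
                out.new.push(fp);
            }
            Some(entry) => {
                if f.severity == Severity::Critical
                    && validate_critical_waiver(entry, captured_day, today).is_err()
                {
                    out.blocking_criticals.push(fp.clone());
                }
                out.baselined.push(fp);
            }
        }
    }
    for b in baseline {
        if !seen.contains(&b.fingerprint) { out.resolved.push(b.fingerprint.clone()); }
    }
    out
}

/// verify's exit code: 1 on any new finding or any unwaived critical, else 0.
pub fn exit_code(d: &BaselineDiff) -> i32 {
    if d.new.is_empty() && d.blocking_criticals.is_empty() { 0 } else { 1 }
}

/// Constructed sample: one properly waived critical, one critical waived with
/// "wip", one brand-new medium, and one stale baseline entry.
pub fn demo() -> (BaselineDiff, i32) {
    let f = |r: &str, l: u32, s| Finding { rule_id: r.into(), path: ".gitlab-ci.yml".into(), line: l, severity: s };
    let scan = vec![f("CI-001", 12, Severity::Critical), f("CI-002", 40, Severity::Critical), f("CI-007", 55, Severity::Medium)];
    let (captured, today) = (20_000, 20_030);
    let entry = |fp: String, reason: &str, days: i64| BaselineFinding {
        fingerprint: fp, severity_override: Some(Severity::Critical),
        reason: Some(reason.into()), expires_at_day: Some(captured + days),
    };
    let baseline = vec![
        entry(fingerprint(&scan[0]), "Runner is air-gapped; tracked in SEC-123 for removal", 60),
        entry(fingerprint(&scan[1]), "wip", 30),
        BaselineFinding { fingerprint: "deadbeefdeadbeef".into(), severity_override: None, reason: None, expires_at_day: None },
    ];
    let d = diff(&scan, &baseline, captured, today);
    let code = exit_code(&d);
    (d, code)
}

fn main() {
    let (d, code) = demo();
    println!("{:#?}\nexit {}", d, code);
}
```

Running `demo()` yields one new finding, two baselined, one resolved, and one blocking critical (the "wip" waiver fails the reason check), so `exit_code` returns 1 even though both criticals were in the baseline. That is the property decision 3 is after: being baselined is not the same as being waived.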

Structs

Baseline
One baseline file = one pipeline. Keyed by pipeline_content_hash so renames preserve state and merge conflicts only touch the affected file.
BaselineDiff
Result of diffing a fresh scan against a baseline. All three buckets are independently consumable by verify’s exit-code logic.
BaselineFinding
One entry in a baseline. Keyed on fingerprint (16-hex SHA-256 truncation computed by compute_fingerprint).
CapturedWith
Tool/version provenance captured at init.

Enums

BaselineError
Errors returned by baseline I/O and validation.

Constants

BASELINE_SCHEMA_VERSION
Schema version emitted by init and accepted by load. Additive 1.x.y changes are non-breaking; 2.0.0 means breaking changes.
MAX_CRITICAL_WAIVER_DAYS
Maximum lifetime allowed for a critical-severity waiver. Council’s load-bearing constraint: a critical may only bypass exit-1 if its waiver expires within this window. Longer expirations are rejected at validation time (and pruned at diff time).
MIN_REASON_LENGTH
Minimum length (UTF-8 chars) of the reason string on a waiver. Empty strings and placeholders such as "wip", "todo" or "fix later" train the wrong muscle memory; force a sentence's worth of justification.

Functions

baseline_filename_for
Filename for one pipeline’s baseline. The sha256: prefix is stripped so the file is portable on filesystems that disallow : (Windows NTFS).
baseline_path_for
Convenience: full <root>/.taudit/baselines/<hex>.json path for the given content hash.
baselines_dir
Default location for per-pipeline baselines, given the working directory. Returns <root>/.taudit/baselines/.
compute_finding_fingerprint
Public alias of compute_fingerprint — re-exported here so the baseline module is the single import point for “what is the fingerprint of this finding for baseline purposes”. The shared test baseline_fingerprint_matches_sarif_fingerprint asserts these are byte-equal forever.
compute_pipeline_hash
SHA-256 of content formatted as sha256:<64-hex>. The sha256: prefix mirrors OCI / git object naming so logs and dashboards can strip the algorithm tag uniformly.
compute_pipeline_identity_material_hash
SHA-256 over dependency-like parser material (include/template/repository declarations and delegation edges), formatted as sha256:<64-hex>.
diff
Diff current_findings against baseline using the SARIF-equivalent fingerprint computed from graph. Entry point for verify and the taudit baseline diff subcommand.