Add structured metadata fields to findings for programmatic access #385
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds new fields to FindingMeta for library users who need machine-readable access to security-relevant data without parsing human-readable strings: - injection_sources: Array of specific expressions being injected - lotp_tool: Living Off The Pipeline build tool (npm, pip, make, etc.) - lotp_action: LOTP GitHub Action identifier - referenced_secrets: Secrets referenced in the job (excludes GITHUB_TOKEN) The referenced_secrets field is automatically extracted when rules pass the _job field, supporting dot notation (secrets.FOO) and bracket notation (secrets['FOO'] and secrets["FOO"]). Benchmark (Apple M4 Pro): | Version | ns/op | B/op | allocs/op | |---------|-----------|-----------|-----------| | Before | 10971339 | 7149084 | 132787 | | After | 12059356 | 7858242 | 148422 | | Delta | +9.9% | +9.9% | +11.8% | Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This pull request adds structured metadata fields to security findings, enabling programmatic access to security-relevant information without parsing human-readable text. The implementation includes new fields for injection sources, LOTP (Living Off The Pipeline) tools/actions, and referenced secrets.
Changes:
- Added four new structured metadata fields to
FindingMeta:InjectionSources,LOTPTool,LOTPAction, andReferencedSecrets - Implemented Rego helper functions to extract and sort injection sources and secrets from GitHub Actions expressions
- Updated all existing test expectations to include the new structured fields with appropriate values
- Added comprehensive test workflow and test case to verify the new fields are populated correctly
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| results/results.go | Adds four new structured metadata fields to FindingMeta struct with clear documentation |
| opa/rego/poutine/utils.rego | Implements helper functions to extract secrets from GitHub Actions expressions using regex patterns for dot and bracket notation |
| opa/rego/poutine.rego | Modifies finding() function to automatically extract referenced_secrets from _job field for GitHub Actions findings |
| opa/rego/rules/injection.rego | Adds injection_sources field (sorted array) and _job field to GitHub Actions injection findings |
| opa/rego/rules/untrusted_checkout_exec.rego | Adds lotp_tool/lotp_action fields and _job field to GitHub Actions untrusted checkout exec findings, also adds job ID to finding metadata |
| scanner/testdata/.github/workflows/test_new_fields.yml | New test workflow with injection vulnerabilities and LOTP scenarios to validate structured metadata extraction |
| scanner/inventory_test.go | Updates all test expectations with new structured fields and adds TestStructuredFindingFields to validate the implementation |
| scanner/inventory_scanner_test.go | Adds new test workflow to the expected workflow list |
| docs/content/en/structured-finding-metadata.md | Comprehensive documentation explaining the new fields, usage examples, and backward compatibility |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Fixes perfsprint linter warning by replacing fmt.Sprintf("%x", ...) with
hex.EncodeToString which is more performant.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes testifylint warning by using require.NoError instead of assert.NoError for error checking in TestStructuredFindingFields. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SUSTAPLE117
approved these changes
Jan 12, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
injection_sources,lotp_tool,lotp_action,referenced_secrets) to findings, enabling programmatic access to security-relevant information without parsing human-readable textpoutine/utils.regoto extract and sort injection sources from tainted expressionsreferenced_secretsfield is automatically extracted when rules pass the_jobfield, supporting dot notation (secrets.FOO) and bracket notation (secrets['FOO']andsecrets["FOO"])Benchmark (Apple M4 Pro)
Test plan
test_new_fields.yml) to verify structured metadata extractionTestStructuredFindingFieldstest with assertions for new fields🤖 Generated with Claude Code