Skip to content

Commit 3f07728

Browse files
chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules) (#670)
* chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules) Updates the bundled Kensa scan engine + rule corpus from v0.5.2 to v0.6.0, keeping the three version pins in sync (go.mod, internal/kensa.KensaModuleVersion, specs/system/kensa-executor.spec.yaml — TestKensaModuleVersion/TestSpec_VersionPin enforce agreement). What's in v0.6.0: - The remediation "atomicity engine": crash-recovery intent journal + `kensa recover`, mandatory post-apply VALIDATE re-check, post-state recapture into the signed evidence envelope, a footprint pre-commit gate, and agent-mode kernel-IO handlers. Kensa's CHANGELOG marks the consumed `api/` surface as additive (crash-recovery types) with no breaking change; the OpenWatch build and scan-path tests confirm it. - Rule corpus: 539 -> 538. One STIG rule was removed (system/pkg-gdm-absent.yml). No rules added. - Pulls 3 new indirect deps (elastic/go-libaudit, elastic/go-licenser, kballard/go-shellquote) from the agent-mode kernel-IO features. Verified: go build ./... clean, go vet clean, internal/kensa + the server scan-config/variable-catalog/lens tests pass, specter check 113/113 at 100% coverage. Note: docs/README/guides reference "539" rules; those need a 539->538 follow-up (left out here to avoid colliding with the pending README PR #669). * docs(kensa): update rule count 539 -> 538 for v0.6.0 Kensa v0.6.0 removed one rule, so the bundled corpus is now 538 (verified by a live end-to-end scan against a RHEL host: status=completed, total_rules=538, 0 errors). Update the factual rule-count claims in the README and the scanning/controls guides to match. Version-pinned historical statements are intentionally left unchanged (LINUX_DISTRIBUTION_SUPPORT verified against v0.4.3=539; engineering plan past measurements), as are the explicitly-approximate "~539" architectural bounds in the lens handler/openapi (the tilde already disclaims precision and the bounded-no-pagination claim is unaffected).
1 parent dea0b6d commit 3f07728

7 files changed

Lines changed: 49 additions & 12 deletions

File tree

README.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ An auditor asks: *"Were these 200 servers compliant with STIG on January 15th?"*
1313

1414
With manual processes, that question takes a week to answer. With point-in-time scanning tools, you can only answer if you happened to scan that day. With OpenWatch, it is a query — executed in seconds, backed by machine-verifiable evidence, exportable as CSV, JSON, or PDF.
1515

16-
OpenWatch is the compliance operating system for teams managing Linux infrastructure under STIG, CIS, NIST 800-53, PCI-DSS, and FedRAMP. It connects to your servers over SSH, runs 539 compliance checks via the [Kensa](https://github.com/Hanalyx/kensa) engine, and provides continuous visibility into compliance posture — not just what's passing now, but what was passing last Tuesday, what drifted since your last assessment, and what needs attention before your next one.
16+
OpenWatch is the compliance operating system for teams managing Linux infrastructure under STIG, CIS, NIST 800-53, PCI-DSS, and FedRAMP. It connects to your servers over SSH, runs 538 compliance checks via the [Kensa](https://github.com/Hanalyx/kensa) engine, and provides continuous visibility into compliance posture — not just what's passing now, but what was passing last Tuesday, what drifted since your last assessment, and what needs attention before your next one.
1717

1818
> **Project status — Go rebuild, pre-release.** OpenWatch is a single Go binary
1919
> that serves both the REST API and the embedded React UI (the original
@@ -104,7 +104,7 @@ Open **https://localhost:8443** and sign in with the admin user you created.
104104
2. **Add a host** — Hosts > Add Host > enter IP, select credentials
105105
3. **Scan** — Click the play button on the host card
106106

107-
Results appear in under a minute. OpenWatch ships with 539 built-in [Kensa](https://github.com/Hanalyx/kensa) rules — human-readable YAML, not XML — ready to go.
107+
Results appear in under a minute. OpenWatch ships with 538 built-in [Kensa](https://github.com/Hanalyx/kensa) rules — human-readable YAML, not XML — ready to go.
108108

109109
## Architecture
110110

@@ -121,7 +121,7 @@ Results appear in under a minute. OpenWatch ships with 539 built-in [Kensa](http
121121
│ Auth · RBAC · Scheduling · Audit · Exports │
122122
├────────────────────────┬────────────────────────────────────┤
123123
│ Kensa Engine │ Worker (Go) │
124-
539 YAML rules │ Async scanning │
124+
538 YAML rules │ Async scanning │
125125
│ 23 remediation types │ Adaptive scheduling │
126126
│ Evidence capture │ Drift detection │
127127
├────────────────────────┴────────────────────────────────────┤
@@ -246,7 +246,7 @@ endpoint.
246246

247247
## Part of the Hanalyx Compliance Platform
248248

249-
OpenWatch is the compliance operating system — the dashboard, the scheduler, the governance layer. **[Kensa](https://github.com/Hanalyx/kensa)** is the compliance engine underneath — 539 rules, 23 remediation mechanisms, automatic rollback, all over SSH.
249+
OpenWatch is the compliance operating system — the dashboard, the scheduler, the governance layer. **[Kensa](https://github.com/Hanalyx/kensa)** is the compliance engine underneath — 538 rules, 23 remediation mechanisms, automatic rollback, all over SSH.
250250

251251
If you want a CLI that integrates into scripts and pipelines, start with Kensa. If you want a platform for your team with a dashboard, scheduling, and audit workflows, start here.
252252

docs/guides/COMPLIANCE_CONTROLS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@ This document maps OpenWatch's security controls to industry frameworks, providi
9191
| 1.1 | Enterprise Asset Inventory | Host management with system info collection |
9292
| 2.1 | Software Inventory | Server intelligence (package collection) |
9393
| 3.3 | Data Encryption | AES-256-GCM at rest, TLS 1.2+ in transit |
94-
| 4.1 | Secure Configuration | Kensa compliance scanning (539-rule corpus) |
94+
| 4.1 | Secure Configuration | Kensa compliance scanning (538-rule corpus) |
9595
| 4.2 | Baseline Network Configuration | Network discovery and topology mapping |
9696
| 5.2 | Unique Passwords | Argon2id hashing, 8-char minimum (15 for admin), breached-password screening |
9797
| 5.4 | MFA | TOTP-based MFA with backup codes |

docs/guides/SCANNING_AND_COMPLIANCE.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ Kensa retrieves SSH credentials from OpenWatch's encrypted store
2727
SSH connection to target host
2828
|
2929
v
30-
539 YAML rules evaluated (check commands, config values, file permissions)
30+
538 YAML rules evaluated (check commands, config values, file permissions)
3131
|
3232
v
3333
Each rule returns: pass/fail, severity, detail, evidence

go.mod

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ go 1.26.4
44

55
require (
66
github.com/BurntSushi/toml v1.6.0
7-
github.com/Hanalyx/kensa v0.5.2
7+
github.com/Hanalyx/kensa v0.6.0
88
github.com/getkin/kin-openapi v0.139.0
99
github.com/gliderlabs/ssh v0.3.8
1010
github.com/go-chi/chi/v5 v5.3.0
@@ -26,12 +26,15 @@ require (
2626
github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
2727
github.com/boombuler/barcode v1.1.0 // indirect
2828
github.com/dustin/go-humanize v1.0.1 // indirect
29+
github.com/elastic/go-libaudit/v2 v2.6.2 // indirect
30+
github.com/elastic/go-licenser v0.4.1 // indirect
2931
github.com/go-openapi/jsonpointer v0.21.0 // indirect
3032
github.com/go-openapi/swag v0.23.0 // indirect
3133
github.com/jackc/pgpassfile v1.0.0 // indirect
3234
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
3335
github.com/jackc/puddle/v2 v2.2.2 // indirect
3436
github.com/josharian/intern v1.0.0 // indirect
37+
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
3538
github.com/mailru/easyjson v0.7.7 // indirect
3639
github.com/mattn/go-isatty v0.0.21 // indirect
3740
github.com/mfridman/interpolate v0.0.2 // indirect

go.sum

Lines changed: 36 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
22
github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
3-
github.com/Hanalyx/kensa v0.5.2 h1:9bp5KION7N1FlmJA4f0AKFS4uVXijXZWDiP8ucViriQ=
4-
github.com/Hanalyx/kensa v0.5.2/go.mod h1:oEJt9i8spIWwy6i6uF1YgShrLS67kFXKIWr+J1eYBOY=
3+
github.com/Hanalyx/kensa v0.6.0 h1:FQEEbL66KC+B6F6NAHqZ6aPU/0mvp2LKPR8Z06zEyPM=
4+
github.com/Hanalyx/kensa v0.6.0/go.mod h1:83T8VCn+gRjDIPFWqKS7f0oGR4aCaGSPQQ0CUe9vHXY=
55
github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
66
github.com/andybalholm/brotli v1.2.1 h1:R+f5xP285VArJDRgowrfb9DqL18yVK0gKAW/F+eTWro=
77
github.com/andybalholm/brotli v1.2.1/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
@@ -22,6 +22,10 @@ github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxK
2222
github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
2323
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
2424
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
25+
github.com/elastic/go-libaudit/v2 v2.6.2 h1:1PM6wVBTJHJQYsKl8jfA9/Aw9pFty5uUezPiUfKtOI4=
26+
github.com/elastic/go-libaudit/v2 v2.6.2/go.mod h1:8205nkf2oSrXFlO4H5j8/cyVMoSF3Y7jt+FjgS4ubQU=
27+
github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
28+
github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
2529
github.com/getkin/kin-openapi v0.139.0 h1:pBFXcZJFwz9J1X64jzxlOoNgFm+TF7kNrs9+HJVN6Ic=
2630
github.com/getkin/kin-openapi v0.139.0/go.mod h1:NGxPfE4PwS/TRXEbyx2RrxDFPZvxcWw31Tw8XXjPZLs=
2731
github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
@@ -55,6 +59,8 @@ github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFr
5559
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
5660
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
5761
github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
62+
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
63+
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
5864
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
5965
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
6066
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -107,24 +113,52 @@ github.com/vearutop/statigz v1.4.0 h1:RQL0KG3j/uyA/PFpHeZ/L6l2ta920/MxlOAIGEOuwm
107113
github.com/vearutop/statigz v1.4.0/go.mod h1:LYTolBLiz9oJISwiVKnOQoIwhO1LWX1A7OECawGS8XE=
108114
github.com/woodsbury/decimal128 v1.3.0 h1:8pffMNWIlC0O5vbyHWFZAt5yWvWcrHA+3ovIIjVWss0=
109115
github.com/woodsbury/decimal128 v1.3.0/go.mod h1:C5UTmyTjW3JftjUFzOVhC20BEQa2a4ZKOB5I6Zjb+ds=
116+
github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
110117
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
111118
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
119+
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
120+
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
112121
golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
113122
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
123+
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
124+
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
125+
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
126+
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
114127
golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
115128
golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
129+
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
130+
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
131+
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
116132
golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
117133
golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
134+
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
135+
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
118136
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
119137
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
138+
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
139+
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
140+
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
141+
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
142+
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
143+
golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
120144
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
121145
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
146+
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
122147
golang.org/x/term v0.44.0 h1:0rLvDRCtNj0gZkyIXhCyOb2OAzEhLVqc4B+hrsBhrmc=
123148
golang.org/x/term v0.44.0/go.mod h1:7ze4MdzUzLXpSAoFP1H0bOI9aXDqveSvatT5vKcFh2Y=
149+
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
150+
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
124151
golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
125152
golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
153+
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
154+
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
155+
golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
156+
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
126157
golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
127158
golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
159+
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
160+
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
161+
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
128162
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
129163
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
130164
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

internal/kensa/types.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ import (
1010
// KensaModuleVersion is the version pin recorded in the spec's context
1111
// block. AC-10 source-inspects to verify this matches the corresponding
1212
// entry in app/go.mod.
13-
const KensaModuleVersion = "v0.5.2"
13+
const KensaModuleVersion = "v0.6.0"
1414

1515
// Sentinel errors returned by Executor.Run. Tests use errors.Is for
1616
// classification; the audit emission path maps each to a typed

specs/system/kensa-executor.spec.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ spec:
1010
feature: Kensa scan execution bridge
1111
description: >
1212
The executor invokes Kensa (Go module github.com/Hanalyx/kensa
13-
pinned to v0.5.2) to run a scan against a single host using the
13+
pinned to v0.6.0) to run a scan against a single host using the
1414
FULL rule corpus applicable to the host's detected OS
1515
capabilities. The Kensa API (`Kensa.Scan(ctx, host, rules,
1616
opts...)` per kensa-go/api/kensa.go:228) takes a `[]*api.Rule`
@@ -131,7 +131,7 @@ spec:
131131
type: technical
132132
enforcement: error
133133
- id: C-13
134-
description: The production scanFunc MUST compose the scan-only Kensa via api.New with pkg/kensa.NewScanner (kensa v0.5.2 — stateless, concurrency-safe shared) and this package's TransportFactory; no engine, store, or signer is constructed for the scan path. The worker subcommand binds it via WithScanFunc(NewProductionScanFunc(...)). unwiredScanFunc may remain ONLY as the test fallback NewExecutor defaults to before binding, annotated as such
134+
description: The production scanFunc MUST compose the scan-only Kensa via api.New with pkg/kensa.NewScanner (kensa v0.6.0 — stateless, concurrency-safe shared) and this package's TransportFactory; no engine, store, or signer is constructed for the scan path. The worker subcommand binds it via WithScanFunc(NewProductionScanFunc(...)). unwiredScanFunc may remain ONLY as the test fallback NewExecutor defaults to before binding, annotated as such
135135
type: technical
136136
enforcement: error
137137
- id: C-14

0 commit comments

Comments
 (0)