Threagile / threagile

Agile Threat Modeling Toolkit
https://threagile.io
MIT License

Why use Go's plugin feature #24

Open fractalqb opened 2 years ago

fractalqb commented 2 years ago

Go's plugin package seems to be a little like an "unloved child" in the Go community. And it is not (yet?) ready for Windows. Windows is not my problem, but it might lock out quite a few users. And it interferes with Go's core feature of platform independence.

Apart from that, I don't see the benefit. The RAA package is mandatory in the current threagile exe. You cannot run threagile -raa-plugin "". It simply fails with plugin.Open(""): realpath failed. So what's the point in making RAA a plugin if it must be there in the end? It would be much simpler with the default static linking of Go.
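The alternative described in the comment above, sketched as an added example (not part of the thread and not Threagile's code): the RAA calculator is linked statically as the default, and plugin.Open is called only when a plugin path is actually given. The RAACalculator interface, the LoadRAA function, the "RAA" symbol name and the scoring logic are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"plugin"
)

// RAACalculator is a hypothetical interface for this example, not Threagile's type.
type RAACalculator interface {
	Calculate(ratings map[string]float64) map[string]float64
}

// builtinRAA is linked statically, so it exists on every platform Go targets.
type builtinRAA struct{}

// Calculate scales ratings to 0..100 of the highest one (placeholder logic).
func (builtinRAA) Calculate(ratings map[string]float64) map[string]float64 {
	highest, out := 0.0, make(map[string]float64, len(ratings))
	for _, v := range ratings {
		highest = math.Max(highest, v)
	}
	for k, v := range ratings {
		if out[k] = 0; highest > 0 {
			out[k] = v / highest * 100
		}
	}
	return out
}

// LoadRAA uses the built-in for an empty path; plugin.Open runs only on request.
func LoadRAA(path string) (RAACalculator, error) {
	if path == "" {
		return builtinRAA{}, nil
	}
	p, err := plugin.Open(path) // errors on platforms without plugin support
	if err != nil {
		return nil, fmt.Errorf("raa plugin %q: %w", path, err)
	}
	sym, err := p.Lookup("RAA") // "RAA" is an assumed symbol name
	if err != nil {
		return nil, fmt.Errorf("raa plugin %q: %w", path, err)
	}
	if calc, ok := sym.(RAACalculator); ok {
		return calc, nil
	}
	return nil, fmt.Errorf("raa plugin %q: RAA is not an RAACalculator", path)
}

func main() { fmt.Println(LoadRAA("")) }
```

With this shape an empty plugin path never reaches the plugin loader, so the default run works on platforms where the plugin package is unavailable.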

ezavgorodniy commented 1 month ago

Absolutely agree with you; I had the same feeling when I tried to run this locally. It seems @joreiche had the same feelings and introduced a solution to achieve flexibility through a meta script language in YAML: https://github.com/Threagile/threagile/blob/master/pkg/security/risks/scripts/accidental-secret-leak.yaml

This is not a feature that can be used from the latest Docker image, although we're working on making an official release of Threagile 1.0, which will contain it.

P.S. I'm aware of the lack of documentation on script rules; it's something that other contributors have on their TODO list.