
feat(scanner/imports): detect policy imports across languages #67

Merged: boorad merged 2 commits into main from feat/policy-imports-multilang on May 5, 2026

Conversation

@boorad (Contributor) commented May 5, 2026

Summary

  • Detect policy-engine imports for Go, Python, and Java in addition to TS/JS.
  • Propagate imported policy bindings through simple same-file assignment flows so indirect enforcement points are counted.

Changes

  • Adds language-specific import detection for Go package imports, Python import/from-import forms, and Java class/static imports.
  • Adds fixed-point propagation from policy imports into local variables, fields, object pairs, composite literal keys, and class fields.
  • Pairs Go/Python multi-assignment targets with corresponding RHS expressions to avoid suppressing unrelated embedded authz findings.
  • Updates scanner docs/comments and end-to-end enforcement-point coverage.

Testing

  • cargo fmt --check
  • cargo check
  • cargo clippy --all-features -- -D warnings
  • cargo test --all-features

Summary by CodeRabbit

  • New Features
    • Extended policy import detection to support Go, Python, and Java alongside TypeScript/JavaScript, enabling comprehensive policy enforcement point identification across more languages.
  • Tests
    • Added test coverage for multi-language policy import scenarios and binding propagation validation across supported languages.

boorad added 2 commits May 5, 2026 10:40
…pagate

Extends find_policy_imports beyond TS/JS to walk the import grammars of
Go (import_spec with optional package_identifier alias, basename fallback,
blank/dot imports skipped), Python (import_statement, import_from_statement;
wildcard skipped), and Java (scoped_identifier; static + wildcard handled).
On the OCP corpus repo this alone moved externalization from 0% to 8%.

Adds one-hop intra-file data-flow propagation so DI patterns are recognized:
struct/object literal field initializers, short var decls, plain
assignments, attribute/field-access LHS, and TS class fields all flow the
binding set forward to a fixed point. Reuses the same is_enforcement_point
regex semantics, but compiles a single combined \b(a|b|c)\b regex per
iteration — earlier draft compiled one regex per binding per edge, which
turned the OCP scan from 0.3s to 9.5s.

OCP externalization: 0% → 65% (15/23 enforcement points). EA monorepo:
74% → 82% (96/117). The remaining residuals on OCP are cross-file flow
within a package and same-package implementation files, both tracked in
issue #66.

23 new unit tests in scanner::imports::tests cover the four languages
across import detection, propagation single-hop, multi-hop, and negative
cases. 3 new integration tests in scanner_enforcement_points.rs exercise
the end-to-end scanner against Go/Python/Java fixtures.

Pair assignment targets with their corresponding RHS expressions when propagating policy-import bindings in Go and Python. This prevents unrelated local authorization-looking calls from being counted as externalized enforcement points.
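The seed-then-propagate loop the commit message above describes (policy-import bindings flowing through same-file assignments to a fixed point, with Go/Python multi-assignment targets paired to their own right-hand side, as the second commit and the PR summary state), as an added Rust example that is not zift's code. It assumes a line-based edge collector in place of the scanner's tree-sitter walk, an identifier tokenizer in place of the single combined `\b(a|b|c)\b` regex (same whole-word semantics, so it runs without the regex crate), a constructed Go-style snippet as input, and the string `open-policy-agent` as a placeholder for the scanner's real policy-engine import list. The names `collect_edges`, `split_assignment`, `split_top_level`, `identifiers` and `scan_sample` are this example's own; `propagate_to_fixed_point` reuses the name of the PR's function but is not its implementation.

```rust
// Added example, not zift's own code. A line-based edge collector stands in for
// the scanner's tree-sitter walk, and an identifier tokenizer stands in for the
// combined `\b(a|b|c)\b` regex (same whole-word semantics, no crate needed).
use std::collections::BTreeSet;

/// One assignment-shaped edge: `lhs` receives the value of expression `rhs`.
#[derive(Debug, Clone, PartialEq)]
pub struct Edge {
    pub lhs: String,
    pub rhs: String,
}

/// Maximal identifier runs: the whole words a `\b(...)\b` alternation could match.
pub fn identifiers(text: &str) -> Vec<String> {
    text.split(|c: char| !(c.is_ascii_alphanumeric() || c == '_'))
        .filter(|s| !s.is_empty())
        .map(str::to_string)
        .collect()
}

/// Split an expression list on commas not nested inside (), [] or {}.
fn split_top_level(list: &str) -> Vec<String> {
    let (mut out, mut cur, mut depth) = (Vec::new(), String::new(), 0i32);
    for c in list.chars() {
        depth += match c { '(' | '[' | '{' => 1, ')' | ']' | '}' => -1, _ => 0 };
        if c == ',' && depth == 0 {
            out.push(cur.trim().to_string());
            cur.clear();
        } else {
            cur.push(c);
        }
    }
    out.push(cur.trim().to_string());
    out.retain(|s| !s.is_empty());
    out
}

/// Locate `:=` or plain `=`, rejecting the comparisons `==`, `!=`, `<=` and `>=`.
fn split_assignment(line: &str) -> Option<(&str, &str)> {
    if let Some(pair) = line.split_once(":=") { return Some(pair); }
    let (i, b) = (line.find('=')?, line.as_bytes());
    let prev = if i > 0 { b[i - 1] } else { b' ' };
    if b.get(i + 1) == Some(&b'=') || matches!(prev, b'!' | b'<' | b'>') { return None; }
    Some((&line[..i], &line[i + 1..]))
}

/// Edges for `a, b := x, y` and `a = x` lines. Targets pair positionally with their
/// own RHS expression when the counts match (the PR's pairing fix); otherwise each
/// target is conservatively linked to the whole RHS.
pub fn collect_edges(line: &str) -> Vec<Edge> {
    let Some((lhs, rhs)) = split_assignment(line) else { return Vec::new() };
    let (targets, values) = (split_top_level(lhs), split_top_level(rhs));
    let mut edges = Vec::new();
    for (i, target) in targets.iter().enumerate() {
        let value = if targets.len() == values.len() { values[i].clone() } else { rhs.trim().to_string() };
        edges.push(Edge { lhs: target.clone(), rhs: value });
    }
    edges
}

/// Grow the binding set until no edge adds a name. One pass corresponds to one compiled
/// combined regex in the scanner: the set is frozen for the pass, every edge is tested.
pub fn propagate_to_fixed_point(seed: &BTreeSet<String>, edges: &[Edge]) -> BTreeSet<String> {
    let mut bindings = seed.clone();
    loop {
        let snapshot = bindings.clone();
        for edge in edges {
            if identifiers(&edge.rhs).iter().any(|id| snapshot.contains(id)) {
                bindings.insert(edge.lhs.clone());
            }
        }
        if bindings.len() == snapshot.len() { return bindings; }
    }
}

/// Constructed Go-style input (not from the OCP corpus): an aliased OPA import, a two-hop
/// flow, a paired multi-assignment whose second target must stay unbound, and a comparison.
pub const SAMPLE: &str = "import opa \"github.com/open-policy-agent/opa/rego\"
client := opa.New()
svc := Service{policy: client}
cfg, local := client.Config(), localAuthz()
if local != nil {";

/// Seed from Go import lines (alias, else path basename) whose path looks like a policy
/// engine, then propagate. `open-policy-agent` is a placeholder for the scanner's real list.
pub fn scan_sample() -> BTreeSet<String> {
    let (mut seed, mut edges) = (BTreeSet::new(), Vec::new());
    for line in SAMPLE.lines() {
        let Some(rest) = line.strip_prefix("import ") else { edges.extend(collect_edges(line)); continue };
        let mut parts = rest.split_whitespace();
        let first = parts.next().unwrap_or("");
        let path = parts.next().unwrap_or(first).trim_matches('"');
        if !path.contains("open-policy-agent") { continue; } // placeholder allowlist check
        let name = if first.starts_with('"') { path.rsplit('/').next().unwrap_or(path) } else { first };
        seed.insert(name.to_string());
    }
    propagate_to_fixed_point(&seed, &edges)
}

fn main() {
    println!("{:?}", scan_sample()); // {"cfg", "client", "opa", "svc"}
}
```

Compiling with plain `rustc` and running prints `{"cfg", "client", "opa", "svc"}`. `local` stays unbound because its paired RHS `localAuthz()` never mentions a binding; linking every target to the whole RHS would have bound it, which is the false positive the pairing commit removes. `if local != nil` yields no edge because the collector rejects comparison operators, the same "skipping non-= operators" rule the PR describes for Go. Freezing the binding set for each pass is what lets the real scanner compile one combined regex per iteration instead of one per binding per edge.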
@boorad boorad self-assigned this May 5, 2026
coderabbitai (Bot) commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

Configuration used: .coderabbit.yaml; review profile: CHILL; plan: Pro; run ID: b237172e-9c76-443b-a0b2-e04d75f990d7

Reviewing files that changed from the base of the PR and between 9da7362 and ac92c0f.

Files selected for processing (3):
  • src/scanner/imports.rs
  • src/scanner/mod.rs
  • tests/scanner_enforcement_points.rs

Walkthrough

The pull request extends policy import binding detection across TypeScript/JavaScript, Go, Python, and Java by introducing iterative one-hop propagation over assignment-shaped edges. Initial bindings are extracted per language via tree-sitter, then propagated intra-file through regex-driven edge matching until fixed point. New language-specific import and edge collectors are added, with comprehensive test coverage and updated documentation.

Changes

Multi-Language Policy Import Detection with Iterative Propagation

  • Core Propagation Algorithm, src/scanner/imports.rs (123-189): find_policy_imports is refactored to seed initial bindings, then propagate_to_fixed_point iteratively grows bindings by matching assignment edges against a dynamically compiled binding regex until convergence.
  • Regex Builder, src/scanner/imports.rs (174-189): build_combined_binding_regex compiles a single \b(?:...)\b pattern from sorted, deduplicated bindings for efficient edge-text matching each iteration.
  • Go Import & Edge Extraction, src/scanner/imports.rs (246-520): find_go_policy_imports extracts unaliased and aliased OPA/policy imports; collect_go_assignment_edges gathers short-var, var, plain =, and keyed-literal edges while skipping non-= operators.
  • Python Import & Edge Extraction, src/scanner/imports.rs (531-731): find_py_policy_imports handles import, from...import, and module-name extraction with dotted-head and alias handling; collect_py_assignment_edges collects identifier, attribute, tuple/list destructure, and walrus-expression edges.
  • Java Import & Edge Extraction, src/scanner/imports.rs (732-773): find_java_policy_imports extracts fully-qualified imports (skipping wildcards) and binding names; visit_java_edge collects initializer and assignment-expression edges from identifiers and field-access patterns.
  • TypeScript/JavaScript Edge Extraction, src/scanner/imports.rs (775-850): visit_ts_js_edge adds support for variable declarators, assignment expressions (including member/property writes), object pairs, and class/public field initializers to propagate property bindings.
  • Shared Traversal Helpers, src/scanner/imports.rs (246-289, 455-490): iter_named_descendants enables non-recursive descent; Go/Python/Java string and path helpers (strip_go_string_quotes, go_path_basename) simplify language-specific parsing.
  • Documentation, src/scanner/mod.rs (79-87): Updated comments clarify that the enforcement_points counter now uses import detection for TS/JS, Go, Python, and Java (other languages no-op).
  • Test Infrastructure & Coverage, tests/scanner_enforcement_points.rs (130-287): scan_fixture helper runs end-to-end scans on temporary files; new tests validate enforcement_points routing for Go OPA, Python authz, and Java permission-check imports; added propagation regression test ensuring unrelated paired assignments are not suppressed.

Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~65 minutes

Possibly related PRs

  • EnforceAuth/zift#14: Both PRs enhance src/scanner/imports.rs binding extraction (this PR adds multi-language and propagation; #14 fixes ES named-import alias capture).
  • EnforceAuth/zift#9: Both PRs extend find_policy_imports language coverage and binding detection (this PR adds Go/Python/Java with propagation; #9 added JS/TS namespace/require handling).
  • EnforceAuth/zift#55: Both PRs touch enforcement-points behavior and scanner tests (this PR expands those tests across newly supported languages).

Poem

🐰 A rabbit hops through four new lands,
Gathering bindings with nimble hands,
One hop, two hops—'til patterns align,
Go, Python, Java—imports now shine!
Fixed point reached, the propagation's divine!

Pre-merge checks: 5 passed
  • Description Check: passed (check skipped; CodeRabbit's high-level summary is enabled).
  • Title check: passed. The title accurately describes the main change: extending policy import detection to multiple programming languages (Go, Python, Java) in addition to TypeScript/JavaScript.
  • Docstring Coverage: passed. Docstring coverage is 100.00%, which is sufficient; the required threshold is 80.00%.
  • Linked Issues check: passed (check skipped because no linked issues were found for this pull request).
  • Out of Scope Changes check: passed (check skipped because no linked issues were found for this pull request).



amazon-q-developer (Bot) left a comment

The implementation successfully extends policy import detection to Go, Python, and Java while adding intra-file data-flow propagation. The code is well-structured with comprehensive test coverage and properly handles edge cases like multi-assignment pairing to prevent false positives. All critical functionality appears to work correctly based on the extensive test suite covering real-world patterns from the OCP corpus.



@boorad boorad merged commit fc3dc92 into main May 5, 2026
3 checks passed
@boorad boorad deleted the feat/policy-imports-multilang branch May 5, 2026 14:53