sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit: Compliance Scanner Agent

Browse Source 
Autonomous security and compliance scanning agent for git repositories.
Features: SAST (Semgrep), SBOM (Syft), CVE monitoring (OSV.dev/NVD),
GDPR/OAuth pattern detection, LLM triage, issue creation (GitHub/GitLab/Jira),
PR reviews, and Dioxus fullstack dashboard.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
2026-03-02 13:30:17 +01:00
commit 0867e401bc
97 changed files with 11750 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
compliance-agent/src/webhooks/github.rs Normal file
View File

@@ -0,0 +1,130 @@
use std::sync::Arc;
use axum::body::Bytes;
use axum::extract::Extension;
use axum::http::{HeaderMap, StatusCode};
use hmac::{Hmac, Mac};
use secrecy::ExposeSecret;
use sha2::Sha256;
use compliance_core::models::ScanTrigger;
use crate::agent::ComplianceAgent;
type HmacSha256 = Hmac<Sha256>;
pub async fn handle_github_webhook(
Extension(agent): Extension<Arc<ComplianceAgent>>,
headers: HeaderMap,
body: Bytes,
) -> StatusCode {
// Verify HMAC signature
if let Some(secret) = &agent.config.github_webhook_secret {
let signature = headers
.get("x-hub-signature-256")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
if !verify_signature(secret.expose_secret(), &body, signature) {
tracing::warn!("GitHub webhook: invalid signature");
return StatusCode::UNAUTHORIZED;
}
}
let event = headers
.get("x-github-event")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
let payload: serde_json::Value = match serde_json::from_slice(&body) {
Ok(v) => v,
Err(e) => {
tracing::warn!("GitHub webhook: invalid JSON: {e}");
return StatusCode::BAD_REQUEST;
}
};
match event {
"push" => handle_push(agent, &payload).await,
"pull_request" => handle_pull_request(agent, &payload).await,
_ => {
tracing::debug!("GitHub webhook: ignoring event '{event}'");
StatusCode::OK
}
}
}
async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
let repo_url = payload["repository"]["clone_url"]
.as_str()
.or_else(|| payload["repository"]["html_url"].as_str())
.unwrap_or("");
if repo_url.is_empty() {
return StatusCode::BAD_REQUEST;
}
// Find matching tracked repository
let repo = agent
.db
.repositories()
.find_one(mongodb::bson::doc! { "git_url": repo_url })
.await
.ok()
.flatten();
if let Some(repo) = repo {
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
let agent_clone = (*agent).clone();
tokio::spawn(async move {
tracing::info!("GitHub push webhook: triggering scan for {repo_id}");
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
tracing::error!("Webhook-triggered scan failed: {e}");
}
});
} else {
tracing::debug!("GitHub push webhook: no tracked repo for {repo_url}");
}
StatusCode::OK
}
async fn handle_pull_request(
_agent: Arc<ComplianceAgent>,
payload: &serde_json::Value,
) -> StatusCode {
let action = payload["action"].as_str().unwrap_or("");
if action != "opened" && action != "synchronize" {
return StatusCode::OK;
}
let repo_url = payload["repository"]["clone_url"]
.as_str()
.unwrap_or("");
let pr_number = payload["pull_request"]["number"].as_u64().unwrap_or(0);
if repo_url.is_empty() || pr_number == 0 {
return StatusCode::BAD_REQUEST;
}
tracing::info!("GitHub PR webhook: PR #{pr_number} {action} on {repo_url}");
// PR review scan would be triggered here - runs incremental SAST on diff
// and posts review comments via the GitHub tracker
StatusCode::OK
}
fn verify_signature(secret: &str, body: &[u8], signature: &str) -> bool {
let sig = signature.strip_prefix("sha256=").unwrap_or(signature);
let sig_bytes = match hex::decode(sig) {
Ok(b) => b,
Err(_) => return false,
};
let mut mac = match HmacSha256::new_from_slice(secret.as_bytes()) {
Ok(m) => m,
Err(_) => return false,
};
mac.update(body);
mac.verify_slice(&sig_bytes).is_ok()
}

95
compliance-agent/src/webhooks/gitlab.rs Normal file
View File

@@ -0,0 +1,95 @@
use std::sync::Arc;
use axum::body::Bytes;
use axum::extract::Extension;
use axum::http::{HeaderMap, StatusCode};
use secrecy::ExposeSecret;
use compliance_core::models::ScanTrigger;
use crate::agent::ComplianceAgent;
pub async fn handle_gitlab_webhook(
Extension(agent): Extension<Arc<ComplianceAgent>>,
headers: HeaderMap,
body: Bytes,
) -> StatusCode {
// Verify GitLab token
if let Some(secret) = &agent.config.gitlab_webhook_secret {
let token = headers
.get("x-gitlab-token")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
if token != secret.expose_secret() {
tracing::warn!("GitLab webhook: invalid token");
return StatusCode::UNAUTHORIZED;
}
}
let payload: serde_json::Value = match serde_json::from_slice(&body) {
Ok(v) => v,
Err(e) => {
tracing::warn!("GitLab webhook: invalid JSON: {e}");
return StatusCode::BAD_REQUEST;
}
};
let event_type = payload["object_kind"].as_str().unwrap_or("");
match event_type {
"push" => handle_push(agent, &payload).await,
"merge_request" => handle_merge_request(agent, &payload).await,
_ => {
tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
StatusCode::OK
}
}
}
async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
let repo_url = payload["project"]["git_http_url"]
.as_str()
.or_else(|| payload["project"]["web_url"].as_str())
.unwrap_or("");
if repo_url.is_empty() {
return StatusCode::BAD_REQUEST;
}
let repo = agent
.db
.repositories()
.find_one(mongodb::bson::doc! { "git_url": repo_url })
.await
.ok()
.flatten();
if let Some(repo) = repo {
let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
let agent_clone = (*agent).clone();
tokio::spawn(async move {
tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
tracing::error!("Webhook-triggered scan failed: {e}");
}
});
}
StatusCode::OK
}
async fn handle_merge_request(
_agent: Arc<ComplianceAgent>,
payload: &serde_json::Value,
) -> StatusCode {
let action = payload["object_attributes"]["action"].as_str().unwrap_or("");
if action != "open" && action != "update" {
return StatusCode::OK;
}
let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
tracing::info!("GitLab MR webhook: MR !{mr_iid} {action}");
StatusCode::OK
}

5
compliance-agent/src/webhooks/mod.rs Normal file
View File

@@ -0,0 +1,5 @@
pub mod github;
pub mod gitlab;
pub mod server;
pub use server::start_webhook_server;

27
compliance-agent/src/webhooks/server.rs Normal file
View File

@@ -0,0 +1,27 @@
use std::sync::Arc;
use axum::routing::post;
use axum::{Extension, Router};
use crate::agent::ComplianceAgent;
use crate::error::AgentError;
use crate::webhooks::{github, gitlab};
pub async fn start_webhook_server(agent: &ComplianceAgent) -> Result<(), AgentError> {
let app = Router::new()
.route("/webhook/github", post(github::handle_github_webhook))
.route("/webhook/gitlab", post(gitlab::handle_gitlab_webhook))
.layer(Extension(Arc::new(agent.clone())));
let addr = "0.0.0.0:3002";
let listener = tokio::net::TcpListener::bind(addr)
.await
.map_err(|e| AgentError::Other(format!("Failed to bind webhook server: {e}")))?;
tracing::info!("Webhook server listening on {addr}");
axum::serve(listener, app)
.await
.map_err(|e| AgentError::Other(format!("Webhook server error: {e}")))?;
Ok(())
}