Initial commit: Compliance Scanner Agent

Autonomous security and compliance scanning agent for git repositories.
Features: SAST (Semgrep), SBOM (Syft), CVE monitoring (OSV.dev/NVD),
GDPR/OAuth pattern detection, LLM triage, issue creation (GitHub/GitLab/Jira),
PR reviews, and Dioxus fullstack dashboard.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-agent/src/webhooks/gitlab.rs

@@ -0,0 +1,95 @@
+use std::sync::Arc;
+
+use axum::body::Bytes;
+use axum::extract::Extension;
+use axum::http::{HeaderMap, StatusCode};
+use secrecy::ExposeSecret;
+
+use compliance_core::models::ScanTrigger;
+
+use crate::agent::ComplianceAgent;
+
+pub async fn handle_gitlab_webhook(
+    Extension(agent): Extension<Arc<ComplianceAgent>>,
+    headers: HeaderMap,
+    body: Bytes,
+) -> StatusCode {
+    // Verify GitLab token
+    if let Some(secret) = &agent.config.gitlab_webhook_secret {
+        let token = headers
+            .get("x-gitlab-token")
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+
+        if token != secret.expose_secret() {
+            tracing::warn!("GitLab webhook: invalid token");
+            return StatusCode::UNAUTHORIZED;
+        }
+    }
+
+    let payload: serde_json::Value = match serde_json::from_slice(&body) {
+        Ok(v) => v,
+        Err(e) => {
+            tracing::warn!("GitLab webhook: invalid JSON: {e}");
+            return StatusCode::BAD_REQUEST;
+        }
+    };
+
+    let event_type = payload["object_kind"].as_str().unwrap_or("");
+
+    match event_type {
+        "push" => handle_push(agent, &payload).await,
+        "merge_request" => handle_merge_request(agent, &payload).await,
+        _ => {
+            tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
+            StatusCode::OK
+        }
+    }
+}
+
+async fn handle_push(agent: Arc<ComplianceAgent>, payload: &serde_json::Value) -> StatusCode {
+    let repo_url = payload["project"]["git_http_url"]
+        .as_str()
+        .or_else(|| payload["project"]["web_url"].as_str())
+        .unwrap_or("");
+
+    if repo_url.is_empty() {
+        return StatusCode::BAD_REQUEST;
+    }
+
+    let repo = agent
+        .db
+        .repositories()
+        .find_one(mongodb::bson::doc! { "git_url": repo_url })
+        .await
+        .ok()
+        .flatten();
+
+    if let Some(repo) = repo {
+        let repo_id = repo.id.map(|id| id.to_hex()).unwrap_or_default();
+        let agent_clone = (*agent).clone();
+        tokio::spawn(async move {
+            tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
+            if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
+                tracing::error!("Webhook-triggered scan failed: {e}");
+            }
+        });
+    }
+
+    StatusCode::OK
+}
+
+async fn handle_merge_request(
+    _agent: Arc<ComplianceAgent>,
+    payload: &serde_json::Value,
+) -> StatusCode {
+    let action = payload["object_attributes"]["action"].as_str().unwrap_or("");
+    if action != "open" && action != "update" {
+        return StatusCode::OK;
+    }
+
+    let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
+    tracing::info!("GitLab MR webhook: MR !{mr_iid} {action}");
+
+    StatusCode::OK
+}