fix: add timeouts to scanners, cap semgrep memory, remove syft remote lookups, fix Script error

Semgrep was running unbounded with --config=auto (downloads all rules) and no memory cap,
making it likely to get OOM-killed in resource-constrained Orca containers. Syft had remote
license lookups enabled which adds network calls and memory overhead. Neither had timeouts,
so a hung process would stall the entire scan indefinitely and silently produce 0 results.

- semgrep: add --max-memory 500 --jobs 1 and a 10-minute timeout
- syft: remove remote license lookup env vars, add 5-minute timeout
- gitleaks: add 5-minute timeout
- dashboard: fix Script dangerous_inner_html -> text child (Dioxus 0.7 Script element
  requires a single text node child, not dangerous_inner_html — was spamming error logs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

compliance-agent/src/pipeline/gitleaks.rs

@@ -19,7 +19,9 @@ impl Scanner for GitleaksScanner {
 
     #[tracing::instrument(skip_all)]
     async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::process::Command::new("gitleaks")
+        let output = tokio::time::timeout(
+            std::time::Duration::from_secs(300),
+            tokio::process::Command::new("gitleaks")
                 .args([
                     "detect",
                     "--source",
@@ -33,8 +35,13 @@ impl Scanner for GitleaksScanner {
                     "0",
                 ])
                 .current_dir(repo_path)
-            .output()
+                .output(),
+        )
         .await
+        .map_err(|_| CoreError::Scanner {
+            scanner: "gitleaks".to_string(),
+            source: "timed out after 5 minutes".into(),
+        })?
         .map_err(|e| CoreError::Scanner {
             scanner: "gitleaks".to_string(),
             source: Box::new(e),

compliance-agent/src/pipeline/sbom/syft.rs

@@ -5,16 +5,18 @@ use compliance_core::CoreError;
 
 #[tracing::instrument(skip_all, fields(repo_id = %repo_id))]
 pub(super) async fn run_syft(repo_path: &Path, repo_id: &str) -> Result<Vec<SbomEntry>, CoreError> {
-    let output = tokio::process::Command::new("syft")
+    let output = tokio::time::timeout(
+        std::time::Duration::from_secs(300),
+        tokio::process::Command::new("syft")
             .arg(repo_path)
             .args(["-o", "cyclonedx-json"])
-        // Enable remote license lookups for all ecosystems
-        .env("SYFT_GOLANG_SEARCH_REMOTE_LICENSES", "true")
-        .env("SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSES", "true")
-        .env("SYFT_PYTHON_SEARCH_REMOTE_LICENSES", "true")
-        .env("SYFT_JAVA_USE_NETWORK", "true")
-        .output()
+            .output(),
+    )
     .await
+    .map_err(|_| CoreError::Scanner {
+        scanner: "syft".to_string(),
+        source: "timed out after 5 minutes".into(),
+    })?
     .map_err(|e| CoreError::Scanner {
         scanner: "syft".to_string(),
         source: Box::new(e),

compliance-agent/src/pipeline/semgrep.rs

@@ -19,11 +19,26 @@ impl Scanner for SemgrepScanner {
 
     #[tracing::instrument(skip_all)]
     async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
-        let output = tokio::process::Command::new("semgrep")
-            .args(["--config=auto", "--json", "--quiet"])
+        let output = tokio::time::timeout(
+            std::time::Duration::from_secs(600),
+            tokio::process::Command::new("semgrep")
+                .args([
+                    "--config=auto",
+                    "--json",
+                    "--quiet",
+                    "--max-memory",
+                    "500",
+                    "--jobs",
+                    "1",
+                ])
                 .arg(repo_path)
-            .output()
+                .output(),
+        )
         .await
+        .map_err(|_| CoreError::Scanner {
+            scanner: "semgrep".to_string(),
+            source: "timed out after 10 minutes".into(),
+        })?
         .map_err(|e| CoreError::Scanner {
             scanner: "semgrep".to_string(),
             source: Box::new(e),

compliance-dashboard/src/components/app_shell.rs

@@ -32,7 +32,7 @@ pub fn AppShell() -> Element {
             // Not authenticated — redirect to Keycloak login
             rsx! {
                 document::Script {
-                    dangerous_inner_html: "window.location.href = '/auth';"
+                    "window.location.href = '/auth';"
                 }
             }
         }