60 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Sharang Parnerkar	4d5eedcc8b	fix: add HTTP timeout to reqwest client and CVE stage timeout ... Without a timeout on the reqwest client, sequential NVD API calls for each CVE alert could hang indefinitely. With 1098 SBOM entries producing hundreds of alerts, this would stall the scan pipeline. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-13 08:48:03 +02:00
sharang	df0063abc0	fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error (#78) ... ## Summary - **Scan produces no results in Orca** — semgrep (`--config=auto`, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning. - **Dashboard Script error spam** — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load. ## Changes | File | Change | |------|--------| | `semgrep.rs` | Add `--max-memory 500 --jobs 1`; 10-minute timeout | | `syft.rs` | Remove remote license lookup env vars; 5-minute timeout | | `gitleaks.rs` | 5-minute timeout | | `app_shell.rs` | Fix `dangerous_inner_html` → text child in `document::Script` | ## Test plan - [ ] Trigger a scan on a repo in Orca — findings and SBOM entries should now appear - [ ] Agent logs should show timeout/error warnings rather than silent empty results when tools are killed - [ ] Navigate to dashboard unauthenticated — Script error gone from logs - [ ] Verify scans work end-to-end with `docker compose up` --------- Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Reviewed-on: #78	2026-05-12 11:27:24 +00:00
Sharang Parnerkar	5cafd13f44	ci: log orca webhook response so deploy steps arent silent	2026-04-08 15:09:27 +02:00
Sharang Parnerkar	69209649a5	ci: trigger first orca build for all services ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 10:10:07 +02:00
Sharang Parnerkar	d5439adc0d	ci: trigger build of dashboard, docs, mcp images for orca ... Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 10:09:49 +02:00
Sharang Parnerkar	bc7cdd35e4	ci: replace coolify webhook with orca deploy ... Each deploy job now builds the per-service image, pushes to the private registry as :latest and :sha, then triggers an HMAC-signed orca redeploy webhook. Coolify webhooks are no longer used. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-08 10:06:11 +02:00
Sharang Parnerkar	c062d834a1	fix: downgrade dotenv missing file from FAILED to info message ... Non-fatal in Docker where env vars come from container config. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-30 15:33:24 +02:00
sharang	23cf37b6c3	fix: CVE notifications during scan + help chat doc loading + Dockerfile (#55) v0.2.0	2026-03-30 13:10:56 +00:00
sharang	49d5cd4e0a	feat: hourly CVE alerting with notification bell and API (#53)	2026-03-30 10:39:39 +00:00
sharang	4388e98b5b	feat: add E2E test suite with nightly CI, fix dashboard Dockerfile (#52)	2026-03-30 10:04:07 +00:00
sharang	a8bb05d7b1	feat: add floating help chat widget, remove settings page (#51)	2026-03-30 08:05:29 +00:00
sharang	bae24f9cf8	fix: cascade-delete DAST targets, pentests, and downstream data on repo delete (#50)	2026-03-30 07:11:23 +00:00
sharang	dd53132746	feat: refine all LLM system prompts for precision and reduced false positives (#49)	2026-03-30 07:11:17 +00:00
sharang	ff088f9eb4	feat: deduplicate code review findings across LLM passes (#48)	2026-03-29 20:38:52 +00:00
sharang	745ad8a441	fix: check Gitea API response status and fallback for PR reviews (#47) ... ## Summary - Add HTTP response status checking to all Gitea tracker methods that were silently swallowing errors - Add fallback in create_pr_review: if inline comments fail, retry as plain PR comment ## Test plan - [ ] Deploy and trigger a PR review, check logs for actual error details - [ ] Verify fallback posts summary comment when inline comments fail Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com> Reviewed-on: #47	2026-03-25 16:26:09 +00:00
sharang	a9d039dad3	fix: stop storing code review findings in dashboard (#22)	2026-03-18 15:18:07 +00:00
Sharang Parnerkar	a509bdcb2e	fix: require TLS for IMAP auth, close port 143 (CERT-Bund compliance) ... - Remove port 143 from mailserver (only expose 993/IMAPS) - Enable SSL_TYPE=manual with Let's Encrypt certs - Set DOVECOT_DISABLE_PLAINTEXT_AUTH=yes - Add pentest_imap_tls config field (defaults to true) Fixes CERT-Bund report: IMAP PLAIN/LOGIN without TLS on 46.225.100.82:143 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-18 09:29:34 +01:00
sharang	c461faa2fb	feat: pentest onboarding — streaming, browser automation, reports, user cleanup (#16) ... Complete pentest feature overhaul: SSE streaming, session-persistent browser tool (CDP), AES-256 credential encryption, auto-screenshots in reports, code-level remediation correlation, SAST triage chunking, context window optimization, test user cleanup (Keycloak/Auth0/Okta), wizard dropdowns, attack chain improvements, architecture docs with Mermaid diagrams. Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #16	2026-03-17 20:32:20 +00:00
Sharang Parnerkar	11e1c5f438	Merge branch 'fix/chrome-in-agent'	2026-03-13 11:25:16 +01:00
Sharang Parnerkar	77f1c92c7b	ci: skip check stage on main push since PRs enforce it ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 11:20:39 +01:00
sharang	4eac1209d8	fix: remote Chrome PDF export & MCP endpoint sync (#15)	2026-03-13 10:12:20 +00:00
Sharang Parnerkar	584ef2c822	fix: remote Chrome PDF via CDP, sync MCP endpoint URL on boot ... - Add CHROME_WS_URL env var support for PDF report generation via Chrome DevTools Protocol over WebSocket (falls back to local binary) - Update seeded MCP server endpoint URLs on boot when MCP_ENDPOINT_URL env var differs from stored value (previously only seeded once) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:57:28 +01:00
sharang	a529e9af0c	ci: consolidate CI into single job; fix sidebar footer (#14)	2026-03-13 09:44:32 +00:00
sharang	3bb690e5bb	refactor: modularize codebase and add 404 unit tests (#13)	2026-03-13 08:03:45 +00:00
sharang	acc5b86aa4	feat: AI-driven automated penetration testing (#12)	2026-03-12 14:42:54 +00:00
sharang	3ec1456b0d	docs: rewrite user-facing documentation with screenshots (#11)	2026-03-11 15:26:00 +00:00
Sharang Parnerkar	689daa0f49	chore: upgrade Dockerfiles to Rust 1.94 ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 13:15:47 +01:00
sharang	491665559f	feat: per-repo issue tracker, Gitea support, PR review pipeline (#10)	2026-03-11 12:13:59 +00:00
Sharang Parnerkar	be4b43ed64	fix: SBOM export now triggers browser file download instead of showing JSON ... Replace the inline <pre> JSON display with a proper browser download using Blob + URL.createObjectURL. Clicking "Download" now saves a .json file (CycloneDX or SPDX format) directly to the user's downloads folder. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:57:34 +01:00
Sharang Parnerkar	895c070239	fix: rewrite SigNoz dashboards using correct v4 widget schema ... Previous JSON used an incorrect format. Rewrote both dashboards using the actual SigNoz v4 schema (widgets array, builder queryData, proper layout entries, aggregateOperator/aggregateAttribute structure). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:49:45 +01:00
Sharang Parnerkar	f84f69d1ea	feat: add SigNoz dashboard JSON configs for agent and dashboard monitoring ... Two dashboards with ClickHouse queries matching our tracing instrumentation: - compliance-agent: API handler latency/errors, scan pipeline stage durations, DAST/graph/chat API panels, and warn/error log tracking - compliance-dashboard: server function performance, page load distribution, agent connectivity health, and error log monitoring Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-11 09:29:48 +01:00
Sharang Parnerkar	99983c51e3	feat: enhance tracing with field attributes and warn logging across all handlers ... Add repo_id, finding_id, and filter fields to tracing::instrument attributes for better trace correlation in SigNoz. Replace all silently swallowed errors (Err(_) => Vec::new()) with tracing::warn! logging across mod.rs, dast.rs, graph.rs handlers. Add stage-level spans with .instrument() to pipeline orchestrator for visibility into scan phases. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 21:56:16 +01:00
Sharang Parnerkar	67d6a937ae	feat: add OpenTelemetry trace spans to all handlers and pipeline functions ... Add #[tracing::instrument(skip_all)] to 44 functions: - 19 API handlers in mod.rs - 3 chat handlers, 6 DAST handlers, 7 graph handlers - 2 pipeline orchestrator functions - 7 scanner functions (sbom, semgrep, gitleaks, cve, lint, patterns) This generates trace spans for SigNoz visibility into request latency, scan pipeline stages, and error tracking. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 17:08:13 +01:00
Sharang Parnerkar	f394cc15de	fix: SSH key display and mkdir in Dockerfile ... - Fetch SSH public key every time auth section opens (was only fetching once and caching failures) - Add mkdir for SSH key directory in Dockerfile.agent Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-10 15:37:58 +01:00
sharang	4361e67703	fix: resolve cargo audit failures by updating tantivy, scraper, quinn-proto (#9)	2026-03-10 14:05:24 +00:00
sharang	daff5812a6	fix: SBOM multi-ecosystem support with correct package managers and licenses (#8)	2026-03-10 12:37:29 +00:00
sharang	0065c7c4b2	feat: UI improvements with icons, back navigation, and overview cards (#7)	2026-03-09 17:09:40 +00:00
sharang	46bf9de549	feat: findings refinement, new scanners, and deployment tooling (#6)	2026-03-09 12:53:12 +00:00
sharang	32e5fc21e7	feat: add MCP server for exposing compliance data to LLMs (#5) ... New `compliance-mcp` crate providing a Model Context Protocol server with 7 tools: list/get/summarize findings, list SBOM packages, SBOM vulnerability report, list DAST findings, and DAST scan summary. Supports stdio (local dev) and Streamable HTTP (deployment via MCP_PORT). Includes Dockerfile, CI clippy check, and Coolify deploy job. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #5	2026-03-09 08:21:04 +00:00
Sharang Parnerkar	d13cef94cb	Add Coolify deploy jobs with path-based change detection ... Deploys agent, dashboard, and docs independently based on which files changed. Only triggers on main after tests pass. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 19:22:56 +01:00
Sharang Parnerkar	3a01a28591	Redesign sidebar user section to fix overlap issue ... Restructured layout: avatar, truncated username, and logout icon in a single row. Collapsed state stacks vertically. Logout button uses a subtle icon-only style with red hover. Proper text ellipsis prevents name overflow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 18:24:58 +01:00
Sharang Parnerkar	d490359591	Add polished login landing page with feature highlights ... Dark-themed login page with shield logo, feature grid, gradient sign-in button, subtle grid background, and glow effect. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 17:51:41 +01:00
Sharang Parnerkar	b95ce44fb9	Bind dashboard to 0.0.0.0 for container accessibility ... Dioxus defaults to 127.0.0.1 which is unreachable from outside the container. Hardcode 0.0.0.0 binding so reverse proxies can reach it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 17:39:25 +01:00
Sharang Parnerkar	175d303dc4	Set IP=0.0.0.0 in dashboard Dockerfile for container networking ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 17:29:32 +01:00
Sharang Parnerkar	5a4af292fc	Fix OTLP HTTP exporter: use reqwest-rustls for HTTPS support ... The reqwest-client feature doesn't include TLS support, causing NoHttpClient error when connecting to HTTPS endpoints. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 17:07:41 +01:00
Sharang Parnerkar	04c8084943	Switch OTLP exporter from gRPC/tonic to HTTP/reqwest ... gRPC requires special reverse proxy config for HTTP/2. HTTP works behind standard HTTPS proxies like Traefik/Caddy on port 4318. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 17:01:02 +01:00
Sharang Parnerkar	d67a51db18	Add nginx config for VitePress SPA routing ... Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-08 15:09:42 +01:00
sharang	7e12d1433a	docs: added vite-press docs (#4) ... Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #4	2026-03-08 13:59:50 +00:00
sharang	65abc55915	feat: opentelemetry-tracing (#3) ... Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #3	2026-03-07 23:51:20 +00:00
sharang	0cb06d3d6d	feat: add Keycloak authentication for dashboard and API endpoints (#2) ... Dashboard: OAuth2/OIDC login flow with PKCE, session-based auth middleware protecting all server function endpoints, check-auth server function for frontend auth state, login page gate in AppShell, user info in sidebar. Agent API: JWT validation middleware using Keycloak JWKS endpoint, conditionally enabled when KEYCLOAK_URL and KEYCLOAK_REALM are set. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com> Reviewed-on: #2	2026-03-07 23:50:56 +00:00