sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

Compare commits

merge into: sharang/compliance-scanner-agent:fix/scan-resource-limits-and-script-error
Branches Tags
sharang/compliance-scanner-agent:main sharang/compliance-scanner-agent:feat/light-mode-theme-toggle sharang/compliance-scanner-agent:fix/embedding-build-progress sharang/compliance-scanner-agent:fix/cve-scan-http-timeout sharang/compliance-scanner-agent:fix/scan-resource-limits-and-script-error sharang/compliance-scanner-agent:fix/multiple-issues sharang/compliance-scanner-agent:feat/cve-alerts sharang/compliance-scanner-agent:feat/e2e-tests sharang/compliance-scanner-agent:feat/help-chat-widget sharang/compliance-scanner-agent:fix/cascade-delete-repo sharang/compliance-scanner-agent:feat/refine-llm-prompts sharang/compliance-scanner-agent:fix/gitea-pr-review-error-handling sharang/compliance-scanner-agent:test/dummy-bad-code sharang/compliance-scanner-agent:fix/remove-code-review-from-findings sharang/compliance-scanner-agent:feat/pentest-onboarding
sharang/compliance-scanner-agent:v0.2.0
..
pull from: sharang/compliance-scanner-agent:fix/cve-scan-http-timeout
Branches Tags
sharang/compliance-scanner-agent:main sharang/compliance-scanner-agent:feat/light-mode-theme-toggle sharang/compliance-scanner-agent:fix/embedding-build-progress sharang/compliance-scanner-agent:fix/cve-scan-http-timeout sharang/compliance-scanner-agent:fix/scan-resource-limits-and-script-error sharang/compliance-scanner-agent:fix/multiple-issues sharang/compliance-scanner-agent:feat/cve-alerts sharang/compliance-scanner-agent:feat/e2e-tests sharang/compliance-scanner-agent:feat/help-chat-widget sharang/compliance-scanner-agent:fix/cascade-delete-repo sharang/compliance-scanner-agent:feat/refine-llm-prompts sharang/compliance-scanner-agent:fix/gitea-pr-review-error-handling sharang/compliance-scanner-agent:test/dummy-bad-code sharang/compliance-scanner-agent:fix/remove-code-review-from-findings sharang/compliance-scanner-agent:feat/pentest-onboarding
sharang/compliance-scanner-agent:v0.2.0

2 Commits
fix/scan-resource-limits-and-script-error .. fix/cve-scan-http-timeout

Author SHA1 Message Date
Sharang Parnerkar 4d5eedcc8b fix: add HTTP timeout to reqwest client and CVE stage timeout
CI / Check (pull_request) Successful in 9m39s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details 
Without a timeout on the reqwest client, sequential NVD API calls
for each CVE alert could hang indefinitely. With 1098 SBOM entries
producing hundreds of alerts, this would stall the scan pipeline.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-13 08:48:03 +02:00
sharang df0063abc0 fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error (#78)
CI / Check (push) Has been skipped
Details
CI / Detect Changes (push) Successful in 5s
Details
CI / Deploy Agent (push) Successful in 9m41s
Details
CI / Deploy Dashboard (push) Successful in 15m19s
Details
CI / Deploy Docs (push) Has been skipped
Details
CI / Deploy MCP (push) Successful in 3m7s
Details 
## Summary

- **Scan produces no results in Orca** — semgrep (`--config=auto`, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning.
- **Dashboard Script error spam** — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load.

## Changes

| File | Change |
|------|--------|
| `semgrep.rs` | Add `--max-memory 500 --jobs 1`; 10-minute timeout |
| `syft.rs` | Remove remote license lookup env vars; 5-minute timeout |
| `gitleaks.rs` | 5-minute timeout |
| `app_shell.rs` | Fix `dangerous_inner_html` → text child in `document::Script` |

## Test plan

- [ ] Trigger a scan on a repo in Orca — findings and SBOM entries should now appear
- [ ] Agent logs should show timeout/error warnings rather than silent empty results when tools are killed
- [ ] Navigate to dashboard unauthenticated — Script error gone from logs
- [ ] Verify scans work end-to-end with `docker compose up`

---------

Co-authored-by: Sharang Parnerkar <30073382+mighty840@users.noreply.github.com>
Reviewed-on: #78
 2026-05-12 11:27:24 +00:00
2 changed files with 21 additions and 9 deletions
Expand all files Collapse all files
compliance-agent/src/agent.rs
+6 -1
View File
@@ -35,11 +35,16 @@ impl ComplianceAgent {
config.litellm_model.clone(), config.litellm_model.clone(),
config.litellm_embed_model.clone(), config.litellm_embed_model.clone(),
)); ));
let http = reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(30))
.connect_timeout(std::time::Duration::from_secs(10))
.build()
.unwrap_or_default();
Self { Self {
config, config,
db, db,
llm, llm,
http: reqwest::Client::new(), http,
session_streams: Arc::new(DashMap::new()), session_streams: Arc::new(DashMap::new()),
session_pause: Arc::new(DashMap::new()), session_pause: Arc::new(DashMap::new()),
session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)), session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),
compliance-agent/src/pipeline/orchestrator.rs
+15 -8
View File
@@ -174,19 +174,26 @@ impl PipelineOrchestrator {
k.expose_secret().to_string() k.expose_secret().to_string()
}), }),
); );
let cve_alerts = match async { let cve_alerts = match tokio::time::timeout(
cve_scanner std::time::Duration::from_secs(600),
.scan_dependencies(&repo_id, &mut sbom_entries) async {
.await cve_scanner
} .scan_dependencies(&repo_id, &mut sbom_entries)
.instrument(tracing::info_span!("stage_cve_scanning")) .await
}
.instrument(tracing::info_span!("stage_cve_scanning")),
)
.await .await
{ {
Ok(alerts) => alerts, Ok(Ok(alerts)) => alerts,
Err(e) => { Ok(Err(e)) => {
tracing::warn!("[{repo_id}] CVE scanning failed: {e}"); tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
Vec::new() Vec::new()
} }
Err(_) => {
tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
Vec::new()
}
}; };
// Stage 4: Pattern Scanning (GDPR + OAuth) // Stage 4: Pattern Scanning (GDPR + OAuth)