sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: sharang:main
Branches Tags
sharang:main sharang:fix/multiple-issues sharang:feat/cve-alerts sharang:feat/e2e-tests sharang:feat/help-chat-widget sharang:fix/cascade-delete-repo sharang:feat/refine-llm-prompts sharang:fix/gitea-pr-review-error-handling sharang:test/dummy-bad-code sharang:fix/remove-code-review-from-findings sharang:feat/pentest-onboarding
sharang:v0.2.0
..
compare: sharang:fix/multiple-issues
Branches Tags
sharang:main sharang:fix/multiple-issues sharang:feat/cve-alerts sharang:feat/e2e-tests sharang:feat/help-chat-widget sharang:fix/cascade-delete-repo sharang:feat/refine-llm-prompts sharang:fix/gitea-pr-review-error-handling sharang:test/dummy-bad-code sharang:fix/remove-code-review-from-findings sharang:feat/pentest-onboarding
sharang:v0.2.0

4 Commits
main ... fix/multip

Author SHA1 Message Date
Sharang Parnerkar
8abfec3303 fix: escape newlines in CopyButton JS string
All checks were successful
CI / Check (pull_request) Successful in 9m38s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details 
Valid finding from PR review: copy button's JS string could break
on values with newlines. Added \n and \r escaping.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-30 15:03:27 +02:00
Sharang Parnerkar
2534c03e3b feat: add CopyButton component and copy-to-clipboard across dashboard
Some checks failed
CI / Detect Changes (pull_request) Has been cancelled
Details
CI / Deploy Agent (pull_request) Has been cancelled
Details
CI / Deploy Dashboard (pull_request) Has been cancelled
Details
CI / Deploy Docs (pull_request) Has been cancelled
Details
CI / Deploy MCP (pull_request) Has been cancelled
Details
CI / Check (pull_request) Has been cancelled
Details 
New reusable CopyButton component with checkmark feedback after copy.

Added copy buttons to:
- SSH public key display (add repo modal)
- Webhook URL field (edit repo modal)
- Webhook secret field (edit repo modal)
- Code snippets in finding detail (via enhanced CodeSnippet component)
- Suggested fix code blocks
- MCP server endpoint URLs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-30 14:59:38 +02:00
Sharang Parnerkar
0e53072782 feat: add security response headers (HSTS, X-Frame-Options, nosniff, referrer)
Some checks failed
CI / Check (pull_request) Successful in 9m48s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been cancelled
Details
CI / Deploy Dashboard (pull_request) Has been cancelled
Details
CI / Deploy Docs (pull_request) Has been cancelled
Details
CI / Deploy MCP (pull_request) Has been cancelled
Details 
Defense-in-depth headers added via tower-http SetResponseHeaderLayer:
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin

Primary enforcement should still be at the Traefik/reverse proxy level.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-30 14:52:44 +02:00
Sharang Parnerkar
fabd397478 fix: create CVE notifications during scan, fix help chat doc loading
All checks were successful
CI / Check (pull_request) Successful in 10m4s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details 
Bug fixes:

1. CVE notifications now created during scan pipeline (not just hourly)
   - Previously, notifications were only created by the scheduled
     monitor_cves job. Users with 4 CVE alerts saw 0 notifications.
   - Now the scan pipeline (Stage 3) creates notifications immediately
     when CVE alerts are discovered, with the same dedup logic.

2. Help chat doc context loading fixed for Docker/production
   - Added HELP_DOCS_PATH env var for explicit doc root configuration
   - Added fallback chain: env var → binary location → cwd → Docker paths
   - Dockerfile.agent now copies README.md and docs/ into /app and sets
     HELP_DOCS_PATH=/app so the help chat has doc context in production

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-30 14:14:55 +02:00
6 changed files with 21 additions and 53 deletions
Expand all files Collapse all files

68
.gitea/workflows/ci.yml
View File

@@ -145,20 +145,13 @@ jobs:
needs: [detect-changes]
if: needs.detect-changes.outputs.agent == 'true'
container:
image: docker:27-cli
image: alpine:latest
steps:
- name: Build, push and trigger orca redeploy
- name: Trigger Coolify deploy
run: |
apk add --no-cache git curl openssl
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
IMAGE=registry.meghsakha.com/compliance-agent
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
docker build -f Dockerfile.agent -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy agent"}}' "${GITHUB_SHA}")
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
apk add --no-cache curl
curl -sf "${{ secrets.COOLIFY_WEBHOOK_AGENT }}" \
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
deploy-dashboard:
name: Deploy Dashboard
@@ -166,20 +159,13 @@ jobs:
needs: [detect-changes]
if: needs.detect-changes.outputs.dashboard == 'true'
container:
image: docker:27-cli
image: alpine:latest
steps:
- name: Build, push and trigger orca redeploy
- name: Trigger Coolify deploy
run: |
apk add --no-cache git curl openssl
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
IMAGE=registry.meghsakha.com/compliance-dashboard
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
docker build -f Dockerfile.dashboard -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy dashboard"}}' "${GITHUB_SHA}")
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
apk add --no-cache curl
curl -sf "${{ secrets.COOLIFY_WEBHOOK_DASHBOARD }}" \
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
deploy-docs:
name: Deploy Docs
@@ -187,20 +173,13 @@ jobs:
needs: [detect-changes]
if: needs.detect-changes.outputs.docs == 'true'
container:
image: docker:27-cli
image: alpine:latest
steps:
- name: Build, push and trigger orca redeploy
- name: Trigger Coolify deploy
run: |
apk add --no-cache git curl openssl
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
IMAGE=registry.meghsakha.com/compliance-docs
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
docker build -f Dockerfile.docs -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy docs"}}' "${GITHUB_SHA}")
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
apk add --no-cache curl
curl -sf "${{ secrets.COOLIFY_WEBHOOK_DOCS }}" \
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
deploy-mcp:
name: Deploy MCP
@@ -208,17 +187,10 @@ jobs:
needs: [detect-changes]
if: needs.detect-changes.outputs.mcp == 'true'
container:
image: docker:27-cli
image: alpine:latest
steps:
- name: Build, push and trigger orca redeploy
- name: Trigger Coolify deploy
run: |
apk add --no-cache git curl openssl
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
IMAGE=registry.meghsakha.com/compliance-mcp
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
docker build -f Dockerfile.mcp -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy mcp"}}' "${GITHUB_SHA}")
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
apk add --no-cache curl
curl -sf "${{ secrets.COOLIFY_WEBHOOK_MCP }}" \
-H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"

1
Dockerfile.agent
View File

@@ -44,4 +44,3 @@ RUN mkdir -p /data/compliance-scanner/ssh
EXPOSE 3001 3002
ENTRYPOINT ["compliance-agent"]

1
Dockerfile.dashboard
View File

@@ -20,4 +20,3 @@ ENV IP=0.0.0.0
EXPOSE 8080
ENTRYPOINT ["./compliance-dashboard"]

1
Dockerfile.docs
View File

@@ -12,4 +12,3 @@ RUN rm /etc/nginx/conf.d/default.conf
COPY docs/nginx.conf /etc/nginx/conf.d/default.conf
COPY --from=builder /app/.vitepress/dist /usr/share/nginx/html
EXPOSE 80

1
Dockerfile.mcp
View File

@@ -14,4 +14,3 @@ EXPOSE 8090
ENV MCP_PORT=8090
ENTRYPOINT ["compliance-mcp"]

2
compliance-agent/src/main.rs
View File

@@ -4,7 +4,7 @@ use compliance_agent::{agent, api, config, database, scheduler, ssh, webhooks};
async fn main() -> Result<(), Box<dyn std::error::Error>> {
match dotenvy::dotenv() {
Ok(path) => eprintln!("[dotenv] Loaded from: {}", path.display()),
Err(_) => eprintln!("[dotenv] No .env file found, using environment variables"),
Err(e) => eprintln!("[dotenv] FAILED: {e}"),
}
let _telemetry_guard = compliance_core::telemetry::init_telemetry("compliance-agent");