sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: sharang:test/dummy-bad-code
Branches Tags
sharang:main sharang:fix/multiple-issues sharang:feat/cve-alerts sharang:feat/e2e-tests sharang:feat/help-chat-widget sharang:fix/cascade-delete-repo sharang:feat/refine-llm-prompts sharang:fix/gitea-pr-review-error-handling sharang:test/dummy-bad-code sharang:fix/remove-code-review-from-findings sharang:feat/pentest-onboarding
sharang:v0.2.0
..
compare: sharang:feat/pentest-onboarding
Branches Tags
sharang:main sharang:fix/multiple-issues sharang:feat/cve-alerts sharang:feat/e2e-tests sharang:feat/help-chat-widget sharang:fix/cascade-delete-repo sharang:feat/refine-llm-prompts sharang:fix/gitea-pr-review-error-handling sharang:test/dummy-bad-code sharang:fix/remove-code-review-from-findings sharang:feat/pentest-onboarding
sharang:v0.2.0

5 Commits
test/dummy ... feat/pente

Author SHA1 Message Date
Sharang Parnerkar
681201ff45 fix: update lz4_flex 0.11.5 → 0.11.6 (RUSTSEC-2026-0041)
All checks were successful
CI / Check (pull_request) Successful in 10m54s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details 
Fixes high-severity advisory: decompressing invalid data can leak
uninitialized memory. Transitive dep via tantivy → compliance-graph.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-17 21:21:05 +01:00
Sharang Parnerkar
0236cad536 test: add 29 new tests for cleanup, orchestrator, findings, tool registry, models
Some checks failed
CI / Check (pull_request) Failing after 6m3s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details 
- cleanup.rs: 8 tests — routing logic, skip conditions, missing config errors
- orchestrator.rs: 7 tests — summarize_tool_output (screenshot strip, truncation, recursion)
- findings.rs: 6 tests — empty state, severity grouping, SAST correlation, evidence table
- tools/mod.rs: 4 tests — registry completeness, schema validation, browser action enum
- models.rs: 4 tests — TestUserRecord serde, IdentityProvider variants, BSON roundtrip

Total: 326 tests (was 297)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-17 21:13:18 +01:00
Sharang Parnerkar
37690ce734 feat: browser session persistence, auto-screenshots, context optimization, user cleanup
Some checks failed
CI / Check (pull_request) Failing after 5m55s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details 
Browser tool:
- Session-persistent Chrome tab (same tab reused across all calls in a pentest)
- Auto-screenshot on every navigate and click (stored in attack chain for report)
- Fill uses CDP Input.insertText (fixes WebSocket corruption on special chars)
- Switched from browserless/chromium to chromedp/headless-shell (stable WS)

Context window optimization:
- Strip screenshot_base64 from LLM conversation (kept in DB for report)
- Truncate HTML to 2KB, page text to 1.5KB in LLM messages
- Cap element/link arrays at 15 items
- SAST triage: batch 30 findings per LLM call instead of all at once

Report improvements:
- Auto-embed screenshots in attack chain timeline (navigate + click nodes)
- Cover page shows best app screenshot
- Attack chain phases capped at 8 (no more 20x "Final")

User cleanup:
- TestUserRecord model tracks created test users per session
- cleanup.rs: Keycloak (Admin REST API), Auth0 (Management API), Okta (Users API)
- Auto-cleanup on session completion when cleanup_test_user is enabled
- Env vars: KEYCLOAK_ADMIN_USERNAME, KEYCLOAK_ADMIN_PASSWORD

System prompt:
- Explicit browser usage instructions (navigate → get_content → click → fill)
- SPA auth bypass guidance (check page content, not HTTP status)
- Screenshot instructions for evidence collection

Other:
- Pin mongo:7 in docker-compose (mongo:latest/8 segfaults on kernel 6.19)
- Add deploy/docker-compose.mailserver.yml for Postfix + Dovecot

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-17 19:53:55 +01:00
Sharang Parnerkar
a737c36bc9 fix: add pentest architecture to sidebar, fix image paths, enable mermaid 
- Add vitepress-plugin-mermaid for diagram rendering
- Add Pentest Architecture page to sidebar nav
- Fix image paths (../public/ → / for VitePress public serving)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-17 00:16:53 +01:00
Sharang Parnerkar
a912ec9ad9 feat: pentest feature improvements — streaming, pause/resume, encryption, browser tool, reports, docs 
- True SSE streaming via broadcast channels (DashMap per session)
- Session pause/resume with watch channels + dashboard buttons
- AES-256-GCM credential encryption at rest (PENTEST_ENCRYPTION_KEY)
- Concurrency limiter (Semaphore, max 5 sessions, 429 on overflow)
- Browser tool: headless Chrome CDP automation (navigate, click, fill, screenshot, evaluate)
- Report code-level correlation: SAST findings, code graph, SBOM linked per DAST finding
- Split html.rs (1919 LOC) into html/ module directory (8 files)
- Wizard: target/repo dropdowns from existing data, SSH key display, close button on all steps
- Auth: auto-register with optional registration URL (Playwright discovery), plus-addressing email, IMAP overrides
- Attack chain: tool input/output in detail panel, running node pulse animation
- Architecture docs with Mermaid diagrams + 8 screenshots

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
 2026-03-17 00:07:50 +01:00
7 changed files with 22 additions and 88 deletions
Expand all files Collapse all files

3
compliance-agent/src/config.rs
View File

@@ -54,9 +54,6 @@ pub fn load_config() -> Result<AgentConfig, AgentError> {
pentest_verification_email: env_var_opt("PENTEST_VERIFICATION_EMAIL"),
pentest_imap_host: env_var_opt("PENTEST_IMAP_HOST"),
pentest_imap_port: env_var_opt("PENTEST_IMAP_PORT").and_then(|p| p.parse().ok()),
pentest_imap_tls: env_var_opt("PENTEST_IMAP_TLS")
.map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
.unwrap_or(true),
pentest_imap_username: env_var_opt("PENTEST_IMAP_USERNAME"),
pentest_imap_password: env_secret_opt("PENTEST_IMAP_PASSWORD"),
})

1
compliance-agent/src/pentest/cleanup.rs
View File

@@ -336,7 +336,6 @@ mod tests {
pentest_verification_email: None,
pentest_imap_host: None,
pentest_imap_port: None,
pentest_imap_tls: true,
pentest_imap_username: None,
pentest_imap_password: None,
}

16
compliance-agent/src/pipeline/orchestrator.rs
View File

@@ -10,6 +10,7 @@ use compliance_core::AgentConfig;
use crate::database::Database;
use crate::error::AgentError;
use crate::llm::LlmClient;
use crate::pipeline::code_review::CodeReviewScanner;
use crate::pipeline::cve::CveScanner;
use crate::pipeline::git::GitOps;
use crate::pipeline::gitleaks::GitleaksScanner;
@@ -240,6 +241,21 @@ impl PipelineOrchestrator {
Err(e) => tracing::warn!("[{repo_id}] Lint scanning failed: {e}"),
}
// Stage 4c: LLM Code Review (only on incremental scans)
if let Some(old_sha) = &repo.last_scanned_commit {
tracing::info!("[{repo_id}] Stage 4c: LLM Code Review");
self.update_phase(scan_run_id, "code_review").await;
let review_output = async {
let reviewer = CodeReviewScanner::new(self.llm.clone());
reviewer
.review_diff(&repo_path, &repo_id, old_sha, &current_sha)
.await
}
.instrument(tracing::info_span!("stage_code_review"))
.await;
all_findings.extend(review_output.findings);
}
// Stage 4.5: Graph Building
tracing::info!("[{repo_id}] Stage 4.5: Graph Building");
self.update_phase(scan_run_id, "graph_building").await;

2
compliance-core/src/config.rs
View File

@@ -33,8 +33,6 @@ pub struct AgentConfig {
pub pentest_verification_email: Option<String>,
pub pentest_imap_host: Option<String>,
pub pentest_imap_port: Option<u16>,
/// Use implicit TLS (IMAPS, port 993) instead of plain IMAP.
pub pentest_imap_tls: bool,
pub pentest_imap_username: Option<String>,
pub pentest_imap_password: Option<SecretString>,
}

1
compliance-dashboard/src/pages/findings.rs
View File

@@ -123,6 +123,7 @@ pub fn FindingsPage() -> Element {
option { value: "oauth", "OAuth" }
option { value: "secret_detection", "Secrets" }
option { value: "lint", "Lint" }
option { value: "code_review", "Code Review" }
}
select {
onchange: move |e| { status_filter.set(e.value()); page.set(1); },

16
deploy/docker-compose.mailserver.yml
View File

@@ -8,14 +8,14 @@ services:
container_name: mailserver
ports:
- "25:25" # SMTP (inbound mail)
- "993:993" # IMAPS (TLS-only)
- "587:587" # Submission (STARTTLS)
- "143:143" # IMAP (orchestrator reads mail)
- "993:993" # IMAPS (TLS)
- "587:587" # Submission (outbound, if needed)
volumes:
- maildata:/var/mail
- mailstate:/var/mail-state
- maillogs:/var/log/mail
- /etc/localtime:/etc/localtime:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
environment:
# Hostname
- OVERRIDE_HOSTNAME=mail.scanner.meghsakha.com
@@ -34,14 +34,8 @@ services:
# Plus-addressing (critical for pentest)
- POSTFIX_RECIPIENT_DELIMITER=+
# TLS — use Let's Encrypt certs mounted from Coolify/Caddy
- SSL_TYPE=manual
- SSL_CERT_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/fullchain.pem
- SSL_KEY_PATH=/etc/letsencrypt/live/mail.scanner.meghsakha.com/privkey.pem
# Require TLS before accepting PLAIN/LOGIN auth (CERT-Bund compliance)
# Disable plaintext auth on unencrypted connections
- DOVECOT_DISABLE_PLAINTEXT_AUTH=yes
# SSL (start with no TLS, add Let's Encrypt later)
- SSL_TYPE=
# Accept mail for our domain
- PERMIT_DOCKER=none

71
test_endpoint.rs
View File

@@ -1,71 +0,0 @@
use std::process::Command;
/// Handles user login - totally secure, trust me
pub fn handle_login(username: &str, password: &str) -> bool {
// SQL injection vulnerability
let query = format!(
"SELECT * FROM users WHERE username = '{}' AND password = '{}'",
username, password
);
println!("Running query: {}", query);
// Hardcoded credentials
if username == "admin" && password == "admin123" {
return true;
}
// Command injection vulnerability
let output = Command::new("sh")
.arg("-c")
.arg(format!("echo 'User logged in: {}'", username))
.output()
.expect("failed to execute");
// Storing password in plain text log
println!("Login attempt: user={}, pass={}", username, password);
false
}
/// Process user data with no input validation
pub fn process_data(input: &str) -> String {
// Path traversal vulnerability
let file_path = format!("/var/data/{}", input);
std::fs::read_to_string(&file_path).unwrap_or_default()
}
/// Super safe token generation
pub fn generate_token() -> String {
// Predictable "random" token
let token = "abc123fixedtoken";
token.to_string()
}
// Off-by-one error
pub fn get_items(items: &[String], count: usize) -> Vec<&String> {
let mut result = Vec::new();
for i in 0..=count {
result.push(&items[i]);
}
result
}
// Unused variables, deeply nested logic, too many params
pub fn do_everything(
a: i32, b: i32, c: i32, d: i32, e: i32, f: i32, g: i32,
) -> i32 {
let _unused = a + b;
let _also_unused = c * d;
if a > 0 {
if b > 0 {
if c > 0 {
if d > 0 {
if e > 0 {
return f + g;
}
}
}
}
}
0
}