fix: scanner timeouts, semgrep memory cap, syft remote lookups, Script error #78

Merged
sharang merged 3 commits from fix/scan-resource-limits-and-script-error into main 2026-05-12 11:27:25 +00:00
Owner

Summary

  • Scan produces no results in Orca — semgrep (--config=auto, unbounded memory) and syft (remote license network calls) were getting OOM-killed or hanging in resource-constrained Orca containers. Scan would "complete" with 0 findings/SBOMs silently because each scanner failure is caught and logged as a warning.
  • Dashboard Script error spam — `document::Script` in Dioxus 0.7 needs a single text node child for inline scripts; `dangerous_inner_html` was invalid and spammed the error log on every unauthenticated page load.

Changes

| File | Change |
|------|--------|
| `semgrep.rs` | Add `--max-memory 500 --jobs 1`; 10-minute timeout |
| `syft.rs` | Remove remote license lookup env vars; 5-minute timeout |
| `gitleaks.rs` | 5-minute timeout |
| `app_shell.rs` | Fix `dangerous_inner_html` → text child in `document::Script` |

Test plan

  • Trigger a scan on a repo in Orca — findings and SBOM entries should now appear
  • Agent logs should show timeout/error warnings rather than silent empty results when tools are killed
  • Navigate to dashboard unauthenticated — Script error gone from logs
  • Verify scans work end-to-end with docker compose up
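The following is an added example, not code from compliance-scanner-agent, illustrating the failure mode the summary describes: a scanner that is OOM-killed or hangs must be surfaced as a failed or timed-out tool, never folded into a "completed" scan with zero findings. It uses only the Rust standard library (a polling wait stands in for an async timeout) and uses `sleep` and `sh -c` as stand-ins for semgrep, syft and gitleaks. The `--max-memory` (MiB) and `--jobs` flags in `semgrep_args` are real semgrep CLI flags; every function and type name here is assumed and not taken from the project.

```rust
// Added example (not code from compliance-scanner-agent): run a scanner under a
// hard wall-clock budget and classify how it ended, so a killed or hung tool is
// reported as degraded instead of being read as "no findings".
use std::io::Read;
use std::process::{Command, Stdio};
use std::thread::{self, JoinHandle};
use std::time::{Duration, Instant};

/// Result of one scanner run. Only `Completed` may ever be read as "no findings".
#[derive(Debug, PartialEq)]
pub enum ScanOutcome {
    Completed { stdout: String },
    /// Non-zero exit, killed by a signal (the OOM killer sends SIGKILL), or failed to start.
    Failed { reason: String },
    /// Exceeded the wall-clock budget and was killed by us.
    TimedOut { after: Duration },
}

/// Drain a pipe on its own thread so a chatty tool can never block on a full buffer.
fn drain<R: Read + Send + 'static>(mut pipe: R) -> JoinHandle<String> {
    thread::spawn(move || {
        let mut buf = String::new();
        let _ = pipe.read_to_string(&mut buf);
        buf
    })
}

/// Run `program args` with a hard wall-clock budget and classify how it ended.
pub fn run_with_timeout(program: &str, args: &[&str], budget: Duration) -> ScanOutcome {
    let mut child = match Command::new(program)
        .args(args)
        .stdin(Stdio::null())
        .stdout(Stdio::piped())
        .stderr(Stdio::piped())
        .spawn()
    {
        Ok(child) => child,
        Err(e) => return ScanOutcome::Failed { reason: format!("spawn {}: {}", program, e) },
    };
    let stdout = drain(child.stdout.take().expect("stdout is piped"));
    let stderr = drain(child.stderr.take().expect("stderr is piped"));
    let started = Instant::now();
    loop {
        match child.try_wait() {
            Ok(Some(status)) => {
                let out = stdout.join().unwrap_or_default();
                let err = stderr.join().unwrap_or_default();
                if status.success() {
                    return ScanOutcome::Completed { stdout: out };
                }
                // On Unix a signal death leaves no exit code; surface that distinctly.
                let reason = match status.code() {
                    Some(code) => format!("exit code {}: {}", code, err.trim()),
                    None => format!("killed by signal: {}", err.trim()),
                };
                return ScanOutcome::Failed { reason };
            }
            Ok(None) if started.elapsed() >= budget => {
                let _ = child.kill();
                let _ = child.wait(); // reap the zombie
                // Do not join the drain threads: a grandchild may still hold the pipes open.
                return ScanOutcome::TimedOut { after: started.elapsed() };
            }
            Ok(None) => thread::sleep(Duration::from_millis(50)),
            Err(e) => return ScanOutcome::Failed { reason: format!("wait: {}", e) },
        }
    }
}

/// Semgrep argv with the caps from this PR: `--max-memory` is in MiB and `--jobs`
/// limits worker processes (both are real semgrep CLI flags).
pub fn semgrep_args(target: &str, max_memory_mib: u32, jobs: u32) -> Vec<String> {
    let mut argv: Vec<String> = ["--json", "--quiet", "--config", "auto", "--max-memory"]
        .iter().map(|s| s.to_string()).collect();
    argv.push(max_memory_mib.to_string());
    argv.extend(["--jobs".to_string(), jobs.to_string(), target.to_string()]);
    argv
}

/// Scan-level verdict: count completed tools and name every tool whose results are
/// missing, so the caller can mark the scan degraded instead of reporting 0 findings.
pub fn summarize(results: &[(&str, ScanOutcome)]) -> (usize, Vec<String>) {
    let mut completed = 0;
    let mut degraded = Vec::new();
    for (tool, outcome) in results {
        match outcome {
            ScanOutcome::Completed { .. } => completed += 1,
            ScanOutcome::Failed { reason } => degraded.push(format!("{}: failed ({})", tool, reason)),
            ScanOutcome::TimedOut { after } => degraded.push(format!("{}: timed out after {:?}", tool, after)),
        }
    }
    (completed, degraded)
}

fn main() {
    // Stand-ins: a hung tool, an OOM-killer-style exit 137, and a clean empty report.
    let results = vec![
        ("semgrep", run_with_timeout("sleep", &["5"], Duration::from_millis(200))),
        ("syft", run_with_timeout("sh", &["-c", "echo Killed >&2; exit 137"], Duration::from_secs(5))),
        ("gitleaks", run_with_timeout("sh", &["-c", "printf '[]'"], Duration::from_secs(5))),
    ];
    let (completed, degraded) = summarize(&results);
    println!("{} completed, {} degraded: {:?}", completed, degraded.len(), degraded);
    if !degraded.is_empty() {
        std::process::exit(2); // incomplete scan, never "0 findings"
    }
}
```

The design point is fail-closed reporting: a `TimedOut` or `Failed` outcome propagates up as a degraded scan status that the dashboard can show, whereas catching the error and logging a warning (the behaviour the summary describes) lets an empty result look like a clean one.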
sharang added 1 commit 2026-05-12 09:52:40 +00:00
fix: add timeouts to scanners, cap semgrep memory, remove syft remote lookups, fix Script error
CI / Check (pull_request) Has been cancelled
CI / Detect Changes (pull_request) Has been cancelled
CI / Deploy Agent (pull_request) Has been cancelled
CI / Deploy Dashboard (pull_request) Has been cancelled
CI / Deploy Docs (pull_request) Has been cancelled
CI / Deploy MCP (pull_request) Has been cancelled
e02266511a
Semgrep was running unbounded with --config=auto (downloads all rules) and no memory cap,
making it likely to get OOM-killed in resource-constrained Orca containers. Syft had remote
license lookups enabled which adds network calls and memory overhead. Neither had timeouts,
so a hung process would stall the entire scan indefinitely and silently produce 0 results.

- semgrep: add --max-memory 500 --jobs 1 and a 10-minute timeout
- syft: remove remote license lookup env vars, add 5-minute timeout
- gitleaks: add 5-minute timeout
- dashboard: fix Script dangerous_inner_html -> text child (Dioxus 0.7 Script element
  requires a single text node child, not dangerous_inner_html — was spamming error logs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sharang added 1 commit 2026-05-12 09:58:27 +00:00
fix: restore syft remote license lookup env vars
CI / Check (pull_request) Failing after 5m50s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
9ff3b9305c
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sharang added 1 commit 2026-05-12 10:47:18 +00:00
fix: resolve cargo audit failures
CI / Check (pull_request) Successful in 10m35s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been cancelled
CI / Deploy Dashboard (pull_request) Has been cancelled
CI / Deploy Docs (pull_request) Has been cancelled
CI / Deploy MCP (pull_request) Has been cancelled
3edd1d50ac
- Update rustls-webpki 0.103.10 → 0.103.13 (fixes RUSTSEC-2026-0098,
  RUSTSEC-2026-0099, RUSTSEC-2026-0104)
- Update mongodb 3.5.1 → 3.6.0 (latest compatible 3.x)
- Add .cargo/audit.toml ignoring two hickory-proto advisories that cannot
  be fixed: mongodb 3.x pins hickory-resolver 0.25.x which pins
  hickory-proto 0.25.x; RUSTSEC-2026-0118 has no upstream fix at all,
  RUSTSEC-2026-0119 requires hickory-proto >=0.26.1 which mongodb does
  not yet support. Both are DNS-layer DoS vectors requiring control of
  the DNS server responding to MongoDB's hostname resolution.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sharang merged commit df0063abc0 into main 2026-05-12 11:27:25 +00:00
No Reviewers
1 Participants

Reference: sharang/compliance-scanner-agent#78