compliance-agent/src/agent.rs

@@ -35,11 +35,16 @@ impl ComplianceAgent {
             config.litellm_model.clone(),
             config.litellm_embed_model.clone(),
         ));
+        let http = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(30))
+            .connect_timeout(std::time::Duration::from_secs(10))
+            .build()
+            .unwrap_or_default();
         Self {
             config,
             db,
             llm,
-            http: reqwest::Client::new(),
+            http,
             session_streams: Arc::new(DashMap::new()),
             session_pause: Arc::new(DashMap::new()),
             session_semaphore: Arc::new(Semaphore::new(DEFAULT_MAX_CONCURRENT_SESSIONS)),

compliance-agent/src/pipeline/orchestrator.rs

@@ -174,19 +174,26 @@ impl PipelineOrchestrator {
                 k.expose_secret().to_string()
             }),
         );
-        let cve_alerts = match async {
-            cve_scanner
-                .scan_dependencies(&repo_id, &mut sbom_entries)
-                .await
-        }
-        .instrument(tracing::info_span!("stage_cve_scanning"))
+        let cve_alerts = match tokio::time::timeout(
+            std::time::Duration::from_secs(600),
+            async {
+                cve_scanner
+                    .scan_dependencies(&repo_id, &mut sbom_entries)
+                    .await
+            }
+            .instrument(tracing::info_span!("stage_cve_scanning")),
+        )
         .await
         {
-            Ok(alerts) => alerts,
-            Err(e) => {
+            Ok(Ok(alerts)) => alerts,
+            Ok(Err(e)) => {
                 tracing::warn!("[{repo_id}] CVE scanning failed: {e}");
                 Vec::new()
             }
+            Err(_) => {
+                tracing::warn!("[{repo_id}] CVE scanning timed out after 10 minutes");
+                Vec::new()
+            }
         };
 
         // Stage 4: Pattern Scanning (GDPR + OAuth)