# Compliance Scanner

Autonomous security and compliance scanning agent for git repositories


---

## About

Compliance Scanner is an autonomous agent that continuously monitors git repositories for security vulnerabilities, GDPR/OAuth compliance patterns, and dependency risks. It creates issues in external trackers (GitHub/GitLab/Jira) with evidence and remediation suggestions, reviews pull requests, and exposes a Dioxus-based dashboard for visualization.

> **How it works:** The agent runs as a lazy daemon -- it only scans when new commits are detected, triggered by cron schedules or webhooks. LLM-powered triage filters out false positives and generates actionable remediation.

## Features

| Area | Capabilities |
|------|-------------|
| **SAST Scanning** | Semgrep-based static analysis with auto-config rules |
| **SBOM Generation** | Syft + cargo-audit for complete dependency inventory |
| **CVE Monitoring** | OSV.dev batch queries, NVD CVSS enrichment, SearXNG context |
| **GDPR Patterns** | Detect PII logging, missing consent, hardcoded retention, missing deletion |
| **OAuth Patterns** | Detect implicit grant, missing PKCE, token in localStorage, token in URLs |
| **LLM Triage** | Confidence scoring via LiteLLM to filter false positives |
| **Issue Creation** | Auto-create issues in GitHub, GitLab, or Jira with code evidence |
| **PR Reviews** | Post security review comments on pull requests |
| **Dashboard** | Fullstack Dioxus UI with findings, SBOM, issues, and statistics |
| **Webhooks** | GitHub (HMAC-SHA256) and GitLab webhook receivers for push/PR events |

## Architecture

```
┌─────────────────────────────────────────────────────────────┐
│                       Cargo Workspace                       │
├──────────────┬──────────────────┬───────────────────────────┤
│ compliance-  │ compliance-      │ compliance-               │
│ core         │ agent            │ dashboard                 │
│ (lib)        │ (bin)            │ (bin, Dioxus 0.7.3)       │
│              │                  │                           │
│ Models       │ Scan Pipeline    │ Fullstack Web UI          │
│ Traits       │ LLM Client       │ Server Functions          │
│ Config       │ Issue Trackers   │ Charts + Tables           │
│ Errors       │ Scheduler        │ Settings Page             │
│              │ REST API         │                           │
│              │ Webhooks         │                           │
└──────────────┴──────────────────┴───────────────────────────┘
                               │
                        MongoDB (shared)
```

## Scan Pipeline (7 Stages)

1. **Change Detection** -- `git2` fetch, compare HEAD SHA with last scanned commit
2. **Semgrep SAST** -- CLI wrapper with JSON output parsing
3. **SBOM Generation** -- Syft (CycloneDX) + cargo-audit vulnerability merge
4. **CVE Scanning** -- OSV.dev batch + NVD CVSS enrichment + SearXNG context
5. **Pattern Scanning** -- Regex-based GDPR and OAuth compliance checks
6. **LLM Triage** -- LiteLLM confidence scoring, filter findings < 3/10
7. **Issue Creation** -- Dedup via SHA-256 fingerprint, create tracker issues

## Tech Stack

| Layer | Technology |
|-------|-----------|
| Shared Library | `compliance-core` -- models, traits, config |
| Agent | Axum REST API, git2, tokio-cron-scheduler, Semgrep, Syft |
| Dashboard | Dioxus 0.7.3 fullstack, Tailwind CSS |
| Database | MongoDB with typed collections |
| LLM | LiteLLM (OpenAI-compatible API) |
| Issue Trackers | GitHub (octocrab), GitLab (REST v4), Jira (REST v3) |
| CVE Sources | OSV.dev, NVD, SearXNG |

## Getting Started

### Prerequisites

- Rust 1.89+
- [Dioxus CLI](https://dioxuslabs.com/learn/0.7/getting_started) (`dx`)
- MongoDB
- Docker & Docker Compose (optional)

### Optional External Tools

- [Semgrep](https://semgrep.dev/) -- for SAST scanning
- [Syft](https://github.com/anchore/syft) -- for SBOM generation
- [cargo-audit](https://github.com/rustsec/rustsec) -- for Rust dependency auditing

### Setup

```bash
# Clone the repository
git clone
cd compliance-scanner

# Start MongoDB + SearXNG
docker compose up -d mongo searxng

# Configure environment
cp .env.example .env
# Edit .env with your LiteLLM, tracker tokens, and MongoDB settings

# Run the agent
cargo run -p compliance-agent

# Run the dashboard (separate terminal)
dx serve --features server --platform web
```

### Docker Compose (Full Stack)

```bash
docker compose up -d
```

This starts MongoDB, SearXNG, the agent (port 3001), and the dashboard (port 8080).

## REST API

The agent exposes a REST API on port 3001:

| Method | Endpoint | Description |
|--------|----------|-------------|
| `GET` | `/api/v1/health` | Health check |
| `GET` | `/api/v1/stats/overview` | Summary statistics and trends |
| `GET` | `/api/v1/repositories` | List tracked repositories |
| `POST` | `/api/v1/repositories` | Add a repository to track |
| `POST` | `/api/v1/repositories/:id/scan` | Trigger a manual scan |
| `GET` | `/api/v1/findings` | List findings (filterable) |
| `GET` | `/api/v1/findings/:id` | Get finding with code evidence |
| `PATCH` | `/api/v1/findings/:id/status` | Update finding status |
| `GET` | `/api/v1/sbom` | List dependencies |
| `GET` | `/api/v1/issues` | List cross-tracker issues |
| `GET` | `/api/v1/scan-runs` | Scan execution history |
| `POST` | `/webhook/github` | GitHub webhook (HMAC-SHA256) |
| `POST` | `/webhook/gitlab` | GitLab webhook (token verify) |

## Dashboard Pages

| Page | Description |
|------|-------------|
| **Overview** | Stat cards, severity distribution chart |
| **Repositories** | Add/manage tracked repos, trigger scans |
| **Findings** | Filterable table by severity, type, status |
| **Finding Detail** | Code evidence, remediation, suggested fix, linked issue |
| **SBOM** | Dependency inventory with vulnerability badges |
| **Issues** | Cross-tracker view (GitHub + GitLab + Jira) |
| **Settings** | Configure LiteLLM, tracker tokens, SearXNG URL |

## Project Structure

```
compliance-scanner/
├── compliance-core/        Shared library (models, traits, config, errors)
├── compliance-agent/       Agent daemon (pipeline, LLM, trackers, API, webhooks)
│   └── src/
│       ├── pipeline/       7-stage scan pipeline
│       ├── llm/            LiteLLM client, triage, descriptions, fixes, PR review
│       ├── trackers/       GitHub, GitLab, Jira integrations
│       ├── api/            REST API (Axum)
│       └── webhooks/       GitHub + GitLab webhook receivers
├── compliance-dashboard/   Dioxus fullstack dashboard
│   └── src/
│       ├── components/     Reusable UI components
│       ├── infrastructure/ Server functions, DB, config
│       └── pages/          Full page views
├── assets/                 Static assets (CSS, icons)
├── styles/                 Tailwind input stylesheet
└── bin/                    Dashboard binary entrypoint
```

## External Services

| Service | Purpose | Default URL |
|---------|---------|-------------|
| MongoDB | Persistence | `mongodb://localhost:27017` |
| LiteLLM | LLM proxy for triage and generation | `http://localhost:4000` |
| SearXNG | CVE context search | `http://localhost:8888` |
| Semgrep | SAST scanning | CLI tool |
| Syft | SBOM generation | CLI tool |

---
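The GitHub webhook receiver (HMAC-SHA256) and the lazy-daemon change detection described above combine into one decision per push delivery: verify the signature over the raw body, then scan only if the pushed HEAD differs from the last scanned commit. The following is an added stand-alone illustration of that contract in Python, not the project's own Rust code; the secret, repository name and commit SHAs are constructed values.

```python
import hashlib
import hmac
import json

# Constructed example values; the real agent reads these from its config and MongoDB.
WEBHOOK_SECRET = b"example-webhook-secret"
LAST_SCANNED = {"example/repo": "a" * 40}  # repository full_name -> last scanned HEAD SHA


def github_signature(secret, body):
    """Value of the X-Hub-Signature-256 header GitHub sends: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret, body, header):
    """Reject unsigned, malformed or forged deliveries; compare digests in constant time."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature(secret, body), header)


def handle_push(body, header, last_scanned, secret=WEBHOOK_SECRET):
    """Decide what to do with one push delivery: 'rejected', 'ignored', 'unchanged' or 'scan:<sha>'."""
    # Verify over the raw bytes before parsing: JSON from an unverified delivery is never trusted.
    if not verify_github_signature(secret, body, header):
        return "rejected"
    event = json.loads(body)
    repo = event["repository"]["full_name"]
    new_head = event.get("after", "")
    if len(new_head) != 40 or new_head == "0" * 40:  # branch deletion carries an all-zero 'after'
        return "ignored"
    if last_scanned.get(repo) == new_head:  # HEAD SHA unchanged since the last run: stay idle
        return "unchanged"
    last_scanned[repo] = new_head  # record the commit, then dispatch the 7-stage pipeline
    return "scan:" + new_head


if __name__ == "__main__":
    payload = json.dumps({"repository": {"full_name": "example/repo"}, "after": "b" * 40}).encode()
    print(handle_push(payload, github_signature(WEBHOOK_SECRET, payload), dict(LAST_SCANNED)))
```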

Built with Rust, Dioxus, and a commitment to automated security compliance.