Code review findings are not actionable in the findings dashboard — they lack PR context and clutter the list. The PR review pipeline already posts inline comments directly on PRs (GitHub, Gitea, GitLab), which is the appropriate place for code review feedback.

- Remove LLM code review stage from the scan pipeline (orchestrator)
- Remove "Code Review" option from the findings type filter dropdown

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Compliance Scanner
Autonomous security and compliance scanning agent for git repositories
About
Compliance Scanner is an autonomous agent that continuously monitors git repositories for security vulnerabilities, GDPR/OAuth compliance patterns, and dependency risks. It creates issues in external trackers (GitHub/GitLab/Jira) with evidence and remediation suggestions, reviews pull requests, and exposes a Dioxus-based dashboard for visualization.
How it works: The agent runs as a lazy daemon -- it only scans when new commits are detected, triggered by cron schedules or webhooks. LLM-powered triage filters out false positives and generates actionable remediation.
Features
| Area | Capabilities |
|---|---|
| SAST Scanning | Semgrep-based static analysis with auto-config rules |
| SBOM Generation | Syft + cargo-audit for complete dependency inventory |
| CVE Monitoring | OSV.dev batch queries, NVD CVSS enrichment, SearXNG context |
| GDPR Patterns | Detect PII logging, missing consent, hardcoded retention, missing deletion |
| OAuth Patterns | Detect implicit grant, missing PKCE, token in localStorage, token in URLs |
| LLM Triage | Confidence scoring via LiteLLM to filter false positives |
| Issue Creation | Auto-create issues in GitHub, GitLab, or Jira with code evidence |
| PR Reviews | Post security review comments on pull requests |
| Dashboard | Fullstack Dioxus UI with findings, SBOM, issues, and statistics |
| Webhooks | GitHub (HMAC-SHA256) and GitLab webhook receivers for push/PR events |
Architecture
┌─────────────────────────────────────────────────────────────┐
│ Cargo Workspace │
├──────────────┬──────────────────┬───────────────────────────┤
│ compliance- │ compliance- │ compliance- │
│ core │ agent │ dashboard │
│ (lib) │ (bin) │ (bin, Dioxus 0.7.3) │
│ │ │ │
│ Models │ Scan Pipeline │ Fullstack Web UI │
│ Traits │ LLM Client │ Server Functions │
│ Config │ Issue Trackers │ Charts + Tables │
│ Errors │ Scheduler │ Settings Page │
│ │ REST API │ │
│ │ Webhooks │ │
└──────────────┴──────────────────┴───────────────────────────┘
│
MongoDB (shared)
Scan Pipeline (7 Stages)
- Change Detection -- git2 fetch, compare HEAD SHA with last scanned commit
- Semgrep SAST -- CLI wrapper with JSON output parsing
- SBOM Generation -- Syft (CycloneDX) + cargo-audit vulnerability merge
- CVE Scanning -- OSV.dev batch + NVD CVSS enrichment + SearXNG context
- Pattern Scanning -- Regex-based GDPR and OAuth compliance checks
- LLM Triage -- LiteLLM confidence scoring, filter findings < 3/10
- Issue Creation -- Dedup via SHA-256 fingerprint, create tracker issues
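The following is an added illustration, not the project's Rust code, of how stages 5 to 7 fit together, written in Python with only the standard library: a regex pattern scan modelled on the GDPR/OAuth checks listed above, a triage step that drops anything scored below 3/10, and SHA-256 fingerprinting so a finding already filed as an issue is not filed twice. The regexes, the `fake_score` stand-in for the LiteLLM call and the `SAMPLE_JS` input are constructed for this example; the rules the project actually ships are not on this page.

```python
# Added example: stages 5-7 of the scan pipeline in miniature.
# Not the project's code; regexes and scores are assumptions.
import hashlib
import re
from dataclasses import dataclass

# Regexes in the spirit of the GDPR / OAuth checks listed above.
# The rules the project actually ships are not on the page.
PATTERNS = {
    "oauth.token_in_localstorage": re.compile(
        r"localStorage\.setItem\(\s*['\"][^'\"]*token[^'\"]*['\"]", re.I),
    "oauth.token_in_url": re.compile(r"[?&](access_token|id_token)=", re.I),
    "oauth.implicit_grant": re.compile(r"response_type=token\b", re.I),
    "gdpr.pii_logging": re.compile(
        r"\b(log|logger|console)\.(info|debug|warn|error|log)\([^)]*"
        r"\b(email|ssn|phone|dob)\b", re.I),
}

@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str
    confidence: int = 0  # 0..10, filled in by triage

    @property
    def fingerprint(self) -> str:
        # Stage 7 identity. Line numbers are left out on purpose so the
        # fingerprint survives unrelated edits above the hit.
        material = f"{self.rule_id}\0{self.path}\0{self.snippet.strip()}"
        return hashlib.sha256(material.encode()).hexdigest()

def scan_file(path: str, text: str) -> list:
    """Stage 5: regex pattern scan, one Finding per (line, rule) hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, rx in PATTERNS.items():
            if rx.search(line):
                hits.append(Finding(rule_id, path, lineno, line))
    return hits

def triage(findings: list, score) -> list:
    """Stage 6: keep only findings the triage model scores >= 3/10.
    `score` stands in for the LiteLLM call (callable Finding -> int)."""
    kept = []
    for f in findings:
        f.confidence = score(f)
        if f.confidence >= 3:
            kept.append(f)
    return kept

def dedup(findings: list, reported: set) -> list:
    """Stage 7: skip fingerprints already filed; record the new ones."""
    fresh = []
    for f in findings:
        if f.fingerprint in reported:
            continue
        reported.add(f.fingerprint)
        fresh.append(f)
    return fresh

# Constructed sample input, not taken from any real repository.
SAMPLE_JS = """\
fetch("/api/me?access_token=" + token);
localStorage.setItem("auth_token", token);
window.location = "https://idp.example/authorize?response_type=token&client_id=app";
logger.info("user " + user.email + " logged in");
console.log("healthy");
"""

def fake_score(f: Finding) -> int:
    # Deterministic stand-in for the LLM verdict: treat the token-in-URL hit
    # as a false positive (score 2), everything else as real (score 8).
    return 2 if f.rule_id == "oauth.token_in_url" else 8

def run_pipeline(path="web/auth.js", text=SAMPLE_JS, reported=None) -> list:
    """Stages 5-7 end to end; `reported` persists across scans of a repo."""
    reported = set() if reported is None else reported
    return dedup(triage(scan_file(path, text), fake_score), reported)

if __name__ == "__main__":
    for f in run_pipeline():
        print(f.fingerprint[:12], f.rule_id, f"{f.path}:{f.line}", f.confidence)
```

Running it twice with the same `reported` set yields three findings the first time and none the second, which is the behaviour a fingerprint-based dedup needs so that every scheduled scan does not re-open the same tracker issues. Excluding the line number from the fingerprint is a deliberate trade-off: it keeps the identity stable across unrelated edits, at the cost of collapsing two identical snippets in the same file into one finding.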
Tech Stack
| Layer | Technology |
|---|---|
| Shared Library | compliance-core -- models, traits, config |
| Agent | Axum REST API, git2, tokio-cron-scheduler, Semgrep, Syft |
| Dashboard | Dioxus 0.7.3 fullstack, Tailwind CSS |
| Database | MongoDB with typed collections |
| LLM | LiteLLM (OpenAI-compatible API) |
| Issue Trackers | GitHub (octocrab), GitLab (REST v4), Jira (REST v3) |
| CVE Sources | OSV.dev, NVD, SearXNG |
Getting Started
Prerequisites
- Rust 1.94+
- Dioxus CLI (dx)
- MongoDB
- Docker & Docker Compose (optional)
Optional External Tools
- Semgrep -- for SAST scanning
- Syft -- for SBOM generation
- cargo-audit -- for Rust dependency auditing
Setup
# Clone the repository
git clone <repo-url>
cd compliance-scanner
# Start MongoDB + SearXNG
docker compose up -d mongo searxng
# Configure environment
cp .env.example .env
# Edit .env with your LiteLLM, tracker tokens, and MongoDB settings
# Run the agent
cargo run -p compliance-agent
# Run the dashboard (separate terminal)
dx serve --features server --platform web
Docker Compose (Full Stack)
docker compose up -d
This starts MongoDB, SearXNG, the agent (port 3001), and the dashboard (port 8080).
REST API
The agent exposes a REST API on port 3001:
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/health | Health check |
| GET | /api/v1/stats/overview | Summary statistics and trends |
| GET | /api/v1/repositories | List tracked repositories |
| POST | /api/v1/repositories | Add a repository to track |
| POST | /api/v1/repositories/:id/scan | Trigger a manual scan |
| GET | /api/v1/findings | List findings (filterable) |
| GET | /api/v1/findings/:id | Get finding with code evidence |
| PATCH | /api/v1/findings/:id/status | Update finding status |
| GET | /api/v1/sbom | List dependencies |
| GET | /api/v1/issues | List cross-tracker issues |
| GET | /api/v1/scan-runs | Scan execution history |
| POST | /webhook/github | GitHub webhook (HMAC-SHA256) |
| POST | /webhook/gitlab | GitLab webhook (token verify) |
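Added example (Python, standard library; not the agent's Axum handler) of what the two webhook receivers must check before they act on a payload: the GitHub `X-Hub-Signature-256` HMAC over the raw request body, the GitLab `X-Gitlab-Token` shared secret, and the lazy-daemon rule that a push triggers a scan only when its `after` SHA is new for that ref. `SECRET`, `BODY`, `HEADERS` and the status strings the `receive_*` functions return are constructed for the example; header names are assumed to be already canonicalised by the web framework.

```python
# Added example: webhook authentication plus the lazy-daemon trigger.
# Not the agent's Axum code; secret, body and status strings are constructed.
import hashlib
import hmac
import json

ZERO_SHA = "0" * 40  # what GitHub sends as 'after' when a branch is deleted

def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github(secret: bytes, headers: dict, body: bytes) -> bool:
    """Check the MAC over the bytes exactly as received, before any JSON
    parsing, and compare in constant time so timing does not leak the MAC."""
    sig = headers.get("X-Hub-Signature-256", "")
    if not sig.startswith("sha256="):
        return False
    expected = github_signature(secret, body)
    return hmac.compare_digest(sig.encode(), expected.encode())

def verify_gitlab(secret: str, headers: dict) -> bool:
    """GitLab sends the configured secret verbatim in X-Gitlab-Token."""
    return hmac.compare_digest(headers.get("X-Gitlab-Token", "").encode(), secret.encode())

def should_scan(event: dict, last_scanned: dict) -> bool:
    """Lazy-daemon rule: queue a scan only when the pushed head is new for
    that ref. Both GitHub and GitLab push payloads carry 'ref' and 'after'."""
    ref, after = event.get("ref", ""), event.get("after", "")
    if not ref or not after or after == ZERO_SHA:
        return False  # malformed, or a deletion: nothing to scan
    if last_scanned.get(ref) == after:
        return False
    last_scanned[ref] = after
    return True

def receive_github(secret: bytes, headers: dict, body: bytes, last_scanned: dict) -> str:
    """Order matters: authenticate, then filter event type, then parse."""
    if not verify_github(secret, headers, body):
        return "401 bad signature"
    if headers.get("X-GitHub-Event") != "push":
        return "204 ignored event"
    event = json.loads(body)
    return "202 scan queued" if should_scan(event, last_scanned) else "204 already scanned"

def receive_gitlab(secret: str, headers: dict, body: bytes, last_scanned: dict) -> str:
    if not verify_gitlab(secret, headers):
        return "401 bad token"
    if headers.get("X-Gitlab-Event") != "Push Hook":
        return "204 ignored event"
    event = json.loads(body)
    return "202 scan queued" if should_scan(event, last_scanned) else "204 already scanned"

# Constructed fixture: a minimal push payload and the headers GitHub would send.
SECRET = b"example-webhook-secret"
BODY = json.dumps({"ref": "refs/heads/main", "after": "a" * 40,
                   "repository": {"full_name": "acme/app"}}).encode()
HEADERS = {"X-GitHub-Event": "push",
           "X-Hub-Signature-256": github_signature(SECRET, BODY)}

if __name__ == "__main__":
    state = {}
    print(receive_github(SECRET, HEADERS, BODY, state))         # first push: queued
    print(receive_github(SECRET, HEADERS, BODY, state))         # replay: already scanned
    print(receive_github(SECRET, HEADERS, BODY + b" ", state))  # tampered body: rejected
```

Two details carry the security weight here. The MAC is computed over the raw bytes, not over a re-serialised JSON object, because any whitespace or key-order difference would make a valid signature fail. And the comparison uses `hmac.compare_digest` rather than `==`, so an attacker probing the endpoint cannot recover the expected signature one byte at a time from response timing.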
Dashboard Pages
| Page | Description |
|---|---|
| Overview | Stat cards, severity distribution chart |
| Repositories | Add/manage tracked repos, trigger scans |
| Findings | Filterable table by severity, type, status |
| Finding Detail | Code evidence, remediation, suggested fix, linked issue |
| SBOM | Dependency inventory with vulnerability badges |
| Issues | Cross-tracker view (GitHub + GitLab + Jira) |
| Settings | Configure LiteLLM, tracker tokens, SearXNG URL |
Project Structure
compliance-scanner/
├── compliance-core/ Shared library (models, traits, config, errors)
├── compliance-agent/ Agent daemon (pipeline, LLM, trackers, API, webhooks)
│ └── src/
│ ├── pipeline/ 7-stage scan pipeline
│ ├── llm/ LiteLLM client, triage, descriptions, fixes, PR review
│ ├── trackers/ GitHub, GitLab, Jira integrations
│ ├── api/ REST API (Axum)
│ └── webhooks/ GitHub + GitLab webhook receivers
├── compliance-dashboard/ Dioxus fullstack dashboard
│ └── src/
│ ├── components/ Reusable UI components
│ ├── infrastructure/ Server functions, DB, config
│ └── pages/ Full page views
├── assets/ Static assets (CSS, icons)
├── styles/ Tailwind input stylesheet
└── bin/ Dashboard binary entrypoint
External Services
| Service | Purpose | Default URL |
|---|---|---|
| MongoDB | Persistence | mongodb://localhost:27017 |
| LiteLLM | LLM proxy for triage and generation | http://localhost:4000 |
| SearXNG | CVE context search | http://localhost:8888 |
| Semgrep | SAST scanning | CLI tool |
| Syft | SBOM generation | CLI tool |
Built with Rust, Dioxus, and a commitment to automated security compliance.