Sharang Parnerkar
0f6dd1135e
CI / Check (pull_request) Successful in 10m33s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
Closes the loop on M7.2 isolation for paths that don't have a JWT
context: scheduler, webhooks, and the agent's `run_scan` / `run_pr_review`
helpers all now take a `tenant_id` at the boundary and resolve to a
tenant-scoped `Database` via `db_pool.for_tenant_id(...)`. Internal
orchestrators (PipelineOrchestrator, PentestOrchestrator) and pipeline
helpers were already DB-agnostic — they take `db: Database` at
construction and don't care which tenant it points to.
Changes
- DatabasePool::for_tenant_id(&str) — same as for_tenant but accepts
a bare tenant_id. Background paths don't have a full TenantContext.
for_tenant is now a thin wrapper that delegates.
- agent.run_scan(tenant_id, repo_id, trigger) — pulls the tenant
database before constructing the PipelineOrchestrator. Was:
run_scan(repo_id, trigger) reading agent.db.
- agent.run_pr_review(tenant_id, repo_id, ...) — same shape.
- Webhook routes change: /webhook/{tenant_id}/{platform}/{repo_id}.
Tenant is part of the URL path because webhooks arrive without a
JWT — they're authenticated via per-repo HMAC, not the tenant gate.
The dashboard surfaces the full per-tenant URL when the repo is
registered. All three handlers (gitea, github, gitlab) updated.
- scheduler.rs — iterates tenants from $SCHEDULER_TENANT_IDS
(comma-separated env), or DEV_TENANT_ID's `dev` default. Both
scan_all_repos and monitor_cves now run once per configured
tenant. M7.2-D will replace this static config with a pull from
the tenant-registry.
- api/handlers/repos.rs::trigger_scan now passes tenant.0.tenant_id.
What's unchanged because it didn't need to change
- PipelineOrchestrator, PentestOrchestrator: take `db: Database` at
construction — they're tenant-DB-agnostic by design. The caller
picks the tenant DB.
- pipeline/{dedup,graph_build,issue_creation,sbom/mod}.rs,
pentest/{context,report/html/*}.rs, trackers/jira.rs, llm/triage.rs:
take `&Database` or `&mongodb::Database` as args, transitively
tenant-scoped via the caller.
Test plan
- cargo fmt --all clean
- cargo clippy --workspace --exclude compliance-dashboard
-- -D warnings clean
- cargo test -p compliance-core --lib — 7 pass
- cargo test -p compliance-agent --lib — 228 pass
- cargo test -p compliance-agent --test tenant_isolation — 5 pass
- cargo test -p compliance-agent --test tenant_status_middleware
— 6 pass
What's left (PR-D)
- Drop the transitional agent.db field — no remaining call sites
(verified by `grep -rn "agent\.db\b" compliance-agent/src`).
- main.rs / TestServer stop building the legacy Database; only the
pool remains.
- Add cross-tenant admin helpers (list tenants, drop tenant DB) on
the pool for offboarding flows.
- Pull tenants from the tenant-registry instead of an env var.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Compliance Scanner
Autonomous security and compliance scanning agent for git repositories
About
Compliance Scanner is an autonomous agent that continuously monitors git repositories for security vulnerabilities, GDPR/OAuth compliance patterns, and dependency risks. It creates issues in external trackers (GitHub/GitLab/Jira/Gitea) with evidence and remediation suggestions, reviews pull requests with multi-pass LLM analysis, runs autonomous penetration tests, and exposes a Dioxus-based dashboard for visualization.
How it works: The agent runs as a lazy daemon -- it only scans when new commits are detected, triggered by cron schedules or webhooks. LLM-powered triage filters out false positives and generates actionable remediation with multi-language awareness.
Features
| Area | Capabilities |
|---|---|
| SAST Scanning | Semgrep-based static analysis with auto-config rules |
| SBOM Generation | Syft + cargo-audit for complete dependency inventory |
| CVE Monitoring | OSV.dev batch queries, NVD CVSS enrichment, SearXNG context |
| GDPR Patterns | Detect PII logging, missing consent, hardcoded retention, missing deletion |
| OAuth Patterns | Detect implicit grant, missing PKCE, token in localStorage, token in URLs |
| LLM Triage | Multi-language-aware confidence scoring (Rust, Python, Go, Java, Ruby, PHP, C++) |
| Issue Creation | Auto-create issues in GitHub, GitLab, Jira, or Gitea with dedup via fingerprints |
| PR Reviews | Multi-pass security review (logic, security, convention, complexity) with dedup |
| DAST Scanning | Black-box security testing with endpoint discovery and parameter fuzzing |
| AI Pentesting | Autonomous LLM-orchestrated penetration testing with encrypted reports |
| Code Graph | Interactive code knowledge graph with impact analysis |
| AI Chat (RAG) | Natural language Q&A grounded in repository source code |
| Help Assistant | Documentation-grounded help chat accessible from every dashboard page |
| MCP Server | Expose live security data to Claude, Cursor, and other AI tools |
| Dashboard | Fullstack Dioxus UI with findings, SBOM, issues, DAST, pentest, and graph |
| Webhooks | GitHub, GitLab, and Gitea webhook receivers for push/PR events |
| Finding Dedup | SHA-256 fingerprint dedup for SAST, CWE-based dedup for DAST findings |
Architecture
┌──────────────────────────────────────────────────────────────────────────┐
│ Cargo Workspace │
├──────────────┬──────────────────┬──────────────┬──────────┬─────────────┤
│ compliance- │ compliance- │ compliance- │ complian-│ compliance- │
│ core (lib) │ agent (bin) │ dashboard │ ce-graph │ mcp (bin) │
│ │ │ (bin) │ (lib) │ │
│ Models │ Scan Pipeline │ Dioxus 0.7 │ Tree- │ MCP Server │
│ Traits │ LLM Client │ Fullstack UI │ sitter │ Live data │
│ Config │ Issue Trackers │ Help Chat │ Graph │ for AI │
│ Errors │ Pentest Engine │ Server Fns │ Embedds │ tools │
│ │ DAST Tools │ │ RAG │ │
│ │ REST API │ │ │ │
│ │ Webhooks │ │ │ │
└──────────────┴──────────────────┴──────────────┴──────────┴─────────────┘
│
MongoDB (shared)
Scan Pipeline (7 Stages)
- Change Detection --
git2fetch, compare HEAD SHA with last scanned commit - Semgrep SAST -- CLI wrapper with JSON output parsing
- SBOM Generation -- Syft (CycloneDX) + cargo-audit vulnerability merge
- CVE Scanning -- OSV.dev batch + NVD CVSS enrichment + SearXNG context
- Pattern Scanning -- Regex-based GDPR and OAuth compliance checks
- LLM Triage -- LiteLLM confidence scoring, filter findings < 3/10
- Issue Creation -- Dedup via SHA-256 fingerprint, create tracker issues
Tech Stack
| Layer | Technology |
|---|---|
| Shared Library | compliance-core -- models, traits, config |
| Agent | Axum REST API, git2, tokio-cron-scheduler, Semgrep, Syft |
| Dashboard | Dioxus 0.7.3 fullstack, Tailwind CSS 4 |
| Code Graph | compliance-graph -- tree-sitter parsing, embeddings, RAG |
| MCP Server | compliance-mcp -- Model Context Protocol for AI tools |
| DAST | compliance-dast -- dynamic application security testing |
| Database | MongoDB with typed collections |
| LLM | LiteLLM (OpenAI-compatible API for chat, triage, embeddings) |
| Issue Trackers | GitHub (octocrab), GitLab (REST v4), Jira (REST v3), Gitea |
| CVE Sources | OSV.dev, NVD, SearXNG |
| Auth | Keycloak (OAuth2/PKCE, SSO) |
| Browser Automation | Chromium (headless, for pentesting and PDF generation) |
Getting Started
Prerequisites
- Rust 1.94+
- Dioxus CLI (
dx) - MongoDB
- Docker & Docker Compose (optional)
Optional External Tools
- Semgrep -- for SAST scanning
- Syft -- for SBOM generation
- cargo-audit -- for Rust dependency auditing
Setup
# Clone the repository
git clone <repo-url>
cd compliance-scanner
# Start MongoDB + SearXNG
docker compose up -d mongo searxng
# Configure environment
cp .env.example .env
# Edit .env with your LiteLLM, tracker tokens, and MongoDB settings
# Run the agent
cargo run -p compliance-agent
# Run the dashboard (separate terminal)
dx serve --features server --platform web
Docker Compose (Full Stack)
docker compose up -d
This starts MongoDB, SearXNG, the agent (port 3001), and the dashboard (port 8080).
REST API
The agent exposes a REST API on port 3001:
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/v1/health |
Health check |
GET |
/api/v1/stats/overview |
Summary statistics and trends |
GET |
/api/v1/repositories |
List tracked repositories |
POST |
/api/v1/repositories |
Add a repository to track |
POST |
/api/v1/repositories/:id/scan |
Trigger a manual scan |
GET |
/api/v1/findings |
List findings (filterable) |
GET |
/api/v1/findings/:id |
Get finding with code evidence |
PATCH |
/api/v1/findings/:id/status |
Update finding status |
GET |
/api/v1/sbom |
List dependencies |
GET |
/api/v1/issues |
List cross-tracker issues |
GET |
/api/v1/scan-runs |
Scan execution history |
GET |
/api/v1/graph/:repo_id |
Code knowledge graph |
POST |
/api/v1/graph/:repo_id/build |
Trigger graph build |
GET |
/api/v1/dast/targets |
List DAST targets |
POST |
/api/v1/dast/targets |
Add DAST target |
GET |
/api/v1/dast/findings |
List DAST findings |
POST |
/api/v1/chat/:repo_id |
RAG-powered code chat |
POST |
/api/v1/help/chat |
Documentation-grounded help chat |
POST |
/api/v1/pentest/sessions |
Create pentest session |
POST |
/api/v1/pentest/sessions/:id/export |
Export encrypted pentest report |
POST |
/webhook/github |
GitHub webhook (HMAC-SHA256) |
POST |
/webhook/gitlab |
GitLab webhook (token verify) |
POST |
/webhook/gitea |
Gitea webhook |
Dashboard Pages
| Page | Description |
|---|---|
| Overview | Stat cards, severity distribution, AI chat cards, MCP status |
| Repositories | Add/manage tracked repos, trigger scans, webhook config |
| Findings | Filterable table by severity, type, status, scanner |
| Finding Detail | Code evidence, remediation, suggested fix, linked issue |
| SBOM | Dependency inventory with vulnerability badges, license summary |
| Issues | Cross-tracker view (GitHub + GitLab + Jira + Gitea) |
| Code Graph | Interactive architecture visualization, impact analysis |
| AI Chat | RAG-powered Q&A about repository code |
| DAST | Dynamic scanning targets, findings, and scan history |
| Pentest | AI-driven pentest sessions, attack chain visualization |
| MCP Servers | Model Context Protocol server management |
| Help Chat | Floating assistant (available on every page) for product Q&A |
Project Structure
compliance-scanner/
├── compliance-core/ Shared library (models, traits, config, errors)
├── compliance-agent/ Agent daemon (pipeline, LLM, trackers, API, webhooks)
│ └── src/
│ ├── pipeline/ 7-stage scan pipeline, dedup, PR reviews, code review
│ ├── llm/ LiteLLM client, triage, descriptions, fixes, review prompts
│ ├── trackers/ GitHub, GitLab, Jira, Gitea integrations
│ ├── pentest/ AI-driven pentest orchestrator, tools, reports
│ ├── rag/ RAG pipeline, chunking, embedding
│ ├── api/ REST API (Axum), help chat
│ └── webhooks/ GitHub, GitLab, Gitea webhook receivers
├── compliance-dashboard/ Dioxus fullstack dashboard
│ └── src/
│ ├── components/ Reusable UI (sidebar, help chat, attack chain, etc.)
│ ├── infrastructure/ Server functions, DB, config, auth
│ └── pages/ Full page views (overview, DAST, pentest, graph, etc.)
├── compliance-graph/ Code knowledge graph (tree-sitter, embeddings, RAG)
├── compliance-dast/ Dynamic application security testing
├── compliance-mcp/ Model Context Protocol server
├── docs/ VitePress documentation site
├── assets/ Static assets (CSS, icons)
└── styles/ Tailwind input stylesheet
External Services
| Service | Purpose | Default URL |
|---|---|---|
| MongoDB | Persistence | mongodb://localhost:27017 |
| LiteLLM | LLM proxy (chat, triage, embeddings) | http://localhost:4000 |
| SearXNG | CVE context search | http://localhost:8888 |
| Keycloak | Authentication (OAuth2/PKCE, SSO) | http://localhost:8080 |
| Semgrep | SAST scanning | CLI tool |
| Syft | SBOM generation | CLI tool |
| Chromium | Headless browser (pentesting, PDF) | Managed via Docker |
Built with Rust, Dioxus, and a commitment to automated security compliance.