Compliance Scanner

Autonomous security and compliance scanning agent for git repositories

---

About

Compliance Scanner is an autonomous agent that continuously monitors git repositories for security vulnerabilities, GDPR/OAuth compliance patterns, and dependency risks. It creates issues in external trackers (GitHub/GitLab/Jira) with evidence and remediation suggestions, reviews pull requests, and exposes a Dioxus-based dashboard for visualization.

How it works: The agent runs as a lazy daemon -- it only scans when new commits are detected, triggered by cron schedules or webhooks. LLM-powered triage filters out false positives and generates actionable remediation.

Features

Area	Capabilities
SAST Scanning	Semgrep-based static analysis with auto-config rules
SBOM Generation	Syft + cargo-audit for complete dependency inventory
CVE Monitoring	OSV.dev batch queries, NVD CVSS enrichment, SearXNG context
GDPR Patterns	Detect PII logging, missing consent, hardcoded retention, missing deletion
OAuth Patterns	Detect implicit grant, missing PKCE, token in localStorage, token in URLs
LLM Triage	Confidence scoring via LiteLLM to filter false positives
Issue Creation	Auto-create issues in GitHub, GitLab, or Jira with code evidence
PR Reviews	Post security review comments on pull requests
Dashboard	Fullstack Dioxus UI with findings, SBOM, issues, and statistics
Webhooks	GitHub (HMAC-SHA256) and GitLab webhook receivers for push/PR events

Architecture

┌─────────────────────────────────────────────────────────────┐
│                    Cargo Workspace                           │
├──────────────┬──────────────────┬───────────────────────────┤
│ compliance-  │ compliance-      │ compliance-               │
│ core         │ agent            │ dashboard                 │
│ (lib)        │ (bin)            │ (bin, Dioxus 0.7.3)       │
│              │                  │                           │
│ Models       │ Scan Pipeline    │ Fullstack Web UI          │
│ Traits       │ LLM Client      │ Server Functions           │
│ Config       │ Issue Trackers   │ Charts + Tables           │
│ Errors       │ Scheduler        │ Settings Page             │
│              │ REST API         │                           │
│              │ Webhooks         │                           │
└──────────────┴──────────────────┴───────────────────────────┘
                        │
                   MongoDB (shared)

Scan Pipeline (7 Stages)

1. Change Detection -- git2 fetch, compare HEAD SHA with last scanned commit
2. Semgrep SAST -- CLI wrapper with JSON output parsing
3. SBOM Generation -- Syft (CycloneDX) + cargo-audit vulnerability merge
4. CVE Scanning -- OSV.dev batch + NVD CVSS enrichment + SearXNG context
5. Pattern Scanning -- Regex-based GDPR and OAuth compliance checks
6. LLM Triage -- LiteLLM confidence scoring, filter findings < 3/10
7. Issue Creation -- Dedup via SHA-256 fingerprint, create tracker issues

Tech Stack

Layer	Technology
Shared Library	compliance-core -- models, traits, config
Agent	Axum REST API, git2, tokio-cron-scheduler, Semgrep, Syft
Dashboard	Dioxus 0.7.3 fullstack, Tailwind CSS
Database	MongoDB with typed collections
LLM	LiteLLM (OpenAI-compatible API)
Issue Trackers	GitHub (octocrab), GitLab (REST v4), Jira (REST v3)
CVE Sources	OSV.dev, NVD, SearXNG

Getting Started

Prerequisites

• Rust 1.89+
• Dioxus CLI (dx)
• MongoDB
• Docker & Docker Compose (optional)

Optional External Tools

• Semgrep -- for SAST scanning
• Syft -- for SBOM generation
• cargo-audit -- for Rust dependency auditing

Setup

# Clone the repository
git clone <repo-url>
cd compliance-scanner

# Start MongoDB + SearXNG
docker compose up -d mongo searxng

# Configure environment
cp .env.example .env
# Edit .env with your LiteLLM, tracker tokens, and MongoDB settings

# Run the agent
cargo run -p compliance-agent

# Run the dashboard (separate terminal)
dx serve --features server --platform web

Docker Compose (Full Stack)

docker compose up -d

This starts MongoDB, SearXNG, the agent (port 3001), and the dashboard (port 8080).

REST API

The agent exposes a REST API on port 3001:

Method	Endpoint	Description
GET	/api/v1/health	Health check
GET	/api/v1/stats/overview	Summary statistics and trends
GET	/api/v1/repositories	List tracked repositories
POST	/api/v1/repositories	Add a repository to track
POST	/api/v1/repositories/:id/scan	Trigger a manual scan
GET	/api/v1/findings	List findings (filterable)
GET	/api/v1/findings/:id	Get finding with code evidence
PATCH	/api/v1/findings/:id/status	Update finding status
GET	/api/v1/sbom	List dependencies
GET	/api/v1/issues	List cross-tracker issues
GET	/api/v1/scan-runs	Scan execution history
POST	/webhook/github	GitHub webhook (HMAC-SHA256)
POST	/webhook/gitlab	GitLab webhook (token verify)

Dashboard Pages

Page	Description
Overview	Stat cards, severity distribution chart
Repositories	Add/manage tracked repos, trigger scans
Findings	Filterable table by severity, type, status
Finding Detail	Code evidence, remediation, suggested fix, linked issue
SBOM	Dependency inventory with vulnerability badges
Issues	Cross-tracker view (GitHub + GitLab + Jira)
Settings	Configure LiteLLM, tracker tokens, SearXNG URL

Project Structure

compliance-scanner/
├── compliance-core/        Shared library (models, traits, config, errors)
├── compliance-agent/       Agent daemon (pipeline, LLM, trackers, API, webhooks)
│   └── src/
│       ├── pipeline/       7-stage scan pipeline
│       ├── llm/            LiteLLM client, triage, descriptions, fixes, PR review
│       ├── trackers/       GitHub, GitLab, Jira integrations
│       ├── api/            REST API (Axum)
│       └── webhooks/       GitHub + GitLab webhook receivers
├── compliance-dashboard/   Dioxus fullstack dashboard
│   └── src/
│       ├── components/     Reusable UI components
│       ├── infrastructure/ Server functions, DB, config
│       └── pages/          Full page views
├── assets/                 Static assets (CSS, icons)
├── styles/                 Tailwind input stylesheet
└── bin/                    Dashboard binary entrypoint

External Services

Service	Purpose	Default URL
MongoDB	Persistence	mongodb://localhost:27017
LiteLLM	LLM proxy for triage and generation	http://localhost:4000
SearXNG	CVE context search	http://localhost:8888
Semgrep	SAST scanning	CLI tool
Syft	SBOM generation	CLI tool

---

_{Built with Rust, Dioxus, and a commitment to automated security compliance.}