Sharang Parnerkar
bec47f8c7d
CI / Check (pull_request) Successful in 8m7s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
The dashboard stored a refresh_token in the session at login (auth.rs)
but never used it. Once the access_token's 5-minute lifespan ran out,
every subsequent agent call failed with 401 ExpiredSignature. The UI
showed "unable to load X" until the user logged out and back in.
Fix: before attaching the bearer, decode the JWT's `exp` claim and
proactively refresh via the stored refresh_token if the token is
expired or within REFRESH_SKEW_SECS (30s) of expiry. Updates the
session with the new access_token (and rotated refresh_token if KC
sends one). Refresh failures fall through with the stale token so the
agent's 401 surfaces to the UI rather than failing the request at the
dashboard layer.
Why "proactive" instead of "retry on 401"
- Saves a wasted round-trip on every agent call once the token has
aged past 5 min.
- Doesn't require cloning RequestBuilder bodies for retry.
- Same end state — fresh token reaches the agent.
Test plan
- cargo test -p compliance-dashboard --features server
--no-default-features infrastructure::agent_client::tests — 5 pass:
* expired JWT → refresh
* near-expiry within skew window → refresh
* fresh JWT → no refresh
* malformed/empty JWT → refresh (defensive)
* JWT without exp claim → refresh (defensive)
- Manual after deploy: dashboard works past the 5-min token lifespan
without manual re-login.
Note
- The refresh code addresses the ExpiredSignature failure mode. The
separate "JWT is missing tenant_id claim" 401 is a Keycloak realm
config issue (the user logging in lacks the M7.1 attributes that
the protocol mappers consume) and is fixed by realm/attribute
config, not by this PR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Compliance Scanner
Autonomous security and compliance scanning agent for git repositories
About
Compliance Scanner is an autonomous agent that continuously monitors git repositories for security vulnerabilities, GDPR/OAuth compliance patterns, and dependency risks. It creates issues in external trackers (GitHub/GitLab/Jira/Gitea) with evidence and remediation suggestions, reviews pull requests with multi-pass LLM analysis, runs autonomous penetration tests, and exposes a Dioxus-based dashboard for visualization.
How it works: The agent runs as a lazy daemon -- it only scans when new commits are detected, triggered by cron schedules or webhooks. LLM-powered triage filters out false positives and generates actionable remediation with multi-language awareness.
Features
| Area | Capabilities |
|---|---|
| SAST Scanning | Semgrep-based static analysis with auto-config rules |
| SBOM Generation | Syft + cargo-audit for complete dependency inventory |
| CVE Monitoring | OSV.dev batch queries, NVD CVSS enrichment, SearXNG context |
| GDPR Patterns | Detect PII logging, missing consent, hardcoded retention, missing deletion |
| OAuth Patterns | Detect implicit grant, missing PKCE, token in localStorage, token in URLs |
| LLM Triage | Multi-language-aware confidence scoring (Rust, Python, Go, Java, Ruby, PHP, C++) |
| Issue Creation | Auto-create issues in GitHub, GitLab, Jira, or Gitea with dedup via fingerprints |
| PR Reviews | Multi-pass security review (logic, security, convention, complexity) with dedup |
| DAST Scanning | Black-box security testing with endpoint discovery and parameter fuzzing |
| AI Pentesting | Autonomous LLM-orchestrated penetration testing with encrypted reports |
| Code Graph | Interactive code knowledge graph with impact analysis |
| AI Chat (RAG) | Natural language Q&A grounded in repository source code |
| Help Assistant | Documentation-grounded help chat accessible from every dashboard page |
| MCP Server | Expose live security data to Claude, Cursor, and other AI tools |
| Dashboard | Fullstack Dioxus UI with findings, SBOM, issues, DAST, pentest, and graph |
| Webhooks | GitHub, GitLab, and Gitea webhook receivers for push/PR events |
| Finding Dedup | SHA-256 fingerprint dedup for SAST, CWE-based dedup for DAST findings |
Architecture
┌──────────────────────────────────────────────────────────────────────────┐
│ Cargo Workspace │
├──────────────┬──────────────────┬──────────────┬──────────┬─────────────┤
│ compliance- │ compliance- │ compliance- │ complian-│ compliance- │
│ core (lib) │ agent (bin) │ dashboard │ ce-graph │ mcp (bin) │
│ │ │ (bin) │ (lib) │ │
│ Models │ Scan Pipeline │ Dioxus 0.7 │ Tree- │ MCP Server │
│ Traits │ LLM Client │ Fullstack UI │ sitter │ Live data │
│ Config │ Issue Trackers │ Help Chat │ Graph │ for AI │
│ Errors │ Pentest Engine │ Server Fns │ Embedds │ tools │
│ │ DAST Tools │ │ RAG │ │
│ │ REST API │ │ │ │
│ │ Webhooks │ │ │ │
└──────────────┴──────────────────┴──────────────┴──────────┴─────────────┘
│
MongoDB (shared)
Scan Pipeline (7 Stages)
- Change Detection --
git2fetch, compare HEAD SHA with last scanned commit - Semgrep SAST -- CLI wrapper with JSON output parsing
- SBOM Generation -- Syft (CycloneDX) + cargo-audit vulnerability merge
- CVE Scanning -- OSV.dev batch + NVD CVSS enrichment + SearXNG context
- Pattern Scanning -- Regex-based GDPR and OAuth compliance checks
- LLM Triage -- LiteLLM confidence scoring, filter findings < 3/10
- Issue Creation -- Dedup via SHA-256 fingerprint, create tracker issues
Tech Stack
| Layer | Technology |
|---|---|
| Shared Library | compliance-core -- models, traits, config |
| Agent | Axum REST API, git2, tokio-cron-scheduler, Semgrep, Syft |
| Dashboard | Dioxus 0.7.3 fullstack, Tailwind CSS 4 |
| Code Graph | compliance-graph -- tree-sitter parsing, embeddings, RAG |
| MCP Server | compliance-mcp -- Model Context Protocol for AI tools |
| DAST | compliance-dast -- dynamic application security testing |
| Database | MongoDB with typed collections |
| LLM | LiteLLM (OpenAI-compatible API for chat, triage, embeddings) |
| Issue Trackers | GitHub (octocrab), GitLab (REST v4), Jira (REST v3), Gitea |
| CVE Sources | OSV.dev, NVD, SearXNG |
| Auth | Keycloak (OAuth2/PKCE, SSO) |
| Browser Automation | Chromium (headless, for pentesting and PDF generation) |
Getting Started
Prerequisites
- Rust 1.94+
- Dioxus CLI (
dx) - MongoDB
- Docker & Docker Compose (optional)
Optional External Tools
- Semgrep -- for SAST scanning
- Syft -- for SBOM generation
- cargo-audit -- for Rust dependency auditing
Setup
# Clone the repository
git clone <repo-url>
cd compliance-scanner
# Start MongoDB + SearXNG
docker compose up -d mongo searxng
# Configure environment
cp .env.example .env
# Edit .env with your LiteLLM, tracker tokens, and MongoDB settings
# Run the agent
cargo run -p compliance-agent
# Run the dashboard (separate terminal)
dx serve --features server --platform web
Docker Compose (Full Stack)
docker compose up -d
This starts MongoDB, SearXNG, the agent (port 3001), and the dashboard (port 8080).
REST API
The agent exposes a REST API on port 3001:
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/v1/health |
Health check |
GET |
/api/v1/stats/overview |
Summary statistics and trends |
GET |
/api/v1/repositories |
List tracked repositories |
POST |
/api/v1/repositories |
Add a repository to track |
POST |
/api/v1/repositories/:id/scan |
Trigger a manual scan |
GET |
/api/v1/findings |
List findings (filterable) |
GET |
/api/v1/findings/:id |
Get finding with code evidence |
PATCH |
/api/v1/findings/:id/status |
Update finding status |
GET |
/api/v1/sbom |
List dependencies |
GET |
/api/v1/issues |
List cross-tracker issues |
GET |
/api/v1/scan-runs |
Scan execution history |
GET |
/api/v1/graph/:repo_id |
Code knowledge graph |
POST |
/api/v1/graph/:repo_id/build |
Trigger graph build |
GET |
/api/v1/dast/targets |
List DAST targets |
POST |
/api/v1/dast/targets |
Add DAST target |
GET |
/api/v1/dast/findings |
List DAST findings |
POST |
/api/v1/chat/:repo_id |
RAG-powered code chat |
POST |
/api/v1/help/chat |
Documentation-grounded help chat |
POST |
/api/v1/pentest/sessions |
Create pentest session |
POST |
/api/v1/pentest/sessions/:id/export |
Export encrypted pentest report |
POST |
/webhook/github |
GitHub webhook (HMAC-SHA256) |
POST |
/webhook/gitlab |
GitLab webhook (token verify) |
POST |
/webhook/gitea |
Gitea webhook |
Dashboard Pages
| Page | Description |
|---|---|
| Overview | Stat cards, severity distribution, AI chat cards, MCP status |
| Repositories | Add/manage tracked repos, trigger scans, webhook config |
| Findings | Filterable table by severity, type, status, scanner |
| Finding Detail | Code evidence, remediation, suggested fix, linked issue |
| SBOM | Dependency inventory with vulnerability badges, license summary |
| Issues | Cross-tracker view (GitHub + GitLab + Jira + Gitea) |
| Code Graph | Interactive architecture visualization, impact analysis |
| AI Chat | RAG-powered Q&A about repository code |
| DAST | Dynamic scanning targets, findings, and scan history |
| Pentest | AI-driven pentest sessions, attack chain visualization |
| MCP Servers | Model Context Protocol server management |
| Help Chat | Floating assistant (available on every page) for product Q&A |
Project Structure
compliance-scanner/
├── compliance-core/ Shared library (models, traits, config, errors)
├── compliance-agent/ Agent daemon (pipeline, LLM, trackers, API, webhooks)
│ └── src/
│ ├── pipeline/ 7-stage scan pipeline, dedup, PR reviews, code review
│ ├── llm/ LiteLLM client, triage, descriptions, fixes, review prompts
│ ├── trackers/ GitHub, GitLab, Jira, Gitea integrations
│ ├── pentest/ AI-driven pentest orchestrator, tools, reports
│ ├── rag/ RAG pipeline, chunking, embedding
│ ├── api/ REST API (Axum), help chat
│ └── webhooks/ GitHub, GitLab, Gitea webhook receivers
├── compliance-dashboard/ Dioxus fullstack dashboard
│ └── src/
│ ├── components/ Reusable UI (sidebar, help chat, attack chain, etc.)
│ ├── infrastructure/ Server functions, DB, config, auth
│ └── pages/ Full page views (overview, DAST, pentest, graph, etc.)
├── compliance-graph/ Code knowledge graph (tree-sitter, embeddings, RAG)
├── compliance-dast/ Dynamic application security testing
├── compliance-mcp/ Model Context Protocol server
├── docs/ VitePress documentation site
├── assets/ Static assets (CSS, icons)
└── styles/ Tailwind input stylesheet
External Services
| Service | Purpose | Default URL |
|---|---|---|
| MongoDB | Persistence | mongodb://localhost:27017 |
| LiteLLM | LLM proxy (chat, triage, embeddings) | http://localhost:4000 |
| SearXNG | CVE context search | http://localhost:8888 |
| Keycloak | Authentication (OAuth2/PKCE, SSO) | http://localhost:8080 |
| Semgrep | SAST scanning | CLI tool |
| Syft | SBOM generation | CLI tool |
| Chromium | Headless browser (pentesting, PDF) | Managed via Docker |
Built with Rust, Dioxus, and a commitment to automated security compliance.