sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity
Files
f8eb4ea84d8a8f80f03cecce84c17558e4f6bf9c
compliance-scanner-agent/compliance-agent/src/webhooks/gitlab.rs
Sharang Parnerkar 491665559f
Some checks failed
CI / Security Audit (push) Has been cancelled
Details
CI / Tests (push) Has been cancelled
Details
CI / Detect Changes (push) Has been cancelled
Details
CI / Deploy Agent (push) Has been cancelled
Details
CI / Deploy Dashboard (push) Has been cancelled
Details
CI / Deploy Docs (push) Has been cancelled
Details
CI / Deploy MCP (push) Has been cancelled
Details
CI / Clippy (push) Has been cancelled
Details
CI / Format (push) Successful in 4s
Details
feat: per-repo issue tracker, Gitea support, PR review pipeline (#10)
2026-03-11 12:13:59 +00:00

119 lines
3.6 KiB
Rust
Raw Blame History

use std::sync::Arc;
use axum::body::Bytes;
use axum::extract::{Extension, Path};
use axum::http::{HeaderMap, StatusCode};
use compliance_core::models::ScanTrigger;
use crate::agent::ComplianceAgent;
pub async fn handle_gitlab_webhook(
Extension(agent): Extension<Arc<ComplianceAgent>>,
Path(repo_id): Path<String>,
headers: HeaderMap,
body: Bytes,
) -> StatusCode {
// Look up the repo to get its webhook secret
let oid = match mongodb::bson::oid::ObjectId::parse_str(&repo_id) {
Ok(oid) => oid,
Err(_) => return StatusCode::NOT_FOUND,
};
let repo = match agent
.db
.repositories()
.find_one(mongodb::bson::doc! { "_id": oid })
.await
{
Ok(Some(repo)) => repo,
_ => {
tracing::warn!("GitLab webhook: repo {repo_id} not found");
return StatusCode::NOT_FOUND;
}
};
// GitLab sends the secret token in X-Gitlab-Token header (plain text comparison)
if let Some(secret) = &repo.webhook_secret {
let token = headers
.get("x-gitlab-token")
.and_then(|v| v.to_str().ok())
.unwrap_or("");
if token != secret {
tracing::warn!("GitLab webhook: invalid token for repo {repo_id}");
return StatusCode::UNAUTHORIZED;
}
}
let payload: serde_json::Value = match serde_json::from_slice(&body) {
Ok(v) => v,
Err(e) => {
tracing::warn!("GitLab webhook: invalid JSON: {e}");
return StatusCode::BAD_REQUEST;
}
};
let event_type = payload["object_kind"].as_str().unwrap_or("");
match event_type {
"push" => {
let agent_clone = (*agent).clone();
let repo_id = repo_id.clone();
tokio::spawn(async move {
tracing::info!("GitLab push webhook: triggering scan for {repo_id}");
if let Err(e) = agent_clone.run_scan(&repo_id, ScanTrigger::Webhook).await {
tracing::error!("Webhook-triggered scan failed: {e}");
}
});
StatusCode::OK
}
"merge_request" => handle_merge_request(agent, &repo_id, &payload).await,
_ => {
tracing::debug!("GitLab webhook: ignoring event '{event_type}'");
StatusCode::OK
}
}
}
async fn handle_merge_request(
agent: Arc<ComplianceAgent>,
repo_id: &str,
payload: &serde_json::Value,
) -> StatusCode {
let action = payload["object_attributes"]["action"]
.as_str()
.unwrap_or("");
if action != "open" && action != "update" {
return StatusCode::OK;
}
let mr_iid = payload["object_attributes"]["iid"].as_u64().unwrap_or(0);
let head_sha = payload["object_attributes"]["last_commit"]["id"]
.as_str()
.unwrap_or("");
let base_sha = payload["object_attributes"]["diff_refs"]["base_sha"]
.as_str()
.unwrap_or("");
if mr_iid == 0 || head_sha.is_empty() || base_sha.is_empty() {
tracing::warn!("GitLab MR webhook: missing required fields");
return StatusCode::BAD_REQUEST;
}
let repo_id = repo_id.to_string();
let head_sha = head_sha.to_string();
let base_sha = base_sha.to_string();
let agent_clone = (*agent).clone();
tokio::spawn(async move {
tracing::info!("GitLab MR webhook: reviewing MR !{mr_iid} on {repo_id}");
if let Err(e) = agent_clone
.run_pr_review(&repo_id, mr_iid, &base_sha, &head_sha)
.await
{
tracing::error!("MR review failed for !{mr_iid}: {e}");
}
});
StatusCode::OK
}
Reference in New Issue View Git Blame Copy Permalink