feat(security): built-in security scanning platform for repositories #508

Closed
opened 2026-06-06 14:44:43 +00:00 by jmiller · 1 comment
Owner

Priority: HIGH

Summary

Add built-in secret scanning as a core MokoGitea feature that:

  1. Scans every push for accidentally committed secrets (API keys, tokens, passwords, private keys)
  2. Repo settings screen showing scan results, false positive management, and alert history
  3. Push rejection (optional) blocking pushes that contain detected secrets
  4. Dashboard for org admins showing secret exposure across all repos

Scope

1. Secret Detection Engine

Built into MokoGitea (not an external tool), scanning:

  • API keys (AWS, GCP, Azure, Stripe, etc.)
  • Tokens (GitHub/Gitea personal access tokens, OAuth tokens, JWTs)
  • Passwords in connection strings (database URLs, SMTP, Redis)
  • Private keys (SSH, PGP, TLS certificates)
  • Custom patterns defined at org level

Detection uses regex patterns with entropy analysis to reduce false positives.

2. Repo Settings Screen

Add a Security tab in repo settings showing:

  • Active alerts (secrets found, not yet resolved)
  • Resolved alerts (acknowledged false positives or rotated secrets)
  • Scan history (last scan date, commits scanned)
  • Allow/block list for specific patterns
  • Toggle for push rejection mode

3. Push-Time Scanning

On every push (via the pre-receive hook or post-receive processing):

  • Scan new commits for secrets
  • If push rejection is enabled: block the push and return an error message explaining which file/line contains the secret
  • If push rejection is disabled: allow the push but create an alert
  • Send notification to repo admins

4. Org-Level Dashboard

Org settings page showing:

  • Total alerts across all repos
  • Most common secret types found
  • Repos with unresolved alerts
  • Custom pattern management (org-wide regex patterns)

5. API

  • list alerts
  • resolve/dismiss alert
  • org-wide alert summary

Built-In Patterns

| Pattern            | Example Match                   |
|--------------------|---------------------------------|
| AWS Access Key     |                                 |
| AWS Secret Key     | 40-char base64 after aws_secret |
| GitHub/Gitea Token | , , token patterns              |
| Private Key        |                                 |
| Generic Password   |                                 |
| Connection String  |                                 |
| JWT                |                                 |

Motivation

Secret leaks are one of the most common and damaging security incidents. GitHub has this feature built-in. Making it inherent to MokoGitea (not an optional plugin) ensures all repos are protected by default.


Authored by Jonathan Miller (@jmiller)

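The detection engine and the push-time decision described in the issue, as an added example that is not part of the issue or of MokoGitea's code. It assumes the shape of the engine (pattern table with a Shannon-entropy threshold, a repo-level allow list, a pre-receive decision that names file and line); the regexes are the example's own, since the issue's example matches did not survive extraction, and the sample tree and its values are constructed, not real credentials.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
	"strings"
)

// Finding is one detected secret; Redacted keeps only the first 4 characters.
type Finding struct {
	Rule, File, Redacted string
	Line                 int
}

// pattern is a built-in detector: the regex's first capture group is the
// candidate secret; minEntropy (bits per character, 0 = no check) is the
// Shannon entropy it must reach before it is reported.
type pattern struct {
	name       string
	re         *regexp.Regexp
	minEntropy float64
}

// Hypothetical built-in patterns: the issue's example matches were lost, so
// these regexes are this example's own, not the project's.
var builtIn = []pattern{
	{"AWS Access Key", regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`), 0},
	{"Private Key", regexp.MustCompile(`(-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----)`), 0},
	{"Connection String", regexp.MustCompile(`((?:postgres|mysql|redis|smtp)://[^:\s]+:[^@\s]+@)`), 0},
	{"Generic Password", regexp.MustCompile(`(?i)password\s*[=:]\s*["']?([^\s"']{8,})`), 3.0},
}

// shannonEntropy returns bits per character. Real keys are near-random;
// placeholders like "aaaaaaaaaa" score near 0, which cuts false positives.
func shannonEntropy(s string) float64 {
	counts, h := map[rune]int{}, 0.0
	for _, r := range s {
		counts[r]++
	}
	for _, c := range counts {
		p := float64(c) / float64(len([]rune(s)))
		h -= p * math.Log2(p)
	}
	return h
}

// ScanFiles runs every pattern over each file line by line (sorted path order
// keeps results deterministic). allow is the repo's allow list as one regex
// (nil = none): a candidate it matches is an acknowledged false positive.
func ScanFiles(files map[string]string, allow *regexp.Regexp) []Finding {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var out []Finding
	for _, path := range paths {
		for i, line := range strings.Split(files[path], "\n") {
			for _, p := range builtIn {
				for _, m := range p.re.FindAllStringSubmatch(line, -1) {
					if (p.minEntropy > 0 && shannonEntropy(m[1]) < p.minEntropy) || (allow != nil && allow.MatchString(m[1])) {
						continue // low-entropy placeholder or acknowledged false positive
					}
					out = append(out, Finding{p.name, path, fmt.Sprintf("%.4s...", m[1]), i + 1})
				}
			}
		}
	}
	return out
}

// DecidePush applies the repo's push-rejection toggle and returns whether the
// push is allowed plus the message git shows: in reject mode every finding is
// listed as file:line; otherwise the push is accepted and alerts are raised.
func DecidePush(findings []Finding, rejectMode bool) (bool, string) {
	if len(findings) == 0 {
		return true, "secret scan: clean"
	}
	var b strings.Builder
	for _, f := range findings {
		fmt.Fprintf(&b, "  %s:%d: %s (%s)\n", f.File, f.Line, f.Rule, f.Redacted)
	}
	if rejectMode {
		return false, "push rejected, secrets detected:\n" + b.String()
	}
	return true, "push accepted, alerts created:\n" + b.String()
}

// sampleFiles is a constructed pushed tree; the values are not real credentials.
var sampleFiles = map[string]string{
	"config/app.ini": "[database]\npassword = aaaaaaaaaa\nAWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE\n",
	"deploy/env.sh":  "export DATABASE_URL=postgres://app:Tr0ub4dor3x9@db.internal:5432/app\nexport DEBUG=false\n",
	"README.md":      "Never commit keys like this one:\n-----BEGIN RSA PRIVATE KEY-----\n",
}

func main() {
	_, msg := DecidePush(ScanFiles(sampleFiles, nil), true)
	fmt.Print(msg)
}
```

Running it reports the private key marker in README.md, the access key in config/app.ini and the credential-bearing connection string in deploy/env.sh, while the all-`a` placeholder password is dropped by the entropy threshold; adding the documented example key to the allow list removes that finding without touching the others.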
jmiller changed title from feat(security): built-in secret scanning for repositories to feat(security): built-in security scanning platform for repositories 2026-06-06 21:14:46 +00:00
Author
Owner

Expanded Scope: Full Security Scanning Platform

This is not just secret detection - it is a comprehensive security scanning tool with multiple scanner types:

Scanner Types

  1. Secret Scanner - API keys, tokens, passwords, private keys, connection strings
  2. Dependency Scanner - CVEs in go.mod, package.json, composer.json, requirements.txt
  3. Code Scanner - SQL injection, XSS, command injection, path traversal patterns
  4. Config Scanner - Insecure settings, exposed debug modes, default credentials
  5. License Scanner - License compliance, incompatible license combinations

Architecture

  • Pluggable scanner framework - each scanner type is a module
  • Runs on push (post-receive hook) and on-demand
  • Unified alert storage with severity levels (critical/high/medium/low/info)
  • Security tab in repo settings showing all findings
  • Org-level dashboard aggregating across repos
  • Custom pattern definitions at org level

Authored by Jonathan Miller (@jmiller)

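The pluggable framework from the expanded scope, as an added example that is not part of the issue or of MokoGitea's code: a Scanner contract, unified alerts with the five severity levels, a post-receive runner and the org-dashboard summary. One module, the dependency scanner, is implemented so the framework has something to run; its advisory feed is a constructed in-memory table with placeholder IDs, the module paths and the go.mod tree are constructed, and the version comparison assumes plain dotted numeric versions.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Severity is the unified scale every module reports on; Alert is the one stored record type.
type Severity string
const Info, Low, Medium, High, Critical Severity = "info", "low", "medium", "high", "critical"

type Alert struct {
	Repo, Scanner, File, Title string
	Line                       int
	Severity                   Severity
	Resolved                   bool
}

// Scanner is the plug-in contract each scanner module implements.
type Scanner interface{ Scan(repo string, files map[string]string) []Alert }

// advisories is a constructed in-memory stand-in for a vulnerability feed,
// keyed by module path; its IDs are placeholders, not real advisories.
var advisories = map[string]struct {
	ID, FixedIn string
	Severity    Severity
}{
	"example.com/lib/parser": {"ADVISORY-PLACEHOLDER-1", "1.4.2", Critical},
	"example.com/lib/auth":   {"ADVISORY-PLACEHOLDER-2", "0.9.0", High},
}

// requireLine captures "<module> v<version>" from single-line and block require entries.
var requireLine = regexp.MustCompile(`^\s*(?:require\s+)?([\w./-]+)\s+v(\d+(?:\.\d+)*)`)

// DependencyScanner flags go.mod entries whose version is below the advisory's fix.
type DependencyScanner struct{}

func (DependencyScanner) Scan(repo string, files map[string]string) []Alert {
	var out []Alert
	for i, line := range strings.Split(files["go.mod"], "\n") {
		m := requireLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if a, ok := advisories[m[1]]; ok && versionLess(m[2], a.FixedIn) {
			title := fmt.Sprintf("%s v%s: %s, fixed in v%s", m[1], m[2], a.ID, a.FixedIn)
			out = append(out, Alert{repo, "dependency", "go.mod", title, i + 1, a.Severity, false})
		}
	}
	return out
}

// versionLess compares dotted numeric versions component by component.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, _ := strconv.Atoi(as[i])
		y, _ := strconv.Atoi(bs[i])
		if x != y {
			return x < y
		}
	}
	return len(as) < len(bs)
}

// ScanRepo is the post-receive path: every registered module runs over the
// pushed tree and all findings land in the one alert store.
func ScanRepo(repo string, files map[string]string, scanners []Scanner) []Alert {
	var all []Alert
	for _, sc := range scanners {
		all = append(all, sc.Scan(repo, files)...)
	}
	return all
}

// Summarize is the org dashboard view: total, count per severity, repos with unresolved alerts.
func Summarize(alerts []Alert) (total int, bySeverity map[Severity]int, unresolved []string) {
	bySeverity, seen := map[Severity]int{}, map[string]bool{}
	for _, a := range alerts {
		total++
		bySeverity[a.Severity]++
		if !a.Resolved && !seen[a.Repo] {
			seen[a.Repo] = true
			unresolved = append(unresolved, a.Repo)
		}
	}
	return total, bySeverity, unresolved
}

// apiTree is a constructed sample tree, not a real project.
var apiTree = map[string]string{"go.mod": "module example.com/acme/api\n\ngo 1.22\n\nrequire (\n\texample.com/lib/parser v1.3.0\n\texample.com/lib/auth v0.8.1\n)\n"}

func main() {
	total, bySev, unresolved := Summarize(ScanRepo("acme/api", apiTree, []Scanner{DependencyScanner{}}))
	fmt.Println(total, bySev, unresolved)
}
```

Adding a secret, code, config or license module means implementing Scan and appending it to the scanner slice; everything downstream (storage, severity counts, the unresolved-repos list) already works on the unified Alert record. Dismissing an alert flips Resolved, and the repo drops out of the dashboard's unresolved list once all of its alerts are resolved.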