release: code security scanner (#552) #717

Merged
jmiller merged 3 commits from dev into main 2026-06-28 19:00:45 +00:00
Owner

Summary

  • Code security scanner with 22 OWASP pattern detection rules across 7 CWE categories
  • Language-filtered scanning for Go, PHP, Python, JS/TS, Java, C#, Ruby
  • Wired into scanner orchestrator via existing CodeScanner config toggle
  • API: code_scanner field added to GET/PATCH /security/config
  • Web UI toggle already existed in settings template

Rules by Category

| Category | CWE | Rules | Languages |
|----------|-----|-------|-----------|
| SQL Injection | CWE-89 | 4 | Go, PHP, Python, JS/TS |
| XSS | CWE-79 | 4 | JS/TS, PHP, React |
| Command Injection | CWE-78 | 5 | Go, PHP, JS/TS, Python |
| Path Traversal | CWE-22 | 3 | Go, JS/TS, Python, PHP |
| Insecure Deserialization | CWE-502 | 2 | PHP, Python |
| Hardcoded Credentials | CWE-798 | 1 | All |
| Weak Cryptography | CWE-327 | 2 | Go, Python, C#, Java |

Closes

  • #552

Test plan

  • Enable code scanner via API: PATCH /security/config {"code_scanner": true}
  • Trigger scan: POST /security/scan
  • Verify alerts appear for repos with known patterns
  • Verify comment lines are skipped
  • Verify binary/vendor/node_modules files are skipped

https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 3 commits 2026-06-28 18:50:01 +00:00
feat: code security scanner with OWASP pattern detection (#552)
Universal: Auto Version Bump / Version Bump (push) Successful in 13s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 37s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m20s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
7c75133ef1
Implements the code analysis scanner module that detects insecure
patterns across Go, PHP, Python, JavaScript, and TypeScript:

- SQL injection (CWE-89): string concat in queries across 4 languages
- XSS (CWE-79): innerHTML, document.write, unescaped output, dangerouslySetInnerHTML
- Command injection (CWE-78): exec with variables, shell=True, os.system
- Path traversal (CWE-22): unsanitized path joins, file open with user input
- Insecure deserialization (CWE-502): unserialize(), yaml.load()
- Hardcoded credentials (CWE-798): password assignments in source
- Weak cryptography (CWE-327): MD5/SHA-1 usage

22 rules total, language-filtered by file extension. Wired into the
existing scanner orchestrator via the CodeScanner config toggle.
API updated to expose code_scanner in GET/PATCH security config.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
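The PR summary, its test plan and the first commit message together outline the scanner's shape: regex rules grouped by CWE, filtered by file extension, with comment lines skipped and binary/vendor/node_modules files ignored. The following is an added illustration of that design, not the project's code: a self-contained Python scanner with six hypothetical rules modelled on the listed categories, run over a constructed in-memory repository. The rule ids, the regexes, the exclusion lists and every sample file are assumptions made for this example; the project's own 22 rules are not reproduced.

```python
import re
from collections import namedtuple
from pathlib import PurePosixPath

# A rule applies to files whose extension is in `extensions` (empty = every file).
Rule = namedtuple("Rule", "rule_id cwe title extensions pattern")
Finding = namedtuple("Finding", "path line rule_id cwe title snippet")

# Six hypothetical rules modelled on the categories in the PR description;
# the ids and regexes are assumptions, not the project's own 22 rules.
RULES = [
    Rule("PY-SQLI-001", "CWE-89", "SQL query built by concatenation or f-string",
         frozenset({".py"}), re.compile(r"""execute(?:many)?\s*\(.*?(?:f["']|["']\s*[+%])""")),
    Rule("PY-CMDI-001", "CWE-78", "subprocess call with shell=True",
         frozenset({".py"}), re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    Rule("PY-DESER-001", "CWE-502", "yaml.load without SafeLoader",
         frozenset({".py"}), re.compile(r"yaml\.load\((?![^)]*Loader\s*=\s*yaml\.SafeLoader)")),
    Rule("JS-XSS-001", "CWE-79", "innerHTML assignment or document.write",
         frozenset({".js", ".jsx", ".ts", ".tsx"}), re.compile(r"\.innerHTML\s*=|document\.write\(")),
    Rule("ANY-CRED-001", "CWE-798", "hardcoded password or secret literal",
         frozenset(), re.compile(r"""(?i)(?:password|passwd|secret)\s*[:=]\s*["'][^"']{4,}["']""")),
    Rule("ANY-CRYPTO-001", "CWE-327", "MD5 or SHA-1 hashing",
         frozenset({".go", ".py", ".java", ".cs"}), re.compile(r"(?i)\b(?:md5|sha1)\b")),
]

C_STYLE = ("//", "/*", "*")  # '*' also skips block-comment continuation lines
COMMENT_PREFIXES = {".py": ("#",), ".php": ("//", "#", "/*", "*"),
                    **{e: C_STYLE for e in (".go", ".java", ".cs", ".js", ".jsx", ".ts", ".tsx")}}
SKIP_DIRS = {"vendor", "node_modules", ".git", "dist"}  # assumed exclusion list
BINARY_EXTENSIONS = {".png", ".jpg", ".gif", ".pdf", ".zip", ".exe", ".so", ".dll"}

def is_skipped_path(path):
    """Vendored/dependency directories and known binary extensions are not scanned."""
    p = PurePosixPath(path)
    return any(part in SKIP_DIRS for part in p.parts[:-1]) or p.suffix.lower() in BINARY_EXTENSIONS

def is_comment(line, ext):
    """Heuristic: a line whose first token is a comment marker is skipped."""
    return line.lstrip().startswith(COMMENT_PREFIXES.get(ext, ("//", "#")))

def scan_file(path, content):
    """Run every rule applicable to the file's extension over its non-comment lines."""
    if is_skipped_path(path) or "\x00" in content:  # NUL byte: treat as binary
        return []
    ext = PurePosixPath(path).suffix.lower()
    applicable = [r for r in RULES if not r.extensions or ext in r.extensions]
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        if is_comment(line, ext):
            continue
        for rule in applicable:
            if rule.pattern.search(line):
                findings.append(Finding(path, lineno, rule.rule_id, rule.cwe, rule.title, line.strip()))
    return findings

def scan_repo(files):
    """files maps a repo-relative POSIX path to its text content."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings

# Constructed in-memory repository; every file below is made up for this example.
SAMPLE_REPO = {
    "app/db.py": '''import sqlite3
# cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")  # old code, commented out
def find_user(conn, name):
    cursor = conn.cursor()
    cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
    return cursor.fetchone()
''',
    "app/tasks.py": '''import subprocess, yaml, hashlib
def run(user_cmd):
    return subprocess.run("convert " + user_cmd, shell=True)
def load(text):
    return yaml.load(text)
def load_safe(text):
    return yaml.load(text, Loader=yaml.SafeLoader)
def digest(data):
    return hashlib.md5(data).hexdigest()
''',
    "config/settings.go": '''package config
// password = "changeme" was the old default
const dbPassword = "hunter2-example"
''',
    "web/static/app.js": '''// el.innerHTML = userInput;  (old, commented out)
const el = document.getElementById("out");
el.innerHTML = location.hash.slice(1);
el.textContent = location.hash.slice(1);
''',
    "vendor/lib/unsafe.py": 'cursor.execute("DELETE FROM t WHERE id = " + uid)\n',
    "assets/logo.png": "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.cwe}] {f.rule_id}: {f.title} -> {f.snippet}")
```

Running it reports six findings, one per planted pattern, while the commented-out copies of the same patterns, the parameterised query, the `SafeLoader` call, the vendored file and the PNG produce nothing. Line-level regex rules of this kind are cheap and language-agnostic, but they see no data flow, so a real rule set needs the same two safeguards shown here (comment skipping and path exclusion) plus per-rule tuning against the repositories it is pointed at to keep the false-positive rate tolerable.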
docs: update README to reflect code security scanner
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Universal: Auto Version Bump / Version Bump (push) Successful in 18s
Generic: Project CI / Lint & Validate (pull_request) Successful in 39s
Universal: PR Check / Secret Scan (pull_request) Successful in 59s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
66aea89b40
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
Merge pull request 'feat: code security scanner with OWASP pattern detection (#552)' (#716) from feature/code-scanner into dev
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m5s
Deploy MokoGitea (Dev) / Build & Deploy to Dev (push) Failing after 1m8s
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 13s
Generic: Repo Health / Access control (pull_request) Successful in 1s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Generic: Project CI / Lint & Validate (pull_request) Successful in 58s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m22s
PR RC Release / Build RC Release (pull_request) Failing after 2m13s
Branch Cleanup / Delete merged branch (pull_request) Has been skipped
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Universal: Build & Release / Promote to RC (pull_request) Has been skipped
Universal: Build & Release / Build & Release Pipeline (pull_request) Failing after 1m35s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request) Failing after 25m8s
Universal: Auto Version Bump / Version Bump (push) Has been skipped
87f92fe1ab
jmiller merged commit f8a91ed34e into main 2026-06-28 19:00:45 +00:00