Add security scanner#168
Closed
aarnaud wants to merge 1 commit into
Closed
Conversation
aarnaud
force-pushed
the
feat/artifact-scanner-hook
branch
from
ff441f4 to
54b56f0
Compare
Runs a scanner pipeline on every successful first-time ingest (cache hits skip it). Decisions allow, warn, or block based on configurable severity thresholds; blocked artifacts are removed from storage and the request returns 451 Unavailable For Legal Reasons with X-Scanner-Severity and a JSON body listing findings. The OSV reference scanner reuses the existing enrichment service. Future byte-level scanners (Trivy, ClamAV) can plug in without touching handler call sites - Request.OpenContent exposes the stored bytes from day one. Off by default (scanners.enabled: false). Per-content-hash results are persisted to artifact_findings/artifact_scans (schema bump 1 -> 2, migration 006) so mirror runs and repeat ingests dedupe naturally. UI surfacing: - Per-artifact findings inline under each artifact row on the version detail page, with the same severity-color treatment as the OSV vulnerability panel. One bulk query (GROUP BY artifact_id in Go) avoids N+1 reads per render. - Deduped findings rolled into the top "Security Vulnerabilities" panel so it appears whenever scanner findings exist, not only when the OSV vuln cache has matching rows. Aggregation keeps the highest severity per (scanner, finding_id) and sorts critical->unknown. - Unconditional Ecosystem, Version, and Artifacts rows on the Version Info panel so it never renders empty when license / published date / integrity are all missing. - Severity-colored badge on each row of the package version list showing the scanner finding count. One LIKE query over version_purl avoids N+1 reads across the version list. Dashboard stats now count only packages / versions with at least one cached artifact (storage_path IS NOT NULL) so the headline numbers stay consistent with the recent / popular / packages-list queries when scanner blocks or aborted fetches leave package or version rows behind without an artifact. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
aarnaud
force-pushed
the
feat/artifact-scanner-hook
branch
from
54b56f0 to
167c8ee
Compare
Contributor
|
@aarnaud how come you closed this pr? Looks like an interesting addition |
Author
|
hi @andrew, I need to re-work deeper on it and also test more packages type. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.