feat: security scanning API + pre-receive hook blocking (#692) #713

2026-06-28T07:31:20Z

jmiller commented

2026-06-28 07:31:20 +00:00

Summary\n\n- Security scanning API endpoints for repos (`/security/alerts`, `/security/scan`, `/security/config`)\n- Pre-receive hook integration to block pushes containing detected secrets\n- Orchestrator service for scan coordination\n\nReplaces #711 (closed due to cross-branch contamination from parallel agent collision).\n\nRef: #692\n\n## Test plan\n- [ ] Verify security scan API returns results\n- [ ] Verify pre-receive hook blocks pushes with known secret patterns\n- [ ] Verify config endpoints work for enabling/disabling scanning\n\nhttps://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

## Summary\n\n- Security scanning API endpoints for repos (`/security/alerts`, `/security/scan`, `/security/config`)\n- Pre-receive hook integration to block pushes containing detected secrets\n- Orchestrator service for scan coordination\n\nReplaces #711 (closed due to cross-branch contamination from parallel agent collision).\n\nRef: #692\n\n## Test plan\n- [ ] Verify security scan API returns results\n- [ ] Verify pre-receive hook blocks pushes with known secret patterns\n- [ ] Verify config endpoints work for enabling/disabling scanning\n\nhttps://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 1 commit 2026-06-28 07:31:22 +00:00

feat: security scanning API endpoints + pre-receive hook blocking (#692 )

Universal: PR Check / Branch Policy (pull_request) Successful in 2s

Details

PR RC Release / Build RC Release (pull_request) Successful in 3s

Details

Universal: PR Check / Validate PR (pull_request) Failing after 11s

Details

Generic: Project CI / Lint & Validate (pull_request) Successful in 39s

Details

Universal: PR Check / Secret Scan (pull_request) Successful in 1m5s

Details

Universal: Auto Version Bump / Version Bump (push) Successful in 14s

Details

Generic: Project CI / Tests (pull_request) Has been cancelled

Details

Universal: PR Check / Build RC Package (pull_request) Has been cancelled

Details

Universal: PR Check / Report Issues (pull_request) Has been cancelled

Details

7b334f94c0

Add REST API for security alerts (list, get, update status, trigger scan)
and scanner config (get, update). Wire block_on_push into the pre-receive
hook so pushes containing detected secrets are rejected with details.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 1 commit 2026-06-28 07:33:46 +00:00

feat: register security scanning API routes in router

PR RC Release / Build RC Release (pull_request) Successful in 3s

Details

Universal: PR Check / Branch Policy (pull_request) Successful in 2s

Details

Universal: PR Check / Validate PR (pull_request) Failing after 12s

Details

Generic: Project CI / Lint & Validate (pull_request) Successful in 36s

Details

Universal: PR Check / Secret Scan (pull_request) Successful in 1m15s

Details

Universal: Auto Version Bump / Version Bump (push) Successful in 11s

Details

Generic: Project CI / Tests (pull_request) Has been cancelled

Details

Universal: PR Check / Build RC Package (pull_request) Has been cancelled

Details

Universal: PR Check / Report Issues (pull_request) Has been cancelled

Details

84df5d7932

Adds /repos/{owner}/{repo}/security/* route group for security
alert management, scanning, and configuration endpoints.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 1 commit 2026-06-28 07:38:23 +00:00

fix: log error when pre-receive secret scan cannot read commit

Universal: PR Check / Branch Policy (pull_request) Successful in 2s

Details

PR RC Release / Build RC Release (pull_request) Successful in 3s

Details

Universal: PR Check / Validate PR (pull_request) Failing after 9s

Details

Generic: Project CI / Lint & Validate (pull_request) Successful in 46s

Details

Universal: PR Check / Secret Scan (pull_request) Successful in 2m23s

Details

Universal: Auto Version Bump / Version Bump (push) Successful in 11s

Details

Generic: Project CI / Tests (pull_request) Has been cancelled

Details

Universal: PR Check / Build RC Package (pull_request) Has been cancelled

Details

Universal: PR Check / Report Issues (pull_request) Has been cancelled

Details

RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped

Details

Branch Cleanup / Delete merged branch (pull_request) Failing after 3s

Details

9a4aa0fafb

Previously, GetCommit failures were silently swallowed, allowing
pushes to proceed without scanning. Now logs the error so admins
can diagnose issues while still allowing the push.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller merged commit 2857a1f6a1 into dev

2026-06-28 08:46:04 +00:00

jmiller deleted branch feature/secret-scanning-clean

2026-06-28 08:46:06 +00:00

Sign in to join this conversation.

Priority -

Type -

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-Fork#713