feat: code security scanner with OWASP pattern detection (#552) #716

Merged
jmiller merged 7 commits from feature/code-scanner into dev 2026-06-28 16:08:31 +00:00

Summary

  • New services/security/code_scanner.go implementing the Scanner interface
  • 22 pattern rules covering 7 CWE categories across Go, PHP, Python, JS/TS
  • Language-filtered by file extension for targeted scanning
  • Wired into orchestrator via existing CodeScanner config toggle
  • API updated: code_scanner field in GET/PATCH /security/config
  • Web UI toggle already existed in settings template

Rules by Category

| Category                 | CWE     | Rules | Languages              |
|--------------------------|---------|-------|------------------------|
| SQL Injection            | CWE-89  | 4     | Go, PHP, Python, JS/TS |
| XSS                      | CWE-79  | 4     | JS/TS, PHP, React      |
| Command Injection        | CWE-78  | 5     | Go, PHP, JS/TS, Python |
| Path Traversal           | CWE-22  | 3     | Go, JS/TS, Python, PHP |
| Insecure Deserialization | CWE-502 | 2     | PHP, Python            |
| Hardcoded Credentials    | CWE-798 | 1     | All                    |
| Weak Cryptography        | CWE-327 | 2     | Go, Python, C#, Java   |

Test plan

  • Enable code scanner via API: PATCH /security/config {"code_scanner": true}
  • Trigger scan: POST /security/scan
  • Verify alerts appear for repos with known patterns
  • Verify comment lines are skipped
  • Verify binary/vendor/node_modules files are skipped

https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 6 commits 2026-06-28 13:16:06 +00:00
fix: pr-check platform detection queries metadata API instead of removed manifest.xml
Universal: PR Check / Branch Policy (pull_request) Failing after 2s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Generic: Repo Health / Access control (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 14s
Generic: Project CI / Lint & Validate (pull_request) Successful in 40s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m24s
PR RC Release / Build RC Release (pull_request) Failing after 3m14s
Universal: PR Check / Secret Scan (pull_request) Successful in 3m15s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
fa845164bb
The manifest.xml file no longer exists — platform is stored in the
MokoGitea metadata API. The old sed command failed with exit 2 under
bash -e, cascading failure to all subsequent validate steps.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
fix: branch policy allows fix/patch branches to target main
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 18s
Generic: Project CI / Lint & Validate (pull_request) Successful in 1m4s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m32s
PR RC Release / Build RC Release (pull_request) Failing after 1m33s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m32s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
193c705c05
The pr-check branch policy only allowed fix/* -> dev, but the actual
org policy is fix/patch branches PR to main directly. Also updated
the summary text to list all allowed merge paths correctly.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
docs: update README with new features from latest release
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Generic: Repo Health / Access control (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 13s
Generic: Project CI / Lint & Validate (pull_request) Successful in 35s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m24s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m30s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request) Successful in 6m10s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
35ebbef489
Add cascade merge, secret scanning, default org teams, branch
protection delete allowlist to Key Features list.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
feat: code security scanner with OWASP pattern detection (#552)
Universal: Auto Version Bump / Version Bump (push) Successful in 13s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 37s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m20s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
7c75133ef1
Implements the code analysis scanner module that detects insecure
patterns across Go, PHP, Python, JavaScript, and TypeScript:

- SQL injection (CWE-89): string concat in queries across 4 languages
- XSS (CWE-79): innerHTML, document.write, unescaped output, dangerouslySetInnerHTML
- Command injection (CWE-78): exec with variables, shell=True, os.system
- Path traversal (CWE-22): unsanitized path joins, file open with user input
- Insecure deserialization (CWE-502): unserialize(), yaml.load()
- Hardcoded credentials (CWE-798): password assignments in source
- Weak cryptography (CWE-327): MD5/SHA-1 usage

22 rules total, language-filtered by file extension. Wired into the
existing scanner orchestrator via the CodeScanner config toggle.
API updated to expose code_scanner in GET/PATCH security config.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
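The scanner described in the PR summary and in the commit message above, reduced to a working sketch as an added example. This is not the project's `code_scanner.go` and does not implement its `Scanner` interface, whose definition and 22 rules are not on the page; the rule regexes, the `ScanFile` and `SampleRepo` functions and the sample file contents are all assumptions of this example. It shows the parts the test plan checks: rules keyed by CWE and filtered by file extension, comment lines skipped, vendor/node_modules and binary files skipped, and a constructed repository that places a safe variant beside each flagged pattern so the false-positive boundary of each rule is visible.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Rule is one detection pattern: its CWE, a RE2 regex for the insecure construct,
// and a space-separated list of file extensions it applies to ("" means all).
type Rule struct{ ID, CWE, Exts string; Pattern *regexp.Regexp }

// Alert is one finding; Line is 1-based.
type Alert struct{ File, Rule, CWE, Text string; Line int }

// rules is a constructed subset of the categories the PR lists; the project's
// own 22 rules are not on the page, so these regexes are illustrative only.
var rules = []Rule{
	{"sqli-concat", "CWE-89", ".go .php .py .js .ts", regexp.MustCompile(`(?i)["'](select|insert|update|delete)\s[^"']*["']\s*[+.]\s*\$?\w`)},
	{"xss-sink", "CWE-79", ".js .ts .jsx .tsx", regexp.MustCompile(`\.innerHTML\s*=\s*[^\s"']|document\.write\(|dangerouslySetInnerHTML`)},
	{"cmdi-shell", "CWE-78", ".py .js .ts", regexp.MustCompile(`\bos\.system\(|shell\s*=\s*True|child_process\.exec\(`)},
	{"deser-unsafe", "CWE-502", ".php .py", regexp.MustCompile(`\bunserialize\(|yaml\.load\([^,)]*\)`)}, // single-arg yaml.load only
	{"hardcoded-cred", "CWE-798", "", regexp.MustCompile(`(?i)\b(password|passwd|secret|api_key)\s*[:=]\s*["'][^"']{4,}["']`)},
	{"weak-hash", "CWE-327", ".go .py", regexp.MustCompile(`\b(md5\.New|sha1\.New|hashlib\.md5|hashlib\.sha1)\(`)},
}

// applies reports whether the rule is written for files with this extension.
func (r Rule) applies(ext string) bool {
	return r.Exts == "" || strings.Contains(" "+r.Exts+" ", " "+ext+" ")
}

// isBinary applies git's heuristic: a NUL byte within the first 8000 bytes.
func isBinary(content []byte) bool {
	if len(content) > 8000 {
		content = content[:8000]
	}
	return bytes.IndexByte(content, 0) >= 0
}

// isComment is a line-level heuristic for //, #, /* and -- comment openers; it
// does not track the state of multi-line block comments.
func isComment(line string) bool {
	t := strings.TrimSpace(line)
	return strings.HasPrefix(t, "//") || strings.HasPrefix(t, "#") || strings.HasPrefix(t, "/*") || strings.HasPrefix(t, "--")
}

// ScanFile returns the alerts for one file: vendored and binary files yield nil,
// comment lines are skipped, and each remaining line is matched only against
// the rules written for the file's extension.
func ScanFile(path string, content []byte) []Alert {
	for _, part := range strings.Split(filepath.ToSlash(path), "/") {
		if part == "vendor" || part == "node_modules" || part == ".git" {
			return nil
		}
	}
	if isBinary(content) {
		return nil
	}
	ext := strings.ToLower(filepath.Ext(path))
	var alerts []Alert
	sc := bufio.NewScanner(bytes.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if isComment(line) {
			continue
		}
		for _, r := range rules {
			if r.applies(ext) && r.Pattern.MatchString(line) {
				alerts = append(alerts, Alert{File: path, Line: n, Rule: r.ID, CWE: r.CWE, Text: strings.TrimSpace(line)})
			}
		}
	}
	return alerts
}

// SampleRepo is a constructed repository exercising the PR's test plan: hits, a
// commented-out hit, a safe variant beside each unsafe one, a vendored file, a
// binary file and a file whose extension has no rules.
func SampleRepo() map[string][]byte {
	return map[string][]byte{
		"app/db.go": []byte(`// db.Query("SELECT * FROM users WHERE id = " + id)  // commented out
func find(id string) { db.Query("SELECT * FROM users WHERE id = " + id) }
func safe(id string) { db.Query("SELECT * FROM users WHERE id = $1", id) }
`),
		"app/hash.go":        []byte("import \"crypto/md5\"\nvar h = md5.New()\n"),
		"web/view.js":        []byte("el.innerHTML = userInput;\nel.innerHTML = \"<b>static</b>\";\n"),
		"tools/run.py":       []byte("subprocess.call(cmd, shell=True)\ncfg = yaml.load(data)\nok = yaml.load(data, Loader=yaml.SafeLoader)\n"),
		"config/settings.py": []byte("password = \"hunter22-constructed\"\npassword = os.environ[\"DB_PASSWORD\"]\n"),
		"vendor/lib/bad.go":  []byte("var password = \"never-scanned\"\n"),
		"assets/logo.png":    []byte("\x89PNG\x00\x00password = \"binary-skipped\""),
		"README.md":          []byte("el.innerHTML = x\n"),
	}
}

func main() {
	for path, content := range SampleRepo() {
		for _, a := range ScanFile(path, content) {
			fmt.Printf("%s:%d [%s %s] %s\n", a.File, a.Line, a.Rule, a.CWE, a.Text)
		}
	}
}
```

Two design points matter when reviewing a scanner of this shape. First, every rule is line-local: a parameterised query on the line after a concatenated one is invisible to it, and the `yaml.load` rule only distinguishes the safe call by the presence of a second argument, so a reviewer should expect both misses and false positives and treat the alerts as review prompts rather than verdicts. Second, the comment skip is stateless; a hit inside a multi-line `/* ... */` block is still reported, which is worth adding to the "comment lines are skipped" item of the test plan.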
jmiller added 1 commit 2026-06-28 13:20:39 +00:00
docs: update README to reflect code security scanner
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Universal: Auto Version Bump / Version Bump (push) Successful in 18s
Generic: Project CI / Lint & Validate (pull_request) Successful in 39s
Universal: PR Check / Secret Scan (pull_request) Successful in 59s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
66aea89b40
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
jmiller merged commit 87f92fe1ab into dev 2026-06-28 16:08:31 +00:00
jmiller deleted branch feature/code-scanner 2026-06-28 16:08:31 +00:00