feat: code security scanner with OWASP pattern detection (#552) #716

Merged
jmiller merged 7 commits from feature/code-scanner into dev 2026-06-28 16:08:31 +00:00

7 Commits

Author SHA1 Message Date
jmiller 66aea89b40 docs: update README to reflect code security scanner
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
PR RC Release / Build RC Release (pull_request) Successful in 3s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Universal: Auto Version Bump / Version Bump (push) Successful in 18s
Generic: Project CI / Lint & Validate (pull_request) Successful in 39s
Universal: PR Check / Secret Scan (pull_request) Successful in 59s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
2026-06-28 08:20:23 -05:00
jmiller 7c75133ef1 feat: code security scanner with OWASP pattern detection (#552)
Universal: Auto Version Bump / Version Bump (push) Successful in 13s
Universal: PR Check / Branch Policy (pull_request) Successful in 1s
PR RC Release / Build RC Release (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 12s
Generic: Project CI / Lint & Validate (pull_request) Successful in 37s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m20s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Implements the code analysis scanner module that detects insecure
patterns across Go, PHP, Python, JavaScript, and TypeScript:

- SQL injection (CWE-89): string concat in queries across 4 languages
- XSS (CWE-79): innerHTML, document.write, unescaped output, dangerouslySetInnerHTML
- Command injection (CWE-78): exec with variables, shell=True, os.system
- Path traversal (CWE-22): unsanitized path joins, file open with user input
- Insecure deserialization (CWE-502): unserialize(), yaml.load()
- Hardcoded credentials (CWE-798): password assignments in source
- Weak cryptography (CWE-327): MD5/SHA-1 usage

22 rules total, language-filtered by file extension. Wired into the
existing scanner orchestrator via the CodeScanner config toggle.
API updated to expose code_scanner in GET/PATCH security config.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
2026-06-28 08:15:34 -05:00
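The commit message above describes a rule-based scanner: per-language regex rules, filtered by file extension, each tagged with a CWE. The following is an added example of that design, not MokoGitea's own scanner code; it assumes Go as the implementation language, the extension table, rule names and the `Scan` function are hypothetical, and the rule set is a small illustrative subset of the seven categories listed (not all 22 rules). The sample files are constructed for the example. The `Unless` field shows the suppression check a practitioner wants for a line-oriented matcher: `yaml.load(...)` is flagged unless the same line passes an explicit `SafeLoader`, so the safe call does not produce a false positive. A matcher like this sees one line at a time, so it misses statements split across lines and will flag sinks inside comments; it is a triage aid, not a parser-based analysis.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Rule is one insecure-pattern detector. Langs restricts it to files of those
// languages (nil = every supported language). Unless suppresses a match on a
// line that also matches it, e.g. yaml.load with an explicit SafeLoader.
type Rule struct {
	ID, CWE string
	Langs   []string
	Pattern *regexp.Regexp
	Unless  *regexp.Regexp
}

// Finding is one line that matched a rule.
type Finding struct {
	File, Rule, CWE, Text string
	Line                  int
}

// extLang is the assumed extension-to-language table used for rule filtering.
var extLang = map[string]string{
	".go": "go", ".php": "php", ".py": "python",
	".js": "javascript", ".jsx": "javascript", ".ts": "typescript", ".tsx": "typescript",
}

var re = regexp.MustCompile

// rules is an illustrative subset of the categories in the commit message.
var rules = []Rule{
	{ID: "sqli-concat", CWE: "CWE-89", Langs: []string{"go", "php", "python", "javascript", "typescript"},
		Pattern: re(`(?i)(?:execute|query|exec)\(\s*["'](?:SELECT|INSERT|UPDATE|DELETE)[^"']*["']\s*[+.]`)},
	{ID: "xss-sink", CWE: "CWE-79", Langs: []string{"javascript", "typescript"},
		Pattern: re(`\.innerHTML\s*=|document\.write\(|dangerouslySetInnerHTML`)},
	{ID: "cmdi-shell", CWE: "CWE-78", Langs: []string{"python"},
		Pattern: re(`shell\s*=\s*True|os\.system\(`)},
	{ID: "cmdi-exec", CWE: "CWE-78", Langs: []string{"go"},
		Pattern: re(`exec\.Command\(\s*"(?:sh|bash)"\s*,\s*"-c"\s*,\s*[^"]`)},
	{ID: "unsafe-deser", CWE: "CWE-502", Langs: []string{"php", "python"},
		Pattern: re(`\bunserialize\(|yaml\.load\(`), Unless: re(`Loader\s*=\s*yaml\.C?SafeLoader`)},
	{ID: "hardcoded-password", CWE: "CWE-798",
		Pattern: re(`(?i)\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']{4,}["']`)},
	{ID: "weak-hash", CWE: "CWE-327", Pattern: re(`(?i)\b(?:md5|sha1)\b`)},
}

func (r Rule) appliesTo(lang string) bool {
	if r.Langs == nil {
		return true
	}
	for _, l := range r.Langs {
		if l == lang {
			return true
		}
	}
	return false
}

// Scan runs every rule for the file's language over each line of content.
// Files with an unsupported extension are skipped entirely (nil result).
func Scan(name, content string) []Finding {
	lang, ok := extLang[strings.ToLower(filepath.Ext(name))]
	if !ok {
		return nil
	}
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, r := range rules {
			if !r.appliesTo(lang) || !r.Pattern.MatchString(line) {
				continue
			}
			if r.Unless != nil && r.Unless.MatchString(line) {
				continue // matched the safe form of the API, not a finding
			}
			out = append(out, Finding{File: name, Line: i + 1, Rule: r.ID, CWE: r.CWE, Text: strings.TrimSpace(line)})
		}
	}
	return out
}

// Samples are constructed inputs for this example, not real project code.
var Samples = map[string]string{
	"app.py": `import hashlib, subprocess, yaml
password = "hunter2"
def lookup(db, uid):
    return db.execute("SELECT * FROM users WHERE id = " + uid)
def run(cmd):
    subprocess.call(cmd, shell=True)
cfg = yaml.load(open("c.yml"))
safe = yaml.load(open("c.yml"), Loader=yaml.SafeLoader)
digest = hashlib.md5(data).hexdigest()`,
	"view.js":    "el.innerHTML = location.hash.slice(1);\ndocument.write(name);",
	"handler.go": `cmd := exec.Command("sh", "-c", userInput)`,
	"notes.txt":  `password = "unsupported extension, never scanned"`,
}

func main() {
	for _, name := range []string{"app.py", "view.js", "handler.go", "notes.txt"} {
		for _, f := range Scan(name, Samples[name]) {
			fmt.Printf("%s:%d %s (%s): %s\n", f.File, f.Line, f.Rule, f.CWE, f.Text)
		}
	}
}
```

Run as-is, it reports five findings in app.py (lines 2, 4, 6, 7 and 9; the SafeLoader call on line 8 is not flagged), two XSS sinks in view.js, one shell invocation in handler.go, and nothing for notes.txt because `.txt` is not in the extension table.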
jmiller 37a62b5ab7 Merge pull request 'fix: pr-check platform detection queries metadata API' (#715) from fix/pr-check-platform-detection into main
Deploy MokoGitea / deploy (push) Failing after 5m4s
2026-06-28 11:10:36 +00:00
jmiller 35ebbef489 docs: update README with new features from latest release
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Generic: Repo Health / Access control (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 13s
Generic: Project CI / Lint & Validate (pull_request) Successful in 35s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m24s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m30s
RC Revert / Rename rc/ back to dev/ (pull_request) Has been skipped
Branch Cleanup / Delete merged branch (pull_request) Successful in 2s
Universal: Workflow Sync Trigger / Sync workflows to live repos (pull_request) Successful in 6m10s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
Add cascade merge, secret scanning, default org teams, branch
protection delete allowlist to Key Features list.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
2026-06-28 06:02:28 -05:00
jmiller 193c705c05 fix: branch policy allows fix/patch branches to target main
Universal: PR Check / Branch Policy (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 18s
Generic: Project CI / Lint & Validate (pull_request) Successful in 1m4s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m32s
PR RC Release / Build RC Release (pull_request) Failing after 1m33s
Universal: PR Check / Secret Scan (pull_request) Successful in 1m32s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
The pr-check branch policy only allowed fix/* -> dev, but the actual
org policy is fix/patch branches PR to main directly. Also updated
the summary text to list all allowed merge paths correctly.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
2026-06-28 06:00:56 -05:00
jmiller fa845164bb fix: pr-check platform detection queries metadata API instead of removed manifest.xml
Universal: PR Check / Branch Policy (pull_request) Failing after 2s
Generic: Repo Health / Site Health (pull_request) Has been skipped
Generic: Repo Health / Access control (pull_request) Successful in 2s
Universal: PR Check / Validate PR (pull_request) Successful in 14s
Generic: Project CI / Lint & Validate (pull_request) Successful in 40s
Universal: Pre-Release / Build Pre-Release (${{ inputs.stability || github.ref_name }}) (push) Failing after 1m24s
PR RC Release / Build RC Release (pull_request) Failing after 3m14s
Universal: PR Check / Secret Scan (pull_request) Successful in 3m15s
Generic: Project CI / Tests (pull_request) Has been cancelled
Universal: PR Check / Build RC Package (pull_request) Has been cancelled
Universal: PR Check / Report Issues (pull_request) Has been cancelled
Generic: Repo Health / Scripts governance (pull_request) Has been cancelled
Generic: Repo Health / Repository health (pull_request) Has been cancelled
Generic: Repo Health / Report: Scripts Governance (pull_request) Has been cancelled
Generic: Repo Health / Report: Repository Health (pull_request) Has been cancelled
The manifest.xml file no longer exists — platform is stored in the
MokoGitea metadata API. The old sed command failed with exit 2 under
bash -e, cascading failure to all subsequent validate steps.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd
2026-06-28 05:59:14 -05:00
jmiller fefdf1a1ec release: cascade merge, status presets, default teams, secret scanning
Deploy MokoGitea / deploy (push) Failing after 7m33s
2026-06-28 09:41:22 +00:00