feat(security): add security scanning system with multi-scanner support and frontend UI #144

Merged
XiaoSeS merged 17 commits into main from security
Mar 23, 2026

Conversation

XiaoSeS (Collaborator) commented Mar 22, 2026

Summary

Add a complete security scanning pipeline for skill packages — from backend infrastructure to frontend display. Skills are automatically scanned during the publish flow, and results are surfaced to reviewers and skill owners.

What's Included

Backend — Domain & Infrastructure

  • Domain model: SecurityAudit, SecurityFinding, SecurityVerdict, ScannerType entities with soft-delete support
  • Scan integration: Automatic security scanning triggered during skill publish flow
  • Multi-scanner support: Pluggable scanner architecture (semgrep, skill-vetter, etc.)
  • Redis stream consumers: Async scan task production and consumption via Redis Streams
  • REST API: GET /api/v1/skills/{skillId}/versions/{versionId}/security-audit — returns latest active audit records per scanner
  • DB migration: V35__security_audit.sql

Backend — Configuration & Deployment

  • Scanner config with full analyzer options (SkillScannerProperties)
  • Docker Compose and Kubernetes manifests for scanner service
  • Application profile configs for local/test/prod

Frontend — Security Audit UI

  • Review detail page: Full SecurityAuditSection with per-scanner cards, verdict badges, severity badges, and collapsible findings sorted by severity
  • Skill detail sidebar: Compact SecurityAuditSummary card with dialog for full details (visible to skill owners via canManageLifecycle)
  • Edge case handling: 404/empty → returns null (no flicker), retry: false, no loading shimmer for supplementary data
  • Dialog UX: Fixed header with scrollable content area, proper width override for findings display
  • i18n: Full en/zh translations for securityAudit.* keys

Documentation & Tooling

  • Scanner documentation suite (configuration, custom rules, monitoring, failure analysis)
  • Skill-vetter custom rule examples (YARA + signature rules)
  • Scanner verification script

UI Layout

Review detail page — full audit section before skill detail:

[Review Info Card]
[Review Actions Card]
[Security Audit Card]        ← NEW
[Skill Detail Section]

Skill detail sidebar — compact summary above labels:

[Download Button]
[Security Audit Summary]     ← NEW (with dialog)
[Label Panel]
[Lifecycle Card]             ← buttons now separated with divider
[Promotion Card]
[Governance Card]

Testing

  • make typecheck-web
  • make build-web
  • Backend unit tests for controller, domain service, infra adapters, stream consumers

Files Changed

  • 81 files changed, ~6950 insertions
  • 7 new frontend files in web/src/features/security-audit/
  • 4 modified frontend files (review-detail, skill-detail, en.json, zh.json)

XiaoSeS added 17 commits March 22, 2026 14:53

Integrate skill-scanner's 8 analysis engines and policy configuration
into SkillHub's config system. Operators can now control behavioral,
LLM, Meta, AI Defense, VirusTotal, and trigger analyzers via
application.yml or environment variables.

Changes:
- Add Analyzers and Policy nested classes to SkillScannerProperties
- Create ScanOptions record to encapsulate analyzer flags
- Update SkillScannerService to pass options in /scan body and /scan-upload query params
- Wire ScanOptions through SkillScannerConfig and SkillScannerAdapter
- Extend application.yml with full scanner config block and env var overrides
- Update all tests to verify new configuration flow

All tests pass.

Add SCANNING/SCAN_FAILED status to SkillVersionStatus. Introduce
SecurityScanService, SecurityScanner port, ScanTask, SecurityAudit
and related domain types. Wire scan trigger into SkillPublishService
so non-auto-publish versions enter scanning when scanner is enabled,
falling back to review task creation when disabled.

Add WebClient-based HttpClient abstraction with WebClientHttpClient
implementation. Add SkillScannerApiResponse record, SecurityScanException,
and SecurityAuditJpaRepository. Add webflux and test dependencies to
infra module.

Add AbstractStreamConsumer base class, ScanTaskConsumer for processing
scan results from Redis stream, and RedisScanTaskProducer. Add
RedisStreamConfig for stream/group initialization. Add SecurityAudit
REST controller and DTO. Add V35 Flyway migration for security_audits
table.

Add scanner enabled flag to application-local.yml and
application-test.yml. Enable behavioral analyzer by default
in application.yml.

Add skill-scanner service to docker-compose.yml with health check.
Add scanner k8s deployment, service, and configmap entries. Wire
scanner env vars into Makefile dev-all flow. Add verify-scanner.sh
script for post-deploy validation.

Add scanner docs: configuration guide, failure impact analysis,
monitoring guide, improvement recommendations, custom rules guide,
and skill-vetter rules conversion example. Update deployment docs
with scanner section. Add security-scanning overview and PRD.

Add example Regex and YARA rules derived from skill-vetter RED FLAGS
in scanner/examples/vetter-rules/. Includes 7 Regex rules
(signatures-append.yaml) and 3 YARA rules (skillhub_vetter.yara)
covering agent memory theft, IP-based exfiltration, and browser
data theft detection.

Add Dockerfile for cisco-ai-skill-scanner container and
.env.example with LLM configuration placeholders.

SkillScannerApiResponse.Finding used incorrect field names (message,
location.file, location.line, code_snippet) that did not match the
scanner's actual JSON output (description, file_path, line_number,
snippet), causing all four fields to deserialize as null.

Flatten Finding to match scanner API: remove nested Location, rename
fields to description/file_path/line_number/snippet. Add skill_name
and timestamp to SkillScannerApiResponse. Extend SecurityFinding with
remediation, analyzer, and metadata fields to capture LLM analyzer
output. Retain 8-arg compact constructor for backward compatibility.

Log raw scanner API response and mapped SecurityFinding fields
side-by-side to help verify data consistency between scanner
output and database records.

…y audits

- Add ScannerType enum for type-safe scanner identification
- Update V35 migration to support multiple scanners and soft delete
- Remove CASCADE delete, use code-level soft delete (deleted_at)
- Add repository methods for querying latest audit by scanner type
- Update SecurityScanService to handle scanner type parameter
- Integrate soft delete in SkillHardDeleteService
- Update all tests to use ScannerType enum

This enables multiple scanner integrations (skill-scanner, future LLM/compliance scanners)
and preserves complete audit history through soft deletion.

…il pages

Display security scan results on the review detail page (full audit
section with collapsible findings) and the skill detail sidebar (compact
summary with dialog for details). Handles empty/404 gracefully by
returning null, avoids loading shimmer flicker, and separates lifecycle
action buttons with a visual divider.
# Conflicts:
#	server/skillhub-app/src/main/resources/application-local.yml

…nd align controller test with list API

SecurityAudit and SecurityScanService used LocalDateTime.now() which
violated the project time guardrail. Replaced with Instant and
Clock.systemUTC() to match existing conventions.

Also fixed SecurityAuditControllerTest to mock the correct repository
method (findLatestActiveByVersionId) and assert against the list
response shape.

…ontend tests

The SecurityAuditSummary and SecurityAuditSection components use
useQuery via useSecurityAudits hook, which was missing from the
@tanstack/react-query mocks in skill-detail and review-detail tests.
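The two data-handling rules in this PR worth pinning down are the scanner field-name mismatch (a finding whose `description`, `file_path`, `line_number` and `snippet` silently deserialize as null is a finding that never reaches a reviewer) and the display rules from the description (latest active audit per scanner after soft delete, findings sorted by severity, 404/empty rendered as null). The TypeScript below is an added example written for this page, not code from the SkillHub repository or the PR: the type names (`ScannerFinding`, `SecurityAudit`), the function names and the sample payloads are all constructed here; the verdict and severity values are assumed, and the field names follow the scanner output as the fix-up commit describes it.

```typescript
// Added example (not the project's code). Strict decoding of scanner findings
// plus the audit-selection rules the PR describes. All names and sample data
// below are constructed for illustration.

export type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO";
const SEVERITY_RANK: Record<Severity, number> = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4 };

function isSeverity(v: unknown): v is Severity {
  return typeof v === "string" && v in SEVERITY_RANK;
}

// One finding as the scanner emits it after the fix: flat object, fields
// description / file_path / line_number / snippet (no nested "location").
export interface ScannerFinding {
  severity: Severity;
  description: string;
  file_path: string;
  line_number: number;
  snippet?: string;
}

export class ScannerContractError extends Error {}

// Decode one raw JSON object. A payload that does not match the contract is
// rejected loudly instead of producing a record full of undefined fields,
// which is exactly the failure mode the field-rename commit fixed.
export function parseFinding(raw: unknown): ScannerFinding {
  if (typeof raw !== "object" || raw === null) throw new ScannerContractError("finding is not an object");
  const r = raw as Record<string, unknown>;
  const missing = ["severity", "description", "file_path", "line_number"].filter((k) => !(k in r));
  if (missing.length > 0) throw new ScannerContractError(`finding missing fields: ${missing.join(", ")}`);
  if (!isSeverity(r.severity)) throw new ScannerContractError(`unknown severity: ${String(r.severity)}`);
  if (typeof r.description !== "string" || typeof r.file_path !== "string" || typeof r.line_number !== "number") {
    throw new ScannerContractError("finding fields have wrong types");
  }
  return {
    severity: r.severity,
    description: r.description,
    file_path: r.file_path,
    line_number: r.line_number,
    snippet: typeof r.snippet === "string" ? r.snippet : undefined,
  };
}

// Most severe first, then by line so the order is stable for the reviewer.
export function sortBySeverity(findings: ScannerFinding[]): ScannerFinding[] {
  return [...findings].sort(
    (a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line_number - b.line_number,
  );
}

export interface SecurityAudit {
  id: string;
  scanner: string;            // e.g. the ScannerType name (assumed values below)
  verdict: "PASS" | "WARN" | "FAIL"; // assumed verdict vocabulary
  createdAt: string;          // ISO-8601 UTC instant (Instant + Clock.systemUTC())
  deletedAt: string | null;   // soft-delete marker; null means active
  findings: ScannerFinding[];
}

// The endpoint's rule: one audit per scanner, the newest one that has not
// been soft-deleted. Deleted rows stay in the table for history but never win.
export function latestActivePerScanner(audits: SecurityAudit[]): SecurityAudit[] {
  const latest = new Map<string, SecurityAudit>();
  for (const a of audits) {
    if (a.deletedAt !== null) continue;
    const cur = latest.get(a.scanner);
    if (!cur || Date.parse(a.createdAt) > Date.parse(cur.createdAt)) latest.set(a.scanner, a);
  }
  return Array.from(latest.values());
}

// The UI rule: 404 or an empty list means "no audit yet" and is rendered as
// null (section hidden), not as an error and not as a loading state.
export function auditsFromResponse(status: number, body: unknown): SecurityAudit[] | null {
  if (status === 404) return null;
  if (status !== 200) throw new Error(`unexpected status ${status}`);
  if (!Array.isArray(body) || body.length === 0) return null;
  return body as SecurityAudit[];
}

// Constructed sample data (not real scanner output).
export const SAMPLE_FINDINGS_RAW: unknown[] = [
  { severity: "LOW", description: "Skill manifest lacks a declared network policy", file_path: "SKILL.md", line_number: 40 },
  { severity: "HIGH", description: "Script reads a credentials file outside the skill directory", file_path: "scripts/run.sh", line_number: 12, snippet: "cat ~/.config/..." },
];
// The pre-fix shape the commit describes: message / location / code_snippet.
export const LEGACY_SHAPE_FINDING: unknown = {
  severity: "HIGH", message: "x", location: { file: "a", line: 1 }, code_snippet: "",
};
export const SAMPLE_AUDITS: SecurityAudit[] = [
  { id: "a1", scanner: "SKILL_SCANNER", verdict: "WARN", createdAt: "2026-03-22T06:00:00Z", deletedAt: null, findings: [] },
  { id: "a2", scanner: "SKILL_SCANNER", verdict: "PASS", createdAt: "2026-03-22T07:00:00Z", deletedAt: "2026-03-22T07:30:00Z", findings: [] },
  { id: "a3", scanner: "SKILL_VETTER", verdict: "FAIL", createdAt: "2026-03-22T06:30:00Z", deletedAt: null, findings: [] },
];
```

Note that `a2` is newer than `a1` but soft-deleted, so the scanner card still shows `a1`; a selection that ignored `deletedAt` would surface a PASS verdict that has been retracted.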
@XiaoSeS XiaoSeS merged commit 26a5723 into main Mar 23, 2026
2 checks passed