You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add a repowise security scan --history command that runs the existingSecurityScanner (packages/core/src/repowise/core/analysis/security_scan.py) over the entire git history of a repo, not just the working tree, and persists hits into the existing security_findings table.
Today SecurityScanner only runs during indexing (packages/core/src/repowise/core/pipeline/persist.py) against the current checked-out files. Secrets, tokens, and dangerous patterns committed in the past — even if later removed — are never surfaced. A full-history mode closes that gap from inside the product (distinct from the CI secret-scanning PRs, which operate on diffs/CI gates).
Motivation
Leaked credentials often live in old commits and are "fixed" by deleting them in a later commit. They remain in history and remain a risk.
The pattern registry, severity model, and DB persistence already exist; only the scan target (working tree vs. full history) is missing.
Surfacing these in the same security_findings table means the existing API (GET /api/repos/{id}/security) and UI (findings table, severity×directory matrix) light up automatically with no new storage.
Proposed design
New CLI subcommandsecurity scan --history [--since <rev>] [--to <rev>] in packages/cli/src/repowise/cli/commands/ that:
Iterates commits in the range (default git rev-list --all or configurable).
For each commit, checks out the tree's blob content (or uses git show <rev>:<path>) for tracked source files.
Applies the existing _PATTERNS / _SYMBOL_KEYWORDS checks via SecurityScanner.scan_file.
Persists findings with the commit SHA + author date attached (extend the security_findings schema with commit_sha / commit_at columns, nullable for working-tree scans).
Reuse, don't fork: keep SecurityScanner's regex registry and persist() logic; add an optional commit_sha/commit_at field rather than a parallel implementation.
Dedup + severity rollup: same (repo_id, file_path, kind, line, commit_sha) should not be double-inserted on re-runs; provide a clear summary (counts by severity, by kind) on stdout and JSON --output.
UI/API: show a "found in history" badge/filter so users can tell working-tree findings from historical ones, and optionally emit remediation guidance (rotate, purge via filter-repo/BFG).
Summary
Add a
repowise security scan --historycommand that runs the existingSecurityScanner(packages/core/src/repowise/core/analysis/security_scan.py) over the entire git history of a repo, not just the working tree, and persists hits into the existingsecurity_findingstable.Today
SecurityScanneronly runs during indexing (packages/core/src/repowise/core/pipeline/persist.py) against the current checked-out files. Secrets, tokens, and dangerous patterns committed in the past — even if later removed — are never surfaced. A full-history mode closes that gap from inside the product (distinct from the CI secret-scanning PRs, which operate on diffs/CI gates).Motivation
security_findingstable means the existing API (GET /api/repos/{id}/security) and UI (findings table, severity×directory matrix) light up automatically with no new storage.Proposed design
security scan --history [--since <rev>] [--to <rev>]inpackages/cli/src/repowise/cli/commands/that:git rev-list --allor configurable).git show <rev>:<path>) for tracked source files._PATTERNS/_SYMBOL_KEYWORDSchecks viaSecurityScanner.scan_file.security_findingsschema withcommit_sha/commit_atcolumns, nullable for working-tree scans).SecurityScanner's regex registry andpersist()logic; add an optionalcommit_sha/commit_atfield rather than a parallel implementation.(repo_id, file_path, kind, line, commit_sha)should not be double-inserted on re-runs; provide a clear summary (counts by severity, by kind) on stdout and JSON--output.Out of scope (to avoid duplicating active work)
Acceptance criteria
repowise security scan --historyscans all historical revisions of tracked source files.security_findingswith commit provenance and appear in the existing security API/UI.--since/--torange limiting and--output jsonare supported.security_scantest patterns.References
packages/core/src/repowise/core/analysis/security_scan.pypackages/core/src/repowise/core/pipeline/persist.py:633packages/server/src/repowise/server/routers/security.py