Skip to content

feat(security): add repowise security scan --history for full git-history secret/risk scanning #818

Description

@Ayush7614

Summary

Add a repowise security scan --history command that runs the existing SecurityScanner (packages/core/src/repowise/core/analysis/security_scan.py) over the entire git history of a repo, not just the working tree, and persists hits into the existing security_findings table.

Today SecurityScanner only runs during indexing (packages/core/src/repowise/core/pipeline/persist.py) against the current checked-out files. Secrets, tokens, and dangerous patterns committed in the past — even if later removed — are never surfaced. A full-history mode closes that gap from inside the product (distinct from the CI secret-scanning PRs, which operate on diffs/CI gates).

Motivation

  • Leaked credentials often live in old commits and are "fixed" by deleting them in a later commit. They remain in history and remain a risk.
  • The pattern registry, severity model, and DB persistence already exist; only the scan target (working tree vs. full history) is missing.
  • Surfacing these in the same security_findings table means the existing API (GET /api/repos/{id}/security) and UI (findings table, severity×directory matrix) light up automatically with no new storage.

Proposed design

  1. New CLI subcommand security scan --history [--since <rev>] [--to <rev>] in packages/cli/src/repowise/cli/commands/ that:
    • Iterates commits in the range (default git rev-list --all or configurable).
    • For each commit, checks out the tree's blob content (or uses git show <rev>:<path>) for tracked source files.
    • Applies the existing _PATTERNS / _SYMBOL_KEYWORDS checks via SecurityScanner.scan_file.
    • Persists findings with the commit SHA + author date attached (extend the security_findings schema with commit_sha / commit_at columns, nullable for working-tree scans).
  2. Reuse, don't fork: keep SecurityScanner's regex registry and persist() logic; add an optional commit_sha/commit_at field rather than a parallel implementation.
  3. Dedup + severity rollup: same (repo_id, file_path, kind, line, commit_sha) should not be double-inserted on re-runs; provide a clear summary (counts by severity, by kind) on stdout and JSON --output.
  4. UI/API: show a "found in history" badge/filter so users can tell working-tree findings from historical ones, and optionally emit remediation guidance (rotate, purge via filter-repo/BFG).

Out of scope (to avoid duplicating active work)

Acceptance criteria

  • repowise security scan --history scans all historical revisions of tracked source files.
  • Findings persist to security_findings with commit provenance and appear in the existing security API/UI.
  • Re-runs are idempotent (no duplicate rows).
  • --since/--to range limiting and --output json are supported.
  • Unit tests cover history iteration + dedup, mirroring existing security_scan test patterns.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions