Skip to content

feat(security): add repowise security scan --history for full git-history secret scanning#821

Open
Ayush7614 wants to merge 1 commit into
repowise-dev:mainfrom
Ayush7614:feat/security-scan-history
Open

feat(security): add repowise security scan --history for full git-history secret scanning#821
Ayush7614 wants to merge 1 commit into
repowise-dev:mainfrom
Ayush7614:feat/security-scan-history

Conversation

@Ayush7614

@Ayush7614 Ayush7614 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Implements #818. Reuses the existing SecurityScanner pattern registry and the shared security_findings tab
le rather than forking a new subsystem.

Changes

  • security_scan: extend persist() to carry commit_sha/commit_at and make re-runs idempotent via ON CONFLICT DO NOTHING / INSERT OR IGNORE.
  • history_scan: new HistorySecurityScanner that scans unique git blobs (git rev-list --objects --all,
    deduped by blob SHA) once each and attributes hits to the first-introducing commit. Defaults to the secret-ori
    ented patterns (hardcoded_password/hardcoded_secret) to avoid code-smell noise.
  • models + migration 0037: add nullable commit_sha/commit_at and a uq_security_finding_provenance un
    ique constraint for dedup.
  • CLI: repowise security scan --history [--since <rev>] [--to <rev>] [--all-patterns] [--output json].
  • server: GET /security gains a history filter; responses include commit_sha + found_in_history so t
    he UI can tell history from working tree.
  • Addresses maintainer review: idempotent persist, mandatory schema migration, symbol scan disabled in history (
    no parsed symbols on raw blobs), secret-only gate, and blob-dedup scan strategy.

Related Issues

Closes #818

Test Plan

  • Tests pass (pytest tests/unit/analysis/test_security_scan_history.py)
  • Lint passes (ruff check .)
  • Migration chain consistent (00370036)

Checklist

  • My code follows the project's code style
  • I have added tests for new functionality
  • All existing tests still pass
  • I have updated documentation if needed

…tory secret scanning

Implements repowise-dev#818. Reuses the existing SecurityScanner pattern registry and the
shared security_findings table rather than forking a new subsystem.

Changes:
- security_scan: extend persist() to carry commit_sha/commit_at and make
  re-runs idempotent via ON CONFLICT DO NOTHING / INSERT OR IGNORE.
- history_scan: new HistorySecurityScanner that scans unique git blobs
  (git rev-list --objects --all, deduped by blob SHA) once each and attributes
  hits to the first-introducing commit. Defaults to the secret-oriented
  patterns (hardcoded_password/hardcoded_secret) to avoid code-smell noise.
- models + migration 0037: add nullable commit_sha/commit_at and a
  uq_security_finding_provenance unique constraint for dedup.
- CLI: repowise security scan --history [--since <rev>] [--to <rev>]
  [--all-patterns] [--output json].
- server: GET /security gains a history filter; responses include
  commit_sha + found_in_history so the UI can tell history from working tree.

Addresses maintainer review: idempotent persist, mandatory schema migration,
symbol scan disabled in history (no parsed symbols on raw blobs), secret-only
gate, and blob-dedup scan strategy.
@repowise-bot

repowise-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

✅ Health: 7.6 (unchanged)

📋 At a glance
1 file changed health · 4 hotspots touched · 6 new findings introduced · 5 co-change pairs left out · 3 files with recent fix history · 1 dead-code finding. Scoped to packages.

🚨 Change risk: high (riskier than 70% of this repo's commits · raw 9.4/10)
This change's risk is driven by:

  • more lines added than baseline
  • more scattered than baseline

🩹 Review priority (files here with the most recent bug-fix history — defects cluster, so review these first)

File Score Δ Why
.../analysis/security_scan.py 9.0 → 8.8 ▼ -0.2 🔻 introduced primitive obsession

💡 .../analysis/security_scan.py: Introduce a parameter object. Group the related primitives passed in here into a dataclass so the type names tell the story and adding another field doesn't break every caller.

🔎 More signals (3)

🔥 Hotspots touched (4)

  • .../persistence/models.py — 20 commits/90d, 176 dependents · primary owner: Raghav Chamadiya (89%)
  • .../analysis/security_scan.py — 0 commits/90d, 1 dependents · primary owner: Raghav Chamadiya (100%)
  • .../cli/main.py — 16 commits/90d, 11 dependents · primary owner: Raghav Chamadiya (97%)
1 more
  • .../schemas/code_quality.py — 3 commits/90d, 1 dependents · primary owner: Raghav Chamadiya (100%)

🔗 Hidden coupling (1 file)

  • .../persistence/models.py co-changes with these files (not in this PR):
    • .../persistence/test_models.py (13× — 🟡 notable)
    • .../pipeline/persist.py (11× — 🟡 notable)
    • .../pipeline/orchestrator.py (9× — 🟢 routine)
    • .../persistence/__init__.py (7× — 🟢 routine)
    • .../mcp_server/tool_overview.py (5× — 🟢 routine)

💀 Dead code (1 finding)

  • 💀 .../routers/security.py (file-level) (confidence 0.80)

📊 Full report · ⭐ Star Repowise · 📥 Install bot · Last updated 2026-07-13 10:31 UTC
Silence on a single PR with [skip repowise] in the title · Per-repo toggle on repowise.dev/settings?tab=bot

@Ayush7614 Ayush7614 changed the title feat(security): add repowise security scan --history for full git-his… feat(security): add repowise security scan --history for full git-history secret scanning Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(security): add repowise security scan --history for full git-history secret/risk scanning

1 participant