feat(security): add repowise security scan --history for full git-history secret scanning#821
feat(security): add repowise security scan --history for full git-history secret scanning#821Ayush7614 wants to merge 1 commit into
Conversation
…tory secret scanning Implements repowise-dev#818. Reuses the existing SecurityScanner pattern registry and the shared security_findings table rather than forking a new subsystem. Changes: - security_scan: extend persist() to carry commit_sha/commit_at and make re-runs idempotent via ON CONFLICT DO NOTHING / INSERT OR IGNORE. - history_scan: new HistorySecurityScanner that scans unique git blobs (git rev-list --objects --all, deduped by blob SHA) once each and attributes hits to the first-introducing commit. Defaults to the secret-oriented patterns (hardcoded_password/hardcoded_secret) to avoid code-smell noise. - models + migration 0037: add nullable commit_sha/commit_at and a uq_security_finding_provenance unique constraint for dedup. - CLI: repowise security scan --history [--since <rev>] [--to <rev>] [--all-patterns] [--output json]. - server: GET /security gains a history filter; responses include commit_sha + found_in_history so the UI can tell history from working tree. Addresses maintainer review: idempotent persist, mandatory schema migration, symbol scan disabled in history (no parsed symbols on raw blobs), secret-only gate, and blob-dedup scan strategy.
|
✅ Health: 7.6 (unchanged) 📋 At a glance 🚨 Change risk: high (riskier than 70% of this repo's commits · raw 9.4/10)
🩹 Review priority (files here with the most recent bug-fix history — defects cluster, so review these first)
🔎 More signals (3)🔥 Hotspots touched (4)
1 more
🔗 Hidden coupling (1 file)
💀 Dead code (1 finding)
📊 Full report · ⭐ Star Repowise · 📥 Install bot · Last updated 2026-07-13 10:31 UTC |
Summary
Implements #818. Reuses the existing
SecurityScannerpattern registry and the sharedsecurity_findingstable rather than forking a new subsystem.
Changes
persist()to carrycommit_sha/commit_atand make re-runs idempotent viaON CONFLICT DO NOTHING/INSERT OR IGNORE.HistorySecurityScannerthat scans unique git blobs (git rev-list --objects --all,deduped by blob SHA) once each and attributes hits to the first-introducing commit. Defaults to the secret-ori
ented patterns (
hardcoded_password/hardcoded_secret) to avoid code-smell noise.commit_sha/commit_atand auq_security_finding_provenanceunique constraint for dedup.
repowise security scan --history [--since <rev>] [--to <rev>] [--all-patterns] [--output json].GET /securitygains a history filter; responses includecommit_sha+found_in_historyso the UI can tell history from working tree.
no parsed symbols on raw blobs), secret-only gate, and blob-dedup scan strategy.
Related Issues
Closes #818
Test Plan
pytest tests/unit/analysis/test_security_scan_history.py)ruff check .)0037→0036)Checklist