Skip to content

Feat skill security#45

Open
XiaoSeS wants to merge 11 commits intomainfrom
feat-skill-security
Open

Feat skill security#45
XiaoSeS wants to merge 11 commits intomainfrom
feat-skill-security

Conversation

@XiaoSeS
Copy link
Collaborator

@XiaoSeS XiaoSeS commented Mar 16, 2026 

## Summary

### What changed?

This PR adds **security scanning** and **review content display** features to SkillHub:

**1. Security Scanning Integration**
- Integrated [cisco-ai-defense/skill-scanner](https://github.com/cisco-ai-defense/skill-scanner) for automated security analysis
- Backend: Domain model, Redis Stream async processing, scanner HTTP adapter
- Frontend: Security audit panel in review detail page with findings display
- Deployment: Docker Compose profiles, K8s manifests, runtime.sh support

**2. Review Content Display**
- Reviewers can now view skill README, file tree, and file contents directly in review detail page
- Code syntax highlighting via lowlight (highlight.js)
- Markdown rendering with frontmatter stripping

**3. Access Control Fixes**
- Allow reviewers and namespace admins to view unpublished skill versions
- Fix 400 "版本未发布" errors for PENDING_REVIEW and REJECTED versions

**4. Developer Experience**
- Simplified `make dev-all` to include scanner by default
- Added `--scanner` flag to `runtime.sh` for one-line deployment
- Removed redundant Makefile targets (dev-deps, dev-server-only, dev-all-scanner)

### Why is this needed?

- **Security**: Automated scanning catches malicious code before publication
- **Governance**: Reviewers need to inspect skill content without leaving the review page
- **Usability**: Simplified deployment commands reduce friction for new contributors

## Validation

- [x] Backend tests passed (`make test`)
- [x] Frontend typecheck/build passed (`make typecheck-web`, `make build-web`)
- [x] OpenAPI SDK regenerated (`make generate-api`)
- [ ] Smoke test run when relevant

Commands run:

```bash
# Backend compilation
cd server && ./mvnw compile -DskipTests

# Frontend typecheck
make typecheck-web

# Verify Makefile syntax
make -n dev-all
make -n dev-down

Risk

  • User-facing impact:

    • New security audit panel in review detail page (additive, no breaking changes)
    • Scanner disabled by default (SKILLHUB_SECURITY_SCANNER_ENABLED=false), opt-in via env var

  • Deployment or migration impact:

    • Database migration V12 adds security_audits table (auto-applied by Flyway)
    • New optional scanner service (profile-gated, won't start unless explicitly enabled)
    • K8s deployments need to apply scanner-deployment.yaml if scanner is desired

  • Rollback approach:

    • Scanner can be disabled via SKILLHUB_SECURITY_SCANNER_ENABLED=false (default)
    • Database migration V12 is additive (no data loss on rollback)
    • Frontend changes are backward-compatible (gracefully handles missing audit data)

Notes

  • Related issue: N/A (feature development)

  • Follow-up work:

    • Add scanner to CI/CD pipeline for automated skill validation
    • Improve markdown rendering quality (deferred per user request)
    • Add scanner metrics to Grafana dashboard

  • Docs or operator runbooks updated:

    • README.md updated with scanner deployment options
    • Added docs/security-scanning.md with architecture overview
    • Added scanner/README.md and scanner/QUICKSTART.md
    • Added docs/api/skill-scanner-api.md with API reference

XiaoSeS added 11 commits March 16, 2026 10:38
@XiaoSeS
feat(review): add skill content display with syntax highlighting
81cbbed 
Add README and Files tabs to review detail page, allowing reviewers
to view skill content directly without switching to skill detail page.

- Add CodeViewer component with lowlight-based syntax highlighting
- Add Tabs UI to review-detail page showing README and file tree
- Support file content viewing with auto language detection
- Import highlight.js github-dark theme for code blocks
- Add i18n keys for skill content section

Dependencies: highlight.js, lowlight for syntax highlighting
@XiaoSeS
fix(skill): allow reviewers and admins to view unpublished versions
418f937 
Extend access control for skill file viewing to support reviewers
and namespace/platform admins viewing non-published versions.

- Expose platformRoles in AuthContextFilter request attributes
- Pass platformRoles to SkillQueryService access checks
- Allow SKILL_ADMIN and SUPER_ADMIN to view any version
- Allow namespace OWNER/ADMIN to view unpublished versions
- Allow skill owner to view any version status (not just PENDING_REVIEW)

Fixes 400 "版本未发布" errors for reviewers and rejected versions.
@XiaoSeS
fix(skill): prevent stale queries after withdrawing review
5835d5b 
Navigate away before cache cleanup to prevent refetching deleted
skill data during component unmount.

- Move navigation before removeQueries in withdraw handler
- Remove skill-specific invalidation from useWithdrawSkillReview
- Only invalidate skill list queries, not individual skill queries

Fixes 400 errors when withdrawing the only version of a skill.
@XiaoSeS
feat(security): add security audit domain model and database schema
6fcdec5 
Add domain model for security scanning with event-driven architecture
and database schema for storing audit results.

- Add SecurityAudit entity with findings and verdict
- Add SECURITY_REJECTED status to SkillVersionStatus enum
- Add security audit database migration (V12)
- Integrate security scanning into skill publish workflow
- Add WebClient dependency for HTTP communication
- Update SkillPublishService to trigger security scans

The security audit is triggered automatically when a skill version
is submitted for review and blocks publication if critical issues
are found.
@XiaoSeS
feat(security): add security scanner configuration and API integration
c663949 
Configure skill-scanner service integration and expose security audit
data in review API responses.

- Add skill-scanner service configuration in application.yml
- Add Redis Stream configuration for async scan task processing
- Include security audit data in ReviewTaskResponse DTO
- Update ReviewController to return audit results with review tasks

Reviewers can now see security scan results directly in the review
interface without additional API calls.
@XiaoSeS
feat(security): add frontend security audit display
6387613 
Add security audit API client and display security scan results
in the skill management interface.

- Add securityAuditApi client for fetching audit results
- Add SecurityAudit type definitions
- Regenerate OpenAPI schema with security audit endpoints
- Display SECURITY_REJECTED status in my-skills page

Users can now see when their skills are rejected due to security
issues and view the scan results.
@XiaoSeS
feat(security): add skill-scanner service deployment
c3914e4 
Add skill-scanner service to local and staging deployment stacks
with Docker Compose configuration.

- Add scanner service to docker-compose.yml and staging variant
- Add scanner-related make targets for development workflow
- Update README with security scanning documentation
- Add scanner directory to gitignore

The skill-scanner service runs as a separate microservice that
performs static analysis on skill packages and reports findings
via Redis Stream.
@XiaoSeS
fix(security): add scanner config to release/k8s and default to disabled
527a7d9 
Scanner was missing from production deployment files, and defaulted
to enabled in application.yml which would break startup when scanner
service is not deployed.

- Change scanner default from enabled=true to enabled=false
- Add skill-scanner service to compose.release.yml (behind profile)
- Add scanner env vars to .env.release.example
- Add scanner-tmp shared volume between server and scanner
- Create K8s scanner-deployment.yaml
- Add scanner service to K8s services.yaml
- Add scanner env vars to K8s backend-deployment.yaml
- Remove unused scanStreamKey bean from RedisStreamConfig
@XiaoSeS
feat(ops): add --scanner flag to runtime.sh
e1d5f0a 
Allow users to enable security scanner when deploying via runtime.sh.

- Add --scanner flag to start scanner service with profile
- Add --scanner-image flag to override scanner image repository
- Support scanner image in --aliyun/--mirror-registry mirror mode
- Write SKILLHUB_SECURITY_SCANNER_ENABLED=true to .env.release
- Always include scanner profile on down/clean to stop all containers

Usage:
  sh runtime.sh up --version v0.1.0 --scanner
@XiaoSeS
docs: align README with scanner deployment options
e622c3d 
Update Security Scanning, Container Runtime, and Kubernetes sections
to document all scanner enablement paths: runtime.sh --scanner,
make targets, docker compose --profile, and K8s manifests.
@XiaoSeS
feat(ops): simplify dev commands and include scanner in dev-all
d907e8c 
- dev-all now starts all services including scanner with Redis
  readiness check before launching backend
- dev also includes scanner profile for consistency
- Remove redundant targets: dev-deps, dev-server-only, dev-all-scanner
- dev-down and dev-all-reset include scanner profile for cleanup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@XiaoSeS