Open
…m context Signed-off-by: rafi <refaei.shikho@hotmail.com>
…nfiguration Signed-off-by: rafi <refaei.shikho@hotmail.com>
Contributor
Pull request overview
Adds secret-scoped “shared” dependency-proxy endpoints and introduces proxy configuration enforcement (deny/allow rules + minimum package age) backed by a new dependency_proxy_secrets table/service.
Changes:
- Add secret-backed dependency-proxy URLs and a new share router (`/api/v1/dependency-proxy/:secret/...`) for npm/go/pypi.
- Add config loading (`dependency-proxy-configs`) plus rule-based blocking and `minReleaseTime` enforcement in the dependency proxy controller.
- Introduce dependency-proxy secret model/repository/service with a DB migration and DI wiring.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| tests/dependency_proxy_controller_test.go | Updates controller constructor usage and adds tests for rule matching + proxy-prefix trimming. |
| shared/context_utils.go | Adds MaybeGetOrganization/Project/Asset helpers used to derive proxy secret scope. |
| shared/common_interfaces.go | Adds DependencyProxySecretRepository and DependencyProxySecretService interfaces. |
| services/providers.go | Registers the new dependency-proxy secret service with Fx. |
| services/dependency_proxy_secret_service.go | Implements secret lookup and GetOrCreate helpers for org/project/asset scopes. |
| router/share_dependency_proxy_router.go | New router exposing secret-scoped proxy endpoints. |
| router/providers.go | Wires the new share dependency proxy router. |
| router/project_router.go | Adds GET /dependency-proxy-urls/ to project scope. |
| router/org_router.go | Adds GET /dependency-proxy-urls/ to organization scope. |
| router/asset_router.go | Adds GET /dependency-proxy-urls/ to asset scope. |
| database/repositories/providers.go | Registers the new dependency-proxy secret repository with Fx. |
| database/repositories/dependency_proxy_secret_repository.go | Implements GetOrCreate, rotation, and secret lookup queries for proxy secrets. |
| database/models/dependency_proxy_secret_model.go | Adds the DependencyProxySecret model. |
| database/migrations/20260410163018_add-dependency-proxy.up.sql | Creates the dependency_proxy_secrets table. |
| database/migrations/20260410163018_add-dependency-proxy.down.sql | Drops the dependency_proxy_secrets table. |
| controllers/providers.go | Renames/provides dependency-proxy cache config provider. |
| controllers/dependency_proxy_controller.go | Adds configs/rules/min-age enforcement, secret-based config loading, and URL join fixes. |
| cmd/devguard/main.go | Invokes the new share dependency proxy router. |
| cmd/devguard-cli/commands/vulndb.go | Invokes the new share dependency proxy router in CLI migration runner. |
| .env.example | Documents DEPENDENCY_PROXY_BASE_URL. |
…te path handling Signed-off-by: rafi <refaei.shikho@hotmail.com>
…dation checks for malicious packages across NPM, Go, and PyPI proxies Signed-off-by: rafi <refaei.shikho@hotmail.com>
…PM and PyPI requests Signed-off-by: rafi <refaei.shikho@hotmail.com>
Contributor
Pull request overview
Copilot reviewed 23 out of 23 changed files in this pull request and generated 19 comments.
Comments suppressed due to low confidence (1)
controllers/dependency_proxy_controller.go:1144
- ParsePackageFromPath(PyPIProxy) trims the leading '/', but then checks strings.HasPrefix(path, "/packages/") which can never be true. This makes version extraction for /packages/* paths unreachable; check for "packages/" (or move the TrimPrefix logic).
```go
path = strings.TrimPrefix(path, "/")
if after, ok := strings.CutPrefix(path, "simple/"); ok {
	pkgName := after
	pkgName = strings.TrimSuffix(pkgName, "/")
	return pkgName, ""
} else if strings.HasPrefix(path, "/packages/") { // unreachable: the leading "/" was already trimmed above
	filename := filepath.Base(path)
	// Try to extract package name and version from filename
```
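The corrected control flow for the PyPI path parser flagged above, written as an added example rather than DevGuard's own code: the leading `/` is trimmed once, the `packages/` branch checks the trimmed form (so it is reachable), and name/version are derived from a wheel or sdist filename. Function names, the filename heuristics and the sample paths are assumptions made here, not taken from the pull request.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// parsePyPIPackageFromPath (hypothetical name, example code) returns (name, version)
// for a PyPI proxy request path. Trimming happens once; every prefix check below
// uses the trimmed form, which is the fix for the unreachable "/packages/" branch.
func parsePyPIPackageFromPath(p string) (string, string) {
	p = strings.TrimPrefix(p, "/")
	// Simple index requests: simple/<name>/ -> package name only, no version.
	if after, ok := strings.CutPrefix(p, "simple/"); ok {
		return strings.TrimSuffix(after, "/"), ""
	}
	// File downloads: packages/<hash-path>/<filename> -> name and version from the filename.
	if strings.HasPrefix(p, "packages/") {
		return parseDistFilename(path.Base(p))
	}
	return "", ""
}

// parseDistFilename extracts (name, version) from a wheel ("name-ver-py3-none-any.whl")
// or sdist ("name-ver.tar.gz" / "name-ver.zip") filename; unknown layouts yield ("", "").
func parseDistFilename(f string) (string, string) {
	switch {
	case strings.HasSuffix(f, ".whl"):
		parts := strings.Split(strings.TrimSuffix(f, ".whl"), "-")
		if len(parts) < 5 { // expect name-version-pytag-abitag-platformtag
			return "", ""
		}
		return parts[0], parts[1]
	case strings.HasSuffix(f, ".tar.gz"), strings.HasSuffix(f, ".zip"):
		stem := strings.TrimSuffix(strings.TrimSuffix(f, ".tar.gz"), ".zip")
		if i := strings.LastIndex(stem, "-"); i > 0 && i < len(stem)-1 {
			return stem[:i], stem[i+1:]
		}
	}
	return "", ""
}

func main() {
	// Constructed sample request paths as a dependency proxy would receive them.
	for _, p := range []string{"/simple/requests/", "/packages/ab/cd/requests-2.31.0-py3-none-any.whl"} {
		n, v := parsePyPIPackageFromPath(p)
		fmt.Printf("%-48s -> name=%q version=%q\n", p, n, v)
	}
}
```

Because the version is only known for `packages/` downloads, a minimum-package-age rule can be applied at that point, while `simple/` index requests only yield the name for deny/allow matching.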
Signed-off-by: rafi <refaei.shikho@hotmail.com>
…Checker mock Signed-off-by: rafi <refaei.shikho@hotmail.com>
No description provided.