feat: add private repository support with PAT and SSH authentication by vbelouso · Pull Request #206 · RHEcosystemAppEng/vulnerability-analysis

vbelouso · 2026-02-26T12:07:22Z

Add support for private GitHub repository authentication using PAT and SSH keys.

Changes:

Credential-based git authentication (PAT and SSH)
Graceful fallback when credentials expire or CA bundle missing
Enhanced GitHub API with user tokens for language detection
Ecosystem fallback when API returns no languages

Review together with RHEcosystemAppEng/agent-morpheus-client#138

Testing:

For testing, you need an accessible private repository with your PAT/SSH

And a minimal SBOM, for example, as in the attachment
Update metadata.component.name and metadata.properties with the actual values.
eiq-private-clone-test.json

A test instance is available in the OpenShift project daboogie-eiq-private

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

zvigrinberg

Hi @vbelouso
The solution is great, and meeting all expectations.

Please see my comments.

src/exploit_iq_commons/utils/source_code_git_loader.py

src/exploit_iq_commons/utils/credential_client.py

src/exploit_iq_commons/utils/source_code_git_loader.py

src/exploit_iq_commons/utils/credential_client.py

src/exploit_iq_commons/utils/source_code_git_loader.py

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

zvigrinberg

@vbelouso LGTM , Very good job!.
Please only merge after the client side is ready for merge as well...

Thank you!.

zvigrinberg · 2026-03-04T10:10:04Z

@vbelouso Not critical, But when i tested it locally, i couldn't do it, without adding this piece of code

diff --git a/src/exploit_iq_commons/utils/credential_client.py b/src/exploit_iq_commons/utils/credential_client.py
index b611421..3ca339e 100644
--- a/src/exploit_iq_commons/utils/credential_client.py
+++ b/src/exploit_iq_commons/utils/credential_client.py
@@ -187,8 +187,12 @@ def fetch_and_decrypt_credential(
 
     logger.info("Fetching credential: credential_id=%s", credential_id)
 
-    ca_bundle = os.environ.get("CLIENT_CA_BUNDLE", "/app/certs/service-ca.crt")
-    verify_ssl = _validate_ca_bundle(ca_bundle)
+    if url.startswith("https"):
+        ca_bundle = os.environ.get("CLIENT_CA_BUNDLE", "/app/certs/service-ca.crt")
+        verify_ssl = _validate_ca_bundle(ca_bundle)
+    else:
+        verify_ssl = False
+
 
     try:
         response = requests.get(url, headers=headers, timeout=10, verify=verify_ssl)

and without adding the following 2 environment variables before running the agent

CLIENT_JWT_TOKEN=dummy_token
CLIENT_BACKEND_URL=http://localhost:8080

I Would suggest commenting out the above piece of code I've added and add comment about that this is essential for debugging or invoking the agent locally for analysis of private git repositories, and on the way, add another comment with these 2 env vars required for that purpose.

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

vbelouso · 2026-03-08T10:51:16Z

/test vulnerability-analysis-on-pr

vbelouso · 2026-03-08T12:06:51Z

/test vulnerability-analysis-on-pr

vbelouso · 2026-03-09T07:19:11Z

/test vulnerability-analysis-on-pr

vbelouso · 2026-03-09T08:16:57Z

/test vulnerability-analysis-on-pr

feat: add private repository support with PAT and SSH authentication

4784b3e

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

vbelouso mentioned this pull request Feb 26, 2026

feat: private Git repository authentication RHEcosystemAppEng/agent-morpheus-client#138

Merged

zvigrinberg requested changes Mar 1, 2026

View reviewed changes

vbelouso added 2 commits March 2, 2026 11:58

fix(sec): harden TLS verification and decryption error handling

87aa22c

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

fix: improve private repo authentication robustness

78657a8

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

vbelouso requested a review from zvigrinberg March 2, 2026 11:06

zvigrinberg approved these changes Mar 2, 2026

View reviewed changes

fix: skip SSL verification for HTTP URLs in credential client

5669258

Signed-off-by: Vladimir Belousov <vbelouso@redhat.com>

vbelouso force-pushed the feat-private-repo branch from 248c164 to 5669258 Compare March 8, 2026 10:00

vbelouso merged commit ce310fc into RHEcosystemAppEng:main Mar 9, 2026
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add private repository support with PAT and SSH authentication#206

feat: add private repository support with PAT and SSH authentication#206
vbelouso merged 4 commits intoRHEcosystemAppEng:mainfrom
vbelouso:feat-private-repo

vbelouso commented Feb 26, 2026 •

edited

Loading

Uh oh!

zvigrinberg left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

zvigrinberg left a comment

Uh oh!

zvigrinberg commented Mar 4, 2026 •

edited

Loading

Uh oh!

vbelouso commented Mar 8, 2026

Uh oh!

vbelouso commented Mar 8, 2026

Uh oh!

vbelouso commented Mar 9, 2026

Uh oh!

vbelouso commented Mar 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

vbelouso commented Feb 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

zvigrinberg left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

zvigrinberg left a comment

Choose a reason for hiding this comment

Uh oh!

zvigrinberg commented Mar 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

vbelouso commented Mar 8, 2026

Uh oh!

vbelouso commented Mar 8, 2026

Uh oh!

vbelouso commented Mar 9, 2026

Uh oh!

vbelouso commented Mar 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

vbelouso commented Feb 26, 2026 •

edited

Loading

zvigrinberg commented Mar 4, 2026 •

edited

Loading