
feat(cloud-security): add endpoints to trigger scans and get run status#2176

Merged
Marfuen merged 5 commits into main from mariano/cloud-tests-bugged
Feb 20, 2026

Conversation

@Marfuen (Contributor) commented Feb 20, 2026

What does this PR do?

  • Fixes #XXXX (GitHub issue number)
  • Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

  • Show screen recordings of the issue or feature.
  • Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

  • Add side-by-side screenshots of the original and updated change.
  • Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  • Are there environment variables that should be set?
  • What are the minimal test data to have?
  • What is expected (happy path) to have (input and output)?
  • Any other important info that could help to test that PR

Checklist

  • I haven't read the contributing guide
  • My code doesn't follow the style guidelines of this project
  • I haven't commented my code, particularly in hard-to-understand areas
  • I haven't checked if my changes generate no new warnings

vercel bot commented Feb 20, 2026

The latest updates on your projects.

Project | Deployment | Actions          | Updated (UTC)
app     | Ready      | Preview, Comment | Feb 20, 2026 9:23pm
portal  | Ready      | Preview, Comment | Feb 20, 2026 9:23pm


cursor bot commented Feb 20, 2026

PR Summary

Medium Risk
Introduces new guarded API routes and integrates JWT/org scoping, plus triggers and polls Trigger.dev runs; mistakes could cause unauthorized access or broken scan execution/status reporting.

Overview
Adds authenticated cloud-security endpoints to start an async scan and query Trigger.dev execution state: POST /v1/cloud-security/trigger/:connectionId and GET /v1/cloud-security/runs/:runId?connectionId=..., including org-scoped connection validation and clearer 404/400/500 error mapping.

Updates the app’s runPlatformScan server action to call the new API endpoints (building Authorization + X-Organization-Id headers via Better Auth) and extends serverApi to accept custom headers; CloudSecurityModule now imports AuthModule, and OpenAPI docs are updated accordingly.

Written by Cursor Bugbot for commit 3cfdc12.

@Marfuen Marfuen merged commit 4f1e87a into main Feb 20, 2026
14 checks passed
@Marfuen Marfuen deleted the mariano/cloud-tests-bugged branch February 20, 2026 21:24

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


success: run.isCompleted ? run.isSuccess : false,
output: run.isCompleted ? run.output : null,
};
}
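Review bot: "success: run.isCompleted ? run.isSuccess : false" together with "output: run.isCompleted ? run.output : null" makes a run that is still in progress look the same as one that finished and failed; both come back as success false with a null output. If the object built here carries no other completion indicator, add one (an isCompleted boolean or a status value such as running/completed/failed) so the app's polling code can stop on failure instead of waiting for an output that will never arrive.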


IDOR: run status endpoint lacks run-to-connection authorization

High Severity

getRunStatus validates that connectionId belongs to the caller's organizationId, but never verifies that runId is actually associated with that connection. Since runs.retrieve(runId) from Trigger.dev returns any run within the project, an attacker can supply their own valid connectionId alongside another organization's runId to read that organization's scan output, including sensitive cloud security findings.

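The missing check described in the comment above, written out as an added example that is not code from this PR or from the project. The Connection and TriggerRun shapes, the two-organization sample data, and the retrieveRun and findConnection stubs are constructed here; retrieveRun mimics runs.retrieve(runId) in that it applies no tenant filter. The example assumes the scan task was triggered with the connectionId in its payload, which is what the hardened getRunStatus compares against; a mapping persisted at trigger time would serve the same purpose.

```typescript
// Added example, not the PR's code: getRunStatus binds runId to the caller's
// connection before returning any output. All data and stubs are constructed.

type ScanOutput = { findings: number };

type Connection = { id: string; organizationId: string };

type TriggerRun = {
  id: string;
  isCompleted: boolean;
  isSuccess: boolean;
  output: ScanOutput | null;
  // Assumption: the task was triggered with the connectionId in its payload,
  // so the run itself records which connection (and so which org) it serves.
  payload: { connectionId: string };
};

export class ConnectionNotFoundError extends Error {}
export class RunNotFoundError extends Error {}

// Constructed sample data: two organizations, one connection and one run each.
const connections: Connection[] = [
  { id: "conn-a", organizationId: "org-a" },
  { id: "conn-b", organizationId: "org-b" },
];

const runs: Record<string, TriggerRun> = {
  "run-a": {
    id: "run-a", isCompleted: true, isSuccess: true,
    output: { findings: 3 }, payload: { connectionId: "conn-a" },
  },
  "run-b": {
    id: "run-b", isCompleted: true, isSuccess: false,
    output: { findings: 7 }, payload: { connectionId: "conn-b" },
  },
};

// Stand-in for runs.retrieve(): no tenant filter, any run in the project comes back.
function retrieveRun(runId: string): TriggerRun | undefined {
  return runs[runId];
}

// Org-scoped connection lookup: the check the PR already performs.
function findConnection(connectionId: string, organizationId: string): Connection | undefined {
  return connections.find(
    (c) => c.id === connectionId && c.organizationId === organizationId,
  );
}

export type RunStatus = {
  runId: string;
  status: "running" | "completed" | "failed";
  success: boolean;
  output: ScanOutput | null;
};

function toRunStatus(run: TriggerRun): RunStatus {
  return {
    runId: run.id,
    status: run.isCompleted ? (run.isSuccess ? "completed" : "failed") : "running",
    success: run.isCompleted ? run.isSuccess : false,
    output: run.isCompleted ? run.output : null,
  };
}

// The shape the review flags: connectionId is org-scoped, runId is not.
export function getRunStatusUnchecked(
  organizationId: string, connectionId: string, runId: string,
): RunStatus {
  if (!findConnection(connectionId, organizationId)) {
    throw new ConnectionNotFoundError(`Connection ${connectionId} not found`);
  }
  const run = retrieveRun(runId);
  if (!run) throw new RunNotFoundError(`Run ${runId} not found`);
  return toRunStatus(run);
}

// Hardened: the run must belong to the connection that was just validated.
// A foreign run is reported as "not found" rather than "forbidden", so the
// endpoint does not confirm that another tenant's runId exists.
export function getRunStatus(
  organizationId: string, connectionId: string, runId: string,
): RunStatus {
  const connection = findConnection(connectionId, organizationId);
  if (!connection) {
    throw new ConnectionNotFoundError(`Connection ${connectionId} not found`);
  }
  const run = retrieveRun(runId);
  if (!run || run.payload.connectionId !== connection.id) {
    throw new RunNotFoundError(`Run ${runId} not found`);
  }
  return toRunStatus(run);
}
```

With this data, getRunStatusUnchecked("org-b", "conn-b", "run-a") returns org-a's findings, which is the cross-tenant read the comment describes; getRunStatus with the same arguments throws RunNotFoundError.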

const message =
error instanceof Error ? error.message : 'Failed to trigger scan';
throw new HttpException(message, HttpStatus.BAD_REQUEST);
}
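Review bot: "error instanceof Error ? error.message : 'Failed to trigger scan'" forwards whatever tasks.trigger(...) or the SDK beneath it raises to the API caller verbatim, so upstream failure details reach the client as the response message. Log the original error server-side and return a fixed client-facing message for anything the service did not deliberately raise for the caller, for example "throw new HttpException('Failed to trigger scan', HttpStatus.INTERNAL_SERVER_ERROR)", keeping the descriptive message only for errors the service raises on purpose.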


All triggerScan errors incorrectly mapped to 400

Medium Severity

The triggerScan catch block maps every error to HttpStatus.BAD_REQUEST (400), including internal failures from tasks.trigger(...) which are server-side errors deserving a 500 status. Additionally, the service throws a plain Error for missing connections instead of the purpose-built ConnectionNotFoundError, preventing differentiated error handling like getRunStatus does.

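The differentiated error handling the comment above asks for, as an added example rather than code from this PR or the project. ConnectionNotFoundError is the class the comment names; InvalidScanRequestError, HttpError, the connection table and triggerTask are constructed stand-ins for NestJS's HttpException and the Trigger.dev tasks.trigger(...) call, and the 202 success status is an assumption (the PR's own success response is not shown). The collapsed variant reproduces the catch block the comment flags so the two can be compared on the same inputs.

```typescript
// Added example, not the PR's code: keep caller errors (400), missing
// connections (404) and internal failures (500) distinct in triggerScan.

export class ConnectionNotFoundError extends Error {
  constructor(connectionId: string) {
    super(`Connection ${connectionId} not found`);
    this.name = "ConnectionNotFoundError";
  }
}

// Constructed: a request the caller got wrong (malformed id), which is a 400.
export class InvalidScanRequestError extends Error {}

// Constructed stand-in for NestJS's HttpException.
export class HttpError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
  }
}

type TriggerResult = { runId: string };

// Constructed: connectionId -> owning organizationId.
const orgConnections = new Map<string, string>([["conn-a", "org-a"]]);

// Stand-in for tasks.trigger(...). failTrigger simulates an outage on the
// Trigger.dev side, a server-side failure rather than a malformed request.
function triggerTask(connectionId: string, failTrigger: boolean): TriggerResult {
  if (failTrigger) throw new Error("Trigger.dev API returned 503");
  return { runId: `run_${connectionId}` };
}

// Service layer: throws typed errors so the controller can tell them apart.
export function triggerScanService(
  organizationId: string, connectionId: string, failTrigger = false,
): TriggerResult {
  if (!/^[A-Za-z0-9_-]+$/.test(connectionId)) {
    throw new InvalidScanRequestError("connectionId has an invalid format");
  }
  if (orgConnections.get(connectionId) !== organizationId) {
    throw new ConnectionNotFoundError(connectionId);
  }
  return triggerTask(connectionId, failTrigger);
}

export type ScanResponse = { status: number; body: { runId?: string; message?: string } };

// "Before": the catch block the review flags. Every failure becomes a 400 and
// the raw error message, internal ones included, is echoed to the caller.
export function triggerScanCollapsed(
  organizationId: string, connectionId: string, failTrigger = false,
): ScanResponse {
  try {
    return { status: 202, body: triggerScanService(organizationId, connectionId, failTrigger) };
  } catch (error) {
    const message = error instanceof Error ? error.message : "Failed to trigger scan";
    return { status: 400, body: { message } };
  }
}

// "After": map known domain errors to their status; anything unrecognised is a
// 500 with a generic message, leaving the original error for server-side logs.
export function toHttpError(error: unknown): HttpError {
  if (error instanceof ConnectionNotFoundError) return new HttpError(404, error.message);
  if (error instanceof InvalidScanRequestError) return new HttpError(400, error.message);
  return new HttpError(500, "Failed to trigger scan");
}

export function triggerScan(
  organizationId: string, connectionId: string, failTrigger = false,
): ScanResponse {
  try {
    return { status: 202, body: triggerScanService(organizationId, connectionId, failTrigger) };
  } catch (error) {
    const http = toHttpError(error);
    return { status: http.status, body: { message: http.message } };
  }
}
```

A connection that belongs to another organization is reported as 404 rather than 403 here, the same choice getRunStatus makes, so the endpoint does not confirm that a connectionId exists outside the caller's tenant.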

@Marfuen Marfuen restored the mariano/cloud-tests-bugged branch February 20, 2026 21:53
claudfuen pushed a commit that referenced this pull request Feb 20, 2026
# [1.84.0](v1.83.7...v1.84.0) (2026-02-20)

### Bug Fixes

* resolve device agent sign-in loop and improve auth robustness ([#2177](#2177)) ([7de133f](7de133f))

### Features

* **cloud-security:** add endpoints to trigger scans and get run status ([#2176](#2176)) ([4f1e87a](4f1e87a))
@claudfuen (Contributor) commented

🎉 This PR is included in version 1.84.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

