Web Source

[kashifkhan0771]

Description:

Adds a new web source that crawls and scans websites for exposed secrets. The source uses the Colly framework to fetch pages starting from one or more seed URLs, with configurable crawl depth, per-domain request delay, and a per-URL timeout. Link following is opt-in via --crawl, robots.txt is respected by default, and linked JavaScript files are enqueued alongside HTML pages since they are a common location for hardcoded credentials. Each scanned page produces a chunk carrying the page title, URL, content type, crawl depth, and a UTC timestamp in the metadata.

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

---

Note

Medium Risk
Adds a new networked crawling source and CLI command that fetches and scans arbitrary URLs, introducing operational risk (traffic/timeout/robots handling) and new third-party scraping dependencies.

Overview
Adds a new web scan mode that can fetch one or more URLs and optionally crawl same-domain links (including linked scripts) to emit page content as chunks for secret scanning.

Wires the source end-to-end: new CLI command/flags in main.go, engine entrypoint ScanWeb, new sourcespb/source_metadata protobuf types (with validation stubs) and WebConfig for configuration, plus Prometheus metric web_urls_scanned. Includes a full pkg/sources/web implementation with timeout/delay/depth/robots controls and comprehensive unit tests, and updates go.mod/go.sum with Colly and HTML parsing dependencies.

^{Reviewed by Cursor Bugbot for commit 7564078. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Timeout blocks indefinitely waiting for Colly cleanup

Medium Severity

When the context timeout fires, crawlURL enters the <-ctx.Done() case and then blocks on <-done, waiting for collector.Wait() to return. However, Colly's async collector has no context-awareness and no per-request HTTP timeout configured, so collector.Wait() blocks until all in-flight HTTP requests naturally complete. Against a slow or unresponsive server, this effectively makes the --timeout flag unreliable and can cause the crawl to hang well beyond the configured duration.

 

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

[cursor]

URL validation too permissive to catch invalid input

Medium Severity

The URL validation uses url.Parse, which succeeds for almost any string — including empty strings, relative paths, and bare words like "not-a-url". This means truly invalid inputs pass validation silently, leading to confusing runtime failures instead of clear init-time errors. Checking for a non-empty scheme (e.g., http or https) and host would catch these cases.

 

[MuneebUllahKhan222]

Just need address couple of small changes.

[MuneebUllahKhan222]

Need to add this line to enforce max number of go routines eg.SetLimit(s.concurrency)

[MuneebUllahKhan222]

I think we should log error even when err does not satisfies colly.AlreadyVisitedError

[MuneebUllahKhan222]

it should be defer close(done) outside the go routine.

[MuneebUllahKhan222]

I think we remove this to avoid probable miss-use.

[MuneebUllahKhan222]

Not sure but I think we can avoid this logic by doing

c := colly.NewCollector(
	colly.AllowedDomains("foo.com", "bar.com"),
)