feat(ssh): Add SSH agent forwarding

.github/workflows/dependency-review.yml

@@ -21,6 +21,6 @@ jobs:
         with:
           comment-summary-in-pr: always
           fail-on-severity: high
-          allow-licenses: MIT, MIT-0, Apache-2.0, BSD-3-Clause, BSD-3-Clause-Clear, ISC, BSD-2-Clause, Unlicense, CC0-1.0, 0BSD, X11, MPL-2.0, MPL-1.0, MPL-1.1, MPL-2.0, OFL-1.1, Zlib, BlueOak-1.0.0, Ubuntu-font-1.0, Artistic-2.0, Python-2.0, EPL-2.0
+          allow-licenses: MIT, MIT-0, Apache-2.0, BSD-3-Clause, BSD-3-Clause-Clear, ISC, BSD-2-Clause, Unlicense, CC0-1.0, 0BSD, X11, MPL-2.0, MPL-1.0, MPL-1.1, MPL-2.0, OFL-1.1, Zlib, BlueOak-1.0.0, LicenseRef-scancode-dco-1.1, Ubuntu-font-1.0, Artistic-2.0, Python-2.0, EPL-2.0
           fail-on-scopes: development, runtime
           allow-dependencies-licenses: 'pkg:npm/caniuse-lite, pkg:npm/path-is-inside, pkg:npm/unicode-match-property-value-ecmascript, pkg:npm/unicode-property-aliases-ecmascript, pkg:npm/uri-js'

.gitignore

@@ -271,8 +271,14 @@ website/.docusaurus
 # Jetbrains IDE
 .idea
 
+# Test SSH keys (generated during tests)
+test/keys/
+test/.ssh/
+
 # VS COde IDE
 .vscode/settings.json
 
 # Generated from testing
 /test/fixtures/test-package/package-lock.json
+.ssh/
+

README.md

@@ -40,7 +40,7 @@
 
 ## What is GitProxy
 
-GitProxy is an application that stands between developers and a Git remote endpoint (e.g., `github.com`). It applies rules and workflows (configurable as `plugins`) to all outgoing `git push` operations to ensure they are compliant.
+GitProxy is an application that stands between developers and a Git remote endpoint (e.g., `github.com`). It applies rules and workflows (configurable as `plugins`) to all outgoing `git push` operations to ensure they are compliant. GitProxy supports both **HTTP/HTTPS** and **SSH** protocols with identical security scanning and validation.
 
 The main goal of GitProxy is to marry the defacto standard Open Source developer experience (git-based workflow of branching out, submitting changes and merging back) with security and legal requirements that firms have to comply with, when operating in highly regulated industries like financial services.
 
@@ -68,8 +68,9 @@ $ npx -- @finos/git-proxy
 
 Clone a repository, set the remote to the GitProxy URL and push your changes:
 
+### Using HTTPS
+
 ```bash
-# Only HTTPS cloning is supported at the moment, see https://github.com/finos/git-proxy/issues/27.
 $ git clone https://github.com/octocat/Hello-World.git && cd Hello-World
 # The below command is using the GitHub official CLI to fork the repo that is cloned.
 # You can also fork on the GitHub UI. For usage details on the CLI, see https://github.com/cli/cli
@@ -81,8 +82,54 @@ $ git remote add proxy http://localhost:8000/yourGithubUser/Hello-World.git
 $ git push proxy $(git symbolic-ref refs/remotes/origin/HEAD | sed 's@^refs/remotes/origin/@@')
 ```
 
+### Using SSH
+
+```bash
+$ git clone https://github.com/octocat/Hello-World.git && cd Hello-World
+$ gh repo fork
+✓ Created fork yourGithubUser/Hello-World
+...
+# Configure Git remote for SSH proxy
+$ git remote add proxy ssh://git@localhost:2222/github.com/yourGithubUser/Hello-World.git
+# Enable SSH agent forwarding (required)
+$ git config core.sshCommand "ssh -A"
+# Push through the proxy
+$ git push proxy $(git symbolic-ref refs/remotes/origin/HEAD | sed 's@^refs/remotes/origin/@@')
+```
+
+📖 **Full SSH setup guide**: [docs/SSH_SETUP.md](docs/SSH_SETUP.md)
+
+---
+
 Using the default configuration, GitProxy intercepts the push and _blocks_ it. To enable code pushing to your fork via GitProxy, add your repository URL into the GitProxy config file (`proxy.config.json`). For more information, refer to [our documentation](https://git-proxy.finos.org).
 
+## Protocol Support
+
+GitProxy supports both **HTTP/HTTPS** and **SSH** protocols with identical security features:
+
+### HTTP/HTTPS Support
+
+- ✅ Basic authentication and JWT tokens
+- ✅ Pack data extraction via middleware
+- ✅ Full security scanning and validation
+- ✅ Manual and auto-approval workflows
+
+### SSH Support
+
+- ✅ SSH key-based authentication
+- ✅ SSH agent forwarding (uses client's SSH keys securely)
+- ✅ Pack data capture from SSH streams
+- ✅ Same 16-processor security chain as HTTPS
+- ✅ Complete feature parity with HTTPS
+
+Both protocols provide the same level of security scanning, including:
+
+- Secret detection (gitleaks)
+- Commit message and author validation
+- Hidden commit detection
+- Pre-receive hooks
+- Comprehensive audit logging
+
 ## Documentation
 
 For detailed step-by-step instructions for how to install, deploy & configure GitProxy and

config.schema.json

@@ -7,7 +7,7 @@
   "properties": {
     "proxyUrl": {
       "type": "string",
-      "description": "Deprecated: Used in early versions of git proxy to configure the remote host that traffic is proxied to. In later versions, the repository URL is used to determine the domain proxied, allowing multiple hosts to be proxied by one instance.",
+      "description": "Deprecated: Used in early versions of GitProxy to configure the remote host that traffic is proxied to. In later versions, the repository URL is used to determine the domain proxied, allowing multiple hosts to be proxied by one instance.",
       "deprecated": true
     },
     "cookieSecret": { "type": "string" },
@@ -240,7 +240,7 @@
       "required": []
     },
     "domains": {
-      "description": "Provide custom URLs for the git proxy interfaces in case it cannot determine its own URL",
+      "description": "Provide custom URLs for the GitProxy interfaces in case it cannot determine its own URL",
       "type": "object",
       "properties": {
         "proxy": {
@@ -311,6 +311,17 @@
         "$ref": "#/definitions/authorisedRepo"
       }
     },
+    "limits": {
+      "description": "Configuration for various limits",
+      "type": "object",
+      "properties": {
+        "maxPackSizeBytes": {
+          "type": "number",
+          "description": "Maximum size of a pack file in bytes (default 1GB)"
+        }
+      },
+      "additionalProperties": false
+    },
     "sink": {
       "description": "List of database sources. The first source in the configuration with enabled=true will be used.",
       "type": "array",
@@ -388,6 +399,55 @@
         }
       }
     },
+    "ssh": {
+      "description": "SSH proxy server configuration. The proxy uses SSH agent forwarding to authenticate with remote Git servers (GitHub, GitLab, etc.) using the client's SSH keys. The proxy's own host key is auto-generated and only used to identify the proxy to connecting clients.",
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enable SSH proxy server. When enabled, clients can connect via SSH and the proxy will forward their SSH agent to authenticate with remote Git servers."
+        },
+        "port": {
+          "type": "number",
+          "description": "Port for SSH proxy server to listen on. Clients connect to this port instead of directly to GitHub/GitLab.",
+          "default": 2222
+        },
+        "agentForwardingErrorMessage": {
+          "type": "string",
+          "description": "Custom error message shown when SSH agent forwarding is not enabled or no keys are loaded in the client's SSH agent. If not specified, a default message with git config commands will be shown. This allows organizations to customize instructions based on their security policies."
+        },
+        "debug": {
+          "type": "boolean",
+          "description": "Enable verbose SSH protocol debug logging (both for the local SSH server and for outbound connections to remote Git servers). Emits one log line per SSH packet, so leave disabled in production.",
+          "default": false
+        },
+        "hostKey": {
+          "type": "object",
+          "description": "Custom SSH host key paths. If not specified, a host key is auto-generated at .ssh/proxy_host_key.",
+          "properties": {
+            "privateKeyPath": {
+              "type": "string",
+              "description": "Path to the private key file (e.g. /etc/git-proxy/host_key)"
+            },
+            "publicKeyPath": {
+              "type": "string",
+              "description": "Path to the public key file (e.g. /etc/git-proxy/host_key.pub)"
+            }
+          },
+          "required": ["privateKeyPath", "publicKeyPath"],
+          "additionalProperties": false
+        },
+        "knownHosts": {
+          "type": "object",
+          "description": "SSH host key fingerprints for verifying remote Git servers, merged with built-in defaults for github.com and gitlab.com.",
+          "additionalProperties": {
+            "type": "string"
+          }
+        }
+      },
+      "required": ["enabled"],
+      "additionalProperties": false
+    },
     "upstreamProxy": {
       "description": "Configuration for routing outbound requests to upstream Git hosts via an HTTP(S) proxy.",
       "type": "object",
@@ -494,7 +554,7 @@
             },
             "userGroup": {
               "type": "string",
-              "description": "Group that indicates that a user should be able to login to the Git Proxy UI and can work as a reviewer"
+              "description": "Group that indicates that a user should be able to login to the GitProxy UI and can work as a reviewer"
             },
             "domain": { "type": "string", "description": "Active Directory domain" },
             "adConfig": {

cypress/e2e/login.cy.js

@@ -19,7 +19,7 @@ describe('Login page', () => {
     cy.visit('/login');
   });
 
-  it('should have git proxy logo', () => {
+  it('should have GitProxy logo', () => {
     cy.get('[data-test="git-proxy-logo"]').should('exist');
   });
 

package.json

@@ -147,6 +147,7 @@
     "react-html-parser": "^2.0.2",
     "react-router-dom": "6.30.3",
     "simple-git": "^3.30.0",
+    "ssh2": "~1.17.0",
     "uuid": "^13.0.0",
     "validator": "^13.15.26",
     "yargs": "^17.7.2"
@@ -173,6 +174,7 @@
     "@types/passport-local": "^1.0.38",
     "@types/react-dom": "^17.0.26",
     "@types/react-html-parser": "^2.0.7",
+    "@types/ssh2": "^1.15.5",
     "@types/supertest": "^6.0.3",
     "@types/validator": "^13.15.10",
     "@types/yargs": "^17.0.35",