-
Notifications
You must be signed in to change notification settings - Fork 0
Add quality/hardening: optional heavy deps, config validation, pre-commit hooks, Renovate, SBOM, telemetry #12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
f238c88
3af878d
e1bf9ef
0867e27
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,120 @@ | ||||||||||||||||||||||||||
| name: Security Scanning and SBOM | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||
| push: | ||||||||||||||||||||||||||
| branches: [ main ] | ||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||
| branches: [ main ] | ||||||||||||||||||||||||||
| schedule: | ||||||||||||||||||||||||||
| # Run weekly on Monday at 2 AM UTC | ||||||||||||||||||||||||||
| - cron: '0 2 * * 1' | ||||||||||||||||||||||||||
| workflow_dispatch: | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||
| sbom-generation: | ||||||||||||||||||||||||||
| name: Generate SBOM | ||||||||||||||||||||||||||
| runs-on: ubuntu-latest | ||||||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||||||
| contents: read | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| steps: | ||||||||||||||||||||||||||
| - name: Checkout repository | ||||||||||||||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||
| - name: Install Syft | ||||||||||||||||||||||||||
| run: | | ||||||||||||||||||||||||||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | ||||||||||||||||||||||||||
|
||||||||||||||||||||||||||
| curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| set -euo pipefail | |
| SYFT_VERSION="v1.6.0" | |
| TARBALL="syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" | |
| CHECKSUMS_FILE="syft_${SYFT_VERSION#v}_checksums.txt" | |
| curl -sSfL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/${TARBALL}" -o "${TARBALL}" | |
| curl -sSfL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/${CHECKSUMS_FILE}" -o "${CHECKSUMS_FILE}" | |
| grep " ${TARBALL}\$" "${CHECKSUMS_FILE}" | sha256sum -c - | |
| sudo tar -xzf "${TARBALL}" -C /usr/local/bin syft |
Copilot
AI
Feb 7, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using aquasecurity/trivy-action@master is not pinned and can change unexpectedly (supply-chain/reproducibility risk). Pin to a stable release tag or, ideally, a full commit SHA.
Copilot
AI
Feb 7, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Second Trivy invocation is also using aquasecurity/trivy-action@master and should be pinned to a release tag or commit SHA for reproducibility/supply-chain safety.
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,4 @@ | ||||||||||||
| #!/usr/bin/env sh | ||||||||||||
| . "$(dirname -- "$0")/_/husky.sh" | ||||||||||||
|
||||||||||||
| . "$(dirname -- "$0")/_/husky.sh" | |
| HUSKY_SH="$(dirname -- "$0")/_/husky.sh" | |
| if [ -f "$HUSKY_SH" ]; then | |
| . "$HUSKY_SH" | |
| fi |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,6 +56,29 @@ This repository integrates with: | |
| - n8n webhook URL | ||
| - Cloudflare API token | ||
|
|
||
| ### Optional Heavy Dependencies | ||
|
|
||
| This project supports optional heavy ML/AI dependencies via npm's `optionalDependencies`. These are not installed by default to keep the base installation lightweight: | ||
|
|
||
| - **@huggingface/transformers** - Hugging Face transformers for local ML models | ||
| - **@pinecone-database/pinecone** - Pinecone vector database client | ||
| - **weaviate-ts-client** - Weaviate vector database client | ||
| - **@opentelemetry/*** - OpenTelemetry instrumentation (see Telemetry section) | ||
|
Comment on lines
+61
to
+66
|
||
|
|
||
| **Note**: ChromaDB is available separately but may require additional configuration due to OpenAI SDK version compatibility. | ||
|
|
||
| To install with optional dependencies: | ||
| ```bash | ||
| cd backend | ||
| npm install --include=optional | ||
| ``` | ||
|
|
||
| To install without optional dependencies (default): | ||
| ```bash | ||
| cd backend | ||
| npm install | ||
| ``` | ||
|
Comment on lines
+70
to
+80
|
||
|
|
||
| ### Quick Start - Full Stack Application | ||
|
|
||
| For detailed setup instructions, see [FULLSTACK_SETUP.md](FULLSTACK_SETUP.md) | ||
|
|
@@ -80,6 +103,52 @@ npm start | |
|
|
||
| Visit `http://localhost:3000` to access the application. | ||
|
|
||
| ### Configuration Validation | ||
|
|
||
| The backend uses typed configuration validation with Zod to ensure all environment variables are correctly set before the application starts: | ||
|
|
||
| ```bash | ||
| # Validate configuration without starting the server | ||
| cd backend | ||
| npm run build | ||
| npm run test:smoke | ||
| ``` | ||
|
|
||
| Configuration schema validates: | ||
| - Port numbers are valid (1-65535) | ||
| - Required API keys are present | ||
| - Database connection strings are properly formatted | ||
| - Environment is one of: development, production, test | ||
|
|
||
| If validation fails, detailed error messages will indicate which configuration values are missing or invalid. | ||
|
|
||
| ### Telemetry (Optional) | ||
|
|
||
| The application supports optional OpenTelemetry instrumentation for distributed tracing and monitoring. Telemetry is **disabled by default** and requires optional dependencies. | ||
|
|
||
| To enable telemetry: | ||
|
|
||
| 1. Install optional dependencies: | ||
| ```bash | ||
| cd backend | ||
| npm install --include=optional | ||
| ``` | ||
|
|
||
| 2. Set environment variables in `.env`: | ||
| ```env | ||
| TELEMETRY_ENABLED=true | ||
| TELEMETRY_SERVICE_NAME=time-machines-backend | ||
| OTEL_EXPORTER_OTLP_ENDPOINT=http://your-otlp-collector:4318/v1/traces | ||
| ``` | ||
|
|
||
| Supported telemetry backends: | ||
| - Jaeger | ||
| - Zipkin | ||
| - Any OTLP-compatible collector | ||
| - Cloud providers (AWS X-Ray, Google Cloud Trace, Azure Monitor) | ||
|
|
||
| **Note**: No vendor lock-in - uses OpenTelemetry standard protocol. | ||
|
|
||
| ### Quick Start - Docker | ||
|
|
||
| ```bash | ||
|
|
@@ -118,10 +187,17 @@ docker-compose logs -f | |
|
|
||
| ### CI/CD Pipeline | ||
| Runs on every push and pull request: | ||
| - Code quality and security scanning | ||
| - CodeQL analysis | ||
| - Dependency review | ||
| - Integration health checks | ||
| - **Lint and Format Check** - ESLint and Prettier validation | ||
| - **Code quality and security scanning** - CodeQL analysis | ||
| - **Dependency review** - Automated dependency vulnerability checks | ||
| - **Integration health checks** - Validates external service connections | ||
|
|
||
| ### Security Scanning and SBOM | ||
| Automated security scanning with SBOM generation: | ||
| - **Trivy scanning** - Vulnerability detection in dependencies and code | ||
| - **SBOM generation** - Software Bill of Materials in SPDX and CycloneDX formats | ||
| - **npm audit** - Regular dependency vulnerability scans | ||
| - Runs weekly and on pull requests to main branch | ||
|
|
||
| ### Cross-Repository Integration | ||
| Enables synchronization across repositories: | ||
|
|
@@ -130,10 +206,13 @@ Enables synchronization across repositories: | |
| - Coordinate updates across the ecosystem | ||
|
|
||
| ### Dependency Management | ||
| Weekly automated checks: | ||
| - Dependency updates | ||
| - Security audits | ||
| - Cross-repository synchronization | ||
| Automated dependency updates via Renovate: | ||
| - **Renovate bot** - Automated dependency updates ([renovate.json](renovate.json)) | ||
| - Weekly update schedule (Mondays before 3 AM EST) | ||
| - Grouped updates for heavy ML/AI dependencies | ||
| - Security vulnerability alerts with high priority | ||
| - Auto-merge for patch updates on dev dependencies | ||
| - See [Renovate Dashboard](https://app.renovatebot.com/dashboard) for update status | ||
|
|
||
| ## 💡 Usage Examples | ||
|
|
||
|
|
@@ -163,6 +242,40 @@ We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) f | |
| - Integration development | ||
| - Submitting pull requests | ||
|
|
||
| ### Development Setup | ||
|
|
||
| 1. **Install dependencies**: | ||
| ```bash | ||
| cd backend | ||
| npm install | ||
| ``` | ||
|
|
||
| 2. **Set up pre-commit hooks** (optional but recommended): | ||
| ```bash | ||
| cd backend | ||
| npm run prepare # Installs Husky hooks | ||
| ``` | ||
|
|
||
| Pre-commit hooks will automatically: | ||
| - Run ESLint to check for code issues | ||
| - Run Prettier to format code | ||
| - Run on staged files only (via lint-staged) | ||
|
|
||
| 3. **Run linting and formatting**: | ||
| ```bash | ||
| cd backend | ||
| npm run lint # Check for issues | ||
| npm run lint:fix # Fix issues automatically | ||
| npm run format # Format code with Prettier | ||
| ``` | ||
|
|
||
| 4. **Run tests**: | ||
| ```bash | ||
| cd backend | ||
| npm test # Run all tests | ||
| npm run test:smoke # Run smoke tests (config validation) | ||
| ``` | ||
|
|
||
| ## 📊 Project Status | ||
|
|
||
|  | ||
|
|
@@ -176,11 +289,24 @@ We welcome contributions! Please see our [Contributing Guide](CONTRIBUTING.md) f | |
| ## 🔒 Security | ||
|
|
||
| This project uses multiple security measures: | ||
| - CodeQL analysis for vulnerabilities | ||
| - Trivy container scanning | ||
| - Dependency review on pull requests | ||
| - Secret scanning enabled | ||
| - Regular security audits | ||
| - **CodeQL analysis** - Automated code vulnerability detection | ||
| - **Trivy container scanning** - Filesystem and dependency scanning | ||
| - **SBOM generation** - Software Bill of Materials for transparency | ||
| - SPDX format for compliance | ||
| - CycloneDX format for tooling integration | ||
| - Available as CI artifacts (90-day retention) | ||
| - **Dependency review** - Automated checks on pull requests | ||
| - **Secret scanning** - Prevents credential leaks | ||
| - **Renovate** - Automated dependency updates with security alerts | ||
| - **npm audit** - Regular dependency vulnerability scans | ||
| - **Pre-commit hooks** - Lint and format checks before commit | ||
|
|
||
| ### Security Scanning | ||
|
|
||
| View security scan results: | ||
| - **GitHub Security tab** - CodeQL and Trivy SARIF results | ||
| - **Actions artifacts** - SBOM files and detailed scan reports | ||
| - **Renovate Dashboard** - Dependency update status | ||
|
|
||
| Report security issues via GitHub Security Advisories. | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| module.exports = { | ||
| parser: '@typescript-eslint/parser', | ||
| parserOptions: { | ||
| ecmaVersion: 2020, | ||
| sourceType: 'module', | ||
| project: './tsconfig.json', | ||
| }, | ||
| extends: [ | ||
| 'eslint:recommended', | ||
| 'plugin:@typescript-eslint/recommended', | ||
| 'plugin:prettier/recommended', | ||
| ], | ||
| plugins: ['@typescript-eslint', 'prettier'], | ||
| rules: { | ||
| 'prettier/prettier': 'error', | ||
| '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }], | ||
| '@typescript-eslint/explicit-module-boundary-types': 'off', | ||
| '@typescript-eslint/no-explicit-any': 'warn', | ||
| }, | ||
| env: { | ||
| node: true, | ||
| es2020: true, | ||
| }, | ||
| ignorePatterns: ['dist', 'node_modules', '*.js'], | ||
| }; |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| dist | ||
| node_modules | ||
| coverage | ||
| *.log |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PR description mentions scans running “Mondays 3AM EST”, but this workflow is scheduled for
0 2 * * 1(2 AM UTC), which is not 3 AM America/New_York and may even run on Sunday evening in EST/EDT. Align the cron/timezone comment with the intended schedule (or adjust the cron) to avoid surprises.