c0e2fe2e12
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
84 lines
2.7 KiB
YAML
84 lines
2.7 KiB
YAML
name: Container Image Scan
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'veza-backend-api/Dockerfile*'
|
|
- 'apps/web/Dockerfile*'
|
|
- 'veza-stream-server/Dockerfile*'
|
|
pull_request:
|
|
branches: [main]
|
|
paths:
|
|
- 'veza-backend-api/Dockerfile*'
|
|
- 'apps/web/Dockerfile*'
|
|
- 'veza-stream-server/Dockerfile*'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
scan-backend:
|
|
name: Scan Backend Image
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Build backend image
|
|
run: docker build -t veza-backend:scan -f veza-backend-api/Dockerfile.production veza-backend-api/
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
image-ref: 'veza-backend:scan'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
ignore-unfixed: true
|
|
|
|
scan-stream-server:
|
|
name: Scan Stream Server Image
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Build stream server image
|
|
run: docker build -t veza-stream:scan -f veza-stream-server/Dockerfile .
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
image-ref: 'veza-stream:scan'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
ignore-unfixed: true
|
|
|
|
scan-frontend:
|
|
name: Scan Frontend Image
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Check if frontend Dockerfile exists
|
|
id: check
|
|
run: |
|
|
if [ -f "apps/web/Dockerfile" ] || [ -f "apps/web/Dockerfile.production" ]; then
|
|
echo "exists=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "exists=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Build frontend image
|
|
if: steps.check.outputs.exists == 'true'
|
|
run: |
|
|
DOCKERFILE=$([ -f "apps/web/Dockerfile.production" ] && echo "apps/web/Dockerfile.production" || echo "apps/web/Dockerfile")
|
|
docker build -t veza-frontend:scan -f "$DOCKERFILE" apps/web/
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
if: steps.check.outputs.exists == 'true'
|
|
uses: aquasecurity/trivy-action@master # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
image-ref: 'veza-frontend:scan'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
ignore-unfixed: true
|