223 changes: 223 additions & 0 deletions .github/workflows/ci-cd.yml
@@ -0,0 +1,223 @@
name: CI/CD Pipeline

on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]

jobs:
backend-lint:
name: Backend Linting
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
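Review bot: No `permissions:` block at workflow or job level, so every job in this file runs with the repository's default GITHUB_TOKEN scope even though only the final upload-sarif step needs anything beyond read access. Add `permissions: contents: read` at the top of the workflow and grant `security-events: write` on the security-scan job only; as written, whether that upload works at all depends on the repository's default token settings rather than on anything declared here. While here, the `push` and `pull_request` triggers on the same two branches mean a PR opened from a branch in this repository runs the whole pipeline twice per commit; a `concurrency` group keyed on `github.ref` with `cancel-in-progress: true` stops stale runs from piling up.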
Comment on lines +19 to +21
⚠️ Potential issue | 🟠 Major

Bump action versions to current majors.

Use newer majors to avoid runner deprecation and improve reliability.

  • actions/setup-python: v5
  • codecov/codecov-action: v4
  • actions/upload-artifact: v4

Example:

-uses: actions/setup-python@v4
+uses: actions/setup-python@v5
...
-uses: codecov/codecov-action@v3
+uses: codecov/codecov-action@v4
...
-uses: actions/upload-artifact@v3
+uses: actions/upload-artifact@v4

Based on static analysis hints

Also applies to: 78-80, 107-112, 165-168

🧰 Tools
🪛 actionlint (1.7.8)

19-19: the runner of "actions/setup-python@v4" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/ci-cd.yml around lines 19-21 (and also update occurrences at
78-80, 107-112, 165-168): the workflow uses outdated action major versions;
update actions/setup-python from v4 to v5, codecov/codecov-action to v4, and
actions/upload-artifact to v4 wherever they appear to ensure compatibility and
avoid runner deprecation — replace the version tags for these actions
consistently across the referenced line ranges, verify inputs remain the same
for the new majors, and run a quick workflow lint or dry run to confirm no
breaking changes in the updated action interfaces.


- name: Install Poetry
run: |
curl -sSL https://install.python-poetry.org | python3 -
echo "$HOME/.local/bin" >> $GITHUB_PATH

- name: Install dependencies
working-directory: ./backend
run: |
poetry install --with dev

- name: Run flake8
working-directory: ./backend
run: |
poetry run flake8 app integrations tests --max-line-length=120 --exclude=__pycache__

- name: Run isort check
working-directory: ./backend
run: |
poetry run isort --check-only app integrations tests

- name: Run autoflake check
working-directory: ./backend
run: |
poetry run autoflake --check --recursive app integrations tests

backend-test:
name: Backend Tests
runs-on: ubuntu-latest
needs: backend-lint

services:
weaviate:
image: cr.weaviate.io/semitechnologies/weaviate:1.31.0
ports:
- 8080:8080
env:
QUERY_DEFAULTS_LIMIT: 25
AUTHENTICATION_ANONYMOUS_ACCESS_ENABLED: 'true'
PERSISTENCE_DATA_PATH: '/var/lib/weaviate'
ENABLE_API_BASED_MODULES: 'true'
CLUSTER_HOSTNAME: 'node1'

rabbitmq:
image: rabbitmq:3-management
ports:
- 5672:5672
env:
RABBITMQ_DEFAULT_USER: guest
RABBITMQ_DEFAULT_PASS: guest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'

- name: Install Poetry
run: |
curl -sSL https://install.python-poetry.org | python3 -
echo "$HOME/.local/bin" >> $GITHUB_PATH

- name: Install dependencies
working-directory: ./backend
run: |
poetry install --with dev

- name: Run pytest
working-directory: ./backend
env:
SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
GEMINI_API_KEY: test_key
TAVILY_API_KEY: test_key
DISCORD_BOT_TOKEN: test_token
GITHUB_TOKEN: test_token
BACKEND_URL: http://localhost:8000
RABBITMQ_URL: amqp://guest:guest@localhost:5672/
run: |
poetry run pytest tests/ -v --cov=app --cov-report=xml
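Review bot: Both Poetry installs (backend-lint and backend-test) pipe `https://install.python-poetry.org` straight into `python3` with no version pinned, so the toolchain that builds the test environment is whatever the installer serves that day and two runs of the same commit are not reproducible; pass a fixed `POETRY_VERSION` to the installer or install a pinned release with `pipx install poetry==<version>`, after which `poetry install --with dev` resolves from the lockfile as intended. In the pytest step, `SUPABASE_URL` and `SUPABASE_KEY` come from `secrets`, but secrets are not exposed to `pull_request` runs from forks, so those values expand to empty strings on external PRs while the same tests pass on `push`; either make the tests independent of them or skip them when the values are unset. The weaviate and rabbitmq service containers declare no `options: --health-cmd ...`, so pytest can start before either service accepts connections and fail intermittently. Also note that a step-level `env` entry cannot reference a sibling entry through `${{ env.* }}`, so splitting the RabbitMQ credentials out of `RABBITMQ_URL` only works if `RABBITMQ_USER`/`RABBITMQ_PASS` are declared at job level.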

Comment on lines +92 to +105
⚠️ Potential issue | 🟠 Major

Avoid hardcoding Basic Auth credentials in env values.

The inline URL with user:pass is flagged. Use variables and compose the URL, or reference service envs, to satisfy scanners.

       env:
         SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
         SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
         GEMINI_API_KEY: test_key
         TAVILY_API_KEY: test_key
         DISCORD_BOT_TOKEN: test_token
         GITHUB_TOKEN: test_token
         BACKEND_URL: http://localhost:8000
-        RABBITMQ_URL: amqp://guest:guest@localhost:5672/
+        RABBITMQ_USER: guest
+        RABBITMQ_PASS: guest
+        RABBITMQ_URL: amqp://${{ env.RABBITMQ_USER }}:${{ env.RABBITMQ_PASS }}@localhost:5672/

Optionally point at the service hostname:

-        RABBITMQ_URL: amqp://${{ env.RABBITMQ_USER }}:${{ env.RABBITMQ_PASS }}@localhost:5672/
+        RABBITMQ_URL: amqp://${{ env.RABBITMQ_USER }}:${{ env.RABBITMQ_PASS }}@rabbitmq:5672/

Based on static analysis hints

πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Run pytest
working-directory: ./backend
env:
SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
GEMINI_API_KEY: test_key
TAVILY_API_KEY: test_key
DISCORD_BOT_TOKEN: test_token
GITHUB_TOKEN: test_token
BACKEND_URL: http://localhost:8000
RABBITMQ_URL: amqp://guest:guest@localhost:5672/
run: |
poetry run pytest tests/ -v --cov=app --cov-report=xml
- name: Run pytest
working-directory: ./backend
env:
SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
GEMINI_API_KEY: test_key
TAVILY_API_KEY: test_key
DISCORD_BOT_TOKEN: test_token
GITHUB_TOKEN: test_token
BACKEND_URL: http://localhost:8000
RABBITMQ_USER: guest
RABBITMQ_PASS: guest
RABBITMQ_URL: amqp://${{ env.RABBITMQ_USER }}:${{ env.RABBITMQ_PASS }}@localhost:5672/
run: |
poetry run pytest tests/ -v --cov=app --cov-report=xml
🧰 Tools
🪛 Checkov (3.2.334)

[medium] 102-103: Basic Auth Credentials

(CKV_SECRET_4)

- name: Upload coverage reports
uses: codecov/codecov-action@v3
with:
files: ./backend/coverage.xml
flags: backend
name: backend-coverage

frontend-lint:
name: Frontend Linting
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: frontend/package-lock.json

- name: Install dependencies
working-directory: ./frontend
run: npm ci

- name: Run ESLint
working-directory: ./frontend
run: npm run lint

- name: Check TypeScript
working-directory: ./frontend
run: npx tsc --noEmit

frontend-build:
name: Frontend Build
runs-on: ubuntu-latest
needs: frontend-lint

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '18'
cache: 'npm'
cache-dependency-path: frontend/package-lock.json

- name: Install dependencies
working-directory: ./frontend
run: npm ci

- name: Build frontend
working-directory: ./frontend
run: npm run build

- name: Upload build artifacts
uses: actions/upload-artifact@v3
with:
name: frontend-build
path: frontend/dist

docker-build:
name: Docker Build Test
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build backend image
uses: docker/build-push-action@v5
with:
context: ./backend
file: ./backend/Dockerfile
push: false
tags: devrai-backend:test
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Build frontend image
uses: docker/build-push-action@v5
with:
context: ./frontend
file: ./frontend/Dockerfile
push: false
tags: devrai-frontend:test
cache-from: type=gha
cache-to: type=gha,mode=max

security-scan:
name: Security Scanning
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
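Review bot: The Trivy step writes SARIF for CRITICAL/HIGH findings but sets no `exit-code`, so the security-scan job succeeds regardless of what it finds; add `exit-code: '1'` (and `ignore-unfixed: true` if unfixed OS CVEs would otherwise block every PR) if this scan is meant to gate merges rather than only populate the Security tab. Separately, docker-build is guarded by `if: github.event_name == 'pull_request'`, so the two Dockerfiles are never built on pushes to main or develop and a Dockerfile regression that lands by direct push is not caught until deploy. Neither docker-build nor security-scan declares `needs`, and the Trivy scan is `scan-type: 'fs'` against the source tree, so the built images are never scanned; if image-level scanning is wanted, add a `scan-type: image` step after a build with `push: false` and `load: true`.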
Comment on lines +210 to +217
πŸ› οΈ Refactor suggestion | 🟠 Major

Pin Trivy action to a tagged release or commit.

Avoid using the moving master branch for security tooling. Pin to a stable tag (or SHA) to ensure reproducibility.

-uses: aquasecurity/trivy-action@master
+uses: aquasecurity/[email protected]
πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
🤖 Prompt for AI Agents
.github/workflows/ci-cd.yml around lines 210 to 217: the workflow currently uses
aquasecurity/trivy-action@master which pins to a moving branch; replace that
with a specific tagged release (e.g. aquasecurity/[email protected]) or a
commit SHA to ensure reproducible runs, update any inputs if the pinned version
requires different params, run the pipeline to verify compatibility, and commit
the change so the action is no longer tracking master.


- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
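Review bot: `github/codeql-action/upload-sarif@v2` is a superseded major (v3 is current, and the version bumps above skipped it), and this step needs `security-events: write`, which nothing in the workflow grants, so on PRs from forks, where GITHUB_TOKEN is read-only, the upload will fail; give the security-scan job `permissions: security-events: write` (plus `contents: read`) or make the step conditional on `github.event.pull_request.head.repo.full_name == github.repository`. Also, `if: always()` still runs the upload when the Trivy step failed before writing trivy-results.sarif, so the error surfaced is a missing file rather than the scanner's own; guarding with `if: always() && hashFiles('trivy-results.sarif') != ''` keeps the upload of partial results without masking the real failure.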