From 3fb0d4322166fcee9a65c2cfad791ca44f1ba8c8 Mon Sep 17 00:00:00 2001
From: Andrey Kondratev <81143241+cockroach-eater@users.noreply.github.com>
Date: Fri, 29 Aug 2025 10:21:18 +0500
Subject: [PATCH] sec fixes

---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/security.yml | 5 -----
 .serena/memories/sarif_upload_removal.md | 12 ++++++++++++
 package.json | 3 +++
 src/database.ts | 2 +-
 src/server.ts | 3 ++-
 yarn.lock | 25 +++++++++++++++---------
 7 files changed, 36 insertions(+), 16 deletions(-)
 create mode 100644 .serena/memories/sarif_upload_removal.md

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b9d95c0..3c8c04e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -115,6 +115,8 @@ jobs:
 sed -i 's|build:|#build:|g' docker-compose.yml
 sed -i 's|context: .|#context: .|g' docker-compose.yml
 sed -i 's|dockerfile: Dockerfile|#dockerfile: Dockerfile|g' docker-compose.yml
+ # Remove any existing image lines and add new one
+ sed -i '/quixotic-app:/,/container_name:/{/image:/d}' docker-compose.yml
 sed -i '/quixotic-app:/a \ \ \ \ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest' docker-compose.yml
 
 # Deploy with zero downtime
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index cc831e0..35d0b8c 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -60,8 +60,3 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 
- - name: Upload Trivy scan results
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- with:
- sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/.serena/memories/sarif_upload_removal.md b/.serena/memories/sarif_upload_removal.md
new file mode 100644
index 0000000..07bd80e
--- /dev/null
+++ b/.serena/memories/sarif_upload_removal.md
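Review bot: The added range `/quixotic-app:/,/container_name:/{/image:/d}` has no guard for a missing end address: if the `quixotic-app:` service carries no `container_name:` key, sed extends the range to end of file and strips the `image:` line of every later service too, and the `a` command on the next line still appends the registry image. The opposite order is also unsafe: when `container_name:` precedes `image:` inside the service, the range closes early, the old `image:` survives and the service ends up with two `image:` keys. Unless docker-compose.yml is known to always place `container_name:` after `image:` under that service (not visible from this hunk), a narrower end anchor such as the next top-level service key, or a post-check like `grep -c '^ *image:' docker-compose.yml` with an expected count, would make the deploy fail loudly instead of silently rewriting unrelated services. The enclosing run step starts outside the hunk.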
@@ -0,0 +1,12 @@
+# SARIF Upload Removal
+
+## Issue
+Docker Security Scan workflow was failing because code scanning is not enabled for the repository and the button to enable it doesn't work.
+
+## Solution
+Removed the SARIF upload step from `.github/workflows/security.yml`:
+- Removed the "Upload Trivy scan results" step that was using `github/codeql-action/upload-sarif@v3`
+- This prevents the workflow failure while keeping the actual Trivy security scanning functionality intact
+
+## Result
+The Docker security scan will now run without trying to upload results to GitHub's code scanning feature, eliminating the failure point.
\ No newline at end of file
diff --git a/package.json b/package.json
index 8384951..60976d7 100644
--- a/package.json
+++ b/package.json
@@ -48,5 +48,8 @@
 },
 "engines": {
 "node": ">=16.0.0"
+ },
+ "resolutions": {
+ "axios": ">=0.30.0"
 }
 }
diff --git a/src/database.ts b/src/database.ts
index 86c4402..0c47880 100644
--- a/src/database.ts
+++ b/src/database.ts
@@ -23,7 +23,7 @@ export class Database {
 const connectionString = process.env.DATABASE_URL || 'postgresql://quixotic:quixotic123@localhost:5432/quixotic';
 this.pool = new Pool({
 connectionString,
- ssl: process.env.NODE_ENV === 'production' ? { rejectUnauthorized: false } : false
+ ssl: process.env.DATABASE_SSL === 'true' ? { rejectUnauthorized: false } : false
 });
 this.init();
 }
diff --git a/src/server.ts b/src/server.ts
index 1b4d11d..e598a99 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -1,4 +1,5 @@
 import express, { Request, Response } from 'express';
+import express, { Request, Response } from 'express';
 import path from 'path';
 import fs from 'fs';
 import ffmpeg from 'fluent-ffmpeg';
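Review bot: `"resolutions": { "axios": ">=0.30.0" }` is an open lower bound, so any future axios major would satisfy it, and the yarn.lock hunk shows the direct dependency still requesting `^0.21.0` (`axios@>=0.30.0, axios@^0.21.0:`) while the override resolved it to 1.11.0. The clearer fix is to raise the dependency where it is declared, `"axios": "^1.11.0"`, and drop the resolution, so the upgrade is visible in package.json and audit tooling tracks the real range instead of an override. 0.21 to 1.x is a major-version jump; the axios call sites in src (not in this diff) should be checked against that change rather than relying on the override alone.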
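Review bot: The new condition changes when TLS is used but keeps `rejectUnauthorized: false`, so with `DATABASE_SSL=true` the client encrypts to whatever server answers without verifying its certificate, which leaves the connection open to impersonation by an on-path host, the main thing TLS to a database is meant to rule out. Prefer `ssl: process.env.DATABASE_SSL === 'true' ? { rejectUnauthorized: true } : false`, optionally with a `ca` loaded from an env-supplied path for self-signed deployments, and make any unverified mode a separately named, explicit opt-in. The fallback `postgresql://quixotic:quixotic123@localhost:5432/quixotic` on the context line above is unchanged by this commit but ships default credentials in source and deserves a follow-up. The enclosing constructor starts outside the hunk.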
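Review bot: The added line is a byte-for-byte duplicate of the import directly above it, so `express`, `Request` and `Response` are declared twice and `tsc` rejects the module with duplicate-identifier errors before anything else in this commit can run. Delete the added `import express, { Request, Response } from 'express';` line. If the intent was to bring in a type for the error handler changed later in this file, extend the existing import instead: `import express, { NextFunction, Request, Response } from 'express';`.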
@@ -198,7 +199,7 @@ app.get('/health', (req: Request, res: Response) => {
 });
 
 // Error handler
-app.use((err: Error, req: Request, res: Response) => {
+app.use((err: Error, req: Request, res: Response, next: any) => {
 console.error(err.stack);
 res.status(500).json({ error: 'Something went wrong!' });
 });
diff --git a/yarn.lock b/yarn.lock
index 2243fd2..118e923 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -573,12 +573,14 @@ aws4@^1.8.0:
 resolved "https://registry.npmjs.org/aws4/-/aws4-1.13.2.tgz"
 integrity sha512-lHe62zvbTB5eEABUVi/AwVh0ZKY9rMMDhmm+eeyuuUQbQ3+J+fONVQOZyj+DdrvD4BY33uYniyRJ4UJIaSKAfw==
 
-axios@^0.21.0:
- version "0.21.4"
- resolved "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz"
- integrity sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==
+axios@>=0.30.0, axios@^0.21.0:
+ version "1.11.0"
+ resolved "https://registry.yarnpkg.com/axios/-/axios-1.11.0.tgz#c2ec219e35e414c025b2095e8b8280278478fdb6"
+ integrity sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==
 dependencies:
- follow-redirects "^1.14.0"
+ follow-redirects "^1.15.6"
+ form-data "^4.0.4"
+ proxy-from-env "^1.1.0"
 
 balanced-match@^1.0.0:
 version "1.0.2"
@@ -1287,9 +1289,9 @@ fluent-ffmpeg@^2.1.2:
 async "^0.2.9"
 which "^1.1.1"
 
-follow-redirects@^1.14.0:
+follow-redirects@^1.15.6:
 version "1.15.11"
- resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz"
+ resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
 integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==
 
 for-each@^0.3.3, for-each@^0.3.5:
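Review bot: `next: any` switches off checking on the one parameter the change exists to add: Express recognises an error handler only by its four-argument arity, so the parameter must stay, but its type is `NextFunction`, exported by express next to the `Request` and `Response` this file already imports. Change the signature to `app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {` and add `NextFunction` to the express import at the top of the file; the underscore also records that the argument is intentionally unused. `err: Error` is an assumption as well, since anything can be thrown; `err: unknown` with an `instanceof Error` check before reading `.stack` would keep `console.error` from printing `undefined` or throwing on a non-object rejection.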
@@ -1316,9 +1318,9 @@ form-data@^2.5.5:
 mime-types "^2.1.35"
 safe-buffer "^5.2.1"
 
-form-data@~4.0.4:
+form-data@^4.0.4, form-data@~4.0.4:
 version "4.0.4"
- resolved "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz"
+ resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4"
 integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==
 dependencies:
 asynckit "^0.4.0"
@@ -2196,6 +2198,11 @@ proxy-addr@~2.0.7:
 forwarded "0.2.0"
 ipaddr.js "1.9.1"
 
+proxy-from-env@^1.1.0:
+ version "1.1.0"
+ resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
+ integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
+
 psl@^1.1.33:
 version "1.15.0"
 resolved "https://registry.npmjs.org/psl/-/psl-1.15.0.tgz"