sec fixes

.github/workflows/ci.yml

@@ -115,6 +115,8 @@ jobs:
           sed -i 's|build:|#build:|g' docker-compose.yml
           sed -i 's|context: .|#context: .|g' docker-compose.yml  
           sed -i 's|dockerfile: Dockerfile|#dockerfile: Dockerfile|g' docker-compose.yml
+          # Remove any existing image lines and add new one
+          sed -i '/quixotic-app:/,/container_name:/{/image:/d}' docker-compose.yml
           sed -i '/quixotic-app:/a \ \ \ \ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest' docker-compose.yml
           
           # Deploy with zero downtime

.github/workflows/security.yml

@@ -60,8 +60,3 @@ jobs:
         format: 'sarif'
         output: 'trivy-results.sarif'
 
-    - name: Upload Trivy scan results
-      uses: github/codeql-action/upload-sarif@v3
-      if: always()
-      with:
-        sarif_file: 'trivy-results.sarif'

.serena/memories/sarif_upload_removal.md

@@ -0,0 +1,12 @@
+# SARIF Upload Removal
+
+## Issue
+Docker Security Scan workflow was failing because code scanning is not enabled for the repository and the button to enable it doesn't work.
+
+## Solution
+Removed the SARIF upload step from `.github/workflows/security.yml`:
+- Removed the "Upload Trivy scan results" step that was using `github/codeql-action/upload-sarif@v3`
+- This prevents the workflow failure while keeping the actual Trivy security scanning functionality intact
+
+## Result
+The Docker security scan will now run without trying to upload results to GitHub's code scanning feature, eliminating the failure point.

package.json

@@ -48,5 +48,8 @@
   },
   "engines": {
     "node": ">=16.0.0"
+  },
+  "resolutions": {
+    "axios": ">=0.30.0"
   }
 }

src/database.ts

@@ -23,7 +23,7 @@ export class Database {
         const connectionString = process.env.DATABASE_URL || 'postgresql://quixotic:quixotic123@localhost:5432/quixotic';
         this.pool = new Pool({
             connectionString,
-            ssl: process.env.NODE_ENV === 'production' ? { rejectUnauthorized: false } : false
+            ssl: process.env.DATABASE_SSL === 'true' ? { rejectUnauthorized: false } : false
         });
         this.init();
     }

src/server.ts

@@ -1,4 +1,5 @@
 import express, { Request, Response } from 'express';
+import express, { Request, Response } from 'express';
 import path from 'path';
 import fs from 'fs';
 import ffmpeg from 'fluent-ffmpeg';
@@ -198,7 +199,7 @@ app.get('/health', (req: Request, res: Response) => {
 });
 
 // Error handler
-app.use((err: Error, req: Request, res: Response) => {
+app.use((err: Error, req: Request, res: Response, next: any) => {
     console.error(err.stack);
     res.status(500).json({ error: 'Something went wrong!' });
 });

yarn.lock

@@ -573,12 +573,14 @@ aws4@^1.8.0:
   resolved "https://registry.npmjs.org/aws4/-/aws4-1.13.2.tgz"
   integrity sha512-lHe62zvbTB5eEABUVi/AwVh0ZKY9rMMDhmm+eeyuuUQbQ3+J+fONVQOZyj+DdrvD4BY33uYniyRJ4UJIaSKAfw==
 
-axios@^0.21.0:
+axios@>=0.30.0, axios@^0.21.0:
-  version "0.21.4"
+  version "1.11.0"
-  resolved "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.11.0.tgz#c2ec219e35e414c025b2095e8b8280278478fdb6"
-  integrity sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==
+  integrity sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==
   dependencies:
-    follow-redirects "^1.14.0"
+    follow-redirects "^1.15.6"
+    form-data "^4.0.4"
+    proxy-from-env "^1.1.0"
 
 balanced-match@^1.0.0:
   version "1.0.2"
@@ -1287,9 +1289,9 @@ fluent-ffmpeg@^2.1.2:
     async "^0.2.9"
     which "^1.1.1"
 
-follow-redirects@^1.14.0:
+follow-redirects@^1.15.6:
   version "1.15.11"
-  resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
   integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==
 
 for-each@^0.3.3, for-each@^0.3.5:
@@ -1316,9 +1318,9 @@ form-data@^2.5.5:
     mime-types "^2.1.35"
     safe-buffer "^5.2.1"
 
-form-data@~4.0.4:
+form-data@^4.0.4, form-data@~4.0.4:
   version "4.0.4"
-  resolved "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz"
+  resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4"
   integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==
   dependencies:
     asynckit "^0.4.0"
@@ -2196,6 +2198,11 @@ proxy-addr@~2.0.7:
     forwarded "0.2.0"
     ipaddr.js "1.9.1"
 
+proxy-from-env@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
+  integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
+
 psl@^1.1.33:
   version "1.15.0"
   resolved "https://registry.npmjs.org/psl/-/psl-1.15.0.tgz"