sec fixes

2025-08-29 10:21:18 +05:00
parent 8895639f20
commit 3fb0d43221
7 changed files with 36 additions and 16 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -115,6 +115,8 @@ jobs:
          sed -i 's|build:|#build:|g' docker-compose.yml
          sed -i 's|context: .|#context: .|g' docker-compose.yml  
          sed -i 's|dockerfile: Dockerfile|#dockerfile: Dockerfile|g' docker-compose.yml
+          # Remove any existing image lines and add new one
+          sed -i '/quixotic-app:/,/container_name:/{/image:/d}' docker-compose.yml
          sed -i '/quixotic-app:/a \ \ \ \ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest' docker-compose.yml
          
          # Deploy with zero downtime
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -60,8 +60,3 @@ jobs:
        format: 'sarif'
        output: 'trivy-results.sarif'

-    - name: Upload Trivy scan results
-      uses: github/codeql-action/upload-sarif@v3
-      if: always()
-      with:
-        sarif_file: 'trivy-results.sarif'
--- a/.serena/memories/sarif_upload_removal.md
+++ b/.serena/memories/sarif_upload_removal.md
@@ -0,0 +1,12 @@
+# SARIF Upload Removal
+
+## Issue
+Docker Security Scan workflow was failing because code scanning is not enabled for the repository and the button to enable it doesn't work.
+
+## Solution
+Removed the SARIF upload step from `.github/workflows/security.yml`:
+- Removed the "Upload Trivy scan results" step that was using `github/codeql-action/upload-sarif@v3`
+- This prevents the workflow failure while keeping the actual Trivy security scanning functionality intact
+
+## Result
+The Docker security scan will now run without trying to upload results to GitHub's code scanning feature, eliminating the failure point.
--- a/package.json
+++ b/package.json
@@ -48,5 +48,8 @@
  },
  "engines": {
    "node": ">=16.0.0"
+  },
+  "resolutions": {
+    "axios": ">=0.30.0"
  }
 }
--- a/src/database.ts
+++ b/src/database.ts
@@ -23,7 +23,7 @@ export class Database {
        const connectionString = process.env.DATABASE_URL || 'postgresql://quixotic:quixotic123@localhost:5432/quixotic';
        this.pool = new Pool({
            connectionString,
-            ssl: process.env.NODE_ENV === 'production' ? { rejectUnauthorized: false } : false
+            ssl: process.env.DATABASE_SSL === 'true' ? { rejectUnauthorized: false } : false
        });
        this.init();
    }
--- a/src/server.ts
+++ b/src/server.ts
@@ -1,4 +1,5 @@
 import express, { Request, Response } from 'express';
+import express, { Request, Response } from 'express';
 import path from 'path';
 import fs from 'fs';
 import ffmpeg from 'fluent-ffmpeg';
@@ -198,7 +199,7 @@ app.get('/health', (req: Request, res: Response) => {
 });

 // Error handler
-app.use((err: Error, req: Request, res: Response) => {
+app.use((err: Error, req: Request, res: Response, next: any) => {
    console.error(err.stack);
    res.status(500).json({ error: 'Something went wrong!' });
 });
--- a/yarn.lock
+++ b/yarn.lock
@@ -573,12 +573,14 @@ aws4@^1.8.0:
  resolved "https://registry.npmjs.org/aws4/-/aws4-1.13.2.tgz"
  integrity sha512-lHe62zvbTB5eEABUVi/AwVh0ZKY9rMMDhmm+eeyuuUQbQ3+J+fONVQOZyj+DdrvD4BY33uYniyRJ4UJIaSKAfw==

-axios@^0.21.0:
-  version "0.21.4"
-  resolved "https://registry.npmjs.org/axios/-/axios-0.21.4.tgz"
-  integrity sha512-ut5vewkiu8jjGBdqpM44XxjuCjq9LAKeHVmoVfHVzy8eHgxxq8SbAVQNovDA8mVi05kP0Ea/n/UzcSHcTJQfNg==
+axios@>=0.30.0, axios@^0.21.0:
+  version "1.11.0"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.11.0.tgz#c2ec219e35e414c025b2095e8b8280278478fdb6"
+  integrity sha512-1Lx3WLFQWm3ooKDYZD1eXmoGO9fxYQjrycfHFC8P0sCfQVXyROp0p9PFWBehewBOdCwHc+f/b8I0fMto5eSfwA==
  dependencies:
-    follow-redirects "^1.14.0"
+    follow-redirects "^1.15.6"
+    form-data "^4.0.4"
+    proxy-from-env "^1.1.0"

 balanced-match@^1.0.0:
  version "1.0.2"
@@ -1287,9 +1289,9 @@ fluent-ffmpeg@^2.1.2:
    async "^0.2.9"
    which "^1.1.1"

-follow-redirects@^1.14.0:
+follow-redirects@^1.15.6:
  version "1.15.11"
-  resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
  integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==

 for-each@^0.3.3, for-each@^0.3.5:
@@ -1316,9 +1318,9 @@ form-data@^2.5.5:
    mime-types "^2.1.35"
    safe-buffer "^5.2.1"

-form-data@~4.0.4:
+form-data@^4.0.4, form-data@~4.0.4:
  version "4.0.4"
-  resolved "https://registry.npmjs.org/form-data/-/form-data-4.0.4.tgz"
+  resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4"
  integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow==
  dependencies:
    asynckit "^0.4.0"
@@ -2196,6 +2198,11 @@ proxy-addr@~2.0.7:
    forwarded "0.2.0"
    ipaddr.js "1.9.1"

+proxy-from-env@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/proxy-from-env/-/proxy-from-env-1.1.0.tgz#e102f16ca355424865755d2c9e8ea4f24d58c3e2"
+  integrity sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==
+
 psl@^1.1.33:
  version "1.15.0"
  resolved "https://registry.npmjs.org/psl/-/psl-1.15.0.tgz"