chore: replace .npmrc with pnpm-workspace.yaml

.gitea/workflows/ci.yml

@@ -8,22 +8,31 @@ on:
       - main
 
 jobs:
-  lint:
-    name: Lint and Test
+  ci:
+    name: CI
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Source Files
         uses: actions/checkout@v4
 
-      - name: Use Node.js v22
+      - name: Use Node.js v24
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 24
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v2
         with:
-          version: 9
+          version: 10
+
+      - name: Ensure Dependencies are Pinned
+        uses: naomi-lgbt/dependency-pin-check@main
+        with:
+          language: javascript
+          dev-dependencies: true
+          peer-dependencies: true
+          optional-dependencies: true
 
       - name: Install Dependencies
         run: pnpm install

.gitea/workflows/security.yml

@@ -0,0 +1,177 @@
+name: Security Scan and Upload
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security-audit:
+    name: Security & DefectDojo Upload
+    runs-on: ubuntu-latest
+    continue-on-error: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # --- AUTO-SETUP PROJECT ---
+      - name: Ensure DefectDojo Product Exists
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+          PRODUCT_NAME: ${{ github.repository }} 
+          PRODUCT_TYPE_ID: 1 
+        run: |
+          sudo apt-get install jq -y > /dev/null
+          
+          echo "Checking connection to $DD_URL..."
+          
+          # Check if product exists - capture HTTP code to debug connection issues
+          RESPONSE=$(curl --write-out "%{http_code}" --silent --output /tmp/response.json \
+            -H "Authorization: Token $DD_TOKEN" \
+            "$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
+          
+          # If response is not 200, print error
+          if [ "$RESPONSE" != "200" ]; then
+            echo "::error::Failed to query DefectDojo. HTTP Code: $RESPONSE"
+            cat /tmp/response.json
+            exit 1
+          fi
+
+          COUNT=$(cat /tmp/response.json | jq -r '.count')
+          
+          if [ "$COUNT" = "0" ]; then
+            echo "Creating product '$PRODUCT_NAME'..."
+            curl -s -X POST "$DD_URL/api/v2/products/" \
+              -H "Authorization: Token $DD_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d '{ "name": "'"$PRODUCT_NAME"'", "description": "Auto-created by Gitea Actions", "prod_type": '$PRODUCT_TYPE_ID' }'
+          else
+            echo "Product '$PRODUCT_NAME' already exists."
+          fi
+
+      # --- 1. TRIVY (Dependencies & Misconfig) ---
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update && sudo apt-get install trivy -y
+
+      - name: Run Trivy (FS Scan)
+        run: |
+          trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0
+
+      - name: Upload Trivy to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Trivy results..."
+          # Generate today's date in YYYY-MM-DD format
+          TODAY=$(date +%Y-%m-%d)
+          
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Trivy Scan" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@trivy-results.json")
+          
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+            echo "::error::Upload Failed with HTTP $HTTP_CODE"
+            echo "--- SERVER RESPONSE ---"
+            cat response.txt
+            echo "-----------------------"
+            exit 1
+          else
+            echo "Upload Success!"
+          fi
+
+      # --- 2. GITLEAKS (Secrets) ---
+      - name: Install Gitleaks
+        run: |
+          wget -qO gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
+          tar -xzf gitleaks.tar.gz
+          sudo mv gitleaks /usr/local/bin/ && chmod +x /usr/local/bin/gitleaks
+
+      - name: Run Gitleaks
+        run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true
+
+      - name: Upload Gitleaks to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Gitleaks results..."  
+          TODAY=$(date +%Y-%m-%d)
+
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Gitleaks Scan" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@gitleaks-results.json")
+
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+             echo "::error::Upload Failed with HTTP $HTTP_CODE"
+             echo "--- SERVER RESPONSE ---"
+             cat response.txt
+             echo "-----------------------"
+             exit 1
+          else
+             echo "Upload Success!"
+          fi
+
+      # --- 3. SEMGREP (SAST) ---
+      - name: Install Semgrep (via pipx)
+        run: |
+          sudo apt-get install pipx -y
+          pipx install semgrep
+          # Add pipx binary path to GITHUB_PATH so next steps can see 'semgrep'
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run Semgrep
+        run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true
+
+      - name: Upload Semgrep to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Semgrep results..."
+          TODAY=$(date +%Y-%m-%d)
+          
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Semgrep JSON Report" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@semgrep-results.json")
+
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+             echo "::error::Upload Failed with HTTP $HTTP_CODE"
+             echo "--- SERVER RESPONSE ---"
+             cat response.txt
+             echo "-----------------------"
+             exit 1
+          else
+             echo "Upload Success!"
+          fi

README.md

@@ -8,7 +8,7 @@ This page is currently deployed. [View the live website.](https://www.npmjs.com/
 
 ## Feedback and Bugs
 
-If you have feedback or a bug report, please feel free to open a GitHub issue!
+If you have feedback or a bug report, please [log a ticket on our forum](https://support.nhcarrigan.com).
 
 ## Contributing
 

package.json

@@ -1,11 +1,12 @@
 {
   "name": "@nhcarrigan/discord-analytics",
-  "version": "0.0.1",
+  "version": "0.0.6",
   "description": "Package that pairs with our logging tool to provide analytics for our Discord bots.",
   "type": "module",
   "private": false,
   "main": "prod/index.js",
   "scripts": {
+    "prepublish": "pnpm run lint && pnpm run build",
     "lint": "eslint src --max-warnings 0",
     "build": "rm -rf prod && tsc",
     "test": "echo \"Error: no test specified\" && exit 0"
@@ -23,8 +24,8 @@
     "typescript": "5.9.3"
   },
   "peerDependencies": {
-    "discord.js": "^14.0.0",
-    "@nhcarrigan/logger": ">=1.1.0-hotfix"
+    "@nhcarrigan/logger": ">=1.1.0-hotfix",
+    "discord.js": "^14.0.0"
   },
   "dependencies": {
     "node-schedule": "2.1.1"

pnpm-workspace.yaml

@@ -0,0 +1,21 @@
+# Security
+
+# Do not execute any scripts of installed packages (project scripts still run)
+ignoreDepScripts: true
+# Do not automatically run pre/post scripts (e.g. preinstall, postbuild)
+enablePrePostScripts: false
+# Only allow packages published at least 10 days ago (reduces risk of compromised packages)
+minimumReleaseAge: 14400
+# Fail if a package's trust level has decreased compared to previous releases
+trustPolicy: no-downgrade
+# Ignore trust policy for packages published more than 1 year ago (predates provenance signing)
+trustPolicyIgnoreAfter: 525960
+# Fail if there are missing or invalid peer dependencies
+strictPeerDependencies: true
+# Prevent transitive dependencies from using exotic sources (git repos, direct tarball URLs)
+blockExoticSubdeps: true
+
+# Lockfile
+
+# Allow the lockfile to be updated during install (set to true in CI for stricter reproducibility)
+preferFrozenLockfile: false

src/index.ts

@@ -4,89 +4,25 @@
  * @author Naomi Carrigan
  */
 
-import { Logger } from "@nhcarrigan/logger";
 import { scheduleJob, type Job } from "node-schedule";
+import type { Logger } from "@nhcarrigan/logger";
 import type { Events, Client } from "discord.js";
 
-// eslint-disable-next-line complexity, max-lines-per-function, max-statements -- Justified
-const flatten = (
-  object: Record<string, unknown>,
-): Record<string, string | number | boolean> => {
-  const result: Record<string, string | number | boolean> = {};
-  for (const key in object) {
-    const value = object[key];
-    if (value === null || value === undefined) {
-      continue;
-    }
-    if (
-      typeof value === "string"
-      || typeof value === "number"
-      || typeof value === "boolean"
-    ) {
-      result[key] = value;
-      continue;
-    }
-    if (typeof value === "object" && !Array.isArray(value)) {
-      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Justified
-      const nested = flatten(value as Record<string, unknown>);
-      for (const nestedKey in nested) {
-        const nestedValue = nested[nestedKey];
-        if (nestedValue === undefined) {
-          continue;
-        }
-        result[`${key}_${nestedKey}`] = nestedValue;
-      }
-      continue;
-    }
-    if (Array.isArray(value)) {
-      for (const [ index, arrayValue ] of value.entries()) {
-        if (
-          typeof arrayValue === "string"
-            || typeof arrayValue === "number"
-            || typeof arrayValue === "boolean"
-        ) {
-          result[`${key}_${index.toString()}`] = arrayValue;
-          continue;
-        }
-        if (typeof arrayValue === "object" && arrayValue !== null) {
-          // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- Justified
-          const nested = flatten(arrayValue as Record<string, unknown>);
-          for (const nestedKey in nested) {
-            const nestedValue = nested[nestedKey];
-            // eslint-disable-next-line max-depth -- Justified
-            if (nestedValue === undefined) {
-              continue;
-            }
-            result[`${key}_${index.toString()}_${nestedKey}`] = nestedValue;
-          }
-        }
-      }
-      continue;
-    }
-  }
-  return result;
-};
-
 /**
  * A class for logging Discord bot analytics.
  */
 export class DiscordAnalytics {
-  private readonly logger: Logger;
   private job: Job | null = null;
 
   /**
    * Creates a new instance of the DiscordAnalytics class.
    * @param client -- The Discord client to monitor.
-   * @param name -- The name of the application.
-   * @param logToken -- Auth token for our logging service.
+   * @param logger -- Instance of @nhcarrigan/logger to use for logging.
    */
   public constructor(
     private readonly client: Client,
-    name: string,
-    logToken: string,
-  ) {
-    this.logger = new Logger(name, logToken);
-  }
+    private readonly logger: Logger,
+  ) {}
 
   /**
    * Starts a CRON job to run at midnight (system time) daily.
@@ -98,7 +34,7 @@ export class DiscordAnalytics {
     if (this.job) {
       return;
     }
-    this.job = scheduleJob("metrics", "0 * * * *", async() => {
+    this.job = scheduleJob("metrics", "0 0 * * *", async() => {
       try {
         const fakeGuilds = await this.client.guilds.fetch();
         const guilds = await Promise.all(
@@ -150,6 +86,11 @@ export class DiscordAnalytics {
     event: Events,
     payload: Record<string, unknown>,
   ): Promise<void> {
-    await this.logger.metric(event, 1, flatten(payload));
+    await this.logger.metric(
+      event,
+      1,
+      // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- We want to cast this to a specific type.
+      payload as Record<string, string | number>,
+    );
   }
 }