generated from nhcarrigan/template
Compare commits
12 Commits
v1.0.0
...
dependenci
| Author | SHA1 | Date | |
|---|---|---|---|
| 688bff7095 | |||
| c836ea636f | |||
| 5876686754 | |||
| fba3af6f22 | |||
| be563eb608 | |||
| 12b82907dc | |||
| b1afed5ef2 | |||
| 271ebd1e64 | |||
| 54c53f322a | |||
| cc07a86807 | |||
| fc9ca35a55 | |||
| 9f041454c0 |
@@ -8,8 +8,9 @@ on:
|
||||
- main
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
name: Lint and Test
|
||||
ci:
|
||||
name: CI
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- name: Checkout Source Files
|
||||
@@ -25,14 +26,22 @@ jobs:
|
||||
with:
|
||||
version: 10
|
||||
|
||||
- name: Ensure Dependencies are Pinned
|
||||
uses: naomi-lgbt/dependency-pin-check@main
|
||||
with:
|
||||
language: javascript
|
||||
dev-dependencies: true
|
||||
peer-dependencies: true
|
||||
optional-dependencies: true
|
||||
|
||||
- name: Install Dependencies
|
||||
run: pnpm install
|
||||
|
||||
- name: Verify Build
|
||||
run: pnpm run build
|
||||
|
||||
- name: Lint Source Files
|
||||
run: pnpm run lint
|
||||
|
||||
- name: Verify Build
|
||||
run: pnpm run build
|
||||
|
||||
- name: Run Tests
|
||||
run: pnpm run test
|
||||
|
||||
177
.gitea/workflows/security.yml
Normal file
177
.gitea/workflows/security.yml
Normal file
@@ -0,0 +1,177 @@
|
||||
name: Security Scan and Upload
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ main ]
|
||||
pull_request:
|
||||
branches: [ main ]
|
||||
schedule:
|
||||
- cron: '0 0 * * 1'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
security-audit:
|
||||
name: Security & DefectDojo Upload
|
||||
runs-on: ubuntu-latest
|
||||
continue-on-error: true
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# --- AUTO-SETUP PROJECT ---
|
||||
- name: Ensure DefectDojo Product Exists
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
PRODUCT_NAME: ${{ github.repository }}
|
||||
PRODUCT_TYPE_ID: 1
|
||||
run: |
|
||||
sudo apt-get install jq -y > /dev/null
|
||||
|
||||
echo "Checking connection to $DD_URL..."
|
||||
|
||||
# Check if product exists - capture HTTP code to debug connection issues
|
||||
RESPONSE=$(curl --write-out "%{http_code}" --silent --output /tmp/response.json \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
"$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
|
||||
|
||||
# If response is not 200, print error
|
||||
if [ "$RESPONSE" != "200" ]; then
|
||||
echo "::error::Failed to query DefectDojo. HTTP Code: $RESPONSE"
|
||||
cat /tmp/response.json
|
||||
exit 1
|
||||
fi
|
||||
|
||||
COUNT=$(cat /tmp/response.json | jq -r '.count')
|
||||
|
||||
if [ "$COUNT" = "0" ]; then
|
||||
echo "Creating product '$PRODUCT_NAME'..."
|
||||
curl -s -X POST "$DD_URL/api/v2/products/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-H "Content-Type: application/json" \
|
||||
-d '{ "name": "'"$PRODUCT_NAME"'", "description": "Auto-created by Gitea Actions", "prod_type": '$PRODUCT_TYPE_ID' }'
|
||||
else
|
||||
echo "Product '$PRODUCT_NAME' already exists."
|
||||
fi
|
||||
|
||||
# --- 1. TRIVY (Dependencies & Misconfig) ---
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
|
||||
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
|
||||
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
|
||||
sudo apt-get update && sudo apt-get install trivy -y
|
||||
|
||||
- name: Run Trivy (FS Scan)
|
||||
run: |
|
||||
trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0
|
||||
|
||||
- name: Upload Trivy to DefectDojo
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
run: |
|
||||
echo "Uploading Trivy results..."
|
||||
# Generate today's date in YYYY-MM-DD format
|
||||
TODAY=$(date +%Y-%m-%d)
|
||||
|
||||
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-F "active=true" \
|
||||
-F "verified=true" \
|
||||
-F "scan_type=Trivy Scan" \
|
||||
-F "engagement_name=CI/CD Pipeline" \
|
||||
-F "product_name=${{ github.repository }}" \
|
||||
-F "scan_date=$TODAY" \
|
||||
-F "auto_create_context=true" \
|
||||
-F "file=@trivy-results.json")
|
||||
|
||||
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
|
||||
echo "::error::Upload Failed with HTTP $HTTP_CODE"
|
||||
echo "--- SERVER RESPONSE ---"
|
||||
cat response.txt
|
||||
echo "-----------------------"
|
||||
exit 1
|
||||
else
|
||||
echo "Upload Success!"
|
||||
fi
|
||||
|
||||
# --- 2. GITLEAKS (Secrets) ---
|
||||
- name: Install Gitleaks
|
||||
run: |
|
||||
wget -qO gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
|
||||
tar -xzf gitleaks.tar.gz
|
||||
sudo mv gitleaks /usr/local/bin/ && chmod +x /usr/local/bin/gitleaks
|
||||
|
||||
- name: Run Gitleaks
|
||||
run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true
|
||||
|
||||
- name: Upload Gitleaks to DefectDojo
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
run: |
|
||||
echo "Uploading Gitleaks results..."
|
||||
TODAY=$(date +%Y-%m-%d)
|
||||
|
||||
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-F "active=true" \
|
||||
-F "verified=true" \
|
||||
-F "scan_type=Gitleaks Scan" \
|
||||
-F "engagement_name=CI/CD Pipeline" \
|
||||
-F "product_name=${{ github.repository }}" \
|
||||
-F "scan_date=$TODAY" \
|
||||
-F "auto_create_context=true" \
|
||||
-F "file=@gitleaks-results.json")
|
||||
|
||||
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
|
||||
echo "::error::Upload Failed with HTTP $HTTP_CODE"
|
||||
echo "--- SERVER RESPONSE ---"
|
||||
cat response.txt
|
||||
echo "-----------------------"
|
||||
exit 1
|
||||
else
|
||||
echo "Upload Success!"
|
||||
fi
|
||||
|
||||
# --- 3. SEMGREP (SAST) ---
|
||||
- name: Install Semgrep (via pipx)
|
||||
run: |
|
||||
sudo apt-get install pipx -y
|
||||
pipx install semgrep
|
||||
# Add pipx binary path to GITHUB_PATH so next steps can see 'semgrep'
|
||||
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||
|
||||
- name: Run Semgrep
|
||||
run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true
|
||||
|
||||
- name: Upload Semgrep to DefectDojo
|
||||
env:
|
||||
DD_URL: ${{ secrets.DD_URL }}
|
||||
DD_TOKEN: ${{ secrets.DD_TOKEN }}
|
||||
run: |
|
||||
echo "Uploading Semgrep results..."
|
||||
TODAY=$(date +%Y-%m-%d)
|
||||
|
||||
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
|
||||
-H "Authorization: Token $DD_TOKEN" \
|
||||
-F "active=true" \
|
||||
-F "verified=true" \
|
||||
-F "scan_type=Semgrep JSON Report" \
|
||||
-F "engagement_name=CI/CD Pipeline" \
|
||||
-F "product_name=${{ github.repository }}" \
|
||||
-F "scan_date=$TODAY" \
|
||||
-F "auto_create_context=true" \
|
||||
-F "file=@semgrep-results.json")
|
||||
|
||||
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
|
||||
echo "::error::Upload Failed with HTTP $HTTP_CODE"
|
||||
echo "--- SERVER RESPONSE ---"
|
||||
cat response.txt
|
||||
echo "-----------------------"
|
||||
exit 1
|
||||
else
|
||||
echo "Upload Success!"
|
||||
fi
|
||||
25
.npmrc
Normal file
25
.npmrc
Normal file
@@ -0,0 +1,25 @@
|
||||
# Package Manager Configuration
|
||||
# Force pnpm usage - breaks npm/yarn intentionally
|
||||
node-linker=pnpm
|
||||
|
||||
# Security: Disable all lifecycle scripts
|
||||
ignore-scripts=true
|
||||
enable-pre-post-scripts=false
|
||||
|
||||
# Security: Require packages to be 10+ days old before installation
|
||||
minimum-release-age=14400
|
||||
|
||||
# Security: Verify package integrity hashes
|
||||
verify-store-integrity=true
|
||||
|
||||
# Security: Enforce strict trust policies
|
||||
trust-policy=strict
|
||||
|
||||
# Security: Strict peer dependency resolution
|
||||
strict-peer-dependencies=true
|
||||
|
||||
# Performance: Use symlinks for node_modules
|
||||
symlink=true
|
||||
|
||||
# Lockfile: Ensure lockfile is not modified during install
|
||||
frozen-lockfile=false
|
||||
@@ -18,7 +18,7 @@ This page is currently deployed. [View the live website.]
|
||||
|
||||
## Feedback and Bugs
|
||||
|
||||
If you have feedback or a bug report, please feel free to open a GitHub issue!
|
||||
If you have feedback or a bug report, please [log a ticket on our forum](https://support.nhcarrigan.com).
|
||||
|
||||
## Contributing
|
||||
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
"typescript": "5.9.2"
|
||||
},
|
||||
"dependencies": {
|
||||
"@nhcarrigan/logger": "1.0.0",
|
||||
"@nhcarrigan/logger": "1.1.1",
|
||||
"@prisma/client": "6.13.0",
|
||||
"discord.js": "14.21.0",
|
||||
"fastify": "5.5.0"
|
||||
|
||||
10
pnpm-lock.yaml
generated
10
pnpm-lock.yaml
generated
@@ -9,8 +9,8 @@ importers:
|
||||
.:
|
||||
dependencies:
|
||||
'@nhcarrigan/logger':
|
||||
specifier: 1.0.0
|
||||
version: 1.0.0
|
||||
specifier: 1.1.1
|
||||
version: 1.1.1
|
||||
'@prisma/client':
|
||||
specifier: 6.13.0
|
||||
version: 6.13.0(prisma@6.13.0(typescript@5.9.2))(typescript@5.9.2)
|
||||
@@ -350,8 +350,8 @@ packages:
|
||||
typescript: '>=5'
|
||||
vitest: '>=2'
|
||||
|
||||
'@nhcarrigan/logger@1.0.0':
|
||||
resolution: {integrity: sha512-2e19Bie+ZKb6yKPKjhawqsENkhHatYkvBAmFZx9eToOXdOca+CYi51tldRMtejg6e0+4hOOf2bo5zdBQKmH0dw==}
|
||||
'@nhcarrigan/logger@1.1.1':
|
||||
resolution: {integrity: sha512-P6OEQFHDtf6psybYGljuCxkSW6DLQCsx1aZZ3w4YKBXHBFjDbhuvpM9K1kPhVN48hakitx2WPLEoIFr6YZELYw==}
|
||||
|
||||
'@nhcarrigan/typescript-config@4.0.0':
|
||||
resolution: {integrity: sha512-969HVha7A/Sg77fuMwOm6p14a+7C5iE6g55OD71srqwKIgksQl+Ex/hAI/pyzTQFDQ/FBJbpnHlR4Ov25QV/rw==}
|
||||
@@ -2644,7 +2644,7 @@ snapshots:
|
||||
- eslint-import-resolver-webpack
|
||||
- supports-color
|
||||
|
||||
'@nhcarrigan/logger@1.0.0': {}
|
||||
'@nhcarrigan/logger@1.1.1': {}
|
||||
|
||||
'@nhcarrigan/typescript-config@4.0.0(typescript@5.9.2)':
|
||||
dependencies:
|
||||
|
||||
@@ -9,4 +9,6 @@ export const reservedSlugs = [
|
||||
"unsub",
|
||||
"overlimit",
|
||||
"404",
|
||||
"favicon.ico",
|
||||
"robots.txt",
|
||||
];
|
||||
|
||||
@@ -16,7 +16,7 @@ export const error = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oh dear!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>Something went wrong while trying to redirect you! Please try again later.</p>
|
||||
</section>
|
||||
|
||||
@@ -16,7 +16,7 @@ export const fourOhFour = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oh no!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>It looks like that link is no longer registered! You should ask the person who shared it with you for an updated URL.</p>
|
||||
</section>
|
||||
|
||||
@@ -16,7 +16,7 @@ export const home = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Lynira</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>Link shortener service managed via a Discord bot.</p>
|
||||
<a href="https://discord.com/oauth2/authorize?client_id=1404593859656417320" class="social-button discord-button" style="display: inline-block; background-color: #5865F2; color: white; padding: 10px 20px; text-decoration: none; border-radius: 4px; margin: 5px;">
|
||||
|
||||
@@ -16,7 +16,7 @@ export const overlimit = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oopsie!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>It looks like the user who created this link has too many short URLs. They will need to delete some before this link works.</p>
|
||||
</section>
|
||||
|
||||
@@ -16,7 +16,7 @@ export const unsub = `<!DOCTYPE html>
|
||||
<body>
|
||||
<main>
|
||||
<h1>Oopsie!</h1>
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira.png" width="250" alt="Lynira" />
|
||||
<img src="https://cdn.nhcarrigan.com/new-avatars/lynira-full.png" width="250" alt="Lynira" />
|
||||
<section>
|
||||
<p>It looks like the user who created this link is no longer subscribed to our service! Please let them know that they will need to resubscribe before this URL works!</p>
|
||||
</section>
|
||||
|
||||
@@ -52,6 +52,16 @@ export const instantiateServer = (lynira: Lynira): void => {
|
||||
response.send(fourOhFour);
|
||||
});
|
||||
|
||||
server.get("/favicon.ico", (_request, response) => {
|
||||
response.redirect("https://cdn.nhcarrigan.com/favicon/favicon.ico");
|
||||
});
|
||||
|
||||
server.get("/robots.txt", (_request, response) => {
|
||||
response.header("Content-Type", "text/plain");
|
||||
// Allow everything
|
||||
response.send("User-agent: *\nDisallow:");
|
||||
});
|
||||
|
||||
// WILDCARD: anything static must come before this route.
|
||||
// eslint-disable-next-line max-statements -- Big function due to multiple routes.
|
||||
server.get("*", async(request, response) => {
|
||||
@@ -65,12 +75,10 @@ export const instantiateServer = (lynira: Lynira): void => {
|
||||
});
|
||||
|
||||
if (exists === null) {
|
||||
void logger.log("debug", `Link with slug "${slug}" does not exist.`);
|
||||
return await response.redirect("/404");
|
||||
}
|
||||
|
||||
if (exists.deleted) {
|
||||
void logger.log("debug", `Link with slug "${slug}" has been deleted.`);
|
||||
return await response.redirect("/404");
|
||||
}
|
||||
|
||||
@@ -108,12 +116,12 @@ export const instantiateServer = (lynira: Lynira): void => {
|
||||
}
|
||||
});
|
||||
|
||||
server.listen({ port: 5033 }, (actualError) => {
|
||||
server.listen({ port: 5044 }, (actualError) => {
|
||||
if (actualError) {
|
||||
void logger.error("instantiate server", actualError);
|
||||
return;
|
||||
}
|
||||
void logger.log("debug", "Server listening on port 5033.");
|
||||
void logger.log("debug", "Server listening on port 5044.");
|
||||
});
|
||||
} catch (actualError) {
|
||||
if (actualError instanceof Error) {
|
||||
|
||||
Reference in New Issue
Block a user