Skip to content

feat(security): implement security hardening and automated scanning (#15)#46

Merged
malavya1411 merged 13 commits into
CodeLabsAI29:mainfrom
Iam-jayant:feat/issue-15-security-hardening-scanning
Jul 5, 2026
Merged

feat(security): implement security hardening and automated scanning (#15)#46
malavya1411 merged 13 commits into
CodeLabsAI29:mainfrom
Iam-jayant:feat/issue-15-security-hardening-scanning

Conversation

@Iam-jayant

Copy link
Copy Markdown
Contributor

Summary

This PR implements the baseline security hardening requested in #15.

Changes

  • Added eslint-plugin-security to backend and frontend.
  • Added dedicated GitHub Actions security workflow.
  • Added automated security scanning with npm audit, Gitleaks, Trivy, and OWASP ZAP.
  • Hardened Express using Helmet.
  • Added production CORS allowlist.
  • Added request body size limits.
  • Added separate IP-based rate limiting.
  • Added SECURITY.md for vulnerability reporting.

Notes

  • Existing Docker configuration already ran as a non-root user, so no changes were required.
  • Implementation follows the project's implementation plan.

Copilot AI review requested due to automatic review settings July 4, 2026 08:13

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

- Fix line ending issues (CRLF -> LF) in backend TypeScript files
- Fix CORS configuration syntax error in server.ts
- Fix code formatting issues (method chaining indentation)
- All ESLint checks now passing with 0 errors
walunjsahil33-hub pushed a commit to walunjsahil33-hub/InboxOS that referenced this pull request Jul 4, 2026
refactor(repo): reorganize repository architecture and cleanup root d…
- Resolved merge conflicts in route files
- Kept our CORS security fixes (allows undefined origin)
- Integrated new features: reminders router, timezone & digestSchedule settings
- Moved services to actions/ directory structure
- Updated settings endpoints with new fields
- Fixed CRLF line endings in all upstream files (converted to LF)
- Fixed prefer-const ESLint error in feedback-collector.service.ts
- All ESLint checks now passing (0 errors, 48 acceptable warnings)
- Resolved conflicts with latest upstream changes
- Removed backend/package-lock.json (deleted upstream)
- Preserved security middleware: helmet, CORS, compression, rate limiting
- Integrated new features: Swagger API docs, neubrutalism design
- Kept our security enhancements while adopting upstream structure
- Fixed CRLF line endings in all upstream files
- Fixed method chaining formatting in server.ts
- All ESLint checks now passing (0 errors, 42 acceptable warnings)
@Iam-jayant

Copy link
Copy Markdown
Contributor Author

Everything is up to date now; run tests and merge it asap so that it helps me not hit more merge conflicts

@Iam-jayant

Copy link
Copy Markdown
Contributor Author

@malavya1411 @krishnasahoo11156 hey mainteners! Please have a look

@malavya1411 malavya1411 merged commit 1cef2f1 into CodeLabsAI29:main Jul 5, 2026
malavya1411 added a commit to malavya1411/Inbox_OS that referenced this pull request Jul 5, 2026
…-15-security-hardening-scanning"

This reverts commit 1cef2f1, reversing
changes made to 431954d.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants