contribute

.devcontainer/Dockerfile

@@ -1,3 +1,8 @@
 FROM node:16-bullseye
 
-RUN apt update -y && apt install -y zstd
+# Update packages and install security updates
+RUN apt-get update && \
+    apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends zstd && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "deps"
+      include: "scope"

.github/workflows/accuracy-gate.yml

@@ -0,0 +1,17 @@
+name: Accuracy Gate
+on: [pull_request]
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with: { node-version: '20', cache: 'npm' }
+      - name: Verify
+        run: |
+          chmod +x scripts/*.sh || true
+          ./scripts/verify.sh
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with: { name: logs, path: logs }

.github/workflows/security-audit.yml

@@ -0,0 +1,155 @@
+name: Security Audit
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  schedule:
+    # Run weekly on Monday at 00:00 UTC
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  dependency-audit:
+    name: Dependency Vulnerability Scan
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: '16'
+        cache: 'yarn'
+
+    - name: Install dependencies
+      run: yarn install --frozen-lockfile
+      continue-on-error: true
+
+    - name: Run yarn audit
+      run: |
+        yarn audit --json > audit-report.json || true
+        echo "## Dependency Audit Results" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        yarn audit || true
+      continue-on-error: true
+
+    - name: Count vulnerabilities
+      run: |
+        CRITICAL=$(cat audit-report.json | grep -c '"severity":"critical"' || echo "0")
+        HIGH=$(cat audit-report.json | grep -c '"severity":"high"' || echo "0")
+        MODERATE=$(cat audit-report.json | grep -c '"severity":"moderate"' || echo "0")
+        LOW=$(cat audit-report.json | grep -c '"severity":"low"' || echo "0")
+
+        echo "### Vulnerability Summary" >> $GITHUB_STEP_SUMMARY
+        echo "- 🔴 Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY
+        echo "- 🟠 High: $HIGH" >> $GITHUB_STEP_SUMMARY
+        echo "- 🟡 Moderate: $MODERATE" >> $GITHUB_STEP_SUMMARY
+        echo "- 🟢 Low: $LOW" >> $GITHUB_STEP_SUMMARY
+
+        if [ "$CRITICAL" -gt "0" ] || [ "$HIGH" -gt "10" ]; then
+          echo "⚠️ **Warning**: Critical or high severity vulnerabilities detected!" >> $GITHUB_STEP_SUMMARY
+        fi
+      continue-on-error: true
+
+    - name: Upload audit report
+      uses: actions/upload-artifact@v3
+      with:
+        name: security-audit-report
+        path: audit-report.json
+      if: always()
+
+  code-security-scan:
+    name: Code Security Analysis
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Check for dangerous patterns
+      run: |
+        echo "## Code Security Scan" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+
+        # Check for eval usage
+        EVAL_COUNT=$(grep -r "eval(" packages/ --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" 2>/dev/null | grep -v "\.min\.js" | grep -v "node_modules" | wc -l || echo "0")
+        echo "- Direct eval() calls found: $EVAL_COUNT" >> $GITHUB_STEP_SUMMARY
+
+        # Check for dangerouslySetInnerHTML
+        DANGEROUS_HTML=$(grep -r "dangerouslySetInnerHTML" packages/ --include="*.tsx" --include="*.jsx" 2>/dev/null | wc -l || echo "0")
+        echo "- dangerouslySetInnerHTML usage: $DANGEROUS_HTML" >> $GITHUB_STEP_SUMMARY
+
+        # Check for hardcoded secrets patterns
+        SECRET_PATTERNS=$(grep -rE "(password|secret|key|token)\s*=\s*['\"][^'\"]{8,}" packages/ --include="*.ts" --include="*.tsx" --include="*.js" --include="*.jsx" 2>/dev/null | grep -v "node_modules" | grep -v "test" | wc -l || echo "0")
+        echo "- Potential hardcoded secrets: $SECRET_PATTERNS" >> $GITHUB_STEP_SUMMARY
+
+        if [ "$EVAL_COUNT" -gt "20" ] || [ "$DANGEROUS_HTML" -gt "10" ]; then
+          echo "⚠️ **Warning**: High usage of potentially dangerous patterns detected!" >> $GITHUB_STEP_SUMMARY
+        fi
+      continue-on-error: true
+
+  docker-security-scan:
+    name: Docker Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Check Dockerfile security
+      run: |
+        echo "## Docker Security Scan" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+
+        # Check for outdated base images
+        for dockerfile in $(find . -name "Dockerfile"); do
+          echo "### $dockerfile" >> $GITHUB_STEP_SUMMARY
+
+          # Extract base image
+          BASE_IMAGE=$(grep "^FROM" "$dockerfile" | head -1 | awk '{print $2}')
+          echo "- Base Image: \`$BASE_IMAGE\`" >> $GITHUB_STEP_SUMMARY
+
+          # Check for apt/yum update
+          if grep -q "apt.*update\|yum.*update" "$dockerfile"; then
+            echo "  ✅ Package manager update found" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "  ⚠️ No package manager update found" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Check for cleanup
+          if grep -q "rm -rf.*apt\|yum clean" "$dockerfile"; then
+            echo "  ✅ Cleanup commands found" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "  ⚠️ No cleanup commands found" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+        done
+      continue-on-error: true
+
+  security-report:
+    name: Generate Security Report
+    runs-on: ubuntu-latest
+    needs: [dependency-audit, code-security-scan, docker-security-scan]
+    if: always()
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Create security summary
+      run: |
+        echo "# 🔒 Security Audit Summary" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Date**: $(date -u +"%Y-%m-%d %H:%M:%S UTC")" >> $GITHUB_STEP_SUMMARY
+        echo "**Branch**: ${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY
+        echo "**Commit**: ${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "For detailed security information, see [SECURITY_AUDIT.md](./SECURITY_AUDIT.md)" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "---" >> $GITHUB_STEP_SUMMARY
+        echo "💡 **Tip**: Run \`yarn audit\` locally to see detailed vulnerability information." >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -32,4 +32,11 @@ standalone-packages/monaco-editor-core
 .next
 .cache-loader
 
-packages/app/static/js/env-config.js
+packages/app/static/js/env-config.js
+# Security
+audit-report.json
+security-report.json
+*.env.local
+*.env.production
+secrets.json
+.secrets

.mergify.yml

@@ -0,0 +1,17 @@
+pull_request_rules:
+  - name: automatic merge on CI success
+    conditions:
+      - "status-success=CI"
+      - "label!=do-not-merge"
+      - "author!=dependabot[bot]"
+      - "#approved-reviews-by>=1"
+    actions:
+      merge:
+        method: squash
+  - name: assign reviewers
+    conditions:
+      - "label=needs-review"
+    actions:
+      request_reviews:
+        users:
+          - ivan09069

Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.25.3-alpine
+FROM nginx:1.29.1-alpine
 
 WORKDIR /var/www/codesandbox
 COPY www ./