feat(hexaflow): implement security gate workflow#3
Open
JuanDiegoRV wants to merge 8 commits into
Open
Conversation
❌ HexaFlow Security Gate — REJECTEDScanned: Vulnerability summary
Ollama AI Risk AnalysisRisk interpretationThe PR does not introduce any critical, high, medium, or low vulnerabilities based on the HexaFlow scan results. However, the code analysis is blocked, which may pose potential risks if not addressed. Current PR actions
Next sprint backlog
Code analysis
Code analysis: 1 critical vulnerability/ies found in source code — push blocked. Code AI provider: Code recommendations:
Summary:
|
- Add multi-stage Dockerfile for Gamification.Api (.NET 10) - Add .dockerignore to exclude build artifacts and docs - Update docker-compose.yml to include the API service with infrastructure dependencies - Add GitHub Actions workflow (docker-publish.yml) to build and push image to ghcr.io on push to main, develop and feature/HexaFlow_Impl
- Replace Alpine addgroup/adduser with Debian groupadd/useradd (aspnet:10.0 is Debian-based) - Install curl for HEALTHCHECK and combine RUN layers to reduce image size - Add HEALTHCHECK instruction (resolves SonarQube S6504) - Remove hardcoded credentials from docker-compose (resolves SonarQube security hotspot) - All secrets now sourced from environment variables; mandatory ones use :? to fail fast - Add .env.example as reference for required variables
- Remove hardcoded DB credentials from appsettings.Development.json;
app already reads individual POSTGRES_* env vars from Program.cs
- Replace full connection string (Password=) in docker-compose with
individual POSTGRES_HOST/PORT/DB/USER/PASSWORD env vars to avoid
credential patterns in config files (resolves HexaFlow critical finding)
- Add AddHealthChecks() + MapHealthChecks("/health") to Program.cs
so the Dockerfile HEALTHCHECK has a valid endpoint to probe
Ubuntu 24.04 base had 46 CVEs (25 MEDIUM, 21 LOW) in OS packages. Alpine 3.23.5 with apk upgrade produces 0 vulnerabilities across all targets. - Replace aspnet:10.0 (Ubuntu) with aspnet:10.0-alpine - Use apk upgrade --no-cache to apply all available security patches - Replace curl (8 CVEs) with wget (busybox, 0 CVEs) for HEALTHCHECK - Use Alpine addgroup/adduser syntax instead of Debian groupadd/useradd Trivy result: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW
- Use explicit alpine3.23 tag to document the intended Alpine version - Pin both SDK and runtime images to SHA256 digest for fully reproducible builds regardless of future tag mutations - Addresses HexaFlow warning about potential future risks from unversioned floating base image tags
Default CODE_EXTENSIONS and CODE_PATHS were set for a TypeScript/NestJS project (.ts .tsx .js .jsx .yml and NestJS config files). This caused the Dockerfile to be analyzed as application code, generating false positive security findings from Ollama. For a .NET project: - CODE_EXTENSIONS: .cs .csproj (C# source and project files only) - CODE_PATHS: src (application source directory only) The Dockerfile is already covered by the image gate (Trivy + HexaFlow image analysis), so excluding it from code analysis removes duplicate and inaccurate AI findings without losing security coverage.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.




No description provided.