Skip to content

feat(hexaflow): implement security gate workflow#3

Open
JuanDiegoRV wants to merge 8 commits into
developfrom
feature/HexaFlow_Impl
Open

feat(hexaflow): implement security gate workflow#3
JuanDiegoRV wants to merge 8 commits into
developfrom
feature/HexaFlow_Impl

Conversation

@JuanDiegoRV

Copy link
Copy Markdown

No description provided.

@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

❌ HexaFlow Security Gate — REJECTED

Scanned: eciwise/gamification:05873ec3a780b7a99342b3c277b69cdbcb311597 · 2026-07-01 15:02 UTC · AI analysis: enabled (ollama:mistral)

Vulnerability summary

Severity Count
🔴 Critical 0
🟠 High 0
🟡 Medium 0
🔵 Low 0
⚪ Unknown 0

Ollama AI Risk Analysis

Risk interpretation

The PR does not introduce any critical, high, medium, or low vulnerabilities based on the HexaFlow scan results. However, the code analysis is blocked, which may pose potential risks if not addressed.

Current PR actions

  • Ensure all code files are properly reviewed and secure before merging.

Next sprint backlog

  • Unblock code analysis and address any identified issues.
  • Consider optimizing image size to reduce its current size of 143.0 MB.

Code analysis

  • Resolve the blocked code analysis status to ensure the PR meets security standards before merging.

Code analysis: 1 critical vulnerability/ies found in source code — push blocked.

Code AI provider: code:ollama:mistral

Code recommendations:

  1. Store sensitive data like database credentials in environment variables or secure configuration files, and load them at runtime. (src/Gamification.Api/Program.cs:47)

Summary:

Code gate decision: BLOCKED. Critical: 1, High: 0, Medium: 0, Low: 0.

- Add multi-stage Dockerfile for Gamification.Api (.NET 10)
- Add .dockerignore to exclude build artifacts and docs
- Update docker-compose.yml to include the API service with infrastructure dependencies
- Add GitHub Actions workflow (docker-publish.yml) to build and push image to ghcr.io on push to main, develop and feature/HexaFlow_Impl
- Replace Alpine addgroup/adduser with Debian groupadd/useradd (aspnet:10.0 is Debian-based)
- Install curl for HEALTHCHECK and combine RUN layers to reduce image size
- Add HEALTHCHECK instruction (resolves SonarQube S6504)
- Remove hardcoded credentials from docker-compose (resolves SonarQube security hotspot)
- All secrets now sourced from environment variables; mandatory ones use :? to fail fast
- Add .env.example as reference for required variables
- Remove hardcoded DB credentials from appsettings.Development.json;
  app already reads individual POSTGRES_* env vars from Program.cs
- Replace full connection string (Password=) in docker-compose with
  individual POSTGRES_HOST/PORT/DB/USER/PASSWORD env vars to avoid
  credential patterns in config files (resolves HexaFlow critical finding)
- Add AddHealthChecks() + MapHealthChecks("/health") to Program.cs
  so the Dockerfile HEALTHCHECK has a valid endpoint to probe
Ubuntu 24.04 base had 46 CVEs (25 MEDIUM, 21 LOW) in OS packages.
Alpine 3.23.5 with apk upgrade produces 0 vulnerabilities across all targets.
- Replace aspnet:10.0 (Ubuntu) with aspnet:10.0-alpine
- Use apk upgrade --no-cache to apply all available security patches
- Replace curl (8 CVEs) with wget (busybox, 0 CVEs) for HEALTHCHECK
- Use Alpine addgroup/adduser syntax instead of Debian groupadd/useradd
Trivy result: 0 CRITICAL, 0 HIGH, 0 MEDIUM, 0 LOW
- Use explicit alpine3.23 tag to document the intended Alpine version
- Pin both SDK and runtime images to SHA256 digest for fully reproducible
  builds regardless of future tag mutations
- Addresses HexaFlow warning about potential future risks from unversioned
  floating base image tags
Default CODE_EXTENSIONS and CODE_PATHS were set for a TypeScript/NestJS
project (.ts .tsx .js .jsx .yml and NestJS config files). This caused
the Dockerfile to be analyzed as application code, generating false positive
security findings from Ollama.

For a .NET project:
- CODE_EXTENSIONS: .cs .csproj (C# source and project files only)
- CODE_PATHS: src (application source directory only)

The Dockerfile is already covered by the image gate (Trivy + HexaFlow
image analysis), so excluding it from code analysis removes duplicate
and inaccurate AI findings without losing security coverage.
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants