code-scan add

.github/workflows/code-scans.yaml

@@ -0,0 +1,98 @@
+name: SDLE Scans
+
+on:
+  workflow_dispatch:
+    inputs:
+      PR_number:
+        description: 'Pull request number'
+        required: true
+  push:
+    branches: [ main ]
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: sdle-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+
+# -----------------------------
+# 1) Trivy Scan (fixed)
+# -----------------------------
+  trivy_scan:
+    name: Trivy Vulnerability Scan
+    runs-on: ubuntu-latest
+    env:
+      TRIVY_REPORT_FORMAT: table
+      TRIVY_SCAN_TYPE: fs
+      TRIVY_SCAN_PATH: .
+      TRIVY_EXIT_CODE: '1'
+      TRIVY_VULN_TYPE: os,library
+      TRIVY_SEVERITY: CRITICAL,HIGH
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create report directory
+        run: mkdir -p trivy-reports
+
+      - name: Run Trivy FS Scan
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,misconfig,secret,license'
+          ignore-unfixed: true
+          format: 'table'
+          exit-code: '1'
+          output: 'trivy-reports/trivy_scan_report.txt'
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-report
+          path: trivy-reports/trivy_scan_report.txt
+      - name: Show Trivy Report in Logs
+        if: failure()
+        run: |
+          echo "========= TRIVY FINDINGS ========="
+          cat trivy-reports/trivy_scan_report.txt
+          echo "================================="
+
+# -----------------------------
+# 2) Bandit Scan
+# -----------------------------
+  bandit_scan:
+    name: Bandit security scan
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        submodules: 'recursive'
+        fetch-depth: 0
+    - uses: actions/setup-python@v5
+      with:
+        python-version: "3.x"
+    - name: Install Bandit
+      run: pip install bandit
+    - name: Create Bandit configuration
+      run: |
+        cat > .bandit << 'EOF'
+        [bandit]
+        exclude_dirs = tests,test,venv,.venv,node_modules
+        skips = B101
+        EOF
+      shell: bash
+    - name: Run Bandit scan
+      run: |
+        bandit -r . -ll -iii -f screen
+        bandit -r . -ll -iii -f html -o bandit-report.html
+    - name: Upload Bandit Report
+      uses: actions/upload-artifact@v4
+      with:
+        name: bandit-report
+        path: bandit-report.html
+        retention-days: 30

Dockerfile

@@ -1,18 +1,24 @@
-FROM python:3.9-slim
-
-# Set the working directory in the container
-WORKDIR /app
-
-# Copy the requirements file first to leverage Docker layer caching
-COPY requirements.txt .
-
-RUN pip install -r requirements.txt
-
-# Copy the rest of the application files into the container
-COPY simple_backend.py .
-
-# Expose the port the service runs on
-EXPOSE 8000
+FROM python:3.11-slim
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Create non-root runtime user
+RUN addgroup --system app && adduser --system --ingroup app app
+
+# Copy the requirements file first to leverage Docker layer caching
+COPY requirements.txt .
+
+RUN pip install -r requirements.txt
+
+# Copy the rest of the application files into the container
+COPY simple_backend.py .
+RUN chown -R app:app /app
+
+USER app
+
+# Expose the port the service runs on
+EXPOSE 8000
 
 # Command to run the application
-CMD ["python", "-m", "uvicorn", "simple_backend:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD ["python", "-m", "uvicorn", "simple_backend:app", "--host", "0.0.0.0", "--port", "8000"]

api/llm-service/Dockerfile

@@ -1,20 +1,26 @@
-FROM python:3.9-slim
+FROM python:3.11-slim
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Create non-root runtime user
+RUN addgroup --system app && adduser --system --ingroup app app
+
+# Copy the requirements file into the container
+COPY requirements.txt .
 
-# Set the working directory in the container
-WORKDIR /app
 
-# Copy the requirements file into the container
-COPY requirements.txt .
-
-
-# Install Python dependencies
-RUN pip install -r requirements.txt
-
-# Copy the rest of the application files into the container
-COPY . .
-
-# Expose the port the service runs on
-EXPOSE 8002
+# Install Python dependencies
+RUN pip install -r requirements.txt
+
+# Copy the rest of the application files into the container
+COPY . .
+RUN chown -R app:app /app
+
+USER app
+
+# Expose the port the service runs on
+EXPOSE 8002
 
 # Command to run the application
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8002"]

api/llm-service/requirements.txt

@@ -1,6 +1,6 @@
 fastapi==0.104.1
 uvicorn[standard]==0.24.0
-python-multipart==0.0.6
+python-multipart==0.0.22
 openai==1.6.1
 pydantic==2.5.0
 pydantic-settings==2.1.0

api/pdf-service/Dockerfile

@@ -1,11 +1,14 @@
-FROM python:3.9-slim
-
-# Set the working directory in the container
-WORKDIR /app
-
-# Install system dependencies for OCR (tesseract), PDF-to-image (poppler), and file type detection (libmagic1)
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    tesseract-ocr \
+FROM python:3.11-slim
+
+# Set the working directory in the container
+WORKDIR /app
+
+# Create non-root runtime user
+RUN addgroup --system app && adduser --system --ingroup app app
+
+# Install system dependencies for OCR (tesseract), PDF-to-image (poppler), and file type detection (libmagic1)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    tesseract-ocr \
     poppler-utils \
     libmagic1 \
     antiword \
@@ -17,14 +20,17 @@ COPY requirements.txt .
 # python-magic-bin is for Windows; python-magic is for Linux. This ensures the correct library is used.
 RUN sed -i 's/python-magic-bin/python-magic/' requirements.txt
 
-# Install Python dependencies
-RUN pip install -r requirements.txt
-
-# Copy the rest of the application files into the container
-COPY . .
-
-# Expose the port the service runs on
-EXPOSE 8001
+# Install Python dependencies
+RUN pip install -r requirements.txt
+
+# Copy the rest of the application files into the container
+COPY . .
+RUN chown -R app:app /app
+
+USER app
+
+# Expose the port the service runs on
+EXPOSE 8001
 
 # Command to run the application
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8001"]

api/pdf-service/requirements.txt

@@ -1,10 +1,10 @@
 fastapi==0.104.1
 uvicorn[standard]==0.24.0
-python-multipart==0.0.6
+python-multipart==0.0.22
 PyPDF2==3.0.1
 pdfplumber==0.10.3
 pytesseract==0.3.10
-Pillow==10.1.0
+Pillow==12.1.1
 pdf2image==1.16.3
 python-dotenv==1.0.0
 pydantic==2.5.0

api/tts-service/Dockerfile

@@ -9,17 +9,22 @@ RUN apt-get update && apt-get install -y --no-install-recommends ffmpeg \
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
-# --- Final Stage ---
-FROM python:3.11-slim
-
-WORKDIR /app
-
-RUN apt-get update && apt-get install -y --no-install-recommends ffmpeg \
- && rm -rf /var/lib/apt/lists/*
-
-COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
-COPY . .
-
-EXPOSE 8003
-
-CMD ["python", "-m", "uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8003"]
+# --- Final Stage ---
+FROM python:3.11-slim
+
+WORKDIR /app
+
+RUN addgroup --system app && adduser --system --ingroup app app
+
+RUN apt-get update && apt-get install -y --no-install-recommends ffmpeg \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+COPY . .
+RUN chown -R app:app /app
+
+USER app
+
+EXPOSE 8003
+
+CMD ["python", "-m", "uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8003"]

api/tts-service/requirements.txt

@@ -1,6 +1,7 @@
 fastapi>=0.115.0
 uvicorn[standard]>=0.32.0
-python-multipart>=0.0.12
+python-multipart==0.0.22
+Pillow==12.1.1
 openai>=1.57.0
 pydantic>=2.10.0
 pydantic-settings>=2.7.0

requirements.txt

@@ -1,6 +1,6 @@
 fastapi==0.104.1
 uvicorn[standard]==0.24.0
-python-multipart==0.0.6
+python-multipart==0.0.22
 pydantic==2.5.0
 pydantic-settings==2.1.0
-httpx==0.25.2
+httpx==0.25.2

ui/Dockerfile

@@ -1,20 +1,23 @@
-FROM node:18
-
-# Set the working directory
-WORKDIR /app
-
-# Copy package.json and package-lock.json
-COPY package.json ./
-COPY package-lock.json ./
-
-# Install dependencies
-RUN npm install
-
-# Copy the rest of the application files
-COPY . .
-
-# Expose the port the app runs on
-EXPOSE 3000
+FROM node:18
+
+# Set the working directory
+WORKDIR /app
+
+# Copy package.json and package-lock.json
+COPY --chown=node:node package.json ./
+COPY --chown=node:node package-lock.json ./
+
+RUN chown -R node:node /app
+USER node
+
+# Install dependencies
+RUN npm install
+
+# Copy the rest of the application files
+COPY --chown=node:node . .
+
+# Expose the port the app runs on
+EXPOSE 3000
 
 # Command to run the application
 CMD ["npm", "run", "dev", "--", "--host", "0.0.0.0"]