Merge pull request #100 from timoa/develop

Update security + dependencies

Author: timoa

.github/CODEOWNERS

@@ -0,0 +1 @@
+@timoa

.github/workflows/code-review.yml

@@ -0,0 +1,33 @@
+name: Code Review
+
+on: [pull_request]
+
+jobs:
+
+  # -- ESLINT -----------------------------------------------------------------
+  eslint:
+    name: ESLint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Run ESLint
+        uses: reviewdog/action-eslint@d3395027ea2cfc5cf8f460b1ea939b6c86fea656 # tag=v1.17.0
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # -- DOCKER -----------------------------------------------------------------
+  hadolint:
+    name: Hadolint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      - name: Run hadolint
+        uses: reviewdog/action-hadolint@55be5d2c4b0b80d439247b128a9ded3747f92a29 # tag=v1.33.0
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -1,54 +1,61 @@
-name: "CodeQL"
+name: "CodeQL analysis"
 
 on:
   push:
-    branches: [master, ]
+    branches: [main]
   pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [master]
+    branches: [main]
   schedule:
-    - cron: '0 7 * * 0'
+    #        ┌───────────── minute (0 - 59)
+    #        │  ┌───────────── hour (0 - 23)
+    #        │  │ ┌───────────── day of the month (1 - 31)
+    #        │  │ │ ┌───────────── month (1 - 12 or JAN-DEC)
+    #        │  │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
+    #        │  │ │ │ │
+    #        │  │ │ │ │
+    #        │  │ │ │ │
+    #        *  * * * *
+    - cron: '30 1 * * 0'
 
 jobs:
-  analyze:
-    name: Analyze
+  CodeQL-Build:
+    # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
     runs-on: ubuntu-latest
 
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
-
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@e2cc7cc006b87d43538b16d71752753e7b85224d # tag=v1.1.8
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@e2cc7cc006b87d43538b16d71752753e7b85224d # tag=v1.1.8
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@e2cc7cc006b87d43538b16d71752753e7b85224d # tag=v1.1.8
+      - name: Checkout repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b # tag=v2.1.10
+        # Override language selection by uncommenting this and choosing your languages
+        # with:
+        #   languages: go, javascript, csharp, python, cpp, java
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below).
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b # tag=v2.1.10
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following
+      #    three lines and modify them (or add more) to build your code if your
+      #    project uses a compiled language
+
+      #- run: |
+      #     make bootstrap
+      #     make release
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b # tag=v2.1.10

.github/workflows/nodejs.yml

@@ -6,6 +6,7 @@ jobs:
 
   # -- TESTS ------------------------------------------------------------------
   tests:
+    name: Tests
     runs-on: ubuntu-latest
 
     strategy:
@@ -15,10 +16,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
       - name: Setup Node.js ${{ matrix.node }}
-        uses: actions/setup-node@56337c425554a6be30cdef71bf441f15be286854 # tag=v3
+        uses: actions/setup-node@56337c425554a6be30cdef71bf441f15be286854 # tag=v3.1.1
         with:
           node-version: ${{ matrix.node }}
           check-latest: true
@@ -43,12 +44,13 @@ jobs:
 
   # -- SONARCLOUD -------------------------------------------------------------
   code-quality:
+    name: Code Quality
     runs-on: ubuntu-latest
     needs: tests
 
     steps:
       - name: Checkout
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
       - name: Download Code Coverage
         uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
@@ -93,14 +95,15 @@ jobs:
 
   # -- SAST SCAN --------------------------------------------------------------
   code-security:
+    name: Code Security
     runs-on: ubuntu-latest
     needs: tests
     # Skip any PR created by dependabot to avoid permission issues
     if: (github.actor != 'dependabot[bot]')
 
     steps:
       - name: Checkout
-        uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # tag=v3
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
       - name: Perform Scan
         uses: ShiftLeftSecurity/scan-action@master
@@ -115,8 +118,9 @@ jobs:
           name: reports
           path: reports
 
-  # -- RELEASE ----------------------------------------------------------------
-  release:
+  # -- PRE-RELEASE ------------------------------------------------------------
+  pre-release:
+    name: Prepare Release
     runs-on: ubuntu-latest
     needs:
       - code-quality
@@ -125,7 +129,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@dcd71f646680f2efd8db4afa5ad64fdcba30e748 # tag=v3
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
       - name: Semantic Release
         uses: cycjimmy/semantic-release-action@v3
@@ -134,17 +138,18 @@ jobs:
 
   # -- BUILD ------------------------------------------------------------------
   build:
+    name: Build & Release
     runs-on: ubuntu-latest
-    needs: release
+    needs: pre-release
     if: github.ref == 'refs/heads/master'
 
     steps:
       - name: Checkout
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@e5622373a38e60fb6d795a4421e56882f2d7a681 # tag=v3.6.2
+        uses: docker/metadata-action@b2391d37b4157fa4aa2e118d643f417910ff3242 # tag=v3.8.0
         with:
           images: ${{ github.repository }}
           tags: |
@@ -161,7 +166,7 @@ jobs:
         uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # tag=v1.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 # tag=v1.6.0
+        uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 # tag=v1.7.0
 
       - name: Login to DockerHub
         uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # tag=v1.14.1

.releaserc

@@ -1,4 +1,5 @@
 {
+  "repositoryUrl": "https://github.com/timoa/nodejs-encryption-api-example.git",
   "branches": [
     "master",
     "develop"

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:16.14.2-alpine3.15@sha256:28bed508446db2ee028d08e76fb47b935defa26a84986ca050d2596ea67fd506
+FROM node:16.15.0-alpine3.15@sha256:1a9a71ea86aad332aa7740316d4111ee1bd4e890df47d3b5eff3e5bded3b3d10
 ARG appPort=3000
 # ARG microScannerToken
 

README.md

@@ -1,7 +1,9 @@
 # Encryption API endpoints with Node.js
 
+[![Latest Release][release-badge]][release-url]
 [![Build Status][github-badge]][github-url]
 [![Docker Pulls][docker-badge]][docker-url]
+
 [![Quality Gate Status][sonarcloud-status-badge]][sonarcloud-url]
 [![Security Rating][sonarcloud-security-badge]][sonarcloud-url]
 [![Maintainability Rating][sonarcloud-maintainability-badge]][sonarcloud-url]
@@ -21,17 +23,18 @@ The idea with this example is to test how to store encrypted data under a datast
 
 ## Features
 
-- API storing endpoint that encrypts data with the provided key and stores it into a MongoDB collection (AES-256-CBC encryption)
+- API storing endpoint that encrypts data with the provided key and stores it into a MongoDB collection (AES-256-GCM encryption)
 - API retrieval endpoint that decrypts data with the provided key and returns the data
-- AES-256-CBC encryption that uses a random Initialization Vector (IV)
-- IV stored with the encrypted data (separated by a `:` character)
+- AES-256-GCM encryption that uses a random Initialization Vector (IV) and Auth TAG
+- IV and Auth TAG stored with the encrypted data (separated by a `:` character)
 - Logs with correlation ID
+- Hardening of the HTTP Headers with Helmet
 - MongoDB as a data store (using Mongoose)
 - Swagger support for API specifications/documentation (WIP)
 - Health check endpoint to check if the app is still alive
 - Dockerfile to generate the Docker image
 - Docker Compose file to launch the API and MongoDB official Docker images
-- Build, test and deploy to Docker Hub with Travis CI
+- Build, test and deploy to Docker Hub with GitHub Actions
 - SonarQube code quality check (SonarCloud)
 - Unit tests and functional tests
 - Postman collection and environment
@@ -247,6 +250,8 @@ This will return an array of results:
 [postman-run-button]: https://run.pstmn.io/button.svg
 [postman-run-url]: https://app.getpostman.com/run-collection/e34aee6688c0937c6643
 [sonarcloud]: https://sonarcloud.io/about
+[release-badge]: https://img.shields.io/github/v/release/timoa/nodejs-encryption-api-example?logoColor=orange
+[release-url]: https://github.com/timoa/nodejs-encryption-api-example/releases
 [github-badge]: https://github.com/timoa/nodejs-encryption-api-example/workflows/Build/badge.svg
 [github-url]: https://github.com/timoa/nodejs-encryption-api-example/actions?query=workflow%3ABuild
 [docker-badge]: https://img.shields.io/docker/pulls/timoa/nodejs-encryption-api-example.svg
@@ -258,4 +263,4 @@ This will return an array of results:
 [sonarcloud-bugs-badge]: https://sonarcloud.io/api/project_badges/measure?project=timoa_nodejs-encryption-api-example&metric=bugs
 [sonarcloud-codesmells-badge]: https://sonarcloud.io/api/project_badges/measure?project=timoa_nodejs-encryption-api-example&metric=code_smells
 [sonarcloud-coverage-badge]: https://sonarcloud.io/api/project_badges/measure?project=timoa_nodejs-encryption-api-example&metric=coverage
-[sonarcloud-duplicated-badge]: https://sonarcloud.io/api/project_badges/measure?project=timoa_nodejs-encryption-api-example&metric=duplicated_lines_densit
+[sonarcloud-duplicated-badge]: https://sonarcloud.io/api/project_badges/measure?project=timoa_nodejs-encryption-api-example&metric=duplicated_lines_density

docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.3'
 
 services:
   api:
-    image: timoa/nodejs-encryption-api-example:latest@sha256:7348a5690fde457457ef0b171c992ae877af7e2084e6b384c096c85047188f78
+    image: timoa/nodejs-encryption-api-example:latest@sha256:509d3424b92adb94f06ceedaa8044aaffed0e99015ae4b8dcb95be0a82c0a7b2
     environment:
       - NODE_ENV=production
       - NODE_HOST=0.0.0.0
@@ -17,7 +17,7 @@ services:
       - mongo
   mongo:
     container_name: mongo
-    image: mongo@sha256:1e72fdd16fc769e5200dad77eff5b2316730d42473c281d8192872698e1f8689
+    image: mongo@sha256:82a55eb6d60997007ff390087d4e064218d477e9611a7becd78664a2ab490eff
     volumes:
       - ./data:/data/db
     ports: