
1 create project boilerplate #2

Merged
merged 13 commits into from
Oct 30, 2024
25 changes: 25 additions & 0 deletions .eslintrc.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
module.exports = {
parser: '@typescript-eslint/parser',
parserOptions: {
project: 'tsconfig.json',
tsconfigRootDir: __dirname,
sourceType: 'module',
},
plugins: ['@typescript-eslint/eslint-plugin'],
extends: [
'plugin:@typescript-eslint/recommended',
'plugin:prettier/recommended',
],
root: true,
env: {
node: true,
jest: true,
},
ignorePatterns: ['.eslintrc.js'],
rules: {
'@typescript-eslint/interface-name-prefix': 'off',
'@typescript-eslint/explicit-function-return-type': 'off',
'@typescript-eslint/explicit-module-boundary-types': 'off',
'@typescript-eslint/no-explicit-any': 'off',
},
};
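Review bot: the `rules` block switches `@typescript-eslint/no-explicit-any` off, so `any` can appear anywhere in the service without a lint signal; for a backend that is going to load a wallet private key from its environment (see the compose files in this PR), keep the rule at `'warn'` at least so that untyped request bodies and environment values stay visible in review rather than silently widening to `any`.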
34 changes: 34 additions & 0 deletions .github/workflows/build-push.yml
@@ -0,0 +1,34 @@
on:
workflow_call:

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

Comment on lines +1 to +7

🛠️ Refactor suggestion

Consider adding manual trigger and environment protection.

While the workflow_call trigger enables reusability, consider adding:

  1. workflow_dispatch trigger for manual runs
  2. Environment protection rules for production deployments
 on:
   workflow_call:
+  workflow_dispatch:
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
+  # Consider adding environment-specific variables
+  ENVIRONMENT: ${{ inputs.environment || 'production' }}


jobs:
build-push:
name: Build + Push Image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write

Comment on lines +8 to +15

🛠️ Refactor suggestion

Add job-level controls for better resource management.

Consider adding timeout and concurrency controls to prevent long-running or overlapping builds.

 jobs:
   build-push:
     name: Build + Push Image
     runs-on: ubuntu-latest
+    timeout-minutes: 15
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
     permissions:
       contents: read
       packages: write

steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/metadata-action@v5
id: meta
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- uses: docker/build-push-action@v5
with:
context: .
target: production
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
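Review bot: `push: true` on the docker/build-push-action step is unconditional, so every caller of this reusable workflow publishes an image to ghcr.io; ci.yml calls it on `pull_request` as well as `push`, which means pull requests from branches publish images under their `pr-*` tags before anything has been merged, and pull requests from forks fail at the login/push step because the fork `GITHUB_TOKEN` never carries `packages: write` whatever the `permissions` block requests. Gate the push with `push: ${{ github.event_name != 'pull_request' }}` so PR builds still exercise the Dockerfile but only default-branch builds publish. Separately, every action here is pinned by a mutable major tag (`@v4`, `@v3`, `@v5`); the same reasoning the review applies to the base image applies to third-party actions that run with a token able to write packages, so pin them to a commit SHA with the version in a trailing comment.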
Comment on lines +1 to +34

💡 Codebase verification

Pin base images using SHA digests for enhanced security

The Dockerfile uses the floating tag node:20-alpine which could lead to supply chain attacks. Replace it with a SHA digest:

  • In Dockerfile, update the base image:
    FROM node:20-alpine@sha256:a1f9d027912b58a7c75be7716c97cfbc6d3099f3a97ed84aa490be9dee20e787

This ensures reproducible builds and prevents potential supply chain attacks through compromised image tags.

🔗 Analysis chain

Implement additional security measures.

While the workflow is generally secure, consider these security enhancements:

  1. Pin base images in Dockerfile using SHA digests
  2. Add SBOM generation for better dependency tracking
  3. Consider implementing signing of container images

Let's verify if the Dockerfile uses explicit image versions:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if Dockerfile uses explicit image versions
rg -l '^\s*FROM\s+\w+(/\w+)*:(latest|\d+)' 



Script:

#!/bin/bash
# Let's check the actual FROM statements in the Dockerfile
rg '^\s*FROM' Dockerfile -A 1


Comment on lines +16 to +34

🛠️ Refactor suggestion

Enhance build security and performance.

Consider the following improvements:

  1. Enable build caching to speed up subsequent builds
  2. Add vulnerability scanning before pushing
  3. Add build arguments for better configuration
       - uses: docker/build-push-action@v5
         with:
           context: .
           target: production
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            NODE_ENV=production
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

14 changes: 14 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,14 @@
name: CI Pipeline
on:
push:
pull_request:
jobs:
lint:
uses: ./.github/workflows/lint.yml

test:
uses: ./.github/workflows/test.yml

build-push:
needs: [lint, test]
uses: ./.github/workflows/build-push.yml
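Review bot: `on: push:` and `pull_request:` carry no branch filter, so the `build-push` job, and the registry push inside it, runs for every push to every branch and again for each open pull request, doubling the work on any branch that also has a PR. Restrict `push` to `branches: [main]` (or whatever the default branch is) and add `if: github.event_name == 'push'` to the `build-push` job so images are only published from the default branch; `needs: [lint, test]` already keeps the publish behind the checks, this just keeps it off feature branches.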
Comment on lines +12 to +14

🛠️ Refactor suggestion

Add environment conditions and permissions for build-push job.

The build-push job should be restricted to specific environments and have explicit permissions defined.

 build-push:
   needs: [lint, test]
+  permissions:
+    contents: read
+    packages: write
   uses: ./.github/workflows/build-push.yml
+  with:
+    environment: production

Comment on lines +1 to +14

🛠️ Refactor suggestion

Consider adding workflow optimizations.

The workflow could benefit from these additional configurations:

 name: CI Pipeline
 on:
   push:
   pull_request:
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 jobs:
   lint:
+    timeout-minutes: 10
     uses: ./.github/workflows/lint.yml
   
   test:
+    timeout-minutes: 15
     uses: ./.github/workflows/test.yml
   
   build-push:
+    timeout-minutes: 20
     needs: [lint, test]
     uses: ./.github/workflows/build-push.yml

26 changes: 26 additions & 0 deletions .github/workflows/lint.yml
@@ -0,0 +1,26 @@
name: lint Workflow
on:
workflow_call:
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run Linter
uses: github/super-linter@v5.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TYPESCRIPT_DEFAULT_STYLE: prettier
VALIDATE_DOCKERFILE_HADOLINT: false
VALIDATE_JSCPD: false
VALIDATE_PYTHON_FLAKE8: false
VALIDATE_PYTHON_MYPY: false
VALIDATE_GIT_COMMITLINT: false
VALIDATE_MARKDOWN: false
VALIDATE_JAVASCRIPT_PRETTIER: false
VALIDATE_JAVASCRIPT_STANDARD: false
VALIDATE_NATURAL_LANGUAGE: false
VALIDATE_MARKDOWN_PRETTIER: false
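Review bot: `github/super-linter@v5.0.0` is pinned by a version tag rather than a commit SHA, so a job that receives the repository `GITHUB_TOKEN` in its environment trusts a mutable reference; pin it to the release commit. Also, `VALIDATE_DOCKERFILE_HADOLINT: false` switches off the one linter in this job that inspects the Dockerfile added by this PR, while several review comments on that file concern exactly the kind of thing a Dockerfile linter reports. Leave hadolint enabled and put any rule you genuinely want to ignore in a `.hadolint.yaml` so the exception is explicit and reviewable.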
10 changes: 10 additions & 0 deletions .github/workflows/test.yml
@@ -0,0 +1,10 @@
name: test Workflow
on:
workflow_call:
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
Comment on lines +5 to +8

🛠️ Refactor suggestion

Add timeout and concurrency limits

To prevent hanging jobs and resource contention, add timeout and concurrency controls.
[security]

Add the following configurations:

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
+   timeout-minutes: 15
+   concurrency:
+     group: ${{ github.workflow }}-${{ github.ref }}
+     cancel-in-progress: true

- uses: actions/checkout@v4
- run: docker compose -f docker-compose.test.yml up --exit-code-from app
Comment on lines +9 to +10

🛠️ Refactor suggestion

Enhance the test execution step

The current implementation could be improved with better error handling, caching, and test result collection.

Consider these improvements:

- - uses: actions/checkout@v4
- - run: docker compose -f docker-compose.test.yml up --exit-code-from app
+ - name: Checkout repository
+   uses: actions/checkout@v4
+ 
+ - name: Set up Docker Buildx
+   uses: docker/setup-buildx-action@v3
+
+ - name: Cache Docker layers
+   uses: actions/cache@v3
+   with:
+     path: /tmp/.buildx-cache
+     key: ${{ runner.os }}-buildx-${{ github.sha }}
+     restore-keys: |
+       ${{ runner.os }}-buildx-
+
+ - name: Run tests
+   run: |
+     docker compose -f docker-compose.test.yml up --exit-code-from app --build
+   env:
+     COMPOSE_DOCKER_CLI_BUILD: 1
+     DOCKER_BUILDKIT: 1
+
+ - name: Cleanup
+   if: always()
+   run: docker compose -f docker-compose.test.yml down --volumes --remove-orphans

56 changes: 56 additions & 0 deletions .gitignore
@@ -0,0 +1,56 @@
# compiled output
/dist
/node_modules
/build

# Logs
logs
*.log
npm-debug.log*
pnpm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# OS
.DS_Store

# Tests
/coverage
/.nyc_output

# IDEs and editors
/.idea
.project
.classpath
.c9/
*.launch
.settings/
*.sublime-workspace

# IDE - VSCode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json

# dotenv environment variable files
.env
.env.development.local
.env.test.local
.env.production.local
.env.local

# temp directory
.temp
.tmp

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
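Review bot: the dotenv section ignores `.env` and the four `*.local` variants only. docker-compose.yml in this PR reads `./.env.nginx`, and the review comments on the compose files propose moving `WALLET_PRIVATE_KEY` into `.env.development`, `.env.test` and `.env.production`; none of those names match the patterns here, so the first such file created with a real key would be committed. Replace the five entries with `.env*` and add `!.env*.example` so that committed templates without values stay tracked.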
1 change: 1 addition & 0 deletions .husky/commit-msg
@@ -0,0 +1 @@
npx --no-install commitlint --edit $1

⚠️ Potential issue

Add shell interpreter and error handling.

The script should include a shell interpreter declaration and basic error handling to ensure proper execution.

Apply this diff to improve the script:

+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+# Ensure commitlint is available
+if ! command -v npx &> /dev/null; then
+  echo "Error: npx is not installed"
+  exit 1
+fi
+
 npx --no-install commitlint --edit $1

1 change: 1 addition & 0 deletions .husky/post-commit
@@ -0,0 +1 @@
git status
1 change: 1 addition & 0 deletions .husky/pre-commit
@@ -0,0 +1 @@
npx lint - staged
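Review bot: `npx lint - staged` does not run lint-staged: npx resolves a package called `lint` and hands it `-` and `staged` as arguments, so the pre-commit hook either errors out or lints nothing, and `.lintstagedrc.json` added in this PR never takes effect. The review flags the same typo in pre-push; fix both to `npx lint-staged`, and give this hook the shebang and husky sourcing suggested for commit-msg so it is executed consistently.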
2 changes: 2 additions & 0 deletions .husky/pre-push
@@ -0,0 +1,2 @@
npm test
npx lint - staged
Comment on lines +1 to +2

⚠️ Potential issue

Add shebang and fix the lint-staged command.

The pre-push hook has a few issues that need to be addressed:

  1. Missing shebang line for shell script execution
  2. Incorrect spacing in the lint-staged command
  3. Missing error handling

Apply this diff to fix the issues:

+#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
-npm test 
-npx lint - staged
+npm test || exit 1
+npx lint-staged || exit 1

💡 Codebase verification

Pre-push hook requires executable permissions

The pre-push hook file currently has read-write permissions (644) but lacks executable permissions required for Git hooks to function properly.

  • Change permissions to make the file executable: chmod +x .husky/pre-push
🔗 Analysis chain

Verify file permissions.

Ensure the pre-push hook is executable.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the pre-push hook has executable permissions
# Expected: File should have executable permissions (755 or similar)

ls -l .husky/pre-push


4 changes: 4 additions & 0 deletions .lintstagedrc.json
@@ -0,0 +1,4 @@
{
"**/*.ts": ["eslint --fix", "prettier --write"],
"**/*.md": ["prettier --write"]
}
4 changes: 4 additions & 0 deletions .prettierrc
@@ -0,0 +1,4 @@
{
"singleQuote": true,
"trailingComma": "all"
}
17 changes: 17 additions & 0 deletions Dockerfile
@@ -0,0 +1,17 @@
FROM node:20-alpine AS base
WORKDIR /app
COPY ./package.json /app
RUN npm install
COPY . .
RUN npm run build
Comment on lines +1 to +6

⚠️ Potential issue

Several improvements needed for the base stage

  1. Add .dockerignore to exclude unnecessary files (node_modules, .git, etc.)
  2. Use package-lock.json for deterministic builds
  3. Optimize npm installation and caching
  4. Add security improvements

Apply these improvements:

 FROM node:20-alpine AS base
+USER node
 WORKDIR /app
-COPY ./package.json /app
+COPY --chown=node:node package*.json ./
-RUN npm install
+RUN npm ci \
+    && npm cache clean --force
-COPY . .
+COPY --chown=node:node . .
 RUN npm run build

Create a .dockerignore file:

node_modules
npm-debug.log
.git
.gitignore
.env
.dockerignore
.DS_Store
coverage
dist



FROM base AS development
EXPOSE 3000
CMD ["npm", "run", "start:dev"]
Comment on lines +8 to +10

🛠️ Refactor suggestion

Development stage needs hot-reloading setup

The development stage should support hot-reloading for better developer experience.

Add these configurations to your docker-compose.dev.yml:

services:
  app:
    volumes:
      - .:/app
      - /app/node_modules
    environment:
      - NODE_ENV=development


FROM base AS test
CMD [ "npx", "jest", "--coverage" ]
Comment on lines +12 to +13

🛠️ Refactor suggestion

Test stage needs environment setup and coverage persistence

The test stage should have proper environment setup and preserve coverage reports.

Update the test stage:

 FROM base AS test
+ENV NODE_ENV=test
+RUN mkdir -p /app/coverage
 CMD [ "npx", "jest", "--coverage" ]

Add to your docker-compose.test.yml:

services:
  test:
    volumes:
      - ./coverage:/app/coverage


FROM base AS production
EXPOSE 3000
CMD ["node", "dist/main"]
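Review bot: every stage, `production` included, is built `FROM base`, and base runs `npm install` (devDependencies included) followed by `COPY . .` of the whole build context. With no `.dockerignore` in this PR, the image that `build-push.yml` publishes therefore contains the full source tree, the dev toolchain, and any `.env`, `.env.nginx` or `coverage` directory present on the machine or runner that performs the build, and it runs as root because no `USER` instruction is set. Build the runtime stage from a fresh `node:20-alpine`, copy only `dist` and a production-only `node_modules` out of base, and drop to `USER node`; the suggestion on lines +15 to +17 already sketches that shape, and `.dockerignore` should land in the same change.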
Comment on lines +15 to +17

⚠️ Potential issue

Production stage needs optimization and health check

The production stage should be optimized for size and security, and include health monitoring.

Replace with a multi-stage build optimized for production:

-FROM base  AS production
+FROM node:20-alpine AS production
+USER node
+ENV NODE_ENV=production
+WORKDIR /app
+COPY --from=base --chown=node:node /app/dist ./dist
+COPY --chown=node:node package*.json ./
+RUN npm ci --only=production && \
+    npm cache clean --force
 EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1
 CMD ["node", "dist/main"]

Don't forget to implement a /health endpoint in your NestJS application.


46 changes: 45 additions & 1 deletion README.md
@@ -1 +1,45 @@
# oci-backend
## Installation

```bash
$ npm install
```

## Running the app

```bash
# development
$ npm run start

# watch mode
$ npm run start:dev

# production mode
$ npm run start:prod
```

## Test

```bash
# unit tests
$ npm run test

# e2e tests
$ npm run test:e2e

# test coverage
$ npm run test:cov
```

## Support

Nest is an MIT-licensed open source project. It can grow thanks to the sponsors and support by the amazing backers. If you'd like to join them, please [read more here](https://docs.nestjs.com/support).

## Stay in touch

- Author - [Kamil Myśliwiec](https://kamilmysliwiec.com)
- Website - [https://nestjs.com](https://nestjs.com/)
- Twitter - [@nestframework](https://twitter.com/nestframework)

## License

Nest is [MIT licensed](LICENSE).
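Review bot: the README is the unmodified NestJS starter text; the Support, Stay in touch and License sections describe the Nest project and its author rather than oci-backend, and nothing documents what this PR actually needs in order to run: the `WALLET_PRIVATE_KEY`, `PORT` and `LOG_LEVEL` variables set in the compose files, the `.env` and `.env.nginx` files that docker-compose.yml reads, or the `docker compose -f docker-compose.test.yml up` entry point CI uses. Replace the Nest-specific sections with a short configuration section that lists those variables (names only, no values) and the compose commands for the dev, test and prod files.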
3 changes: 3 additions & 0 deletions commitlint.config.js
@@ -0,0 +1,3 @@
module.exports = {
extends: ['@commitlint/config-conventional'],
};
16 changes: 16 additions & 0 deletions docker-compose.dev.yml
@@ -0,0 +1,16 @@
version: '3.9'
services:
app:
build:
context: .
target: development
dockerfile: Dockerfile
environment:
- NODE_ENV=development
- PORT=3000
- WALLET_PRIVATE_KEY=x
- LOG_LEVEL=info
Comment on lines +8 to +12

⚠️ Potential issue

Security concern: Avoid committing sensitive information.

The WALLET_PRIVATE_KEY environment variable is hardcoded with a placeholder value 'x'. This could lead to accidental commits of real private keys in the future.

Consider these improvements:

  1. Use environment file instead:
-    environment:
-      - NODE_ENV=development
-      - PORT=3000
-      - WALLET_PRIVATE_KEY=x
-      - LOG_LEVEL=info
+    env_file:
+      - .env.development
  2. Add .env.development to .gitignore
  3. Provide a .env.development.example template without sensitive values

ports:
- '3000:3000'
volumes:
- ./coverage:/project/coverage
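Review bot: the `./coverage:/project/coverage` mount targets a path the image never writes to. The Dockerfile sets `WORKDIR /app`, and jest.config.json writes coverage to `./coverage` relative to `rootDir`, i.e. `/app/coverage`, so reports stay inside the container and the host directory remains empty. Change the mount to `./coverage:/app/coverage`. The same `/project` prefix appears in docker-compose.test.yml, where it matters for CI, and in docker-compose.prod.yml, and the `.:/project` source mount proposed in the review below would miss `/app` in the same way.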
Comment on lines +13 to +16

🛠️ Refactor suggestion

Consider adding development-specific volumes.

For a development environment, you might want to mount the source code for hot-reloading.

Add source code mounting:

     volumes:
       - ./coverage:/project/coverage
+      - .:/project
+      - /project/node_modules

14 changes: 14 additions & 0 deletions docker-compose.prod.yml
@@ -0,0 +1,14 @@
version: '3.9'
services:
app:
build:
context: .
target: production
dockerfile: Dockerfile
environment:
- NODE_ENV=production
- PORT=3000
- WALLET_PRIVATE_KEY=x

⚠️ Potential issue

⚠️ Security Risk: Remove hardcoded credentials

Storing sensitive credentials like WALLET_PRIVATE_KEY in plain text within version control is a significant security risk. This could lead to unauthorized access if the repository is compromised.

Consider these alternatives:

  1. Use environment variables:
-      - WALLET_PRIVATE_KEY=x
+      - WALLET_PRIVATE_KEY=${WALLET_PRIVATE_KEY}
  2. Use secrets management service in production
  3. Use Docker secrets for sensitive data

- LOG_LEVEL=info
Comment on lines +8 to +12

🛠️ Refactor suggestion

Use environment file for configuration

Instead of hardcoding environment variables, consider using a .env.production file (not committed to version control) for better maintainability and security.

-    environment:
-      - NODE_ENV=production
-      - PORT=3000
-      - WALLET_PRIVATE_KEY=x
-      - LOG_LEVEL=info
+    env_file:
+      - .env.production


volumes:
- ./coverage:/project/coverage
Comment on lines +13 to +14

⚠️ Potential issue

Remove coverage volume mount in production

Mounting the coverage directory in production is unnecessary and potentially exposes internal code structure information. Coverage reports should only be generated in development/test environments.

-    volumes:
-      - ./coverage:/project/coverage

14 changes: 14 additions & 0 deletions docker-compose.test.yml
@@ -0,0 +1,14 @@
version: '3.9'
services:
app:
build:
context: .
target: test
dockerfile: Dockerfile
environment:
- NODE_ENV=test
- PORT=3000
- WALLET_PRIVATE_KEY=x
- LOG_LEVEL=info
Comment on lines +8 to +12

⚠️ Potential issue

Security concern: Avoid hardcoding sensitive data.

The WALLET_PRIVATE_KEY environment variable contains a hardcoded value. Even in a test environment, it's better to use placeholder values from a secure source.

Consider these improvements:

  1. Use environment variables or a .env.test file
  2. Document the required environment variables in README.md
  3. Add .env.test to .gitignore
    environment:
      - NODE_ENV=test
      - PORT=3000
-      - WALLET_PRIVATE_KEY=x
+      - WALLET_PRIVATE_KEY=${TEST_WALLET_PRIVATE_KEY}
      - LOG_LEVEL=info

volumes:
- ./coverage:/project/coverage
Comment on lines +1 to +14

🛠️ Refactor suggestion

Consider adding health check configuration.

For better container orchestration, especially in a test environment where service availability is crucial for test execution, consider adding a health check configuration.

Add the following configuration:

    volumes:
      - ./coverage:/project/coverage
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 10s


24 changes: 24 additions & 0 deletions docker-compose.yml
@@ -0,0 +1,24 @@
version: '3.9'
services:
nginx:
container_name: nginx
image: nginx:latest
restart: unless-stopped
ports:
- 80:80
- 443:443
volumes:
- ./nginx/templates:/etc/nginx/templates:ro
- ./nginx/ssl:/etc/ssl:ro
env_file:
- ./.env.nginx
depends_on:
- app
Comment on lines +3 to +16

💡 Codebase verification

🛠️ Refactor suggestion

⚠️ Potential issue

Review update: SSL configuration is properly implemented

The SSL configuration in nginx/templates/default.conf.template is comprehensive and follows security best practices:

  • Uses modern TLS protocols (TLSv1.2, TLSv1.3)
  • Implements secure cipher suites
  • Configures SSL session parameters
  • Properly redirects HTTP to HTTPS
  • Includes proper proxy headers for SSL termination

Let's focus on the remaining valid concerns:

Consider pinning the Nginx version for better stability

Using nginx:latest can lead to unexpected changes in production. Consider pinning to a specific version:

-    image: nginx:latest
+    image: nginx:1.24-alpine

Add health check for better container orchestration

     depends_on:
       - app
+    healthcheck:
+      test: ["CMD", "nginx", "-t"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
🔗 Analysis chain

Consider pinning the Nginx version for better stability.

Using nginx:latest can lead to unexpected changes in production. Consider pinning to a specific version (e.g., nginx:1.24-alpine).

-    image: nginx:latest
+    image: nginx:1.24-alpine

Add health check for better container orchestration.

Adding a health check helps Docker manage the container lifecycle more effectively.

     depends_on:
       - app
+    healthcheck:
+      test: ["CMD", "nginx", "-t"]
+      interval: 30s
+      timeout: 10s
+      retries: 3

Verify SSL configuration.

The SSL certificates are mounted, but ensure proper HTTPS configuration exists in the Nginx templates.


Let me analyze the nginx configuration structure before providing the final response.


Let me examine the actual nginx configuration template to provide a comprehensive response about the SSL setup.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if SSL configuration exists in Nginx templates
rg -l "ssl_certificate" nginx/templates/



Script:

#!/bin/bash
# Check if nginx templates directory exists and list its contents
ls -la nginx/templates/

# Check for any SSL/HTTPS related configurations in nginx directory
find nginx/ -type f -exec grep -l -i "ssl\|https\|443" {} \;

# Check if .env.nginx file exists and if it contains SSL-related configurations
if [ -f .env.nginx ]; then
    grep -i "ssl\|https\|443" .env.nginx
fi



Script:

#!/bin/bash
# Let's check the content of the default.conf.template to understand the SSL configuration
cat nginx/templates/default.conf.template



app:
build:
context: .
target: production
dockerfile: Dockerfile
env_file:
- .env
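Review bot: `./nginx/ssl:/etc/ssl:ro` bind-mounts over the container's entire `/etc/ssl`, which in a Debian-based image such as `nginx:latest` also holds the system CA bundle under `/etc/ssl/certs` and `openssl.cnf`; anything inside the container that needs CA trust, such as nginx proxying to an HTTPS upstream or a TLS-aware health check, then sees only the files from the repository. Mount the certificate and key to a dedicated path, for example `./nginx/ssl:/etc/nginx/ssl:ro`, and point the template at that path. Note too that this file needs both `.env` and `.env.nginx` present at runtime, and neither is produced or documented anywhere in the PR.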
13 changes: 13 additions & 0 deletions jest.config.json
@@ -0,0 +1,13 @@
{
"moduleFileExtensions": ["js", "json", "ts"],
"rootDir": ".",
"testRegex": ".*\\.spec\\.ts$",
"transform": {
"^.+\\.(t|j)s$": "ts-jest"
},
"collectCoverage": true,
"collectCoverageFrom": ["src/**/*.ts*"],
"coverageDirectory": "./coverage",
"coverageReporters": ["json", "lcov", "text", "clover", "html"],
"testEnvironment": "node"
}
8 changes: 8 additions & 0 deletions nest-cli.json
@@ -0,0 +1,8 @@
{
"$schema": "https://json.schemastore.org/nest-cli",
"collection": "@nestjs/schematics",
"sourceRoot": "src",
"compilerOptions": {
"deleteOutDir": true
}
}