This directory contains the CI/CD pipeline and security configuration for BrainPatch.
The CI pipeline includes comprehensive security checks:
- npm audit: Scans for known vulnerabilities in dependencies
- Production Focus: High/critical vulnerabilities in production dependencies fail the build
- Development Tolerance: Moderate vulnerabilities in dev dependencies are reported but don't fail
- Multi-level Checks: Different audit levels for different dependency scopes
All code must pass these checks before merging:
- Linting & Formatting: Biome checks for code quality
- Type Checking: TypeScript strict mode validation
- Testing: Full test suite with coverage reporting
- Security Audit: Dependency vulnerability scanning
- Build Verification: Successful static export generation
lint-and-format → test → build → release (main branch only) security-audit →lint-and-format:
- Biome linting and formatting checks
- TypeScript type checking
- Fast feedback on code quality issues
test:
- Vitest test suite execution
- Coverage report generation
- Codecov integration for coverage tracking
security-audit:
npm audit --audit-level=moderatefor all dependenciesnpm audit --omit=dev --audit-level=highfor production only- Fails CI if high/critical vulnerabilities in production dependencies
build:
- Next.js static export build
- Artifact upload for deployment verification
- Build output validation
release (main branch only):
- Semantic release with conventional commits
- Automated versioning and changelog generation
- GitHub release creation
Dependabot provides:
- Weekly Updates: Every Monday at 09:00 UTC
- Grouped PRs: Related dependencies updated together
- Security Patches: Immediate updates for security vulnerabilities
- PR Limits: Maximum 5 npm + 3 GitHub Actions PRs open simultaneously
- react-ecosystem: React, Next.js, and related packages
- testing: Vitest, Testing Library, jsdom
- code-quality: Biome, ESLint, Prettier
- build-tools: Vite, Webpack, PostCSS, Tailwind
- release-tools: Semantic Release, Commitizen, Husky
- Weekly Schedule: Keep CI actions up to date
- Security Focused: Automatic updates for action vulnerabilities
- Responsible disclosure process
- 48-hour acknowledgment SLA
- Coordinated disclosure timeline
- Development: Dependency scanning, code quality, testing
- Deployment: Static export, client-side LLM, HTTPS
- Dependencies: Automated updates, audit gates, minimal deps
- Prompt Injection: Input sanitization guidelines
- Model Integrity: Checksum verification requirements
- Privacy: Client-side processing guarantees
- Resource Limits: Memory and CPU monitoring
# Basic audit npm run audit # Production dependencies only npm run audit:prod # Security check (high/critical in prod) npm run security:check # CI-level audit npm run audit:ci # Fix automatically npm run audit:fix- ✅ Production Dependencies: No high/critical vulnerabilities
⚠️ Development Dependencies: 7 moderate vulnerabilities (Vitest ecosystem)- ✅ CI Pipeline: All security checks passing
- ✅ Dependabot: Configured for automated updates
Current moderate vulnerabilities are in the Vitest/Vite ecosystem (development-only):
- esbuild development server security issue
- These do not affect production builds or runtime security
- Monitor for Vitest ecosystem updates
- Development vulnerabilities are acceptable as they don't affect production
- Production builds use Next.js static export (no development server)
- Review Dependabot PRs
- Check security audit reports
- Update vulnerability assessments
- Comprehensive dependency review
- Security policy updates
- CI/CD pipeline optimization
- Full security assessment
- Dependency cleanup and optimization
- Security training and documentation updates
- Run
npm run security:checkbefore commits - Review Dependabot PRs promptly
- Follow security guidelines in SECURITY.md
- Include security considerations in PR reviews
- Monitor CI security job failures closely
- Investigate and resolve high/critical vulnerabilities immediately
- Keep security policy updated
- Coordinate security disclosures responsibly