feat: Add security improvements (IP whitelist, API key rotation, audit workflows)#168
Merged
Merged
Conversation
Add a dedicated dependency-audit job to the CI workflow that runs npm audit at high severity level and generates a summary report. The job uses continue-on-error for reporting and fails the build only when high/critical vulnerabilities are detected. Refs Heliobond#114
Add a weekly security audit GitHub Actions workflow that includes: - Dependency vulnerability scanning with npm audit - Code vulnerability scanning with Trivy - Secret detection with Gitleaks - License compliance reporting - Security headers verification Runs every Monday at 06:00 UTC and on manual dispatch. Refs Heliobond#115
Enhance the API key system with: - Configurable rotation intervals (rotation_interval_days) - Graceful key transition with configurable grace period - Old key validation during grace period window - Rotation notification callbacks with structured logging - Scheduled rotation checks via hourly cron job - Rotation status and manual trigger endpoints - Extended key details with rotation metadata Refs Heliobond#116
Add IP whitelist middleware with: - Configurable IP list via ADMIN_IP_WHITELIST env var - CIDR notation support for IP ranges - Private/internal network bypass (configurable) - Structured logging for blocked requests - IPv4-mapped IPv6 address handling - Applied to all admin-protected routes Refs Heliobond#117
Add comprehensive test suites: - API key rotation: scheduled rotation, grace period, notifications - IP whitelist: CIDR matching, private network bypass, edge cases All 31 security-related tests passing. Refs Heliobond#116, Heliobond#117
|
@DeFiVC Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #114, Closes #115, Closes #116, Closes #117
Type of Change
Summary
This PR addresses all 4 security-related issues by implementing dependency vulnerability scanning, a comprehensive security audit workflow, API key rotation with scheduling, and IP whitelist protection for admin endpoints. All changes are backward-compatible with sensible defaults.
Motivation / Context
The Helibond backend needs enhanced security posture across multiple areas: automated vulnerability detection in dependencies, regular security audits, secure API key lifecycle management, and network-level access control for administrative endpoints.
Issue #114 — Dependency Vulnerability Scanning:
dependency-auditjob to the CI pipelinenpm auditat high severity level on every push/PRIssue #115 — Security Audit Workflow:
Issue #116 — API Key Rotation Mechanism:
rotation_interval_days) for API keys/admin/api-keys/rotation/statusand/admin/api-keys/rotation/triggerendpointsIssue #117 — IP Whitelist for Admin Endpoints:
ADMIN_IP_WHITELISTenvironment variableADMIN_IP_WHITELIST_BYPASS_PRIVATE)/v1/adminand legacy/api/admin)Closes #114, Closes #115, Closes #116, Closes #117