Skip to content

feat: Add security improvements (IP whitelist, API key rotation, audit workflows)#168

Merged
AbelOsaretin merged 5 commits into
Heliobond:mainfrom
DeFiVC:feat/security-improvements
Jun 30, 2026
Merged

feat: Add security improvements (IP whitelist, API key rotation, audit workflows)#168
AbelOsaretin merged 5 commits into
Heliobond:mainfrom
DeFiVC:feat/security-improvements

Conversation

@DeFiVC

@DeFiVC DeFiVC commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Closes #114, Closes #115, Closes #116, Closes #117

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Refactoring (no functional or behavioral changes)

Summary

This PR addresses all 4 security-related issues by implementing dependency vulnerability scanning, a comprehensive security audit workflow, API key rotation with scheduling, and IP whitelist protection for admin endpoints. All changes are backward-compatible with sensible defaults.

Motivation / Context

The Helibond backend needs enhanced security posture across multiple areas: automated vulnerability detection in dependencies, regular security audits, secure API key lifecycle management, and network-level access control for administrative endpoints.

Issue #114 — Dependency Vulnerability Scanning:

  • Added a dependency-audit job to the CI pipeline
  • Runs npm audit at high severity level on every push/PR
  • Generates a summary report with vulnerability counts by severity
  • Fails the build only when high/critical vulnerabilities are detected

Issue #115 — Security Audit Workflow:

  • Created a comprehensive weekly security audit GitHub Actions workflow
  • Includes dependency scanning, code vulnerability scanning (Trivy), secret detection (Gitleaks), license compliance, and security headers verification
  • Runs every Monday at 06:00 UTC and on manual dispatch
  • Generates detailed reports with artifact uploads

Issue #116 — API Key Rotation Mechanism:

  • Added configurable rotation intervals (rotation_interval_days) for API keys
  • Implemented graceful key transition with configurable grace periods (old key remains valid during window)
  • Added rotation notification callbacks with structured logging
  • Created hourly cron job to check and execute scheduled rotations
  • Added /admin/api-keys/rotation/status and /admin/api-keys/rotation/trigger endpoints
  • Extended key details API with rotation metadata

Issue #117 — IP Whitelist for Admin Endpoints:

  • Created IP whitelist middleware with CIDR notation support
  • Configurable via ADMIN_IP_WHITELIST environment variable
  • Private/internal network bypass enabled by default (configurable via ADMIN_IP_WHITELIST_BYPASS_PRIVATE)
  • Structured logging for blocked requests
  • Applied to all admin-protected routes (both /v1/admin and legacy /api/admin)
  • Supports IPv4-mapped IPv6 addresses

Closes #114, Closes #115, Closes #116, Closes #117

DeFiVC added 5 commits June 30, 2026 08:12
Add a dedicated dependency-audit job to the CI workflow that runs
npm audit at high severity level and generates a summary report.
The job uses continue-on-error for reporting and fails the build
only when high/critical vulnerabilities are detected.

Refs Heliobond#114
Add a weekly security audit GitHub Actions workflow that includes:
- Dependency vulnerability scanning with npm audit
- Code vulnerability scanning with Trivy
- Secret detection with Gitleaks
- License compliance reporting
- Security headers verification

Runs every Monday at 06:00 UTC and on manual dispatch.

Refs Heliobond#115
Enhance the API key system with:
- Configurable rotation intervals (rotation_interval_days)
- Graceful key transition with configurable grace period
- Old key validation during grace period window
- Rotation notification callbacks with structured logging
- Scheduled rotation checks via hourly cron job
- Rotation status and manual trigger endpoints
- Extended key details with rotation metadata

Refs Heliobond#116
Add IP whitelist middleware with:
- Configurable IP list via ADMIN_IP_WHITELIST env var
- CIDR notation support for IP ranges
- Private/internal network bypass (configurable)
- Structured logging for blocked requests
- IPv4-mapped IPv6 address handling
- Applied to all admin-protected routes

Refs Heliobond#117
Add comprehensive test suites:
- API key rotation: scheduled rotation, grace period, notifications
- IP whitelist: CIDR matching, private network bypass, edge cases

All 31 security-related tests passing.

Refs Heliobond#116, Heliobond#117
@drips-wave

drips-wave Bot commented Jun 30, 2026

Copy link
Copy Markdown

@DeFiVC Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@AbelOsaretin AbelOsaretin merged commit 78b5caa into Heliobond:main Jun 30, 2026
0 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add IP whitelist for admin endpoints Add API key rotation mechanism Add security audit workflow Add dependency vulnerability scanning

2 participants