Copilot wasn't able to review any files in this pull request.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| WORKDIR /app | ||
|
|
||
| COPY package*.json ./ | ||
| ADD package*.json ./ |
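Review bot: `ADD package*.json ./` should stay `COPY package*.json ./`, as the removed line had it. ADD does more than copy: it auto-extracts local tar archives and accepts remote URLs, so what ends up in the image depends on the inputs in ways a reviewer cannot see from the Dockerfile. COPY has exactly one behaviour and is the right instruction for plain files and directories; the same applies to the `ADD tsconfig.json ./` and `ADD src ./src` lines flagged further down.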
Check failure
Code scanning / Hadolint
Use COPY instead of ADD for files and folders Error
|
|
||
| COPY tsconfig.json ./ | ||
| COPY src ./src | ||
| ADD tsconfig.json ./ |
Check failure
Code scanning / Hadolint
Use COPY instead of ADD for files and folders Error
| COPY tsconfig.json ./ | ||
| COPY src ./src | ||
| ADD tsconfig.json ./ | ||
| ADD src ./src |
Check failure
Code scanning / Hadolint
Use COPY instead of ADD for files and folders Error
| # Build stage | ||
| FROM node:20-alpine AS builder | ||
| # Build stage - intentionally bad for Hadolint testing | ||
| FROM node:latest AS builder |
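Review bot: `FROM node:latest AS builder` makes the build non-reproducible: the image behind `latest` changes without any change to this Dockerfile, so two builds of the same commit can produce different artifacts and a passing scan is only valid for the day it ran. Restore the pinned `node:20-alpine` tag the removed line used, or pin to an image digest (`node:20-alpine@sha256:<digest>`, placeholder) if the build must be reproducible bit for bit.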
Check warning
Code scanning / Hadolint
Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag Warning
| # Build stage - intentionally bad for Hadolint testing | ||
| FROM node:latest AS builder | ||
|
|
||
| RUN cd /app || mkdir /app |
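Review bot: `RUN cd /app || mkdir /app` does not put later instructions in `/app`. Each RUN executes in its own shell, so the `cd` is lost when the step ends, and because of `||` the `mkdir` only runs when the `cd` fails; the net effect is that the directory exists afterwards, but the working directory for every following COPY, RUN and CMD is unchanged. `WORKDIR /app` both creates the directory if needed and sets it for everything that follows, without an extra layer or shell.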
Check warning
Code scanning / Hadolint
Use WORKDIR to switch to a directory Warning
| # Production stage | ||
| FROM node:20-alpine | ||
|
|
||
| RUN apk add curl wget |
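Review bot: `RUN apk add curl wget` in the production stage should be questioned before it is pinned: a runtime image whose only job is `node dist/index.js` rarely needs either tool, and each one is an extra binary for a compromised process to use and an extra package for the scanner to report against. If they are genuinely required, write `RUN apk add --no-cache curl=<version> wget=<version>` (version values are placeholders) so the install is reproducible and the apk index does not end up in a layer; this same hunk is flagged again below for exactly these two points.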
Check warning
Code scanning / Hadolint
Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version> Warning
| EXPOSE 3000 | ||
|
|
||
| CMD ["node", "dist/index.js"] | ||
| CMD node dist/index.js |
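Review bot: keep the exec form `CMD ["node", "dist/index.js"]` that this hunk removes. The shell form `CMD node dist/index.js` runs the command through `/bin/sh -c`, so the shell is PID 1 and node is its child; SIGTERM from `docker stop` or a pod deletion is delivered to the shell, which does not forward it, and the application is killed after the grace period instead of shutting down cleanly. The exec form also avoids shell expansion of the command string.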
Check warning
Code scanning / Hadolint
Use arguments JSON notation for CMD and ENTRYPOINT arguments Warning
| # Production stage | ||
| FROM node:20-alpine | ||
|
|
||
| RUN apk add curl wget |
Check notice
Code scanning / Hadolint
Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages Note
| "node_modules/axios": { | ||
| "version": "0.21.1", | ||
| "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz", | ||
| "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "follow-redirects": "^1.10.0" | ||
| } | ||
| }, |
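Review bot: the new `node_modules/axios` entry pins 0.21.1, which is the version every Trivy finding below for axios (ReDoS in `trim`, SSRF and credential leakage via absolute URLs, cookie exposure) is keyed on. Rather than adding an entry that fails the scan on day one, update the dependency to a current 1.x release before regenerating the lock file (`npm install axios@latest`, then commit both `package.json` and the lock file) and confirm the scan comes back clean. If a vulnerable version is being committed on purpose to exercise the scanner, as the Dockerfile comment says for Hadolint, state that in the PR description so reviewers do not treat the findings as regressions.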
Check failure
Code scanning / Trivy
nodejs-axios: Regular expression denial of service in trim function High
| "node_modules/axios": { | ||
| "version": "0.21.1", | ||
| "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz", | ||
| "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "follow-redirects": "^1.10.0" | ||
| } | ||
| }, |
Check failure
Code scanning / Trivy
axios: Possible SSRF and Credential Leakage via Absolute URL in axios Requests High
| "node_modules/jsonwebtoken": { | ||
| "version": "8.5.1", | ||
| "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz", | ||
| "integrity": "sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "jws": "^3.2.2", | ||
| "lodash.includes": "^4.3.0", | ||
| "lodash.isboolean": "^3.0.3", | ||
| "lodash.isinteger": "^4.0.4", | ||
| "lodash.isnumber": "^3.0.3", | ||
| "lodash.isplainobject": "^4.0.6", | ||
| "lodash.isstring": "^4.0.1", | ||
| "lodash.once": "^4.0.0", | ||
| "ms": "^2.1.1", | ||
| "semver": "^5.6.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=4", | ||
| "npm": ">=1.4.28" | ||
| } | ||
| }, |
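Review bot: `jsonwebtoken` 8.5.1 is the version all three Trivy findings below refer to (unrestricted key type, insecure default algorithm in `jwt.verify()`, and the RSA-to-HMAC key confusion via the key retrieval function); they are addressed in the 9.0.0 release, which also raises the supported Node range above the `>=4` recorded in this entry. Independently of the version, any `jwt.verify()` call in `src` should pass an explicit `algorithms` array so a token cannot select a different algorithm from the one the verification key was issued for.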
Check failure
Code scanning / Trivy
jsonwebtoken: Unrestricted key type could lead to legacy keys usage High
| "node_modules/lodash": { | ||
| "version": "4.17.20", | ||
| "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz", | ||
| "integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==", | ||
| "license": "MIT" | ||
| }, |
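Review bot: `lodash` 4.17.20 is the version behind all three Trivy findings below. 4.17.21 resolves the `_.template` command injection and the `toNumber`/`trim`/`trimEnd` ReDoS; the prototype pollution in `_.unset` and `_.omit` is a newer advisory that needs a later release, so update to the latest lodash and re-run the scan rather than targeting 4.17.21. It is also worth checking whether this entry is only a transitive dependency: `npm ls lodash` shows which package pulls it in, and an `overrides` field in `package.json` can force the patched version if that parent has not updated yet.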
Check failure
Code scanning / Trivy
nodejs-lodash: command injection via template High
| "node_modules/axios": { | ||
| "version": "0.21.1", | ||
| "resolved": "https://registry.npmjs.org/axios/-/axios-0.21.1.tgz", | ||
| "integrity": "sha512-dKQiRHxGD9PPRIUNIWvZhPTPpl1rf/OxTYKsqKUDjBwYylTvV7SjSHJb9ratfyzM6wCdLCOYLzs73qpg5c4iGA==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "follow-redirects": "^1.10.0" | ||
| } | ||
| }, |
Check warning
Code scanning / Trivy
axios: exposure of confidential data stored in cookies Medium
| "node_modules/jsonwebtoken": { | ||
| "version": "8.5.1", | ||
| "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz", | ||
| "integrity": "sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "jws": "^3.2.2", | ||
| "lodash.includes": "^4.3.0", | ||
| "lodash.isboolean": "^3.0.3", | ||
| "lodash.isinteger": "^4.0.4", | ||
| "lodash.isnumber": "^3.0.3", | ||
| "lodash.isplainobject": "^4.0.6", | ||
| "lodash.isstring": "^4.0.1", | ||
| "lodash.once": "^4.0.0", | ||
| "ms": "^2.1.1", | ||
| "semver": "^5.6.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=4", | ||
| "npm": ">=1.4.28" | ||
| } | ||
| }, |
Check warning
Code scanning / Trivy
jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass Medium
| "node_modules/jsonwebtoken": { | ||
| "version": "8.5.1", | ||
| "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz", | ||
| "integrity": "sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==", | ||
| "license": "MIT", | ||
| "dependencies": { | ||
| "jws": "^3.2.2", | ||
| "lodash.includes": "^4.3.0", | ||
| "lodash.isboolean": "^3.0.3", | ||
| "lodash.isinteger": "^4.0.4", | ||
| "lodash.isnumber": "^3.0.3", | ||
| "lodash.isplainobject": "^4.0.6", | ||
| "lodash.isstring": "^4.0.1", | ||
| "lodash.once": "^4.0.0", | ||
| "ms": "^2.1.1", | ||
| "semver": "^5.6.0" | ||
| }, | ||
| "engines": { | ||
| "node": ">=4", | ||
| "npm": ">=1.4.28" | ||
| } | ||
| }, |
Check warning
Code scanning / Trivy
jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC Medium
| "node_modules/lodash": { | ||
| "version": "4.17.20", | ||
| "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz", | ||
| "integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==", | ||
| "license": "MIT" | ||
| }, |
Check warning
Code scanning / Trivy
nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions Medium
| "node_modules/lodash": { | ||
| "version": "4.17.20", | ||
| "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz", | ||
| "integrity": "sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA==", | ||
| "license": "MIT" | ||
| }, |
Check warning
Code scanning / Trivy
lodash: prototype pollution in _.unset and _.omit functions Medium