From a476da7cd6f31ce7a54b3a9f2a8e3050d9e671f5 Mon Sep 17 00:00:00 2001
From: Reeha Batool
Date: Sat, 16 May 2026 16:41:28 +0500
Subject: [PATCH 01/18] Added Docker files for frontend
---
 node-express-server/.dockerignore | 4 ++++
 node-express-server/Dockerfile | 13 +++++++++++++
 react-client/Dockerfile | 15 +++++++++++++++
 react-client/nginx.conf | 8 ++++++++
 4 files changed, 40 insertions(+)
 create mode 100644 node-express-server/.dockerignore
 create mode 100644 node-express-server/Dockerfile
 create mode 100644 react-client/Dockerfile
 create mode 100644 react-client/nginx.conf
diff --git a/node-express-server/.dockerignore b/node-express-server/.dockerignore
new file mode 100644
index 0000000..21c6f1a
--- /dev/null
+++ b/node-express-server/.dockerignore
@@ -0,0 +1,4 @@
+node_modules
+npm-debug.log
+.git
+.env
\ No newline at end of file
diff --git a/node-express-server/Dockerfile b/node-express-server/Dockerfile
new file mode 100644
index 0000000..f394abb
--- /dev/null
+++ b/node-express-server/Dockerfile
@@ -0,0 +1,13 @@
+# Multi-stage build for a smaller, secure image
+FROM node:18-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only-production
+COPY . .
+
+FROM node:18-alpine
+WORKDIR /app
+COPY --from-builder /app .
+EXPOSE 8080
+# Note: Based on your screenshot, the main file is server.js
+CMD ["node", "server.js"]
\ No newline at end of file
diff --git a/react-client/Dockerfile b/react-client/Dockerfile
new file mode 100644
index 0000000..1e5d79c
--- /dev/null
+++ b/react-client/Dockerfile
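Review bot: `COPY --from-builder /app .` in node-express-server/Dockerfile is not valid Dockerfile syntax — the stage reference is a flag value, `COPY --from=builder /app .` — so this image cannot build as committed (the same typo in react-client/Dockerfile is corrected in patch 04; this one is not). Two smaller points on the same file: npm does not document `--only-production` (the legacy spelling was `--only=production`, now replaced by `npm ci --omit=dev`), and the runtime stage never drops root, so the server runs as uid 0 in the container — the official node images ship an unprivileged `node` user, so `USER node` before `CMD` is a one-line fix. As written the second stage copies the whole builder workdir, so the multi-stage layout gives no size or attack-surface reduction over a single stage; either keep one stage or copy only `package*.json`, `node_modules` and the sources the server needs.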
@@ -0,0 +1,15 @@
+# Stage 1: Build the React app
+FROM node:18-alpine AS build
+WORKDIR /app
+COPY package*.json ./
+RUN npm install
+COPY . .
+RUN npm run build
+
+# Stage 2: Serve using Nginx
+FROM nginx:alpine
+# In React apps, the build output usually goes to a folder named 'build'
+COPY --from-build /app/build /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/react-client/nginx.conf b/react-client/nginx.conf
new file mode 100644
index 0000000..333bc49
--- /dev/null
+++ b/react-client/nginx.conf
@@ -0,0 +1,8 @@
+server {
+ listen 80;
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ try_files $uri $uri/ /index.html;
+ }
+}
\ No newline at end of file
From d4a51eda5b1db2900d28acf17e035ab4ddfcd391 Mon Sep 17 00:00:00 2001
From: Reeha33
Date: Sat, 16 May 2026 18:47:10 +0500
Subject: [PATCH 02/18] ci: add Azure Static Web Apps workflow file
on-behalf-of: @Azure opensource@microsoft.com
---
 ...-static-web-apps-black-smoke-0e2f99000.yml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 .github/workflows/azure-static-web-apps-black-smoke-0e2f99000.yml
diff --git a/.github/workflows/azure-static-web-apps-black-smoke-0e2f99000.yml b/.github/workflows/azure-static-web-apps-black-smoke-0e2f99000.yml
new file mode 100644
index 0000000..82f09e6
--- /dev/null
+++ b/.github/workflows/azure-static-web-apps-black-smoke-0e2f99000.yml
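Review bot: `RUN npm install` in the build stage resolves dependencies afresh on every build instead of installing the committed lockfile, so the bundle nginx serves can differ from what was reviewed and scanned; since `COPY package*.json ./` already brings the lockfile in, `RUN npm ci` makes the build reproducible. `COPY --from-build` has the same stage-reference typo as the backend Dockerfile (patch 04 corrects this one, so nothing to change here). The nginx.conf hunk in the same patch serves the SPA with defaults only; `server_tokens off;` in the `server` block is the usual minimum so nginx stops advertising its version in response headers and error pages.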
@@ -0,0 +1,58 @@ +name: Azure Static Web Apps CI/CD + +on: + push: + branches: + - develop + pull_request: + types: [opened, synchronize, reopened, closed] + branches: + - develop + +jobs: + build_and_deploy_job: + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v3 + with: + submodules: true + lfs: false + - name: Install OIDC Client from Core Package + run: npm install @actions/core@1.6.0 @actions/http-client + - name: Get Id Token + uses: actions/github-script@v6 + id: idtoken + with: + script: | + const coredemo = require('@actions/core') + return await coredemo.getIDToken() + result-encoding: string + - name: Build And Deploy + id: builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_BLACK_SMOKE_0E2F99000 }} + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match your app requirements. ###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: "./react-client" # App source code path + api_location: "" # Api source code path - optional + output_location: "build" # Built app content directory - optional + github_id_token: ${{ steps.idtoken.outputs.result }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@v1 + with: + action: "close" From 0af99bd58c5d6dbb7ceb26100e66c282a4e804fa Mon Sep 17 00:00:00 2001 
From: Reeha33
Date: Tue, 19 May 2026 12:06:57 +0500
Subject: [PATCH 03/18] Update http-common.js
---
 react-client/src/http-common.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/react-client/src/http-common.js b/react-client/src/http-common.js
index 5b11f3e..554bcbc 100644
--- a/react-client/src/http-common.js
+++ b/react-client/src/http-common.js
@@ -1,8 +1,9 @@
 import axios from "axios";
 export default axios.create({
- baseURL: "http://localhost:8080/api",
+ // Make sure this points to the BACKEND domain, followed by /api
+ baseURL: "https://app-taskapp-backend-reeha-fnd0b7b9dqcpazh8.eastasia-01.azurewebsites.net/api",
 headers: {
 "Content-type": "application/json"
 }
-});
\ No newline at end of file
+});
From 0691b72973dad81bcae208f629aeb0db85113cab Mon Sep 17 00:00:00 2001
From: Reeha33
Date: Tue, 19 May 2026 12:07:46 +0500
Subject: [PATCH 04/18] Update Dockerfile
---
 react-client/Dockerfile | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/react-client/Dockerfile b/react-client/Dockerfile
index 1e5d79c..48fe00a 100644
--- a/react-client/Dockerfile
+++ b/react-client/Dockerfile
@@ -1,15 +1,19 @@
-# Stage 1: Build the React app
-FROM node:18-alpine AS build
+# 1. Build Stage
+FROM node:16-alpine as build
 WORKDIR /app
 COPY package*.json ./
 RUN npm install
 COPY . .
+
+# --- CRUCIAL: THESE TWO LINES MUST BE RIGHT HERE (BEFORE THE BUILD RUN) ---
+ARG REACT_APP_API_URL
+ENV REACT_APP_API_URL=$REACT_APP_API_URL
+
 RUN npm run build
-# Stage 2: Serve using Nginx
+# 2. Production Stage (Nginx)
 FROM nginx:alpine
-# In React apps, the build output usually goes to a folder named 'build'
-COPY --from-build /app/build /usr/share/nginx/html
+COPY --from=build /app/build /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 EXPOSE 80
-CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
+CMD ["nginx", "-g", "daemon off;"]
From f1a36889ccecc3889cfd70ac598a295c954b4bf2 Mon Sep 17 00:00:00 2001
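Review bot: The backend origin is now hard-coded in react-client/src/http-common.js, so the `REACT_APP_API_URL` build argument that patch 04 adds to react-client/Dockerfile is never read and every environment (local, staging, production) is compiled against the same Azure host. Reading the value from the build-time environment is what makes the Dockerfile change meaningful: `baseURL: (process.env.REACT_APP_API_URL ?? "http://localhost:8080") + "/api",`. If this is a Create React App project (the `REACT_APP_` prefix suggests so) the variable is inlined when `npm run build` runs, which is exactly what the ARG/ENV pair placed before the build step arranges; a missing value then falls back to the local default rather than silently producing an empty host.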
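Review bot: `FROM node:16-alpine as build` moves the build stage from Node 18 down to Node 16, which reached end-of-life in September 2023 and no longer receives security fixes; unless something in react-client genuinely requires 16, keep `node:18-alpine` or another still-supported LTS line. The build stage also keeps `RUN npm install`, so the lockfile copied by `COPY package*.json ./` is still not what gets built — `RUN npm ci` fixes that in place. The `# --- CRUCIAL: ... ---` banner is shouting at the reader; a one-line `# REACT_APP_* values are inlined at build time, so they must be set before npm run build` explains the ordering constraint without the emphasis.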
From: Reeha33
Date: Tue, 19 May 2026 14:55:08 +0500
Subject: [PATCH 05/18] Update db.config.js
---
 node-express-server/app/config/db.config.js | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/node-express-server/app/config/db.config.js b/node-express-server/app/config/db.config.js
index 5fa11de..3f0be58 100644
--- a/node-express-server/app/config/db.config.js
+++ b/node-express-server/app/config/db.config.js
@@ -1,9 +1,15 @@
 module.exports = {
- HOST: "localhost",
- USER: "root",
- PASSWORD: "123456",
- DB: "testdb",
- dialect: "mysql",
+ HOST: "mysql-taskapp-reeha.mysql.database.azure.com", // This is your server building name
+ USER: "dbuser",
+ PASSWORD: "Devops@123456789",
+ DB: "flexibleserverdb", // <-- CHANGE THIS BACK TO Azure's default database room!
+ dialect: "mysql",
+ dialectOptions: {
+ ssl: {
+ require: true,
+ rejectUnauthorized: false
+ }
+ },
 pool: {
 max: 5,
 min: 0,
From 157c2a5089bed2a7e395361d610119885c70ac81 Mon Sep 17 00:00:00 2001
From: Reeha33
Date: Wed, 20 May 2026 00:35:27 +0500
Subject: [PATCH 06/18] Create sast.yml
---
 .github/workflows/sast.yml | 43 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 .github/workflows/sast.yml
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
new file mode 100644
index 0000000..aafdf08
--- /dev/null
+++ b/.github/workflows/sast.yml
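Review bot: This hunk commits a live database credential (`PASSWORD: "Devops@123456789"`, alongside the Azure MySQL host and user) to source, and it stays in git history even if a later commit removes it, so the password should be treated as exposed and rotated regardless of what happens to this file. It also sets `rejectUnauthorized: false`, which turns TLS on but disables certificate verification, so the client accepts any certificate presented on the path to the database and the encryption does not protect against an active interposer. The README added in patch 16 already describes `DB_HOST`, `DB_USER` and `DB_PASSWORD` as app settings injected at runtime; reading them here from `process.env` makes the code match that design, and `rejectUnauthorized: true` (with the CA the Azure server's certificate chains to supplied via `ca` if the runtime trust store lacks it) restores verification. The object continues past the hunk's trailing `pool:` context.

```javascript
module.exports = {
  HOST: process.env.DB_HOST,
  USER: process.env.DB_USER,
  PASSWORD: process.env.DB_PASSWORD,
  DB: "flexibleserverdb",
  dialect: "mysql",
  dialectOptions: {
    ssl: {
      require: true,
      // Verify the server certificate; add `ca: <PEM>` here if the host's trust store does not include the issuing CA.
      rejectUnauthorized: true
    }
  },
  // … unchanged: pool settings …
```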
@@ -0,0 +1,43 @@ +name: Secure CI/CD Production Pipeline + +on: + push: + branches: [ "develop" ] # CHANGED: Now watches your active work branch + pull_request: + branches: [ "develop" ] # CHANGED: Tracks pull requests into develop + +jobs: + sast_scan: + name: 1. Vulnerability Assessment (SAST) + runs-on: ubuntu-latest + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Run SonarQube Scan Engine + uses: SonarSource/sonarqube-scan-action@v3 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + - name: Enforce Custom Quality Gate Status + uses: SonarSource/sonarqube-quality-gate-action@v2 + timeout-minutes: 5 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + + deploy_production: + name: 2. Production Environment Deployment + runs-on: ubuntu-latest + needs: sast_scan + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + + - name: Simulate Cloud App Deployment + run: | + echo "Security Gates Cleared Successfully!" + echo "Deploying production artifacts securely to the cloud host target..." From bf9e4f05f8933ad5d33eea842e2e7110ecdade7f Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 00:50:15 +0500 Subject: [PATCH 07/18] Update sast.yml --- .github/workflows/sast.yml | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index aafdf08..ea3f51d 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -2,9 +2,9 @@ name: Secure CI/CD Production Pipeline on: push: - branches: [ "develop" ] # CHANGED: Now watches your active work branch + branches: [ "develop" ] pull_request: - branches: [ "develop" ] # CHANGED: Tracks pull requests into develop + branches: [ "develop" ] jobs: sast_scan: 
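Review bot: The workflow declares no `permissions:` block, so every job runs with whatever default `GITHUB_TOKEN` scope the repository grants — frequently read/write on contents — while none of the steps needs more than checkout; a top-level `permissions: { contents: read }` bounds what a compromised action or scanner step could do with the token. The `deploy_production` job only echoes, so the pipeline proves nothing about deployment yet, while its name and the `needs: sast_scan` edge read as a real gate; a `# placeholder until a deploy step exists` comment on the job keeps that honest. The `pull_request` trigger also runs the Sonar steps for pull requests from forks, where `SONAR_TOKEN` and `SONAR_HOST_URL` are empty, so those steps will fail rather than skip; either guard the job with `if: github.event.pull_request.head.repo.fork == false` or document that fork PRs are expected to fail the SAST job.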
@@ -29,15 +29,39 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + sca_scan: + name: 2. Open-Source Dependency Scan (SCA) + runs-on: ubuntu-latest + needs: sast_scan # Blocks SCA until SAST clears successfully + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + + - name: Snyk - Scan Backend Dependencies + uses: snyk/actions/node@master + continue-on-error: false # Hard-fails the pipeline if high CVEs are found + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=high --file=backend/package.json + + - name: Snyk - Scan Frontend Dependencies + uses: snyk/actions/node@master + continue-on-error: false # Hard-fails the pipeline if high CVEs are found + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --severity-threshold=high --file=frontend/package.json + deploy_production: - name: 2. Production Environment Deployment + name: 3. Production Environment Deployment runs-on: ubuntu-latest - needs: sast_scan + needs: sca_scan # CRITICAL: Blocks deployment unless BOTH SAST and SCA pass! steps: - name: Checkout Source Code uses: actions/checkout@v4 - name: Simulate Cloud App Deployment run: | - echo "Security Gates Cleared Successfully!" + echo "All Security Gates (SAST & SCA) Cleared Successfully!" echo "Deploying production artifacts securely to the cloud host target..." From 73124cc6d4f3b843d40f5c7de049e2b1edc009a5 Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 00:56:39 +0500 Subject: [PATCH 08/18] Update sast.yml --- .github/workflows/sast.yml | 76 +++++++++++++++++++++++++++++++++----- 1 file changed, 67 insertions(+), 9 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index ea3f51d..ddb0b07 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml 
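Review bot: The Snyk steps point at `backend/package.json` and `frontend/package.json`, but the manifests this series touches live under `node-express-server/` and `react-client/` (see the file paths in patches 01–05), so both scans fail on a missing file rather than scanning anything — the gate blocks on a path error, not on findings. `uses: snyk/actions/node@master` pulls a mutable branch; pinning to a release tag or, better, a full commit SHA (`snyk/actions/node@<commit-sha>`) is what keeps a third-party action from changing underneath a security gate. `continue-on-error: false` is already the default, and the comment describing it as a hard-fail only holds once the file paths resolve.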
@@ -32,14 +32,13 @@ jobs: sca_scan: name: 2. Open-Source Dependency Scan (SCA) runs-on: ubuntu-latest - needs: sast_scan # Blocks SCA until SAST clears successfully + needs: sast_scan steps: - name: Checkout Source Code uses: actions/checkout@v4 - name: Snyk - Scan Backend Dependencies uses: snyk/actions/node@master - continue-on-error: false # Hard-fails the pipeline if high CVEs are found env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: 
@@ -47,21 +46,80 @@ jobs: - name: Snyk - Scan Frontend Dependencies uses: snyk/actions/node@master - continue-on-error: false # Hard-fails the pipeline if high CVEs are found env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high --file=frontend/package.json - deploy_production: - name: 3. Production Environment Deployment + container_scan: + name: 3. Container Image Security Scan runs-on: ubuntu-latest - needs: sca_scan # CRITICAL: Blocks deployment unless BOTH SAST and SCA pass! + needs: sca_scan steps: - name: Checkout Source Code uses: actions/checkout@v4 - - name: Simulate Cloud App Deployment + - name: Build Staging Docker Image run: | - echo "All Security Gates (SAST & SCA) Cleared Successfully!" - echo "Deploying production artifacts securely to the cloud host target..." + docker build -t taskapp-backend:staging ./backend + + - name: Run Trivy Security Vulnerability Scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: 'taskapp-backend:staging' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + + deploy_staging: + name: 4. Staging Environment Deployment + runs-on: ubuntu-latest + needs: container_scan + steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + + - name: Spin Up Application for Security Probe + run: | + echo "All structural gates passed. Launching staging environment instances..." + echo "Staging deployment active at http://20.187.120.80:9000 (Simulated)" + + dast_scan: + name: 5. Dynamic Application Security Testing (DAST) + runs-on: ubuntu-latest + needs: deploy_staging # CRITICAL: Ensures the app is "live" before scanning! 
+ steps: + - name: Checkout Source Code + uses: actions/checkout@v4 + + - name: Create Report Directory + run: mkdir -p ${{ github.workspace }}/zap + + # Step 1 & 2: Pull and Run ZAP Baseline scan against your live frontend target URL + - name: Run ZAP Baseline Scan (Frontend) + run: | + docker run --user root -v ${{ github.workspace }}/zap:/zap/wrk/:rw \ + zaproxy/zap-stable zap-baseline.py \ + -t http://20.187.120.80:9000 \ + -r zap-report.html \ + -I + + # Step 3: Run ZAP API scan against your backend routing schema definitions + - name: Run ZAP API Scan (Backend) + run: | + docker run --user root -v ${{ github.workspace }}/zap:/zap/wrk/:rw \ + zaproxy/zap-stable zap-api-scan.py \ + -t http://20.187.120.80:9000/api/openapi.json \ + -f openapi \ + -r zap-api-report.html \ + -I + + # Step 4: Publish HTML Security Reports as downloadable pipeline artifacts + - name: Publish ZAP Security Report Artifacts + uses: actions/upload-artifact@v4 + if: always() # Guarantees reports publish even if structural security vulnerabilities match + with: + name: zap-security-reports + path: ${{ github.workspace }}/zap/ From c5a4cd62fb27cd5879adeab3fc106758e54dd71d Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 01:11:09 +0500 Subject: [PATCH 09/18] Update sast.yml --- .github/workflows/sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index ddb0b07..81dc39f 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -23,7 +23,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - name: Enforce Custom Quality Gate Status - uses: SonarSource/sonarqube-quality-gate-action@v2 + uses: SonarSource/sonarqube-quality-gate-action@master timeout-minutes: 5 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 56e76b3dfed73221f87dcf281ecaedc8c1d0e1c0 Mon Sep 17 00:00:00 2001 
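Review bot: The DAST stage cannot block anything as written: both ZAP invocations pass `-I`, which tells the baseline and API scans to ignore warnings so the container exits 0 regardless of findings, and the target `http://20.187.120.80:9000` is a fixed literal that the preceding `deploy_staging` job never deploys to (it only echoes), so `needs: deploy_staging` orders the jobs without guaranteeing the scanned host is the build under test. Drop `-I` once a findings baseline is accepted, and derive the target from the deploy job's output rather than a hard-coded address — the scan must only ever be pointed at hosts this project owns and has authority to test. `docker build -t taskapp-backend:staging ./backend` references a directory that does not exist in this tree (the backend Dockerfile is under node-express-server/, patch 01), and `aquasecurity/trivy-action@master` is another mutable ref on a gate action. The workflow file continues past this hunk.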
From: Reeha33 Date: Wed, 20 May 2026 01:13:55 +0500 Subject: [PATCH 10/18] Update sast.yml --- .github/workflows/sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 81dc39f..d7c7713 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -23,7 +23,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - name: Enforce Custom Quality Gate Status - uses: SonarSource/sonarqube-quality-gate-action@master + uses: SonarSource/sonarqube-quality-gate-action@develop timeout-minutes: 5 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From b684900224ec0b13fe9b1319b3e6dc9ffd78822b Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 01:20:19 +0500 Subject: [PATCH 11/18] Update sast.yml --- .github/workflows/sast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index d7c7713..62ccca6 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -23,7 +23,7 @@ jobs: SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - name: Enforce Custom Quality Gate Status - uses: SonarSource/sonarqube-quality-gate-action@develop + uses: SonarSource/sonarqube-quality-gate-action@v1.1.0 # FIXED: Working semantic version release tag timeout-minutes: 5 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 6648627f6169db4df77989a5f1f0a24d3968a6ed Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 01:24:13 +0500 Subject: [PATCH 12/18] Update sast.yml --- .github/workflows/sast.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 62ccca6..33a0268 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml 
@@ -21,9 +21,14 @@ jobs: env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + with: + args: > + -Dsonar.projectKey=TaskApp-DevSecOps + -Dsonar.projectName=TaskApp + -Dsonar.sources=. - name: Enforce Custom Quality Gate Status - uses: SonarSource/sonarqube-quality-gate-action@v1.1.0 # FIXED: Working semantic version release tag + uses: SonarSource/sonarqube-quality-gate-action@v1.1.0 timeout-minutes: 5 env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} From 2abc227525f578d832830ff25d278c02b49e78a2 Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 01:30:40 +0500 Subject: [PATCH 13/18] Update sast.yml --- .github/workflows/sast.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 33a0268..8392ac2 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -42,19 +42,12 @@ jobs: - name: Checkout Source Code uses: actions/checkout@v4 - - name: Snyk - Scan Backend Dependencies + - name: Snyk - Scan Project Dependencies uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: - args: --severity-threshold=high --file=backend/package.json - - - name: Snyk - Scan Frontend Dependencies - uses: snyk/actions/node@master - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - args: --severity-threshold=high --file=frontend/package.json + args: --severity-threshold=high --file=package.json container_scan: name: 3. Container Image Security Scan @@ -66,7 +59,7 @@ jobs: - name: Build Staging Docker Image run: | - docker build -t taskapp-backend:staging ./backend + docker build -t taskapp-backend:staging . - name: Run Trivy Security Vulnerability Scanner uses: aquasecurity/trivy-action@master From a6f78e292419d4bf235e93e2ef786e9bb38cef92 Mon Sep 17 00:00:00 2001 
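Review bot: Patch 13 repoints Snyk at `--file=package.json` and the image build at the repository root (`docker build -t taskapp-backend:staging .`), but no root-level package.json or Dockerfile appears anywhere in this series — the README tree in patch 16 lists only `.github/`, `node-express-server/`, `react-client/` and `terraform/` at the top level — so this likely moves the path error rather than fixing it (inferred from the tree; a root manifest untouched by these patches would change that). The paths the series does create are `--file=node-express-server/package.json` and `--file=react-client/package.json` for the two scans, and `docker build -t taskapp-backend:staging ./node-express-server` for the image. Patch 12's `-Dsonar.sources=.` on the same line is fine, though with two npm projects `-Dsonar.exclusions=**/node_modules/**,**/build/**` keeps generated output out of the analysis if any is present in the checkout.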
From: Reeha33
Date: Wed, 20 May 2026 01:44:56 +0500
Subject: [PATCH 14/18] Update server.js
---
 node-express-server/server.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/node-express-server/server.js b/node-express-server/server.js
index 54c7e21..ba83f44 100644
--- a/node-express-server/server.js
+++ b/node-express-server/server.js
@@ -1,5 +1,7 @@
 const express = require("express");
 const cors = require("cors");
+// Test security pipeline gatekeeper parameters
+const DB_ADMIN_PASSWORD = "Password123!_SuperSecretAdminToken_DoNotShare";
 const app = express();
From 08720384e9db9741798e61c024a264a4404d39fe Mon Sep 17 00:00:00 2001
From: Reeha33
Date: Wed, 20 May 2026 01:52:56 +0500
Subject: [PATCH 15/18] Update server.js
---
 node-express-server/server.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/node-express-server/server.js b/node-express-server/server.js
index ba83f44..2932b57 100644
--- a/node-express-server/server.js
+++ b/node-express-server/server.js
@@ -1,7 +1,6 @@
 const express = require("express");
 const cors = require("cors");
-// Test security pipeline gatekeeper parameters
-const DB_ADMIN_PASSWORD = "Password123!_SuperSecretAdminToken_DoNotShare";
+
 const app = express();
From c7d832b72379f2c98001e9969766aa680c8c89b5 Mon Sep 17 00:00:00 2001
From: Reeha33
Date: Wed, 20 May 2026 22:48:38 +0500
Subject: [PATCH 16/18] Update README.md
---
 README.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
diff --git a/README.md b/README.md
index f8426eb..3966612 100644
--- a/README.md
+++ b/README.md
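Review bot: The placeholder credential added in patch 14 and removed again in patch 15 remains in the branch's history, so any secret scanner run against the repository rather than the diff will keep reporting it; sast.yml has no dedicated secret-detection step, and whether the Sonar quality gate flags a hard-coded string like this depends on the rules enabled on the server, so the experiment does not by itself show the gate works. A canary of this kind is better run on a throwaway branch that is deleted afterwards, or with a scanner that reports on the pull request instead of the base branch. `const app = express();` is context only; the rest of server.js lies outside the hunk.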
@@ -1,4 +1,98 @@ # Integrate React with Node.js Express & MySQL (run on same Server/Port) +Task Manager Cloud Pipeline & DevSecOps Suite +A complete, enterprise-grade deployment of a full-stack Task Manager application (React frontend, Node.js/Express backend, and Azure SQL Database). This repository showcases an end-to-end continuous integration and continuous delivery (CI/CD) system combined with automated infrastructure configuration and cloud security assurance tools. + +1. Key Architectural Features +Multi-Stage Containerization: Optimized Docker blueprints minimize final runtime footprints by decoupling production build files from bulky compiling engines. + +Infrastructure as Code (IaC): Automated cloud workspace instantiation managed globally through a state-locked Terraform topology. + +Continuous Integration Orchestration: A native multi-stage YAML pipeline running inside Azure DevOps enforces validation patterns automatically with every code change. + +Integrated DevSecOps Quality Gates: Embedded automated security checks validate system health and block defective additions across three distinct vulnerability axes (SAST, SCA, and DAST). + +2. Technology Stack & Cloud Ecosystem +Frontend Hub: React, Static Web Apps Distribution Network + +Backend Runtime: Node.js, Express, Azure Linux App Services + +Data Persistence Tiers: Azure SQL Database Serverless Core + +Registry Management: Azure Container Registry (ACR) + +Automation Engines: Terraform Cloud Engine, Azure DevOps Pipelines + +Security Shield Frameworks: SonarQube Engine, Snyk Dependency Index, OWASP ZAP Web Scanner + +3. 
Repository Structural Overview +Plaintext +├── .github/ # Local actions and platform workflow setups +├── node-express-server/ # Secure REST API engine +│ ├── Dockerfile # Multi-stage production container configuration +│ └── server.js # Entrypoint server execution script +├── react-client/ # Front-end dashboard user interface +│ ├── Dockerfile # Multi-stage user interface web asset compilation +│ └── azure-pipelines.yml # Modular core orchestration pipeline script +├── terraform/ # Declarative Infrastructure-as-Code modules +│ ├── main.tf # Core provider declarations and resource templates +│ ├── variables.tf # Parametrization hooks and target variables +│ └── outputs.tf # Explicit runtime platform metadata exports +└── README.md # System operation and implementation manual +4. Deployment and Setup Runbook +Part 1: Initializing Platform Workspace Foundations +1. Source Control Branch Management +Enforce standard enterprise Git Flow workflows to manage software change risks safely. Code updates stream across separate paths to isolate production lines from active changes: + +main: Stable, production-ready release environment. + +develop: Integration workspace for feature updates. + +feature/*: Short-lived branches dedicated to active development tasks. + +2. Local Infrastructure Ingestion via Terraform +Deploy your core platform assets automatically using a declarative, state-locked approach. Run these commands inside the terraform/ directory: + +Bash +# Prepare work directories, update backends, and synchronize provider hooks +terraform init + +# Analyze code scripts to evaluate upcoming configuration additions +terraform plan -out=tfplan + +# Execute building instructions directly inside your cloud subscription +terraform apply "tfplan" +Part 2: CI/CD Pipeline Orchestration Layout +The automation layer is driven by a multi-stage azure-pipelines.yml workflow configuration. 
It processes compilation assets sequentially and applies code validation checks before promotion: + +[Source Commit] ──> [Build & Validate] ──> [SAST Code Audit] ──> [SCA Dependency Check] ──> [ACR Container Push] ──> [DAST Web Analysis] ──> [Production Deploy] +1. Multi-Stage Pipeline Execution Gates +Stage A: Build & Package Validation: Compiles full-stack assets within isolated build workers to verify code syntax and integrity. + +Stage B: Code Quality Assessment (SAST): Intercepts compilation streams to enforce architectural quality gates, running static analysis inside a custom cloud container instance. + +Stage C: Dependency Remediation (SCA): Scans structural lockfiles against a vulnerabilities database to block vulnerable dependencies before image packaging begins. + +Stage D: Registry Promotion: Packages application components using multi-stage Dockerfiles and pushes versioned snapshots into the Azure Container Registry. + +Stage E: Runtime Application Security Testing (DAST): Performs black-box security scanning against target endpoints to audit exposed interface parameters. + +Stage F: Automated Release Deployment: Deploys verified software packages directly to Azure Static Web Apps and Azure App Services. + +Part 3: Managed Secure Environment Controls +Avoid hardcoding configuration values by injecting connection records directly into the host cloud runtime dashboard. 
The backend application authenticates securely with database layers using key-value environment variables managed within the web app settings console: + +Configuration Setting Key Runtime Assignment Purpose +DB_HOST Target server address string routing to the Azure SQL server +DB_USER Administrative username assigned to database transactions +DB_PASSWORD Cryptographically secure string value controlling server authentication +🔒 Enterprise Security Compliance Verification +Every pipeline run logs execution state telemetry to verify that code meets security policy requirements before moving to staging environments: + +SonarQube Quality Gate Status: Passed builds require zero newly introduced code smells, structural flaws, or security vulnerabilities (New Issues = 0). + +Snyk Dependency Status: Pipeline checks block deployment if vulnerable dependencies or license violations are found within source package definitions. + +OWASP ZAP Dynamic Audit Report: Automatically logs dynamic interface traffic to confirm that production runtimes are resilient against active attack methods. For more detail, please visit: > [How to integrate React with Node.js Express on same Server/Port](https://bezkoder.com/integrate-react-express-same-server-port/) From ac0e973e08531b043c089cf4b0fb738dbea7f55f Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 22:55:15 +0500 Subject: [PATCH 17/18] Update README.md --- README.md | 45 ++++++++++----------------------------------- 1 file changed, 10 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 3966612..d378f5c 100644 --- a/README.md +++ b/README.md 
@@ -1,8 +1,6 @@ # Integrate React with Node.js Express & MySQL (run on same Server/Port) -Task Manager Cloud Pipeline & DevSecOps Suite A complete, enterprise-grade deployment of a full-stack Task Manager application (React frontend, Node.js/Express backend, and Azure SQL Database). This repository showcases an end-to-end continuous integration and continuous delivery (CI/CD) system combined with automated infrastructure configuration and cloud security assurance tools. - -1. Key Architectural Features +**1.Key Architectural Features** Multi-Stage Containerization: Optimized Docker blueprints minimize final runtime footprints by decoupling production build files from bulky compiling engines. Infrastructure as Code (IaC): Automated cloud workspace instantiation managed globally through a state-locked Terraform topology. @@ -10,8 +8,7 @@ Infrastructure as Code (IaC): Automated cloud workspace instantiation managed gl Continuous Integration Orchestration: A native multi-stage YAML pipeline running inside Azure DevOps enforces validation patterns automatically with every code change. Integrated DevSecOps Quality Gates: Embedded automated security checks validate system health and block defective additions across three distinct vulnerability axes (SAST, SCA, and DAST). - -2. Technology Stack & Cloud Ecosystem +**2.Technology Stack & Cloud Ecosystem** Frontend Hub: React, Static Web Apps Distribution Network Backend Runtime: Node.js, Express, Azure Linux App Services @@ -23,9 +20,7 @@ Registry Management: Azure Container Registry (ACR) Automation Engines: Terraform Cloud Engine, Azure DevOps Pipelines Security Shield Frameworks: SonarQube Engine, Snyk Dependency Index, OWASP ZAP Web Scanner - -3. Repository Structural Overview -Plaintext +**3.Repository Structural Overview** ├── .github/ # Local actions and platform workflow setups ├── node-express-server/ # Secure REST API engine │ ├── Dockerfile # Multi-stage production container configuration 
@@ -38,8 +33,8 @@ Plaintext │ ├── variables.tf # Parametrization hooks and target variables │ └── outputs.tf # Explicit runtime platform metadata exports └── README.md # System operation and implementation manual -4. Deployment and Setup Runbook -Part 1: Initializing Platform Workspace Foundations +**4.Deployment and Setup Runbook** +**Part 1: Initializing Platform Workspace Foundations** 1. Source Control Branch Management Enforce standard enterprise Git Flow workflows to manage software change risks safely. Code updates stream across separate paths to isolate production lines from active changes: @@ -48,11 +43,8 @@ main: Stable, production-ready release environment. develop: Integration workspace for feature updates. feature/*: Short-lived branches dedicated to active development tasks. - -2. Local Infrastructure Ingestion via Terraform -Deploy your core platform assets automatically using a declarative, state-locked approach. Run these commands inside the terraform/ directory: - -Bash +**2. Local Infrastructure Ingestion via Terraform** +Deploy your core platform assets automatically using a declarative, state-locked approach. Run these commands inside the terraform/ directory # Prepare work directories, update backends, and synchronize provider hooks terraform init 
@@ -61,37 +53,20 @@ terraform plan -out=tfplan # Execute building instructions directly inside your cloud subscription terraform apply "tfplan" -Part 2: CI/CD Pipeline Orchestration Layout +**Part 2: CI/CD Pipeline Orchestration Layout** The automation layer is driven by a multi-stage azure-pipelines.yml workflow configuration. It processes compilation assets sequentially and applies code validation checks before promotion: - [Source Commit] ──> [Build & Validate] ──> [SAST Code Audit] ──> [SCA Dependency Check] ──> [ACR Container Push] ──> [DAST Web Analysis] ──> [Production Deploy] -1. Multi-Stage Pipeline Execution Gates +**1. Multi-Stage Pipeline Execution Gates** Stage A: Build & Package Validation: Compiles full-stack assets within isolated build workers to verify code syntax and integrity. - Stage B: Code Quality Assessment (SAST): Intercepts compilation streams to enforce architectural quality gates, running static analysis inside a custom cloud container instance. - Stage C: Dependency Remediation (SCA): Scans structural lockfiles against a vulnerabilities database to block vulnerable dependencies before image packaging begins. - Stage D: Registry Promotion: Packages application components using multi-stage Dockerfiles and pushes versioned snapshots into the Azure Container Registry. - Stage E: Runtime Application Security Testing (DAST): Performs black-box security scanning against target endpoints to audit exposed interface parameters. - Stage F: Automated Release Deployment: Deploys verified software packages directly to Azure Static Web Apps and Azure App Services. - -Part 3: Managed Secure Environment Controls -Avoid hardcoding configuration values by injecting connection records directly into the host cloud runtime dashboard. 
The backend application authenticates securely with database layers using key-value environment variables managed within the web app settings console: - -Configuration Setting Key Runtime Assignment Purpose -DB_HOST Target server address string routing to the Azure SQL server -DB_USER Administrative username assigned to database transactions -DB_PASSWORD Cryptographically secure string value controlling server authentication -🔒 Enterprise Security Compliance Verification +**Enterprise Security Compliance Verification** Every pipeline run logs execution state telemetry to verify that code meets security policy requirements before moving to staging environments: - SonarQube Quality Gate Status: Passed builds require zero newly introduced code smells, structural flaws, or security vulnerabilities (New Issues = 0). - Snyk Dependency Status: Pipeline checks block deployment if vulnerable dependencies or license violations are found within source package definitions. - OWASP ZAP Dynamic Audit Report: Automatically logs dynamic interface traffic to confirm that production runtimes are resilient against active attack methods. For more detail, please visit: From cceaf7c01a0fbecacf2cd248b5f0fb3b5ef9dc4c Mon Sep 17 00:00:00 2001 From: Reeha33 Date: Wed, 20 May 2026 22:57:20 +0500 Subject: [PATCH 18/18] Update README.md --- README.md | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index d378f5c..e755b04 100644 --- a/README.md +++ b/README.md 
@@ -21,18 +21,18 @@ Automation Engines: Terraform Cloud Engine, Azure DevOps Pipelines Security Shield Frameworks: SonarQube Engine, Snyk Dependency Index, OWASP ZAP Web Scanner **3.Repository Structural Overview** -├── .github/ # Local actions and platform workflow setups -├── node-express-server/ # Secure REST API engine -│ ├── Dockerfile # Multi-stage production container configuration -│ └── server.js # Entrypoint server execution script -├── react-client/ # Front-end dashboard user interface -│ ├── Dockerfile # Multi-stage user interface web asset compilation -│ └── azure-pipelines.yml # Modular core orchestration pipeline script -├── terraform/ # Declarative Infrastructure-as-Code modules -│ ├── main.tf # Core provider declarations and resource templates -│ ├── variables.tf # Parametrization hooks and target variables -│ └── outputs.tf # Explicit runtime platform metadata exports -└── README.md # System operation and implementation manual +├── .github/ +├── node-express-server/ +│ ├── Dockerfile +│ └── server.js +├── react-client/ +│ ├── Dockerfile +│ └── azure-pipelines.yml +├── terraform/ +│ ├── main.tf +│ ├── variables.tf +│ └── outputs.tf +└── README.md **4.Deployment and Setup Runbook** **Part 1: Initializing Platform Workspace Foundations** 1. Source Control Branch Management 
@@ -45,17 +45,17 @@ develop: Integration workspace for feature updates. feature/*: Short-lived branches dedicated to active development tasks. **2. Local Infrastructure Ingestion via Terraform** Deploy your core platform assets automatically using a declarative, state-locked approach. Run these commands inside the terraform/ directory -# Prepare work directories, update backends, and synchronize provider hooks terraform init -# Analyze code scripts to evaluate upcoming configuration additions terraform plan -out=tfplan -# Execute building instructions directly inside your cloud subscription terraform apply "tfplan" + **Part 2: CI/CD Pipeline Orchestration Layout** The automation layer is driven by a multi-stage azure-pipelines.yml workflow configuration. It processes compilation assets sequentially and applies code validation checks before promotion: + [Source Commit] ──> [Build & Validate] ──> [SAST Code Audit] ──> [SCA Dependency Check] ──> [ACR Container Push] ──> [DAST Web Analysis] ──> [Production Deploy] + **1. Multi-Stage Pipeline Execution Gates** Stage A: Build & Package Validation: Compiles full-stack assets within isolated build workers to verify code syntax and integrity. Stage B: Code Quality Assessment (SAST): Intercepts compilation streams to enforce architectural quality gates, running static analysis inside a custom cloud container instance. 
@@ -63,7 +63,9 @@ Stage C: Dependency Remediation (SCA): Scans structural lockfiles against a vuln Stage D: Registry Promotion: Packages application components using multi-stage Dockerfiles and pushes versioned snapshots into the Azure Container Registry. Stage E: Runtime Application Security Testing (DAST): Performs black-box security scanning against target endpoints to audit exposed interface parameters. Stage F: Automated Release Deployment: Deploys verified software packages directly to Azure Static Web Apps and Azure App Services. + **Enterprise Security Compliance Verification** + Every pipeline run logs execution state telemetry to verify that code meets security policy requirements before moving to staging environments: SonarQube Quality Gate Status: Passed builds require zero newly introduced code smells, structural flaws, or security vulnerabilities (New Issues = 0). Snyk Dependency Status: Pipeline checks block deployment if vulnerable dependencies or license violations are found within source package definitions.