Feedback

.env.example

@@ -0,0 +1,17 @@
+# Environment Variables Template
+# Copy this to .env and fill in your actual values
+
+# Database Configuration
+DATABASE_URL=sqlite:///users.db
+# For production, use: postgresql://user:password@localhost/dbname
+
+# Security Keys (Generate strong, unique keys for production)
+API_SECRET=your-super-secret-api-key-here-replace-me
+JWT_SECRET=your-jwt-secret-key-here-replace-me
+
+# Flask Configuration
+FLASK_ENV=development
+FLASK_DEBUG=False
+
+# Rate Limiting
+RATELIMIT_STORAGE_URL=memory://

.github/pull_request_template.md

@@ -0,0 +1,58 @@
+## 🔒 Security Checklist
+
+Before merging this PR, please ensure all security requirements are met:
+
+### 📋 Code Review
+- [ ] Code has been reviewed by at least one team member
+- [ ] No hardcoded secrets, passwords, or API keys
+- [ ] Input validation is implemented for user inputs
+- [ ] SQL queries use parameterized statements (no string concatenation)
+- [ ] Sensitive data is not logged or exposed in error messages
+- [ ] Authentication and authorization checks are in place
+
+### 🛡️ Security Scanning
+- [ ] Pre-commit hooks passed (no secrets detected)
+- [ ] Bandit security scanner passed
+- [ ] No high or critical security vulnerabilities introduced
+- [ ] Dependencies are up to date and secure
+
+### 🧪 Testing
+- [ ] Unit tests pass
+- [ ] Integration tests pass
+- [ ] Security tests pass
+- [ ] Manual testing completed
+
+### 📚 Documentation
+- [ ] Code is properly documented
+- [ ] README updated if needed
+- [ ] Security implications documented
+- [ ] Breaking changes documented
+
+## 📝 Description
+
+Brief description of changes:
+
+## 🔄 Type of Change
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Security fix
+- [ ] Documentation update
+
+## 🧪 How Has This Been Tested?
+
+Describe the tests that you ran to verify your changes:
+
+## 📷 Screenshots (if applicable)
+
+## 📋 Additional Notes
+
+Any additional information, context, or notes for reviewers:
+
+---
+
+### 🚨 Security Notice
+This PR has been reviewed for security vulnerabilities. By merging this PR, you acknowledge that:
+- All security checks have been completed
+- No known security vulnerabilities are being introduced
+- Proper security practices have been followed

.github/workflows/ci.yml

@@ -0,0 +1,129 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    name: Security Scanning
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install bandit[toml] safety
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+    - name: Run Bandit Security Scanner
+      run: |
+        bandit -r . -f json -o bandit-report.json || true
+        bandit -r . --severity-level medium
+
+    - name: Check dependencies for vulnerabilities
+      run: safety check --json || true
+
+    - name: Upload security scan results
+      uses: actions/upload-artifact@v3
+      if: always()
+      with:
+        name: security-reports
+        path: |
+          bandit-report.json
+
+  lint-and-format:
+    runs-on: ubuntu-latest
+    name: Code Quality Checks
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install black isort flake8
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+    - name: Run Black formatter check
+      run: black --check --diff .
+
+    - name: Run isort import sorting check
+      run: isort --check-only --diff .
+
+    - name: Run Flake8 linter
+      run: flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+
+    - name: Run Flake8 full check
+      run: flake8 . --count --max-complexity=10 --max-line-length=88 --statistics
+
+  test:
+    runs-on: ubuntu-latest
+    name: Run Tests
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pytest pytest-cov
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+    - name: Run tests with pytest
+      run: |
+        pytest --cov=. --cov-report=xml --cov-report=html
+
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@v3
+      with:
+        name: coverage-reports
+        path: |
+          coverage.xml
+          htmlcov/
+
+  build-and-deploy:
+    needs: [security-scan, lint-and-format, test]
+    runs-on: ubuntu-latest
+    name: Build and Deploy
+    if: github.ref == 'refs/heads/main'
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+
+    - name: Run application health check
+      run: |
+        python starter-code-simple/app.py &
+        APP_PID=$!
+        sleep 5
+        curl -f http://localhost:5000/health || exit 1
+        kill $APP_PID

.gitignore

@@ -0,0 +1,160 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# VS Code
+.vscode/
+
+# PyCharm
+.idea/
+
+# Database files
+*.db
+*.sqlite
+*.sqlite3
+
+# Secrets and credentials
+.secrets/
+secrets.txt
+*.key
+*.pem
+config.ini
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Application specific
+users.db
+*.log