Merge pull request #65 from bartstc/chore/static-code-analysis

chore: setup SNYK and sonar cube

Author: bartstc

.github/workflows/ci.yml

@@ -4,16 +4,46 @@ on:
   push:
     branches:
       - core
-      - basic
   pull_request:
     branches:
       - core
-      - basic
 
 env:
   NODE_VERSION: "22.x"
 
+  # ----- Static analysis toggles & config -----
+  # Flip to "false" to disable a tool.
+  SNYK_ENABLED: "true"
+  SONARCLOUD_ENABLED: "true"
+
+  # The branch on which static-analysis jobs run (push or PR target).
+  # Fork users: change to your default branch (e.g. "main").
+  STATIC_ANALYSIS_BRANCH: "core"
+
+  # Fork users: replace these with your own SonarCloud org slug and project key.
+  # Find the project key in SonarCloud:
+  #   - the `id=...` value in the project page URL, OR
+  #   - Project -> Administration -> Information -> Key.
+  # GitHub-imported projects typically use "<org>_<repo>"; manually-created ones may differ.
+  SONAR_ORGANIZATION: "bartstc"
+  SONAR_PROJECT_KEY: "bartstc_vite-ts-react-template"
+
 jobs:
+  # Exposes workflow-level env vars as outputs so they can be referenced in
+  # job-level `if:` expressions (the `env` context is not available there).
+  config:
+    runs-on: ubuntu-latest
+    outputs:
+      snyk_enabled: ${{ steps.set.outputs.snyk_enabled }}
+      sonarcloud_enabled: ${{ steps.set.outputs.sonarcloud_enabled }}
+      static_analysis_branch: ${{ steps.set.outputs.static_analysis_branch }}
+    steps:
+      - id: set
+        run: |
+          echo "snyk_enabled=$SNYK_ENABLED" >> "$GITHUB_OUTPUT"
+          echo "sonarcloud_enabled=$SONARCLOUD_ENABLED" >> "$GITHUB_OUTPUT"
+          echo "static_analysis_branch=$STATIC_ANALYSIS_BRANCH" >> "$GITHUB_OUTPUT"
+
   lint-tests:
     uses: ./.github/workflows/run-tests.yml
     with:
@@ -163,6 +193,96 @@ jobs:
           name: storybook-coverage-report
           path: coverage/**/*
 
+  snyk:
+    needs: config
+    if: >
+      ${{ needs.config.outputs.snyk_enabled == 'true'
+          && (github.ref_name == needs.config.outputs.static_analysis_branch
+              || github.base_ref == needs.config.outputs.static_analysis_branch) }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Enable corepack
+        run: corepack enable
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install --no-frozen-lockfile --ignore-scripts
+
+      - name: Install Snyk CLI
+        run: npm install -g snyk
+
+      - name: Snyk Open Source (SCA)
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          snyk test \
+            --all-projects \
+            --strict-out-of-sync=false \
+            --severity-threshold=high \
+            --sarif-file-output=snyk-deps.sarif
+
+      - name: Snyk Code (SAST)
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          snyk code test \
+            --severity-threshold=high \
+            --sarif-file-output=snyk-code.sarif
+
+      - name: Upload Snyk SARIF to GitHub Security
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: .
+          category: snyk
+
+  sonarcloud:
+    needs: [config, unit-tests, storybook-tests]
+    if: >
+      ${{ needs.config.outputs.sonarcloud_enabled == 'true'
+          && (github.ref_name == needs.config.outputs.static_analysis_branch
+              || github.base_ref == needs.config.outputs.static_analysis_branch) }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # full history for blame & new-code detection
+
+      - name: Download coverage artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: "*-coverage-report"
+
+      - name: Rewrite LCOV source paths for Sonar
+        run: |
+          # vitest's `projectRoot: "./src"` makes SF: paths relative to src/.
+          # Sonar expects paths relative to repo root, so prepend src/.
+          sed -i 's|^SF:|SF:src/|' \
+            unit-coverage-report/lcov.info \
+            storybook-coverage-report/lcov.info
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarqube-scan-action@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          args: >
+            -Dsonar.projectKey=${{ env.SONAR_PROJECT_KEY }}
+            -Dsonar.organization=${{ env.SONAR_ORGANIZATION }}
+
   build:
     needs:
       [

README.md

@@ -13,6 +13,8 @@ An opinionated, production-ready starter for **Single Page Application** develop
 - [PNPM](https://pnpm.io/) — fast, disk-efficient package manager
 - [Devcontainer](https://code.visualstudio.com/docs/devcontainers/containers) — reproducible VS Code dev environment
 - [GitHub Actions](https://docs.github.com/en/actions) CI — tests, build, coverage reports, deploy draft
+- [Snyk](https://snyk.io/) — dependency (SCA) and source code (SAST) security scanning, with SARIF results in the GitHub Security tab
+- [SonarCloud](https://sonarcloud.io/) — code quality, maintainability, and coverage gating on pull requests
 - [GitHub Copilot](https://github.com/features/copilot) — instructions, skills, and custom prompts (`.github/instructions/`, `.github/skills/`, `.github/prompts/`)
 - [Claude Code](https://docs.anthropic.com/en/docs/claude-code/overview) — project rules (`CLAUDE.md`), skills, subagents, and custom commands (`.claude/`)
 

package.json

@@ -118,5 +118,10 @@
   "msw": {
     "workerDirectory": "public"
   },
+  "pnpm": {
+    "overrides": {
+      "@fastify/static": "9.1.1"
+    }
+  },
   "packageManager": "pnpm@10.13.1"
 }

server/package.json

@@ -13,7 +13,7 @@
     "@fastify/swagger": "9.7.0",
     "@fastify/swagger-ui": "5.2.5",
     "@fastify/jwt": "10.0.0",
-    "fastify": "5.8.4",
+    "fastify": "5.8.5",
     "lowdb": "7.0.1"
   },
   "devDependencies": {

server/src/config.ts

@@ -4,7 +4,8 @@ import path from "path";
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 
 export const PORT = 3001;
-export const JWT_SECRET = "local-dev-secret-do-not-use-in-production";
+export const JWT_SECRET =
+  process.env.JWT_SECRET ?? "local-dev-secret-do-not-use-in-production";
 export const DB_PATH = path.resolve(__dirname, "db/db.json");
 
 // AIDEV-NOTE: set to false to disable auth on all mutation routes (dev convenience)

sonar-project.properties

@@ -0,0 +1,14 @@
+sonar.sources=src,server/src
+sonar.tests=src,e2e
+
+# Treat tests/stories as test code, not source
+sonar.test.inclusions=**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.stories.tsx
+
+# Skip generated/config noise
+sonar.exclusions=**/node_modules/**,**/dist/**,**/coverage/**,**/coverage-report/**,**/*.config.{ts,js,mjs},**/*.d.ts,public/**,reports/**
+
+# Coverage from vitest (paths post-sed in CI: see ci.yml `Rewrite LCOV source paths for Sonar`)
+sonar.javascript.lcov.reportPaths=unit-coverage-report/lcov.info,storybook-coverage-report/lcov.info
+sonar.typescript.tsconfigPath=tsconfig.json
+
+sonar.sourceEncoding=UTF-8

src/features/auth/application/auth-store.ts

@@ -1,16 +1,16 @@
 import { createContext, useContext } from "react";
 import { createStore, useStore } from "zustand";
 
+import { IS_AUTHENTICATED_STORAGE } from "@/features/auth/models/storage-keys";
 import type { User } from "@/features/auth/models/user";
 import { getUser } from "@/features/auth/providers/get-user";
 import { AUTH_TOKEN_KEY } from "@/lib/http/ky-client";
 
 import { loginUser, type ICredentials } from "../providers/login-user";
 
-const AUTH_KEY = "fake_store_is_authenticated";
-
 // could be also https://www.npmjs.com/package/zustand-persist lib for advanced use cases
-const isLoggedIn = () => localStorage.getItem(AUTH_KEY) === "true";
+const isLoggedIn = () =>
+  localStorage.getItem(IS_AUTHENTICATED_STORAGE) === "true";
 
 interface IStore {
   isAuthenticated: boolean;
@@ -72,15 +72,15 @@ export const initializeAuthStore = (preloadedState: Partial<IStore> = {}) => {
           localStorage.setItem(AUTH_TOKEN_KEY, token);
           const user = await getUser();
 
-          localStorage.setItem(AUTH_KEY, "true");
+          localStorage.setItem(IS_AUTHENTICATED_STORAGE, "true");
 
           set({
             isAuthenticated: true,
             state: "finished",
             user,
           });
         } catch (e) {
-          localStorage.setItem(AUTH_KEY, "false");
+          localStorage.setItem(IS_AUTHENTICATED_STORAGE, "false");
 
           set({
             isAuthenticated: false,
@@ -97,7 +97,7 @@ export const initializeAuthStore = (preloadedState: Partial<IStore> = {}) => {
         });
 
         return new Promise((resolve) => setTimeout(resolve, 500)).then(() => {
-          localStorage.setItem(AUTH_KEY, "false");
+          localStorage.setItem(IS_AUTHENTICATED_STORAGE, "false");
           localStorage.removeItem(AUTH_TOKEN_KEY);
           set({
             isAuthenticated: false,

src/features/auth/models/storage-keys.ts

@@ -0,0 +1 @@
+export const IS_AUTHENTICATED_STORAGE = "fake_store_is_authenticated";

src/features/authv2/application/AuthProvider.tsx

@@ -4,6 +4,7 @@ import type { PropsWithChildren } from "react";
 import { useEffect } from "react";
 import { fromPromise } from "xstate";
 
+import { IS_AUTHENTICATED_STORAGE } from "@/features/auth/models/storage-keys";
 import { getUser } from "@/features/auth/providers/get-user";
 import { loginUser } from "@/features/auth/providers/login-user";
 import { AuthContext } from "@/features/authv2/application/auth-context";
@@ -15,16 +16,16 @@ import {
 import { getRoles } from "@/features/authv2/providers/get-roles";
 import { sleep } from "@/lib/sleep";
 
-const AUTH_KEY = "fake_store_is_authenticated";
-
 export const AuthProvider = ({ children }: PropsWithChildren) => {
   const checkAuthStatus = () => {
-    return Promise.resolve(localStorage.getItem(AUTH_KEY) === "true");
+    return Promise.resolve(
+      localStorage.getItem(IS_AUTHENTICATED_STORAGE) === "true"
+    );
   };
 
   const logout = async () => {
     await sleep(500);
-    localStorage.setItem(AUTH_KEY, "false");
+    localStorage.setItem(IS_AUTHENTICATED_STORAGE, "false");
   };
 
   const authActor = useActorRef(
@@ -34,7 +35,7 @@ export const AuthProvider = ({ children }: PropsWithChildren) => {
         getUser: fromPromise(getUser),
         loginUser: fromPromise(async ({ input }) => {
           await loginUser(input);
-          localStorage.setItem(AUTH_KEY, "true");
+          localStorage.setItem(IS_AUTHENTICATED_STORAGE, "true");
         }),
         getRoles: fromPromise(getRoles),
         logout: fromPromise(logout),

src/features/authv2/application/storage-machine.ts

@@ -1,6 +1,6 @@
 import { assign, fromPromise, setup } from "xstate";
 
-const AUTH_KEY = "fake_store_is_authenticated";
+import { IS_AUTHENTICATED_STORAGE } from "@/features/auth/models/storage-keys";
 
 interface StorageMachineContext {
   isAuthenticated: boolean;
@@ -13,7 +13,9 @@ type StorageMachineEvents =
 export type StorageMachineType = typeof storageMachine;
 
 const checkAuthStatus = fromPromise(() => {
-  return Promise.resolve(localStorage.getItem(AUTH_KEY) === "true");
+  return Promise.resolve(
+    localStorage.getItem(IS_AUTHENTICATED_STORAGE) === "true"
+  );
 });
 
 export const storageMachine = setup({
@@ -27,11 +29,11 @@ export const storageMachine = setup({
   actions: {
     setAuthStorage: ({ event }) => {
       if (event.type === "SET_AUTHENTICATED") {
-        localStorage.setItem(AUTH_KEY, String(event.value));
+        localStorage.setItem(IS_AUTHENTICATED_STORAGE, String(event.value));
       }
     },
     clearAuthStorage: () => {
-      localStorage.setItem(AUTH_KEY, "false");
+      localStorage.setItem(IS_AUTHENTICATED_STORAGE, "false");
     },
   },
 }).createMachine({