Skip to content

Latest commit

 

History

History
97 lines (72 loc) · 4.85 KB

File metadata and controls

97 lines (72 loc) · 4.85 KB

Contributing to CVE Radar

Thank you for helping improve CVE Radar.

Quick start

git clone https://github.com/RaminNietzsche/CVE-Radar.git
cd CVE-Radar
make setup
make dev
make check
make test
Service URL
Web UI (dev) http://localhost:5173
API health http://localhost:3001/api/health

Node 24 for local dev and CI (see .nvmrc). Production Docker image currently ships Node 20 LTS. Optional: docker compose up --build or docker pull raminnietzsche/cve-radarhttp://localhost:3001 (docs/DOCKER.md)

Documentation

Change type Edit here
Product docs (6 langs) extended-docs/docs/content/{en,fa,ar,ru,zh,fr}/ — keep same ## section count per chapter; run scripts/check-extended-docs-locale-sync.sh
README (6 langs) README.md + README.{fa,ar,ru,zh,fr}.md — same structure; run scripts/check-readme-locale-sync.sh
Glossary extended-docs/docs/glossary.md only
UI strings src/i18n/messages/*.ts (all six locales)
API behaviour / routes server/ + sync OpenAPI (below)
Shared API types shared/ — update both src/ and server/ consumers
OpenAPI spec server/openapi/spec.json and extended-docs/docs/assets/cve-openapi.json
Tests / coverage tests/README.md; extended-docs/docs/content/*/10-operations.md (×6)
ADRs docs/adr/
Deploy / Docker docs/DOCKER.md, docs/GITHUB_PAGES.md
Releases docs/RELEASE.md
GitHub Models prompts .github/prompts/README.md
Any product change Follow agent rule code-to-docs-sync — full map in agent/rules/code-to-docs-sync.mdc
npm run check:openapi   # verify both OpenAPI copies match

Cursor agent assets: optional — run npm run agent:install to sync from agent/ when present, or use committed .cursor/ locally (see AGENTS.md). Agent rule code-to-docs-sync maps code paths to doc files — apply on every product change.

Pull request checklist

Before opening the PR: local checks green; after push, all required GitHub checks green on the PR (use workflow_dispatch if path filters skipped a job). See agent rule pr-ready-ci-changelog.

  • make check passes (lint + typecheck)
  • make test passes (tests/server/, tests/client/, tests/integration/)
  • E2E (when UI/export paths change): npm run test:e2e:install once, then npm run test:e2e
  • npm run format:check (or npm run format)
  • CHANGELOG.md — at least one bullet under [Unreleased] (version bump not required)
  • i18n: en, fa, ar, ru, zh, fr if UI text changed
  • extended-docs chapters synced if behaviour or API changed (make extended-docs-check)
  • No secrets (.env, tokens, API keys)

Code style

  • TypeScript strict patterns in src/ and server/
  • Prefer small, focused PRs
  • Comments only for non-obvious logic

Branch protection (maintainers)

Ruleset main is active on the default branch (Settings → Rules → Rulesets):

Required check Workflow
App (lint · typecheck · build) CI / App
Run tests and collect coverage Quality / Codecov
SonarCloud Code Analysis Quality / SonarCloud
Trivy Security / Container scan
Analyze (javascript-typescript) Security / CodeQL
Analyze (python) CodeQL
Analyze (actions) CodeQL

Also enforced: no branch deletion, no force-push / non-fast-forward on main.

Path filters: several workflows run only when matching paths change. If a required check does not appear on a PR, push a commit that touches those paths (e.g. src/ for App/Sonar/Codecov, Dockerfile for Trivy) or use a maintainer bypass. See .github/workflows/README.md.

Optional: require Mergify Merge Protections after Mergify is enabled — .github/MERGIFY.md.

Issues

Use GitHub issue templates (bug / feature). For security, see SECURITY.md — no public issues for vulnerabilities.

Code of conduct

CODE_OF_CONDUCT.md