Phase 1: SAST & Code Quality
Overview
Static Application Security Testing (SAST) is performed using SonarQube Community Edition. It analyses source code for security vulnerabilities, code smells, bugs, and security hotspots without executing the code.
SonarQube Setup
SonarQube is deployed as a service in the Kubernetes cluster on DigitalOcean, accessible at https://sonar.aliquest.me.
It is backed by a dedicated PostgreSQL instance on DigitalOcean (separate from the application database).
Projects Configured
| Project Key | Repository | Language |
|---|---|---|
| aliquest-frontend | aliQuest-frontend | TypeScript / React |
| aliquest-backend | aliQuest-backend | TypeScript / Node.js |
Quality Gate
The default Quality Gate is enforced on all projects. A PR cannot be merged if the Quality Gate fails. The gate checks:
- 0 new Security Issues
- 100% Security Hotspots Reviewed
- 0 new Bugs
- Duplications ≤ 3% on new code
Findings & Resolutions (Sprint 1)
Frontend aliQuest-frontend
| # | File | Issue | Severity | Resolution |
|---|---|---|---|---|
| 1 | Dockerfile | COPY . . in build stage may include sensitive files | Medium | Marked Safe: development-only stage, never shipped to production. Final image uses selective COPY. |
| 2 | Dockerfile | Node running as root user | Medium | Fixed: added non-root user appuser with USER appuser directive |
Dockerfile Security Fixes Applied
The following security improvements were made to aliQuest-frontend/Dockerfile:
```dockerfile
# SECURITY: Create a non-root user to run the application
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# SECURITY: Give ownership to non-root user
RUN chown -R appuser:appgroup /app
# SECURITY: Switch to non-root user
USER appuser
```
Additionally, the final production image now uses selective COPY instead of COPY . .:
```dockerfile
# Only copy what's needed for production
COPY package.json package-lock.json ./
COPY --from=production-dependencies-env /app/node_modules ./node_modules
COPY --from=build-env /app/build ./build
```
Frontend Code Review Findings
The following security issues were identified during manual code review of the frontend. These are to be addressed when the backend API is connected.
| # | File | Issue | Risk | Action Required |
|---|---|---|---|---|
| 1 | All routes | No authentication guard | High | Implement JWT auth guard on all protected routes |
| 2 | EditReagent.tsx | No input validation | Medium | Add zod schema validation before API calls |
| 3 | ViewReagent.tsx, EditReagent.tsx | IDOR risk: ID taken from URL without server-side verification | High | Backend must enforce ownership checks on all resource endpoints |
| 4 | EditReagent.tsx | console.log with form data | Low | Remove all console.log statements before production |
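Finding 3 above puts the fix on the backend: the reagent ID arriving in the URL must only be honoured if the row belongs to the caller identified by the verified JWT. The following is an added example, not code from the aliQuest repositories, showing the unchecked lookup beside the ownership-scoped one. The names (Reagent, AuthenticatedUser, NotFoundError, the in-memory store in place of PostgreSQL, the admin role) are assumptions made for the illustration.

```typescript
// Added example, not aliQuest project code. Demonstrates the server-side
// ownership check that the IDOR finding requires: the resource ID from the
// URL is only honoured if the row belongs to the caller identified by the
// verified session/JWT. All names below (Reagent, AuthenticatedUser,
// NotFoundError, the in-memory store, the "admin" role) are hypothetical.

export interface Reagent {
  id: string;
  ownerId: string;
  name: string;
}

export interface AuthenticatedUser {
  id: string;
  roles: string[];
}

// Raised for rows that do not exist *or* that the caller may not see; the
// handler maps it to HTTP 404 so status codes do not reveal which IDs exist.
export class NotFoundError extends Error {}

// Constructed sample data standing in for the reagents table.
const reagents = new Map<string, Reagent>([
  ["r-1", { id: "r-1", ownerId: "user-alice", name: "Acetone" }],
  ["r-2", { id: "r-2", ownerId: "user-bob", name: "Ethanol" }],
]);

// Vulnerable shape: trusts the URL parameter and returns whatever row exists,
// so any authenticated user can read any reagent whose ID they know.
export function getReagentUnchecked(id: string): Reagent {
  const row = reagents.get(id);
  if (!row) throw new NotFoundError(`reagent ${id} not found`);
  return row;
}

// Hardened shape: the lookup is scoped to the caller. `user` comes from the
// verified token, never from the request body or query string.
export function getReagentForUser(user: AuthenticatedUser, id: string): Reagent {
  const row = reagents.get(id);
  const isOwner = row !== undefined && row.ownerId === user.id;
  const isAdmin = user.roles.includes("admin");
  if (!row || (!isOwner && !isAdmin)) {
    throw new NotFoundError(`reagent ${id} not found`);
  }
  return row;
}

// Updates reuse the same check, and the patch cannot rewrite `id` or
// `ownerId` (a common second bug when the whole form body is spread in).
export function updateReagentForUser(
  user: AuthenticatedUser,
  id: string,
  patch: Partial<Reagent>,
): Reagent {
  const existing = getReagentForUser(user, id);
  const updated: Reagent = {
    ...existing,
    ...patch,
    id: existing.id,
    ownerId: existing.ownerId,
  };
  reagents.set(id, updated);
  return updated;
}

// Maps domain errors to the HTTP status an Express/Fastify handler would send.
export function statusFor(err: unknown): number {
  return err instanceof NotFoundError ? 404 : 500;
}

// Stand-alone demo.
const alice: AuthenticatedUser = { id: "user-alice", roles: [] };
try {
  getReagentForUser(alice, "r-2"); // bob's reagent
} catch (err) {
  console.log(`alice -> r-2: HTTP ${statusFor(err)}`); // HTTP 404
}
console.log(`alice -> r-1: ${getReagentForUser(alice, "r-1").name}`); // Acetone
```

Two design choices are worth noting. The ownership filter lives next to the data access rather than in the route handler, so every endpoint that touches reagents (view, edit, delete) goes through the same check. And a row the caller does not own is reported as not found rather than forbidden, so the response does not confirm that a guessed ID exists.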
.gitignore Security
The following files are excluded from version control to prevent accidental secret leakage: