A comprehensive security implementation for industrial robot fleet management systems. This repository is a demonstration project for the Pluralsight course "GitHub Advanced Security: Dependency Scanning with Dependabot".
This repository demonstrates real-world implementation of GitHub Advanced Security (GHAS) features with a focus on:
- Dependabot vulnerability alerts and security updates
- CodeQL analysis for JavaScript and Python code
- Enhanced security workflows and automations
- Multi-layered security approach for modern applications
This repo contains a working Robot Fleet Management application that is used to demonstrate the security features. To run it you need:
- Docker and Docker Compose
- Node.js 18+ and npm 9+ (for local development without Docker)
The easiest way to run the application is using Docker Compose:

```bash
# Start all services
docker-compose up -d

# View logs
docker-compose logs -f app
```

With the stack running, the application is at http://localhost:30000 and the MongoDB Express admin interface at http://localhost:8081. The admin interface gives full read/write access to the database, so keep the Compose stack bound to your local machine and do not expose it on a shared network.
We've included idempotent startup scripts that handle cleaning up previous containers and freeing ports.

If you're using Windows with WSL2, you can use the Bash script:

```bash
# From WSL2 terminal
./scripts/run-docker.sh
```

If you prefer PowerShell:

```powershell
# From PowerShell
.\scripts\run-docker.ps1
```

These scripts:
- Stop and remove any existing containers
- Free up required ports that might be in use (which means stopping whatever is listening on them, so check the ports table first on a shared machine)
- Ensure a clean startup environment
- Provide helpful output and error messages
If you prefer to run the application without Docker:

- Install dependencies:

  ```bash
  npm install
  ```
- Copy environment configuration:

  ```bash
  cp .env.example .env
  ```
- Start the application:

  ```bash
  npm start
  ```
- Access the application at http://localhost:3000 (note that this differs from the Docker Compose setup, which uses port 30000)

Log in with the default demo credentials:

- Username: `admin`
- Password: `Password1!`

These credentials are published in this README and are intended for a throwaway local demo only; change them before exposing the application to any network, because anyone who finds the instance will try them first.
The application uses the following ports:

| Service | Port | Description |
|---|---|---|
| Web Application | 30000 | Main web interface (Docker Compose; 3000 when run locally) |
| MongoDB | 27017 | Database |
| Redis | 6379 | Cache and session storage |
| MQTT | 18830 | Message broker for IoT devices |
| MongoDB Express | 8081 | MongoDB admin interface |
This project implements a comprehensive dependency security approach:

- Pre-commit Dependency Scanning
  - Automatically blocks commits with critical or high-severity vulnerabilities (client-side hooks can be skipped with `git commit --no-verify`, so the PR-time analysis below remains the enforcing control)
  - Install with:

    ```bash
    bash .github/scripts/install-hooks.sh
    ```
  - Learn more: Advanced Dependency Scanning
- Enhanced Dependency Analysis
  - Automatically runs on PRs that modify dependencies
  - Provides exploitability context from NVD and EPSS
  - Detects actively exploited vulnerabilities using the CISA KEV catalog
- Automated Dependabot Alerts Enhancement
  - Enriches Dependabot alerts with labels and assignments
  - Creates tracking issues for organized remediation
  - Learn more: Dependabot Alerts Enhancer
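As an added example (not the repository's own `install-hooks.sh` or hook script), the following Node script shows the decision a pre-commit gate has to make: parse the JSON that `npm audit --json` prints and fail the commit when anything at or above a severity threshold is present. The script name `scripts/check-audit.js`, the `AUDIT_BLOCK_LEVEL` variable, the `--stdin` flag and the sample report are assumptions for this example; the package names and advisory URLs in the sample are placeholders, not real packages or advisories.

```javascript
'use strict';
// Added example for this README, not the course repository's own hook script.
// Decides whether an `npm audit --json` report should block a commit. The
// threshold variable, script name and sample report below are assumptions.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Return findings at or above `threshold` from npm 7+ audit JSON, most severe first.
function findBlocking(auditReport, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const vulns = (auditReport && auditReport.vulnerabilities) || {};
  return Object.values(vulns)
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= minRank)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      direct: Boolean(v.isDirect),
      // Object entries in `via` are advisories; string entries name the
      // dependency through which a transitive vulnerability is reached.
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.url),
      // npm reports `false` when no fix exists, `true` or an object otherwise.
      fixAvailable: v.fixAvailable !== false,
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Exit status for the git hook: non-zero aborts the commit.
function exitCodeFor(auditReport, threshold = 'high') {
  return findBlocking(auditReport, threshold).length > 0 ? 1 : 0;
}

function formatFinding(f) {
  const fix = f.fixAvailable ? 'fix available' : 'NO FIX AVAILABLE';
  return `${f.severity.toUpperCase().padEnd(8)} ${f.name} ${f.range} ` +
    `(${f.direct ? 'direct' : 'transitive'}, ${fix}) ${f.advisories.join(' ')}`;
}

// Constructed sample in the shape npm 9 emits. Package names and advisory
// URLs are placeholders, not real packages or advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'demo-xml': {
      name: 'demo-xml', severity: 'critical', isDirect: true, range: '<2.1.0',
      via: [{ name: 'demo-xml', url: 'https://example.invalid/advisories/1', severity: 'critical' }],
      fixAvailable: true,
    },
    'demo-logger': {
      name: 'demo-logger', severity: 'high', isDirect: false, range: '<=1.4.2',
      via: [{ name: 'demo-logger', url: 'https://example.invalid/advisories/2', severity: 'high' }],
      fixAvailable: false,
    },
    'demo-util': {
      name: 'demo-util', severity: 'low', isDirect: false, range: '<0.9.0',
      via: [{ name: 'demo-util', url: 'https://example.invalid/advisories/3', severity: 'low' }],
      fixAvailable: true,
    },
  },
};

if (process.argv.includes('--stdin')) {
  // Hook usage: npm audit --json | node scripts/check-audit.js --stdin
  let raw = '';
  process.stdin.setEncoding('utf8');
  process.stdin.on('data', (chunk) => { raw += chunk; });
  process.stdin.on('end', () => {
    const report = JSON.parse(raw); // unparseable input throws, so the hook fails closed
    const blocking = findBlocking(report, process.env.AUDIT_BLOCK_LEVEL || 'high');
    blocking.forEach((f) => console.error(formatFinding(f)));
    process.exit(blocking.length > 0 ? 1 : 0);
  });
} else {
  // Offline demonstration on the constructed report.
  findBlocking(SAMPLE_REPORT).forEach((f) => console.log(formatFinding(f)));
  console.log(`exit code: ${exitCodeFor(SAMPLE_REPORT)}`);
}
```

Wired into `.git/hooks/pre-commit` as `npm audit --json | node scripts/check-audit.js --stdin`, the node process's exit status is the pipeline's, so the commit is aborted whenever a critical or high finding is listed. `npm audit` needs registry access; when it cannot run, the script receives unparseable input and exits non-zero, which is the fail-closed choice a gate should make.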
Our advanced code scanning integration complements dependency security:

- Enhanced CodeQL Analysis
  - Automatically scans JavaScript and Python code for vulnerabilities
  - Detects insecure dependency usage patterns that may expose vulnerabilities
  - Correlates code patterns with known dependency vulnerabilities
  - Learn more: Code Scanning Integration
- Cross-Language Vulnerability Detection
  - Identifies security issues that span language boundaries
  - Special focus on packages used in both Node.js and Python environments
  - Detects tainted data flows from one language ecosystem to another
- Contextual Severity Assessment
  - Prioritizes findings based on actual exploitability
  - Automatically elevates severity for actively exploited vulnerabilities
  - Provides detailed remediation guidance with code examples
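The enrichment step that the Enhanced Dependency Analysis, the Dependabot alert enhancer and the Contextual Severity Assessment all rely on is the same: look each finding up against EPSS and the CISA KEV catalog, adjust its severity, and derive labels and a tracking-issue title from the result. The block below is an added example of that step, not the course's workflow code. All data in it is constructed: the `DEMO-*` identifiers stand in for CVE IDs, the 10% EPSS threshold and the label names are assumptions, and a live run would look the IDs up at https://api.first.org/data/v1/epss and in the CISA KEV JSON feed instead of the embedded maps.

```javascript
'use strict';
// Added example for this README; not the course's workflow code. EPSS score and
// CISA KEV membership adjust a finding's severity, and tracking-issue labels are
// derived from the result. All data is constructed; DEMO-* ids stand in for CVEs.

const SEVERITY_ORDER = ['low', 'moderate', 'high', 'critical'];
const EPSS_ELEVATE_THRESHOLD = 0.1; // assumed: >=10% 30-day exploitation probability

function bumpSeverity(severity, steps = 1) {
  const idx = SEVERITY_ORDER.indexOf(severity);
  if (idx < 0) throw new Error(`unknown severity: ${severity}`);
  return SEVERITY_ORDER[Math.min(idx + steps, SEVERITY_ORDER.length - 1)];
}

// finding: { id, package, severity, direct, fixAvailable }
// epssById: Map<id, { epss, percentile }>, kevIds: Set<id>
function assessFinding(finding, epssById, kevIds) {
  const epss = epssById.get(finding.id) || null;
  const inKev = kevIds.has(finding.id);
  let severity = finding.severity;
  const reasons = [];
  if (inKev) {
    // Known exploitation beats any score: critical regardless of the CVSS-derived severity.
    severity = 'critical';
    reasons.push('listed in CISA KEV (actively exploited)');
  } else if (epss && epss.epss >= EPSS_ELEVATE_THRESHOLD) {
    severity = bumpSeverity(severity);
    reasons.push(`EPSS ${epss.epss} at or above ${EPSS_ELEVATE_THRESHOLD}`);
  } else if (!epss) {
    reasons.push('no EPSS data; severity left unchanged');
  }
  const labels = ['security', `severity:${severity}`,
    finding.direct ? 'dependency:direct' : 'dependency:transitive'];
  if (inKev) labels.push('exploited-in-the-wild');
  if (finding.fixAvailable) labels.push('fix-available');
  return { ...finding, originalSeverity: finding.severity, severity,
    epss: epss ? epss.epss : null, inKev, reasons, labels };
}

// Highest adjusted severity first, then by EPSS within a severity band.
function prioritize(findings, epssById, kevIds) {
  return findings
    .map((f) => assessFinding(f, epssById, kevIds))
    .sort((a, b) =>
      (SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity)) ||
      ((b.epss ?? 0) - (a.epss ?? 0)));
}

// Title for the tracking issue an alert-enhancer workflow would open (format is an assumption).
function issueTitle(a) {
  return `[${a.severity.toUpperCase()}] ${a.package}: ${a.id}${a.inKev ? ' (KEV)' : ''}`;
}

// Constructed sample data: placeholder packages, ids, scores and KEV membership.
const SAMPLE_FINDINGS = [
  { id: 'DEMO-0001', package: 'demo-xml', severity: 'high', direct: true, fixAvailable: true },
  { id: 'DEMO-0002', package: 'demo-logger', severity: 'moderate', direct: false, fixAvailable: true },
  { id: 'DEMO-0003', package: 'demo-auth', severity: 'moderate', direct: true, fixAvailable: false },
  { id: 'DEMO-0004', package: 'demo-util', severity: 'low', direct: false, fixAvailable: true },
];
const SAMPLE_EPSS = new Map([
  ['DEMO-0001', { epss: 0.02, percentile: 0.55 }],
  ['DEMO-0002', { epss: 0.45, percentile: 0.97 }],
  ['DEMO-0003', { epss: 0.08, percentile: 0.80 }],
]);
const SAMPLE_KEV = new Set(['DEMO-0003']);

for (const a of prioritize(SAMPLE_FINDINGS, SAMPLE_EPSS, SAMPLE_KEV)) {
  console.log(`${issueTitle(a)}  labels=${a.labels.join(',')}  ${a.reasons.join('; ')}`);
}
```

The ordering this produces is the point: the moderate finding that is in KEV outranks the high one, and a moderate finding with a high EPSS score moves ahead of a high finding with a negligible one. A finding with no EPSS record keeps its original severity rather than being silently treated as low-risk.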
For security policy and vulnerability reporting, please see SECURITY.md.
The demo application itself implements the following security controls:

- JWT token authentication
- Role-based access control (Admin, Technician, Operator)
- Rate limiting on API endpoints
- Input validation and sanitization
- Secure password hashing with bcrypt
- HTTPS support in production
To experience the security features in action:

Pre-commit hook:

- Install the pre-commit hooks:

  ```bash
  bash .github/scripts/install-hooks.sh
  ```
- Try making a commit that would introduce a vulnerable dependency (the hook will block it)

Dependency analysis on a pull request:

- Create a branch and modify the package.json file to introduce a vulnerable dependency
- Create a pull request
- Observe the detailed dependency analysis comment added to the PR

Code scanning correlation:

- Create a branch and introduce a code vulnerability (like a SQL injection)
- Create a pull request
- Observe how CodeQL detects the issue and correlates it with dependency information
The repository contains several example report artifacts from previous workflow runs in the .github/examples directory that you can review to understand the output formats.
This repository is used in the Pluralsight course "GitHub Advanced Security: Dependency Scanning with Dependabot" which teaches:
- Setting up and configuring Dependabot in GitHub repositories
- Creating custom workflows to enhance Dependabot alerts
- Implementing pre-commit hooks for early vulnerability detection
- Correlating dependency vulnerabilities with code scanning results
- Building a comprehensive security approach for real-world applications
MIT License - See LICENSE file for details
Created for educational purposes by Tim Warner