Mixeway-Academy · pietrewi · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -0,0 +1,32 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  security-tests:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Build Docker image
+        run: |
+          docker build -t myapp:latest .
+      - name: Run Trivy scan
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: 'myapp:latest'
+          vuln-type: 'os,library'
+          format: 'table'
+
+      - name: Install Semgrep
+        run: |
+          sudo pip install semgrep --ignore-installed
+      - name: Run Semgrep SAST
+        run: |
+          semgrep --config p/security-audit --error --json .
diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@ COPY pom.xml /app
 RUN mvn clean install -DskipTests
 
 # ---- Deploy Stage ----
-FROM openjdk:11-jdk-slim
+FROM openjdk:11.0.13-jdk-slim
 
 # Copy the built JAR from the build stage
 COPY --from=build /app/target/thymeleaf-0.0.1-SNAPSHOT.jar /app.jar

diff --git a/semgrep.txt b/semgrep.txt
@@ -0,0 +1,182 @@
+ Scanning 1793 files tracked by git with 1063 Code rules:
+
+  Language      Rules   Files          Origin      Rules
+ ─────────────────────────────        ───────────────────
+  <multilang>      62    1793          Community    1063
+  js              156      13
+  java            118      13
+  html              1       8
+  yaml             31       6
+  json              4       6
+  dockerfile        6       2
+  ruby             72       1
+  bash              4       1
+
+
+
+┌──────────────────┐
+│ 24 Code Findings │
+└──────────────────┘
+
+    Dockerfile
+   ❯❯❱ dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
+          By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.
+          If an attacker can control a process running as root, they may have control over the container.
+          Ensure that the last USER in a Dockerfile is a USER other than 'root'.
+          Details: https://sg.run/k281
+
+           ▶▶┆ Autofix ▶ USER non-root ENTRYPOINT ["java", "-jar", "/app.jar"]
+           22┆ ENTRYPOINT ["java", "-jar", "/app.jar"]
+
+    src/main/resources/static/vendors/bootstrap/js/bootstrap.bundle.js
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `configTypes` function argument, this might allow an attacker to cause a
+          Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main
+          thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on
+          user-controlled input, consider performing input validation or use a regex checking/sanitization
+          library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear
+          vulnerable to ReDoS.
+          Details: https://sg.run/gr65
+
+          213┆ if (!new RegExp(expectedTypes).test(valueType)) {
+            ⋮┆----------------------------------------
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `property` function argument, this might allow an attacker to cause a Regular
+          Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
+          this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-
+          controlled input, consider performing input validation or use a regex checking/sanitization library
+          such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to
+          ReDoS.
+          Details: https://sg.run/gr65
+
+          213┆ if (!new RegExp(expectedTypes).test(valueType)) {
+
+   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
+          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
+          that can lead to XSS vulnerabilities
+          Details: https://sg.run/LwA9
+
+          5547┆ element.innerHTML = this._config.template;
+            ⋮┆----------------------------------------
+          5583┆ element.innerHTML = content;
+
+    src/main/resources/static/vendors/bootstrap/js/bootstrap.esm.js
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `configTypes` function argument, this might allow an attacker to cause a
+          Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main
+          thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on
+          user-controlled input, consider performing input validation or use a regex checking/sanitization
+          library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear
+          vulnerable to ReDoS.
+          Details: https://sg.run/gr65
+
+          209┆ if (!new RegExp(expectedTypes).test(valueType)) {
+            ⋮┆----------------------------------------
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `property` function argument, this might allow an attacker to cause a Regular
+          Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
+          this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-
+          controlled input, consider performing input validation or use a regex checking/sanitization library
+          such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to
+          ReDoS.
+          Details: https://sg.run/gr65
+
+          209┆ if (!new RegExp(expectedTypes).test(valueType)) {
+
+   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
+          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
+          that can lead to XSS vulnerabilities
+          Details: https://sg.run/LwA9
+
+          3789┆ element.innerHTML = this._config.template;
+            ⋮┆----------------------------------------
+          3825┆ element.innerHTML = content;
+
+    src/main/resources/static/vendors/bootstrap/js/bootstrap.js
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `configTypes` function argument, this might allow an attacker to cause a
+          Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main
+          thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on
+          user-controlled input, consider performing input validation or use a regex checking/sanitization
+          library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear
+          vulnerable to ReDoS.
+          Details: https://sg.run/gr65
+
+          235┆ if (!new RegExp(expectedTypes).test(valueType)) {
+            ⋮┆----------------------------------------
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `property` function argument, this might allow an attacker to cause a Regular
+          Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
+          this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-
+          controlled input, consider performing input validation or use a regex checking/sanitization library
+          such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to
+          ReDoS.
+          Details: https://sg.run/gr65
+
+          235┆ if (!new RegExp(expectedTypes).test(valueType)) {
+
+   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
+          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
+          that can lead to XSS vulnerabilities
+          Details: https://sg.run/LwA9
+
+          3815┆ element.innerHTML = this._config.template;
+            ⋮┆----------------------------------------
+          3851┆ element.innerHTML = content;
+
+    src/main/resources/static/vendors/fontawesome/js/fontawesome.js
+   ❯❯❱ javascript.browser.security.insecure-document-method.insecure-document-method
+          User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern
+          that can lead to XSS vulnerabilities
+          Details: https://sg.run/LwA9
+
+          630┆ style.innerHTML = css;
+            ⋮┆----------------------------------------
+          1360┆ node.outerHTML = newOuterHTML + (config.keepOriginalSource && node.tagName.toLowerCase()
+               !== 'svg' ? "<!-- ".concat(node.outerHTML, " Font Awesome fontawesome.com -->") : '');
+            ⋮┆----------------------------------------
+          1364┆ newNode.outerHTML = newOuterHTML;
+            ⋮┆----------------------------------------
+          1397┆ node.innerHTML = newInnerHTML;
+            ⋮┆----------------------------------------
+          2056┆ element.outerHTML = abstract.map(function (a) {
+          2057┆   return toHtml(a);
+          2058┆ }).join('\n');
+            ⋮┆----------------------------------------
+          2190┆ container.innerHTML = val.html;
+
+    src/main/resources/static/vendors/jquery-mask/Dockerfile
+   ❯❯❱ dockerfile.security.missing-user.missing-user
+          By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.
+          If an attacker can control a process running as root, they may have control over the container.
+          Ensure that the last USER in a Dockerfile is a USER other than 'root'.
+          Details: https://sg.run/Gbvn
+
+           ▶▶┆ Autofix ▶ USER non-root CMD ["/sbin/my_init"]
+            4┆ CMD ["/sbin/my_init"]
+
+    src/main/resources/static/vendors/jquery-mask/deploy.rb
+    ❯❱ ruby.lang.security.dangerous-subshell.dangerous-subshell
+          Detected non-static command inside `...`. If unverified user data can reach this call site, this is
+          a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary
+          code.
+          Details: https://sg.run/NrxL
+
+           44┆ `git commit -am 'generating jquery mask files #{JMASK_VERSION}'`
+
+    src/main/resources/static/vendors/jquery-mask/src/jquery.mask.js
+    ❯❱ javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+          RegExp() called with a `mask` function argument, this might allow an attacker to cause a Regular
+          Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
+          this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-
+          controlled input, consider performing input validation or use a regex checking/sanitization library
+          such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to
+          ReDoS.
+          Details: https://sg.run/gr65
+
+          165┆ r = r.replace(new RegExp('(' + oRecursive.digit + '(.*' + oRecursive.digit + ')?)'),
+               '($1)?')
+            ⋮┆----------------------------------------
+          166┆ .replace(new RegExp(oRecursive.digit, 'g'), oRecursive.pattern);
+            ⋮┆----------------------------------------
+          169┆ return new RegExp(r);