fix: fixed code scanning alerts (#6)

Author: chrisleekr

.github/workflows/docker-build.yml

@@ -24,6 +24,10 @@ on:
         type: boolean
         default: false
 
+# Refer: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#generating-artifact-attestations-for-your-builds
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: Build & Push Docker Image
@@ -111,8 +115,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           target: production
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=registry,ref=chrisleekr/mcp-server-boilerplate:cache
+          cache-to: type=registry,mode=max,ref=chrisleekr/mcp-server-boilerplate:cache
           build-args: |
             PACKAGE_VERSION=${{ env.PACKAGE_VERSION }}
             GIT_HASH=${{ env.GIT_HASH }}
@@ -129,8 +133,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           target: production
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=registry,ref=chrisleekr/mcp-server-boilerplate:cache
+          cache-to: type=registry,mode=max,ref=chrisleekr/mcp-server-boilerplate:cache
           build-args: |
             PACKAGE_VERSION=${{ env.PACKAGE_VERSION }}
             GIT_HASH=${{ env.GIT_HASH }}

package-lock.json

@@ -55,6 +55,7 @@
     "crypto-js": "^4.2.0",
     "dotenv": "^16.5.0",
     "express": "^5.1.0",
+    "express-rate-limit": "^7.5.1",
     "helmet": "^8.1.0",
     "iovalkey": "^0.3.3",
     "jsonwebtoken": "^9.0.2",

package.json

@@ -7,31 +7,31 @@ export default {
     'main',
     {
       name: 'feat/*',
-      prerelease: `dev.${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
+      prerelease: `dev-${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
 
       channel: 'dev',
     },
     {
       name: 'fix/*',
-      prerelease: `dev.${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
+      prerelease: `dev-${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
 
       channel: 'dev',
     },
     {
       name: 'refactor/*',
-      prerelease: `dev.${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
+      prerelease: `dev-${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
 
       channel: 'dev',
     },
     {
       name: 'perf/*',
-      prerelease: `dev.${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
+      prerelease: `dev-${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
 
       channel: 'dev',
     },
     {
       name: 'revert/*',
-      prerelease: `dev.${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
+      prerelease: `dev-${process.env.GITHUB_SHA?.slice(0, 7) || 'local'}`,
 
       channel: 'dev',
     },

release.config.dev.mjs

@@ -1,5 +1,6 @@
 import bodyParser from 'body-parser';
 import { Application, NextFunction, Request, Response } from 'express';
+import { rateLimit } from 'express-rate-limit';
 import helmet from 'helmet';
 import pinoHttp from 'pino-http';
 import { v4 as uuidv4 } from 'uuid';
@@ -11,6 +12,23 @@ import { AsyncLocalStorageLoggingContext, loggingContext } from './context';
 
 export function setupMiddleware(app: Application): void {
   app.use(helmet());
+
+  // Rate limit requests globally
+  app.use(
+    // Refer: https://express-rate-limit.mintlify.app/reference/configuration
+    rateLimit({
+      windowMs: 1 * 60 * 1000, // 1 minute
+      max: 100, // Limit each IP to 100 requests per `windowMs`
+      standardHeaders: true,
+      legacyHeaders: false,
+      // Can use `store` to use a database to store the rate limit data
+      skip: (req: Request) => {
+        // Skip rate limiting for kube-probe requests
+        return req.headers['user-agent']?.includes('kube-probe') ?? false;
+      },
+    })
+  );
+
   app.use(bodyParser.json());
   app.use(bodyParser.urlencoded({ extended: true }));