kvaes · Copilot · Jun 3, 2025 · Jun 3, 2025 · Jun 3, 2025
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,43 @@
+{
+  "name": "Event Management System",
+  "image": "mcr.microsoft.com/devcontainers/universal:2",
+  "features": {
+    "ghcr.io/devcontainers/features/dotnet:2": {
+      "version": "8.0"
+    },
+    "ghcr.io/devcontainers/features/node:1": {
+      "version": "20"
+    },
+    "ghcr.io/devcontainers/features/azure-cli:1": {}
+  },
+  "postCreateCommand": "npm install -g azure-functions-core-tools@4 --unsafe-perm true && cd frontend/events-app && npm install && cd ../../backend/EventsApi && dotnet restore",
+  "forwardPorts": [5173, 7071],
+  "portsAttributes": {
+    "5173": {
+      "label": "Frontend",
+      "protocol": "https"
+    },
+    "7071": {
+      "label": "Backend API", 
+      "protocol": "https"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ms-vscode.vscode-typescript-next",
+        "ms-dotnettools.csharp",
+        "ms-azuretools.vscode-azurefunctions",
+        "Vue.volar",
+        "esbenp.prettier-vscode",
+        "ms-vscode.vscode-eslint"
+      ],
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "bash"
+      }
+    }
+  },
+  "remoteEnv": {
+    "VITE_API_BASE_URL": "https://${CODESPACE_NAME}-7071.${GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN}/api"
+  }
+}
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,90 @@
+# Security Policy
+
+## Supported Versions
+
+We are committed to maintaining the security of our event management system. Security updates will be provided for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| Latest  | :white_check_mark: |
+| < Latest| :x:                |
+
+## Reporting a Vulnerability
+
+We take security seriously. If you discover a security vulnerability, please report it responsibly.
+
+### How to Report
+
+1. **Do not** open a public GitHub issue for security vulnerabilities
+2. Email security concerns to: [security@example.com] (replace with actual email)
+3. Include the following information:
+   - Description of the vulnerability
+   - Steps to reproduce the issue
+   - Potential impact
+   - Any suggested fixes
+
+### What to Expect
+
+- **Response Time**: We will acknowledge receipt within 48 hours
+- **Investigation**: We will investigate and assess the severity within 5 business days
+- **Updates**: We will provide updates on the progress every 5 business days
+- **Resolution**: Critical vulnerabilities will be patched within 7 days, others within 30 days
+
+### Security Best Practices
+
+#### For Backend (C# Azure Functions)
+- All user inputs are validated and sanitized
+- CORS is properly configured
+- Authentication/authorization should be implemented for production
+- Secrets should be stored in Azure Key Vault or environment variables
+- Use HTTPS in production environments
+- Implement rate limiting to prevent abuse
+- Regular dependency updates via Dependabot
+
+#### For Frontend (VueJS)
+- Input validation on all forms
+- XSS protection through proper data binding
+- Content Security Policy (CSP) headers
+- Secure cookie settings
+- Regular dependency updates via Dependabot
+- Environment variables for configuration
+- Build-time security scanning
+
+#### Infrastructure Security
+- Container images are scanned for vulnerabilities
+- Runtime security monitoring
+- Network security groups for access control
+- Regular security audits
+- Backup and disaster recovery procedures
+
+### Security Features
+
+#### Currently Implemented
+- CORS configuration in Azure Functions
+- Input validation on API endpoints
+- Error handling without information disclosure
+- Basic form validation in frontend
+- Security headers in nginx configuration
+- Automated dependency updates
+
+#### Planned Security Enhancements
+- Authentication and authorization
+- API rate limiting
+- Audit logging
+- Security scanning in CI/CD pipeline
+- Penetration testing
+- Security training for developers
+
+### Responsible Disclosure
+
+We are committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. We will publicly acknowledge your responsible disclosure if you wish.
+
+### Contact
+
+For security-related questions or concerns:
+- Email: [security@example.com]
+- GPG Key: [Link to public key if applicable]
+
+---
+
+This policy is effective as of [DATE] and will be reviewed quarterly.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,50 @@
+version: 2
+updates:
+  # Backend (.NET) dependencies
+  - package-ecosystem: "nuget"
+    directory: "/backend/EventsApi"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "kvaes"
+    labels:
+      - "dependencies"
+      - "backend"
+    commit-message:
+      prefix: "chore(backend)"
+      include: "scope"
+
+  # Frontend (npm) dependencies
+  - package-ecosystem: "npm"
+    directory: "/frontend/events-app"
+    schedule:
+      interval: "daily"
+      time: "04:00"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "kvaes"
+    labels:
+      - "dependencies"
+      - "frontend"
+    commit-message:
+      prefix: "chore(frontend)"
+      include: "scope"
+
+  # GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "04:00"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "kvaes"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore(ci)"
+      include: "scope"
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -0,0 +1,54 @@
+name: Backend CI/CD
+
+on:
+  push:
+    branches: [ main, develop ]
+    paths:
+      - 'backend/**'
+      - '.github/workflows/backend.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'backend/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: '8.0.x'
+
+    - name: Restore dependencies
+      run: dotnet restore backend/EventsApi/EventsApi.csproj
+
+    - name: Build
+      run: dotnet build backend/EventsApi/EventsApi.csproj --no-restore
+
+    - name: Test
+      run: dotnet test backend/EventsApi/EventsApi.csproj --no-build --verbosity normal
+
+  build-container:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: ./backend/EventsApi
+        file: ./backend/EventsApi/Dockerfile
+        push: false
+        tags: events-api:${{ github.sha }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -0,0 +1,67 @@
+name: Frontend CI/CD
+
+on:
+  push:
+    branches: [ main, develop ]
+    paths:
+      - 'frontend/**'
+      - '.github/workflows/frontend.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'frontend/**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+        cache: 'npm'
+        cache-dependency-path: frontend/events-app/package-lock.json
+
+    - name: Install dependencies
+      run: |
+        cd frontend/events-app
+        npm ci
+
+    - name: Type check
+      run: |
+        cd frontend/events-app
+        npm run type-check
+
+    - name: Lint
+      run: |
+        cd frontend/events-app
+        npm run lint --if-present
+
+    - name: Build
+      run: |
+        cd frontend/events-app
+        npm run build
+
+  build-container:
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: ./frontend/events-app
+        file: ./frontend/events-app/Dockerfile
+        push: false
+        tags: events-frontend:${{ github.sha }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,54 @@
+# Dependencies
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Build outputs
+backend/EventsApi/bin/
+backend/EventsApi/obj/
+frontend/events-app/dist/
+frontend/events-app/node_modules/
+
+# Environment files
+.env
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+# IDE
+.vscode/
+.vs/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Temporary files
+*.tmp
+*.temp
+/tmp/
+
+# Logs
+*.log
+
+# Coverage reports
+coverage/
+*.lcov
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Azure Functions
+local.settings.json
+
+# Package files
+*.tgz
+*.tar.gz