@networkpro/web 1.24.2 → 1.24.4

package/.github/workflows/build-and-publish.yml

@@ -58,6 +58,10 @@ jobs:
       - name: Install jq
         run: sudo apt-get install -y jq
 
+      - name: Run npm audit
+        run: npm audit --audit-level=moderate
+        continue-on-error: true
+
       - name: Run JSDoc lint check
         id: jsdoc_lint
         continue-on-error: true

package/.github/workflows/probely-scan.yml

@@ -0,0 +1,95 @@
+# .github/workflows/probely-scan.yml
+#
+# Copyright © 2025 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+
+name: Weekly DAST Scan (Probely)
+
+on:
+  schedule:
+    - cron: '0 9 * * 2' # Every Tuesday, 9 AM UTC
+  workflow_dispatch:
+
+jobs:
+  dast-scan:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      actions: read
+      id-token: none
+
+    env:
+      PROBELY_API_KEY: ${{ secrets.PROBELY_API_KEY }}
+      TARGET_ID: 3by8xa6kzArN
+      API_BASE: https://api.probely.com/v2 # Always include /v2
+      MAX_WAIT_MINUTES: 60 # configurable
+
+    steps:
+      - name: Start Probely Scan
+        id: start-scan
+        run: |
+          echo "🧪 Triggering Probely scan for target $TARGET_ID ..."
+          response=$(curl -s -X POST "$API_BASE/targets/$TARGET_ID/scans/" \
+            -H "Authorization: JWT $PROBELY_API_KEY" \
+            -H "Content-Type: application/json" \
+            -d '{}')
+
+          echo "Raw API response:"
+          echo "$response" | jq .
+
+          scan_id=$(echo "$response" | jq -r '.id // empty')
+
+          if [ -z "$scan_id" ]; then
+            echo "::error ::Failed to start scan — check API key, target ID, or base URL."
+            exit 1
+          fi
+
+          echo "scan_id=$scan_id" >> $GITHUB_ENV
+          echo "✅ Scan started with ID: $scan_id"
+
+      - name: Wait for Scan Completion
+        run: |
+          echo "⏳ Waiting for scan $scan_id to complete..."
+          elapsed=0
+          while [ $elapsed -lt $((MAX_WAIT_MINUTES * 60)) ]; do
+            status=$(curl -s "$API_BASE/scans/$scan_id/" \
+              -H "Authorization: JWT $PROBELY_API_KEY" | jq -r '.status // empty')
+
+            echo "⏱️  Status: $status (elapsed $elapsed sec)"
+
+            if [ "$status" = "completed" ]; then
+              echo "✅ Scan completed successfully."
+              break
+            elif [ "$status" = "failed" ]; then
+              echo "::error ::Scan failed."
+              exit 1
+            fi
+
+            sleep 60
+            elapsed=$((elapsed + 60))
+          done
+
+          if [ "$status" != "completed" ]; then
+            echo "::error ::Scan did not complete in time ($MAX_WAIT_MINUTES min timeout)."
+            exit 1
+          fi
+
+      - name: Download Probely HTML Report
+        run: |
+          echo "📥 Downloading report for scan $scan_id ..."
+          curl -s "$API_BASE/scans/$scan_id/report/" \
+            -H "Authorization: JWT $PROBELY_API_KEY" \
+            -o probely-report.html
+
+          if [ ! -s probely-report.html ]; then
+            echo "::error ::Report file is empty or missing."
+            exit 1
+          fi
+          echo "✅ Report saved as probely-report.html"
+
+      - name: Upload report artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: probely-report
+          path: probely-report.html

package/.github/workflows/secret-scan.yml

@@ -19,6 +19,8 @@ jobs:
       contents: read
       security-events: write
       issues: write
+    env:
+      CODEQL_ACTION_ANALYSIS_KEY: gitleaks
     steps:
       # ---------------------------------------------------------------------
       # Checkout the full repo history (needed for Gitleaks to scan all commits)

package/CHANGELOG.md

@@ -22,6 +22,51 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.24.4]
+
+### Documentation
+
+- Added a **Continuous Security & Dependency Checks** section to `README.md`, outlining the automated vulnerability and dependency analysis integrated into CI/CD workflows.
+
+### Added
+
+- Introduced **non-blocking** `npm audit` **step** in the `build-and-publish.yml` workflow to automatically detect known vulnerabilities during dependency installation.
+- Introduced **[Probely](https://probely.com/) Dynamic Application Security Testing (DAST)** integration via a new GitHub Actions workflow at `.github/workflows/probely-scan.yml`.
+  - Executes **weekly automated scans** of the `audit.netwk.pro` environment every Tuesday at 09:00 UTC.
+  - Authenticates securely using a scoped **API key** stored in GitHub Secrets (`PROBELY_API_KEY`).
+  - Polls the Probely API for scan completion and retrieves the full **HTML vulnerability report**.
+  - Uploads reports as workflow **artifacts** for maintainers to review.
+  - Includes a 60-minute timeout and supports manual triggering via `workflow_dispatch`.
+  - Configured for **read-only testing** against non-production environments to safely identify potential web and API vulnerabilities.
+  - Future updates will introduce automated issue creation and alerting for high-severity findings.
+
+### Changed
+
+- Updated `static/robots.txt` to exclude redirect routes and sensitive/internal endpoints (e.g., `/api`, `/relay-*`, `/consultation`, `/contact`, `/status`, etc.) from automated crawlers and vulnerability scanners.
+- Bumped project version to `v1.24.4`.
+
+### Security
+
+- Enhanced continuous security coverage through the addition of **Probely DAST** for dynamic web and API vulnerability testing.
+- Maintained and improved **GitLeaks** secret scanning across pull requests and scheduled full-history scans.
+- Together, these workflows now provide full-spectrum coverage across **SAST** (static analysis) and **DAST** (dynamic analysis) layers within the CI/CD pipeline.
+
+---
+
+## [1.24.3]
+
+### Changed
+
+- Bumped project version to `v1.24.3`.
+- Updated `.github/workflows/secret-scan.yml` to utilize a unique `CODEQL_ACTION_ANALYSIS_KEY` to avoid conflicts with CodeQL.
+- Updated `static/robots.txt` to disallow crawling of the `/api` route.
+
+### Fixed
+
+- Corrected naming of `static/7cbb39ce-750b-43da-83b8-8980e5554d4d.txt`.
+
+---
+
 ## [1.24.2]
 
 ### Added
@@ -88,6 +133,12 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
   - `globals` `^16.4.0` → `^16.5.0`
   - `posthog-js` `^1.282.0` → `^1.284.0`
 
+### Security
+
+- Added **automated SAST scanning** via GitLeaks to prevent secrets and credentials from being committed.
+- Implemented **security event reporting** via GitHub’s Code Scanning interface (SARIF upload supported).
+- Configured **automated notifications** for detected leaks via GitHub Issues and optional ntfy alerts.
+
 ---
 
 ## [1.23.0] - 2025-10-30
@@ -1430,7 +1481,9 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.2...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.4...HEAD
+[1.24.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.4
+[1.24.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.3
 [1.24.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.2
 [1.24.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.1
 [1.24.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.0

package/README.md

@@ -36,6 +36,7 @@ All infrastructure and data flows are designed with **maximum transparency, self
 - [Repository Structure](#structure)
 - [Getting Started](#getting-started)
 - [Configuration](#configuration)
+- [Security & Dependency Checks](#security)
 - [Service Worker Utilities](#sw-utilities)
 - [Debug Mode](#debug)
 - [CSP Report Handler](#cspreport)
@@ -190,8 +191,6 @@ To implement a strict nonce-based CSP in the future:
 
 Note: Strict CSP adoption may require restructuring third-party integrations and deeper framework coordination.
 
-> 💡 The `[headers]` block in `netlify.toml` has been deprecated — all headers are now set dynamically from within SvelteKit.
-
  
 
 ### 🧭 `hooks.client.ts`
@@ -208,6 +207,27 @@ Client-side PWA logic (such as handling the `beforeinstallprompt` event, checkin
 
 ---
 
+<section id="security">
+
+## 🧩 Continuous Security & Dependency Checks
+
+Network Pro&trade; automatically performs dependency and vulnerability checks as part of its CI/CD pipeline:
+
+- **GitLeaks Secret Scanning** — detects potential secrets and credentials in commits, pull requests, and full-history scans.
+- **CodeQL Analysis** — runs static code scanning to detect code-level vulnerabilities.
+- **Probely DAST Scans** — executes weekly external scans on the audit deployment (`audit.netwk.pro`) to identify web application vulnerabilities.
+- **npm Audit** — runs during the build phase to detect known vulnerabilities in installed dependencies (`npm audit --audit-level=moderate`).
+- **Dependabot** — automatically monitors and updates outdated dependencies via pull requests.
+- **ESLint, Prettier, etc. (Local)** — enforces code quality and consistency during local development before commits.
+
+Each tool is configured to run in a safe, non-production environment to ensure reliability and protect sensitive data.
+
+</section>
+
+<sub>[Back to top](#top)</sub>
+
+---
+
 <section id="sw-utilities">
 
 ## ⚙️ Service Worker Utilities

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.24.2",
+  "version": "1.24.4",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",

package/static/robots.txt

@@ -17,12 +17,34 @@ Disallow: /coverage/
 Disallow: /build/
 Disallow: /.lighthouseci/
 
-# Disallow stub routes that redirect externally
+# --- Dynamic / redirect handlers
+Disallow: /relay-
+Disallow: /api/
+Disallow: /api/mock-csp
+
+# --- Stub and form routes
 Disallow: /contact
 Disallow: /privacy-rights
 Disallow: /consultation
 Disallow: /links
 Disallow: /posts
+Disallow: /privacy-rights
+
+# --- Error / system routes
+Disallow: /..404
+Disallow: /status
+
+# --- Optional: service utilities or PWA
+Disallow: /service-worker
+Disallow: /service-worker.js
+Disallow: /service-worker.d.ts
+
+# --- Futureproof catch-alls
+Disallow: /admin
+Disallow: /preview
+Disallow: /redirect
+Disallow: /mock-csp
+Disallow: /csp
 
 # Allow everything else
 Allow: /