nodejs-quickstart-structure 1.17.0 → 1.18.0

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.18.0] - 2026-03-25
+
+### Added
+- **Enterprise-Grade Security Hardening**: Integrated **Snyk (SCA)** and **SonarQube (SAST)** into the project scaffolding, providing "Big Tech" industry-standard security analysis out of the box.
+- **Automated Security Workflows**: Pre-configured CI/CD stages for security scanning across GitHub Actions, GitLab CI, and Jenkins.
+- **Pre-commit Security Gates**: Integrated **Husky** and **lint-staged** to automatically enforce code quality and security standards locally before every commit.
+- **Security Standard Enforcement**: Added a standardized `SECURITY.md` policy and automated quality gates to ensure code resilience.
+- **Comprehensive Security Guide**: Created a new documentation guide detailing the setup and operational workflows for the enterprise security features.
+
+### Changed
+- **Matrix Expansion**: Updated the CLI to support over **1,680+ project combinations** by adding a conditional security hardening layer across all CI/CD providers.
+
+### Fixed
+- **Docker Node Version**: Updated Docker node version to 22.22.2-trixie-slim
+
 ## [1.17.0] - 2026-03-23
 
 ### Added

package/README.md

@@ -1,135 +1,144 @@
-# Node.js Quickstart Generator
-
-[![npm version](https://img.shields.io/npm/v/nodejs-quickstart-structure.svg?style=flat-square)](https://www.npmjs.com/package/nodejs-quickstart-structure)
-[![npm total downloads](https://img.shields.io/npm/dt/nodejs-quickstart-structure.svg?style=flat-square)](https://www.npmjs.com/package/nodejs-quickstart-structure)
-[![npm monthly downloads](https://img.shields.io/npm/dm/nodejs-quickstart-structure.svg?style=flat-square)](https://www.npmjs.com/package/nodejs-quickstart-structure)
-[![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg?style=flat-square)](https://opensource.org/licenses/ISC)
-
-A powerful CLI tool to scaffold production-ready Node.js microservices with built-in best practices, allowing you to choose between **MVC** or **Clean Architecture**, **JavaScript** or **TypeScript**, and your preferred database.
-
-![Demo](docs/demo.gif)
-
-## Features
-
-- **Interactive CLI**: Easy-to-use prompts to configure your project.
-- **Multiple Architectures**: Supports both **MVC** (Model-View-Controller) and **Clean Architecture**.
-- **Language Support**: Choose between **JavaScript** and **TypeScript**.
-- **Database Integration**: Pre-configured setup for **MySQL**, **PostgreSQL**, or **MongoDB**.
-- **Communication Flow**: Scaffold APIs using **REST**, **GraphQL** (with Apollo Server), or **Kafka** (event-driven).
-- **Caching Layer**: Choose between **Redis** or built-in **Memory Cache** for data caching.
-- **Centralized Error Handling**: Every project ships with a global error handler, custom error classes and structured JSON error responses — consistent across REST & GraphQL.
-- **Dockerized**: Automatically generates `docker-compose.yml` for DB, Kafka, and Redis.
-- **Database Migrations/Schemas**: Integrated **Flyway** for SQL migrations or **Mongoose** schemas for MongoDB.
-- **Professional Standards**: Generated projects come with highly professional, industry-standard tooling.
-
-## 🌟 Why developers love this?
-
-- **Community Trusted**: Over **3,000+** projects bootstrapped within the first month.
-- **Actively Maintained**: Constant updates and optimizations (30+ versions released) based on real-world developer feedback.
-- **Resilience First**: Unlike basic boilerplates, our generated code focuses on infrastructure stability (Retry logic, Health checks, and Graceful shutdowns).
-
-## 🏆 Professional Standards (New)
-
-We don't just generate boilerplate; we generate **production-ready** foundations. Every project includes:
-
--   **🔍 Code Quality**: Pre-configured `Eslint` and `Prettier` for consistent coding standards.
--   **🛡️ Security**: Built-in `Helmet`, `HPP`, `CORS`, and Rate-Limiting middleware.
--   **🚨 Error Handling**: Centralized global error middleware with custom error classes and structured JSON responses. GraphQL uses Apollo's `formatError` hook; REST uses Express error middleware.
--   **🧪 Testing Excellence**: Integrated `Jest` and `Supertest`. Every generated project maintains **>80% Unit Test coverage** for controllers, services, and resolvers out of the box.
--   **🔄 CI/CD Integration**: Pre-configured workflows for **GitHub Actions**, **Jenkins**, and **GitLab CI**.
--   **⚓ Git Hooks**: `Husky` and `Lint-Staged` to ensure no bad code is ever committed.
--   **🤝 Reliability**: Health Checks (`/health`) with deep database pings, Infrastructure Retry Logic (handling Docker startup delays), and Graceful Shutdown workflows.
--   **🐳 DevOps**: Highly optimized **Multi-Stage Dockerfile** for small, secure production images.
--   **🚀 Deployment**: Ship confidently with an integrated **PM2 Ecosystem Configuration** for zero-downtime reloads and robust process management.
-
-## 🧩 480+ Project Combinations
-
-The CLI supports a massive number of configurations to fit your exact needs:
-
--   **240 Core Combinations**:
-    -   **MVC Architecture**: 180 variants (Languages × View Engines × Databases × Communication Patterns × Caching)
-    -   **Clean Architecture**: 60 variants (Languages × Databases × Communication Patterns × Caching)
--   **480 Total Scenarios**:
-    -   Every combination can be generated with or without (**GitHub Actions CI/CD** / **Jenkins** or **GitLab CI**), tripling the possibilities.
-    -   Every single one of these 480 scenarios is verified to be compatible with our 80% Coverage Threshold policy.
-
-For a detailed list of all supported cases, check out [docs/generateCase.md](docs/generateCase.md).
-
-## Installation
-
-You can install the tool globally directly from npm:
-
-```bash
-npm install -g nodejs-quickstart-structure
-```
-
-## Usage
-
-Once installed, simply run the following command in any directory where you want to create a new project:
-
-```bash
-nodejs-quickstart init
-```
-
-## Quick Start (Recommended)
-
-You can run the generator directly without installing it globally:
-
-```bash
-npx nodejs-quickstart-structure@latest init
-```
-
-### Configuration Options
-
-The CLI will guide you through the following steps:
-
-1.  **Project Name**: The name of the folder to create.
-2.  **Language**: `JavaScript` or `TypeScript`.
-3.  **Architecture**: `MVC` or `Clean Architecture`.
-4.  **Database**: `MySQL`, `PostgreSQL`, or `MongoDB`.
-5.  **Database Name**: The name of the initial database.
-6.  **Communication**: `REST APIs` (default), `GraphQL`, or `Kafka`.
-7.  **Caching**: `None`, `Redis`, or `Memory Cache`.
-8.  **CI/CD**: `GitHub Actions`, `Jenkins`, `GitLab CI` or `None`.
-
-## Generated Project Structure
-
-The generated project will include:
-
--   `src/`: Source code (controllers, routes, services/use-cases).
--   `src/errors/`: Custom error classes — `ApiError`, `NotFoundError`, `BadRequestError`.
--   `flyway/sql/`: SQL migration scripts (if SQL database selected).
--   `docker-compose.yml`: Services configuration for DB, Flyway, and Kafka.
--   `package.json`: Dependencies and scripts (`start`, `dev`, `build`).
--   `tsconfig.json`: (If TypeScript is selected) Type checking configuration.
-
-### Getting Started with the Generated App
-
-```bash
-cd <your-project-name>
-
-# Start infrastructure (DB, etc.)
-npm install
-
-docker-compose up
-```
-
-## ❤️ Support the Project
-
-We just hit **3,000 downloads**! If this tool helped you save hours of setup time, please consider:
-- Giving us a ⭐ on [GitHub](https://github.com/paudang/nodejs-quickstart-structure) to help others find it.
-- Following the [Medium Article](https://medium.com/@paudang/nodejs-quickstart-generator-93c276d60e0b) for deep-dive tutorials.
-
-## License
-
-ISC
-
-## 🚀 Roadmap & Upcoming Features
-
-We are constantly working to improve `nodejs-quickstart-structure` and make it the most robust boilerplate generator for Node.js. 
-
-You can track our current progress, see what features are being worked on, and vote for your favorites on our public Trello board:
-
-👉 **[View our Public Roadmap on Trello](https://trello.com/b/TPTo8ylF/nodejs-quickstart-structure-product)**
-
-If you have a feature request or want to contribute, feel free to check the board and open an issue or pull request!
+# Node.js Quickstart Generator
+
+[![npm version](https://img.shields.io/npm/v/nodejs-quickstart-structure.svg?style=flat-square)](https://www.npmjs.com/package/nodejs-quickstart-structure)
+[![npm total downloads](https://img.shields.io/npm/dt/nodejs-quickstart-structure?style=flat-square&color=emerald&label=Downloads)](https://www.npmjs.com/package/nodejs-quickstart-structure)
+[![npm monthly downloads](https://img.shields.io/npm/dm/nodejs-quickstart-structure.svg?style=flat-square)](https://www.npmjs.com/package/nodejs-quickstart-structure)
+[![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg?style=flat-square)](https://opensource.org/licenses/ISC)
+
+A powerful CLI tool to scaffold production-ready Node.js microservices with built-in best practices, allowing you to choose between **MVC** or **Clean Architecture**, **JavaScript** or **TypeScript**, and your preferred database.
+
+![Demo](docs/demo.gif)
+
+---
+
+## 📌 Table of Contents
+
+- [🚀 Quick Start](#-quick-start)
+- [✨ Key Features](#-key-features)
+- [🛡️ Professional Standards](#-professional-standards)
+- [🧩 1,680+ Project Combinations](#-1680-project-combinations)
+- [⚙️ Configuration Options](#-configuration-options)
+- [🏗️ Generated Project Structure](#-generated-project-structure)
+- [📖 Documentation](#-documentation)
+- [🗺️ Roadmap & Support](#️-roadmap--support)
+
+---
+
+## 🚀 Quick Start
+
+Generate your professional Node.js project in seconds without installing anything globally:
+
+```bash
+npx nodejs-quickstart-structure@latest init
+```
+
+### Installation (Optional)
+
+If you prefer to install it globally:
+
+```bash
+npm install -g nodejs-quickstart-structure
+# Then run:
+nodejs-quickstart init
+```
+
+---
+
+## ✨ Key Features
+
+- **Interactive CLI**: Smooth, guided configuration process.
+- **Multiple Architectures**: Supports both **MVC** and **Clean Architecture**.
+- **Modern Languages**: Choice of **JavaScript** or **TypeScript**.
+- **Database Ready**: Pre-configured for **MySQL**, **PostgreSQL**, or **MongoDB**.
+- **Communication Patterns**: Supports **REST**, **GraphQL** (Apollo), and **Kafka** (Event-driven).
+- **Multi-layer Caching**: Integrated **Redis** or built-in **Memory Cache**.
+- **AI-Native Optimized**: specifically designed for **Cursor** and AI agents, including built-in `.cursorrules` and Agent Skill prompts. 🚀
+
+---
+
+## 🛡️ Professional Standards
+
+We don't just generate boilerplate; we generate **production-ready** foundations. Every project includes:
+
+- **🔍 Code Quality**: Pre-configured `Eslint` and `Prettier`.
+- **🛡️ Enterprise Security**: Integrated **Snyk (SCA)**, **SonarCloud (SAST)**, `Helmet`, `HPP`, and Rate-Limiting.
+- **🚨 Robust Error Handling**: Centralized global error middleware with custom error classes (`ApiError`, `NotFoundError`, etc.) — consistent across REST & GraphQL.
+- **🧪 Testing Excellence**: Integrated `Jest` and `Supertest` with **>80% Unit Test coverage** out of the box.
+- **🔄 DevOps & CI/CD**: Optimized **Multi-Stage Dockerfiles**, health checks, infrastructure retry logic, and workflows for **GitHub Actions**, **Jenkins**, and **GitLab CI**.
+- **🚀 Scalable Deployment**: Integrated **PM2 Ecosystem** config for zero-downtime reloads.
+
+---
+
+## 🧩 1,680+ Project Combinations
+
+The CLI supports a massive number of configurations to fit your exact needs:
+
+- **240 Core Combinations**:
+  - **MVC Architecture**: 180 variants (Languages × View Engines × Databases × Communication Patterns × Caching)
+  - **Clean Architecture**: 60 variants (Languages × Databases × Communication Patterns × Caching)
+- **1,680+ Total Scenarios**:
+  - Every combination can be generated across 3 CI/CD providers.
+  - Optional **Enterprise-Grade Security Hardening** doubles the scenarios.
+  - Every single scenario is verified to be compatible with our **80% Coverage Threshold** policy.
+
+---
+
+## ⚙️ Configuration Options
+
+The CLI will guide you through:
+1. **Project Name**
+2. **Language**: `JavaScript` | `TypeScript`
+3. **Architecture**: `MVC` | `Clean Architecture`
+4. **View Engine**: (MVC only) `None` | `EJS` | `Pug`
+5. **Database**: `MySQL` | `PostgreSQL` | `MongoDB`
+6. **Communication**: `REST` | `GraphQL` | `Kafka`
+7. **Caching**: `None` | `Redis` | `Memory Cache`
+8. **CI/CD**: `GitHub Actions` | `Jenkins` | `GitLab CI`
+9. **Security**: (Optional) Snyk & SonarCloud Hardening
+
+---
+
+## 🏗️ Generated Project Structure
+
+A typical generated project (TypeScript + Clean Architecture) looks like this:
+
+```text
+.
+├── src/
+│   ├── application/     # Use cases & Business logic
+│   ├── domain/          # Entities & Repository interfaces
+│   ├── infrastructure/  # DB, External services, Repositories
+│   ├── interfaces/      # Controllers, Routes, GraphQL, Kafka
+│   ├── errors/          # Custom Error Classes
+│   └── index.ts         # Entry point
+├── flyway/sql/          # SQL migrations (if applicable)
+├── docker-compose.yml   # Infrastructure services
+├── package.json         # Scripts and dependencies
+├── tsconfig.json        # TypeScript config
+└── .cursorrules         # AI assistance rules
+```
+
+---
+
+## 📖 Documentation
+
+For full guides, architecture deep-dives, and feature references, visit our **[Official Documentation Site](https://paudang.github.io/nodejs-quickstart-structure/)**.
+
+---
+
+## ❤️ Support & 🗺️ Roadmap
+
+### Support the Project
+We just hit **3,000+ downloads**! If this tool helped you, please:
+- Give us a ⭐ on [GitHub](https://github.com/paudang/nodejs-quickstart-structure).
+- Read our [Medium Article](https://medium.com/@paudang/nodejs-quickstart-generator-93c276d60e0b) for tutorials.
+
+### Roadmap
+Track our progress and vote for features on our public board:
+👉 **[View our Public Roadmap on Trello](https://trello.com/b/TPTo8ylF/nodejs-quickstart-structure-product)**
+
+---
+
+## License
+
+ISC

package/bin/index.js

@@ -29,7 +29,8 @@ program
     .option('-d, --database <database>', 'Database (MySQL, PostgreSQL)')
     .option('--db-name <name>', 'Database name')
     .option('-c, --communication <communication>', 'Communication (REST APIs, GraphQL, Kafka)')
-    .option('--ci-provider <provider>', 'CI/CD Provider (None, GitHub Actions, Jenkins)')
+    .option('--ci-provider <provider>', 'CI/CD Provider (None, GitHub Actions, Jenkins, GitLab CI)')
+    .option('--include-security', 'Include Enterprise Security Hardening')
     .option('--caching <type>', 'Caching Layer (None/Redis)')
     .action(async (options) => {
         // Fix for Commander camelCase conversion
@@ -83,6 +84,7 @@ program
             process.exit(1);
         }
     });
+
 program.parse(process.argv);
 
 if (!process.argv.slice(2).length) {

package/lib/generator.js

@@ -16,9 +16,10 @@ export const generateProject = async (config) => {
         viewEngine: 'None',
         caching: 'None',
         dbName: 'demo',
-        ciProvider: 'None',
+        ciProvider: 'GitHub Actions',
         communication: 'REST APIs',
         database: 'None',
+        includeSecurity: false,
         ...config
     };
 
@@ -112,7 +113,7 @@ export const generateProject = async (config) => {
       ----------------------------------------------------
       ✅  Linting & Formatting: Eslint + Prettier configured
       ✅  Git Hooks: Husky + Lint-Staged ready
-      ✅  Security: Helmet, CORS, Rate-Limiting added
+      ✅  Security: Helmet, CORS, Rate-Limiting added${config.includeSecurity ? '\n      ✅  Enterprise Security: Snyk (SCA) & SonarCloud (SAST) integration' : ''}
       ✅  Testing: Jest setup for Unit/Integration tests
       ✅  Docker: Production-ready multi-stage build
       ${config.ciProvider !== 'None' ? `✅  CI/CD: ${config.ciProvider} Workflow ready` : '❌  CI/CD: Skipped (User preferred)'}

package/lib/modules/config-files.js

@@ -52,6 +52,20 @@ export const renderProfessionalConfig = async (templatesDir, targetDir, config)
     const jestE2eTemplate = await fs.readFile(path.join(templatesDir, 'common', 'jest.e2e.config.js.ejs'), 'utf-8');
     const jestE2eContent = ejs.render(jestE2eTemplate, { ...config });
     await fs.writeFile(path.join(targetDir, 'jest.e2e.config.js'), jestE2eContent);
+
+    // 1. Setup Husky pre-commit (Always for Professional Standard)
+    const huskyDir = path.join(targetDir, '.husky');
+    await fs.ensureDir(huskyDir);
+    await fs.copy(path.join(templatesDir, 'common', '_husky', 'pre-commit'), path.join(huskyDir, 'pre-commit'));
+
+    // 2. Enterprise Security Hardening (Optional)
+    if (config.includeSecurity) {
+        await fs.copy(path.join(templatesDir, 'common', 'SECURITY.md'), path.join(targetDir, 'SECURITY.md'));
+        
+        const sonarTemplate = await fs.readFile(path.join(templatesDir, 'common', 'sonar-project.properties.ejs'), 'utf-8');
+        const sonarContent = ejs.render(sonarTemplate, { ...config });
+        await fs.writeFile(path.join(targetDir, 'sonar-project.properties'), sonarContent);
+    }
 };
 
 export const renderAiNativeFiles = async (templatesDir, targetDir, config) => {
@@ -80,10 +94,20 @@ export const renderAiNativeFiles = async (templatesDir, targetDir, config) => {
 };
 
 export const setupCiCd = async (templatesDir, targetDir, config) => {
-    const { ciProvider } = config;
+    const { ciProvider, includeSecurity } = config;
     if (ciProvider === 'GitHub Actions') {
-        await fs.ensureDir(path.join(targetDir, '.github/workflows'));
-        await fs.copy(path.join(templatesDir, 'common', '_github/workflows/ci.yml'), path.join(targetDir, '.github/workflows/ci.yml'));
+        const workflowsDir = path.join(targetDir, '.github/workflows');
+        await fs.ensureDir(workflowsDir);
+        
+        const ciTemplate = await fs.readFile(path.join(templatesDir, 'common', '_github/workflows/ci.yml.ejs'), 'utf-8');
+        const ciContent = ejs.render(ciTemplate, { ...config });
+        await fs.writeFile(path.join(workflowsDir, 'ci.yml'), ciContent);
+        
+        if (includeSecurity) {
+            const securityTemplate = await fs.readFile(path.join(templatesDir, 'common', '_github/workflows/security.yml.ejs'), 'utf-8');
+            const securityContent = ejs.render(securityTemplate, { ...config });
+            await fs.writeFile(path.join(workflowsDir, 'security.yml'), securityContent);
+        }
     } else if (ciProvider === 'Jenkins') {
         const jenkinsTemplate = await fs.readFile(path.join(templatesDir, 'common', 'Jenkinsfile.ejs'), 'utf-8');
         const jenkinsContent = ejs.render(jenkinsTemplate, { ...config });

package/lib/prompts.js

@@ -77,9 +77,24 @@ export const getProjectDetails = async (options = {}) => {
             choices: ['None', 'GitHub Actions', 'Jenkins', 'GitLab CI'],
             default: 'None',
             when: !options.ciProvider
+        },
+        {
+            type: 'select',
+            name: 'includeSecurity',
+            message: 'Include Enterprise Security Hardening (Big Tech Standard: Snyk, SonarQube)?',
+            choices: ['No', 'Yes'],
+            default: "No",
+            when: (answers) => !options.includeSecurity && (options.ciProvider || answers.ciProvider) !== 'None'
         }
     ];
 
     const answers = await inquirer.prompt(questions);
-    return { ...options, ...answers };
+    const result = { ...options, ...answers };
+
+    // Normalize includeSecurity to boolean if it's a string from the select prompt
+    if (typeof result.includeSecurity === 'string') {
+        result.includeSecurity = result.includeSecurity === 'Yes';
+    }
+
+    return result;
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodejs-quickstart-structure",
-  "version": "1.17.0",
+  "version": "1.18.0",
   "type": "module",
   "description": "The ultimate nodejs quickstart structure CLI to scaffold Node.js microservices with MVC or Clean Architecture",
   "main": "bin/index.js",
@@ -12,7 +12,12 @@
     "test:e2e": "npm run test:e2e:windows",
     "test:e2e:windows": "node scripts/validate-windows.js",
     "test:e2e:linux": "node scripts/validate-linux.js",
-    "test:verify:mongo": "node scripts/verify-migration.js"
+    "test:verify:mongo": "node scripts/verify-migration.js",
+    "docs:dev": "vitepress dev docs",
+    "docs:build": "vitepress build docs",
+    "docs:preview": "vitepress preview docs",
+    "security:check": "npm audit && npm run snyk:test",
+    "snyk:test": "snyk test"
   },
   "keywords": [
     "nodejs",
@@ -45,6 +50,13 @@
     "fs-extra": "^11.3.0",
     "inquirer": "^13.3.2"
   },
+  "overrides": {
+    "esbuild": "^0.25.0"
+  },
+  "devDependencies": {
+    "snyk": "^1.1303.2",
+    "vitepress": "^1.0.0-rc.45"
+  },
   "files": [
     "bin",
     "lib",

package/templates/clean-architecture/ts/src/index.ts.ejs

@@ -1,3 +1,4 @@
+import { env } from '@/config/env';
 import express from 'express';
 import cors from 'cors';
 import helmet from 'helmet';
@@ -23,8 +24,6 @@ import { typeDefs, resolvers } from '@/interfaces/graphql';
 import { gqlContext, MyContext } from '@/interfaces/graphql/context';
 <%_ } -%>
 
-import { env } from '@/config/env';
-
 const app = express();
 const port = env.PORT;
 

package/templates/common/.gitlab-ci.yml.ejs

@@ -4,6 +4,10 @@ variables:
 stages:
   - lint
   - test
+<% if (includeSecurity) { %>
+  - security
+  - quality
+<% } %>
   - build
 
 cache:
@@ -12,19 +16,19 @@ cache:
 
 install_dependencies:
   stage: .pre
-  image: node:22-alpine
+  image: node:22-slim
   script:
     - npm ci
 
 lint_code:
   stage: lint
-  image: node:22-alpine
+  image: node:22-slim
   script:
     - npm run lint
 
 run_unit_tests:
   stage: test
-  image: node:22-alpine
+  image: node:22-slim
   script:
     - npm run test:coverage
 
@@ -37,7 +41,44 @@ run_e2e_tests:
     - apk add --no-cache nodejs npm docker-compose
     - npm ci
     - npm run test:e2e
+<% if (includeSecurity) { %>
+snyk_scan:
+  stage: security
+  image: node:22-alpine
+  script:
+    - npm ci
+    - npm run snyk:test
+  only:
+    - main
 
+snyk_container_scan:
+  stage: security
+  image: docker:20.10.16
+  services:
+    - docker:20.10.16-dind
+  script:
+    - apk add --no-cache nodejs npm
+    - npm install -g snyk
+    - docker build -t <%= projectName %>:latest .
+    - snyk container test <%= projectName %>:latest --file=Dockerfile --severity-threshold=high --skip-unused-projects
+
+sonarqube_check:
+  stage: quality
+  image: 
+    name: sonarsource/sonar-scanner-cli:latest
+    entrypoint: [""]
+  variables:
+    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
+    GIT_DEPTH: "0"
+  cache:
+    key: "${CI_JOB_NAME}"
+    paths:
+      - .sonar/cache
+  script:
+    - sonar-scanner
+  only:
+    - main
+<% } %>
 build_app:
   stage: build
   image: node:22-alpine

package/templates/common/Dockerfile

@@ -1,7 +1,12 @@
 # ==========================================
 # Stage 1: Builder
 # ==========================================
-FROM node:22-alpine AS builder
+FROM node:22.22.2-trixie-slim AS builder
+
+# Upgrade OS packages to fix upstream vulnerabilities (Snyk-detected)
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 ENV NPM_CONFIG_UPDATE_NOTIFIER=false
@@ -20,7 +25,12 @@ COPY . .
 # ==========================================
 # Stage 2: Production
 # ==========================================
-FROM node:22-alpine AS production
+FROM node:22.22.2-trixie-slim AS production
+
+# Upgrade OS packages to fix upstream vulnerabilities (Snyk-detected)
+RUN apt-get update && apt-get upgrade -y && \
+    apt-get install -y --no-install-recommends ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 

package/templates/common/Jenkinsfile.ejs

@@ -31,29 +31,34 @@ pipeline {
             }
         }
 
-        // stage('Build') {
-        //     steps {
-        //         sh 'npm run build'
-        //     }
-        // }
-
-        // stage('SonarQube Analysis') {
-        //     environment {
-        //         scannerHome = tool 'SonarScanner'
-        //     }
-        //     steps {
-        //         withSonarQubeEnv('SonarQube') {
-        //             sh "${scannerHome}/bin/sonar-scanner"
-        //         }
-        //     }
-        // }
+<% if (includeSecurity) { %>
+        stage('SonarQube Analysis') {
+            environment {
+                scannerHome = tool 'SonarScanner'
+            }
+            steps {
+                withSonarQubeEnv('SonarQube') {
+                    sh "${scannerHome}/bin/sonar-scanner"
+                }
+            }
+        }
 
-        // stage('Security Scan') {
-        //     steps {
-        //         sh 'npm audit --audit-level=high'
-        //     }
-        // }
+        stage('Security Scan') {
+            steps {
+                sh 'npm audit --audit-level=high'
+                sh 'npm run snyk:test'
+            }
+        }
 
+        stage('Snyk Container Scan') {
+            steps {
+                script {
+                    sh 'docker build -t <%= projectName %>:latest .'
+                    sh 'snyk container test <%= projectName %>:latest --file=Dockerfile --severity-threshold=high --skip-unused-projects'
+                }
+            }
+        }
+<% } %>
         // stage('Docker Build & Push') {
         //     steps {
         //         script {

package/templates/common/README.md.ejs

@@ -3,6 +3,10 @@
 ![Node.js](https://img.shields.io/badge/Node.js-18%2B-green.svg)
 ![License](https://img.shields.io/badge/License-ISC-blue.svg)
 <% if (language === 'TypeScript') { %>![TypeScript](https://img.shields.io/badge/Language-TypeScript-blue.svg)<% } else { %>![JavaScript](https://img.shields.io/badge/Language-JavaScript-yellow.svg)<% } %>
+<% if (includeSecurity) { %>
+[![Snyk Vulnerabilities](https://img.shields.io/snyk/vulnerabilities/github/yourusername/<%= projectName %>?style=flat-square)](https://snyk.io/)
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=<%= projectName %>&metric=alert_status)](https://sonarcloud.io/)
+<% } %>
 
 A production-ready Node.js microservice generated with **<%= architecture %>** and **<%= database %>**.
 This project comes pre-configured with industry-standard tooling for **Code Quality**, **Testing**, and **Security**.
@@ -15,6 +19,7 @@ This project comes pre-configured with industry-standard tooling for **Code Qual
 -   **Quality**: Eslint, Prettier, Husky, Lint-Staged.
 -   **Testing**: Jest (Unit & Integration).
 -   **DevOps**: Multi-stage Docker build, CI/CD ready.
+<% if (includeSecurity) { %>-   **Enterprise Security**: Snyk SCA, SonarCloud SAST.<% } %>
 
 ## 🔄 CI/CD Pipeline
 <%_ if (ciProvider === 'GitHub Actions') { -%>
@@ -49,19 +54,20 @@ CI/CD is not currently configured, but the project is ready for integration.
 
 ### 2. Quick Start
 ```bash
-# Initialize Git (Required for Husky)
+# Initialize Git (Mandatory for Husky hooks)
 git init
 
 # Install dependencies
 npm install
 
-# Setup Git Hooks (Husky)
-npm run prepare
+# Troubleshooting Husky (if skip git init)
+# npx husky install
 
 # Start Infrastructure (DB, etc.)
 docker-compose up -d
 
 # Run Development Server
+docker-compose up -d<% if (database !== 'None') { %> db<% } %><% if (caching === 'Redis') { %> redis<% } %><% if (communication === 'Kafka') { %> kafka<% } %>
 npm run dev
 ```
 
@@ -241,8 +247,12 @@ docker-compose down
 -   **CORS**: Configured for cross-origin requests.
 -   **Rate Limiting**: Protects against DDoS / Brute-force.
 -   **HPP**: Prevents HTTP Parameter Pollution attacks.
-
-
+<% if (includeSecurity) { %>
+### 🛡️ Enterprise Hardening (Big Tech Standard)
+-   **Snyk SCA**: Automated dependency vulnerability scanning.
+-   **SonarCloud**: Deep static analysis for code quality and security hotspots.
+-   **Security Policy**: Standard `SECURITY.md` for vulnerability reporting.
+<% } %>
 ## 🤖 AI-Native Development
 
 This project is "AI-Ready" out of the box. We have pre-configured industry-leading AI context files to bridge the gap between "Generated Code" and "AI-Assisted Development."

package/templates/common/SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest `main` branch is supported for security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.0.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+We take the security of this project seriously. If you believe you have found a security vulnerability, please report it following these steps:
+
+1. **Do not open a public issue.**
+2. Send an email to the project maintainers (see `package.json`).
+3. Provide a detailed description of the vulnerability, including steps to reproduce.
+
+We will acknowledge your report within 48 hours and work on a fix as soon as possible.

package/templates/common/_github/workflows/{ci.yml → ci.yml.ejs}

@@ -14,17 +14,13 @@ jobs:
 
     runs-on: ubuntu-latest
 
-    strategy:
-      matrix:
-        node-version: [20.x, 22.x]
-
     steps:
     - uses: actions/checkout@v4
     
-    - name: Use Node.js ${{ matrix.node-version }}
+    - name: Use Node.js 22.x
       uses: actions/setup-node@v4
       with:
-        node-version: ${{ matrix.node-version }}
+        node-version: 22.x
         cache: 'npm'
         
     - name: Install Dependencies
@@ -41,3 +37,10 @@ jobs:
       
     - name: Build
       run: npm run build --if-present
+<% if (includeSecurity) { %>
+    - name: SonarQube Scan
+      uses: SonarSource/sonarqube-scan-action@master
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+<% } %>

package/templates/common/_github/workflows/security.yml.ejs

@@ -0,0 +1,36 @@
+name: Enterprise Security Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 0 * * 1' # Weekly scan
+
+jobs:
+  node-security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --severity-threshold=high
+
+  container-security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build Docker image
+        run: docker build -t <%= projectName %>:latest .
+      - name: Run Snyk to check Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: <%= projectName %>:latest
+          args: --file=Dockerfile --severity-threshold=high --skip-unused-projects

package/templates/common/_husky/pre-commit

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+npx lint-staged

package/templates/common/docker-compose.yml.ejs

@@ -99,7 +99,7 @@ services:
       - mongodb_data:/data/db
 
   mongo-migrate:
-    image: node:22-alpine
+    image: node:22-slim
     working_dir: /app
     volumes:
       - .:/app

package/templates/common/kafka/js/config/kafka.js

@@ -1,8 +1,9 @@
 const { Kafka } = require('kafkajs');
+const { env } = require('./env');
 
 const kafka = new Kafka({
     clientId: 'nodejs-service',
-    brokers: [process.env.KAFKA_BROKER || 'localhost:9092']
+    brokers: [env.KAFKA_BROKER]
 });
 
 module.exports = { kafka };

package/templates/common/kafka/js/config/kafka.spec.js.ejs

@@ -9,6 +9,12 @@ jest.mock('kafkajs', () => {
     };
 });
 
+jest.mock('<% if (architecture === "MVC") { %>@/config/env<% } else { %>@/infrastructure/config/env<% } %>', () => ({
+    env: {
+        KAFKA_BROKER: 'localhost:9092'
+    }
+}));
+
 describe('Kafka Configuration', () => {
     beforeEach(() => {
         jest.clearAllMocks();

package/templates/common/kafka/ts/config/kafka.spec.ts.ejs

@@ -9,6 +9,12 @@ jest.mock('kafkajs', () => {
     };
 });
 
+jest.mock('@/config/env', () => ({
+    env: {
+        KAFKA_BROKER: 'localhost:9092'
+    }
+}));
+
 describe('Kafka Configuration', () => {
     beforeEach(() => {
         jest.clearAllMocks();

package/templates/common/kafka/ts/config/kafka.ts

@@ -1,6 +1,7 @@
 import { Kafka } from 'kafkajs';
+import { env } from '@/config/env';
 
 export const kafka = new Kafka({
     clientId: 'nodejs-service',
-    brokers: [process.env.KAFKA_BROKER || 'localhost:9092']
+    brokers: [env.KAFKA_BROKER]
 });

package/templates/common/package.json.ejs

@@ -11,14 +11,16 @@
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "format": "prettier --write .",
-    "prepare": "node -e \"try { require('child_process').execSync('husky install'); } catch (e) { console.log('Not a git repository, skipping husky install'); }\"",
+    "prepare": "node -e \"if (require('fs').existsSync('.git')) { try { require('child_process').execSync('husky install', { stdio: 'inherit' }); } catch (e) { console.error('Husky installation failed:', e.message); } }\"",
 <% if (database === 'MongoDB') { %>    "migrate": "migrate-mongo up",
 <% } -%>
     "test": "jest",
     "test:watch": "jest --watch",
     "test:coverage": "jest --coverage",
     "test:e2e:run": "jest --config ./jest.e2e.config.js --passWithNoTests",
-    "test:e2e": "node scripts/run-e2e.js"
+    "test:e2e": "node scripts/run-e2e.js"<% if (includeSecurity) { %>,
+    "security:check": "npm audit && npm run snyk:test",
+    "snyk:test": "snyk test"<% } %>
   },
   "dependencies": {
     "express": "^4.18.2",
@@ -82,7 +84,8 @@
     "eslint-plugin-import-x": "^4.6.1",
     "eslint-import-resolver-typescript": "^3.7.0",
     "husky": "^8.0.3",
-    "lint-staged": "^15.4.3"<% if (language === 'TypeScript') { %>,
+    "lint-staged": "^15.4.3",
+    "snyk": "^1.1295.0"<% if (language === 'TypeScript') { %>,
     "typescript-eslint": "^8.24.1",<%_ if (communication === 'REST APIs' || communication === 'Kafka') { %>
     "@types/swagger-ui-express": "^4.1.6",
     "@types/yamljs": "^0.2.34",<%_ } %>

package/templates/common/sonar-project.properties.ejs

@@ -0,0 +1,27 @@
+# SonarCloud/SonarQube Project Configuration
+# See https://docs.sonarqube.org/latest/analysis/analysis-parameters/
+
+sonar.projectKey=your-org-key_<%= projectName %>
+sonar.projectName=<%= projectName %>
+sonar.organization=your-org-key
+sonar.projectVersion=1.0.0
+
+# Path to the source directories
+sonar.sources=src
+# Path to the test directories
+sonar.tests=tests
+
+# Language specific settings
+sonar.javascript.environments=node
+sonar.typescript.tsconfigPath=tsconfig.json
+sonar.javascript.lcov.reportPaths=coverage/lcov.info
+
+# Exclusions
+sonar.exclusions=node_modules/**, dist/**, coverage/**, tests/**
+
+# Quality Gates
+sonar.qualitygate.wait=true
+sonar.qualitygate.timeout=300
+
+# Security Hotspots
+sonar.security.reportPaths=snyk-report.json

package/templates/mvc/js/src/index.js.ejs

@@ -1,3 +1,4 @@
+const { env } = require('./config/env');
 const express = require('express');
 const cors = require('cors');
 <%_ if (communication === 'REST APIs' || communication === 'Kafka') { -%>const apiRoutes = require('./routes/api');<%_ } %>
@@ -16,7 +17,6 @@ const { gqlContext } = require('./graphql/context');
 const swaggerUi = require('swagger-ui-express');
 const swaggerSpecs = require('./config/swagger');
 <%_ } -%>
-const { env } = require('./config/env');
 const setupGracefulShutdown = require('./utils/gracefulShutdown');
 
 const app = express();