Benjamin_Boenisch/breakpilot-pwa
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Restore all files lost during destructive rebase

Browse Source 
A previous `git pull --rebase origin main` dropped 177 local commits,
losing 3400+ files across admin-v2, backend, studio-v2, website,
klausur-service, and many other services. The partial restore attempt
(660295e2) only recovered some files.

This commit restores all missing files from pre-rebase ref 98933f5e
while preserving post-rebase additions (night-scheduler, night-mode UI,
NightModeWidget dashboard integration).

Restored features include:
- AI Module Sidebar (FAB), OCR Labeling, OCR Compare
- GPU Dashboard, RAG Pipeline, Magic Help
- Klausur-Korrektur (8 files), Abitur-Archiv (5+ files)
- Companion, Zeugnisse-Crawler, Screen Flow
- Full backend, studio-v2, website, klausur-service
- All compliance SDKs, agent-core, voice-service
- CI/CD configs, documentation, scripts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-02-09 09:51:32 +01:00
parent f7487ee240
commit 21a844cb8a
1986 changed files with 744143 additions and 1731 deletions
Download Patch File Download Diff File Expand all files Collapse all files

314
.woodpecker/security.yml Normal file
View File

@@ -0,0 +1,314 @@
# Woodpecker CI Security Pipeline
# Dedizierte Security-Scans fuer DevSecOps
#
# Laeuft taeglich via Cron und bei jedem PR
when:
- event: cron
cron: "0 3 * * *" # Taeglich um 3:00 Uhr
- event: pull_request
clone:
git:
image: woodpeckerci/plugin-git
settings:
depth: 1
extra_hosts:
- macmini:192.168.178.100
steps:
# ========================================
# Static Analysis
# ========================================
semgrep-scan:
image: returntocorp/semgrep:latest
commands:
- semgrep scan --config auto --json -o semgrep-results.json . || true
- |
if [ -f semgrep-results.json ]; then
echo "=== Semgrep Findings ==="
cat semgrep-results.json | head -100
fi
when:
event: [pull_request, cron]
bandit-python:
image: python:3.12-slim
commands:
- pip install --quiet bandit
- bandit -r backend/ -f json -o bandit-results.json || true
- |
if [ -f bandit-results.json ]; then
echo "=== Bandit Findings ==="
cat bandit-results.json | head -50
fi
when:
event: [pull_request, cron]
gosec-go:
image: securego/gosec:latest
commands:
- gosec -fmt json -out gosec-consent.json ./consent-service/... || true
- gosec -fmt json -out gosec-billing.json ./billing-service/... || true
- echo "Go Security Scan abgeschlossen"
when:
event: [pull_request, cron]
# ========================================
# Secrets Detection
# ========================================
gitleaks-scan:
image: zricethezav/gitleaks:latest
commands:
- gitleaks detect --source . --report-format json --report-path gitleaks-report.json || true
- |
if [ -s gitleaks-report.json ]; then
echo "=== WARNUNG: Potentielle Secrets gefunden ==="
cat gitleaks-report.json
else
echo "Keine Secrets gefunden"
fi
trufflehog-scan:
image: trufflesecurity/trufflehog:latest
commands:
- trufflehog filesystem . --json > trufflehog-results.json 2>&1 || true
- echo "TruffleHog Scan abgeschlossen"
# ========================================
# Dependency Vulnerabilities
# ========================================
npm-audit:
image: node:20-alpine
commands:
- cd website && npm audit --json > ../npm-audit-website.json || true
- cd ../studio-v2 && npm audit --json > ../npm-audit-studio.json || true
- cd ../admin-v2 && npm audit --json > ../npm-audit-admin.json || true
- echo "NPM Audit abgeschlossen"
when:
event: [pull_request, cron]
pip-audit:
image: python:3.12-slim
commands:
- pip install --quiet pip-audit
- pip-audit -r backend/requirements.txt --format json -o pip-audit-backend.json || true
- pip-audit -r voice-service/requirements.txt --format json -o pip-audit-voice.json || true
- echo "Pip Audit abgeschlossen"
when:
event: [pull_request, cron]
go-vulncheck:
image: golang:1.21-alpine
commands:
- go install golang.org/x/vuln/cmd/govulncheck@latest
- cd consent-service && govulncheck ./... || true
- cd ../billing-service && govulncheck ./... || true
- echo "Go Vulncheck abgeschlossen"
when:
event: [pull_request, cron]
# ========================================
# Container Security
# ========================================
trivy-filesystem:
image: aquasec/trivy:latest
commands:
- trivy fs --severity HIGH,CRITICAL --format json -o trivy-fs.json . || true
- echo "Trivy Filesystem Scan abgeschlossen"
when:
event: cron
# ========================================
# SBOM Generation (taeglich)
# ========================================
daily-sbom:
image: anchore/syft:latest
commands:
- mkdir -p sbom-reports
- syft dir:. -o cyclonedx-json > sbom-reports/sbom-full-$(date +%Y%m%d).json
- echo "SBOM generiert"
when:
event: cron
# ========================================
# AUTO-FIX: Dependency Vulnerabilities
# Laeuft nur bei Cron (nightly), nicht bei PRs
# ========================================
auto-fix-npm:
image: node:20-alpine
commands:
- apk add --no-cache git
- |
echo "=== Auto-Fix: NPM Dependencies ==="
FIXES_APPLIED=0
for dir in website studio-v2 admin-v2 h5p-service; do
if [ -d "$dir" ] && [ -f "$dir/package.json" ]; then
echo "Pruefe $dir..."
cd $dir
# Speichere Hash vor Fix
BEFORE=$(md5sum package-lock.json 2>/dev/null || echo "none")
# npm audit fix (ohne --force fuer sichere Updates)
npm audit fix --package-lock-only 2>/dev/null || true
# Pruefe ob Aenderungen
AFTER=$(md5sum package-lock.json 2>/dev/null || echo "none")
if [ "$BEFORE" != "$AFTER" ]; then
echo " -> Fixes angewendet in $dir"
FIXES_APPLIED=$((FIXES_APPLIED + 1))
fi
cd ..
fi
done
echo "NPM Auto-Fix abgeschlossen: $FIXES_APPLIED Projekte aktualisiert"
echo "NPM_FIXES=$FIXES_APPLIED" >> /tmp/autofix-results.env
when:
event: cron
auto-fix-python:
image: python:3.12-slim
commands:
- apt-get update && apt-get install -y git
- pip install --quiet pip-audit
- |
echo "=== Auto-Fix: Python Dependencies ==="
FIXES_APPLIED=0
for reqfile in backend/requirements.txt voice-service/requirements.txt klausur-service/backend/requirements.txt; do
if [ -f "$reqfile" ]; then
echo "Pruefe $reqfile..."
DIR=$(dirname $reqfile)
# pip-audit mit --fix (aktualisiert requirements.txt)
pip-audit -r $reqfile --fix 2>/dev/null || true
# Pruefe ob requirements.txt geaendert wurde
if git diff --quiet $reqfile 2>/dev/null; then
echo " -> Keine Aenderungen in $reqfile"
else
echo " -> Fixes angewendet in $reqfile"
FIXES_APPLIED=$((FIXES_APPLIED + 1))
fi
fi
done
echo "Python Auto-Fix abgeschlossen: $FIXES_APPLIED Dateien aktualisiert"
echo "PYTHON_FIXES=$FIXES_APPLIED" >> /tmp/autofix-results.env
when:
event: cron
auto-fix-go:
image: golang:1.21-alpine
commands:
- apk add --no-cache git
- |
echo "=== Auto-Fix: Go Dependencies ==="
FIXES_APPLIED=0
for dir in consent-service billing-service school-service edu-search ai-compliance-sdk; do
if [ -d "$dir" ] && [ -f "$dir/go.mod" ]; then
echo "Pruefe $dir..."
cd $dir
# Go mod tidy und update
go get -u ./... 2>/dev/null || true
go mod tidy 2>/dev/null || true
# Pruefe ob go.mod/go.sum geaendert wurden
if git diff --quiet go.mod go.sum 2>/dev/null; then
echo " -> Keine Aenderungen in $dir"
else
echo " -> Updates angewendet in $dir"
FIXES_APPLIED=$((FIXES_APPLIED + 1))
fi
cd ..
fi
done
echo "Go Auto-Fix abgeschlossen: $FIXES_APPLIED Module aktualisiert"
echo "GO_FIXES=$FIXES_APPLIED" >> /tmp/autofix-results.env
when:
event: cron
# ========================================
# Commit & Push Auto-Fixes
# ========================================
commit-security-fixes:
image: alpine/git:latest
commands:
- |
echo "=== Commit Security Fixes ==="
# Git konfigurieren
git config --global user.email "security-bot@breakpilot.de"
git config --global user.name "Security Bot"
git config --global --add safe.directory /woodpecker/src
# Pruefe ob es Aenderungen gibt
if git diff --quiet && git diff --cached --quiet; then
echo "Keine Security-Fixes zum Committen"
exit 0
fi
# Zeige was geaendert wurde
echo "Geaenderte Dateien:"
git status --short
# Stage alle relevanten Dateien
git add -A \
*/package-lock.json \
*/requirements.txt \
*/go.mod \
*/go.sum \
2>/dev/null || true
# Commit erstellen
TIMESTAMP=$(date +%Y-%m-%d)
git commit -m "fix(security): auto-fix vulnerable dependencies [$TIMESTAMP]
Automatische Sicherheitsupdates durch CI/CD Pipeline:
- npm audit fix fuer Node.js Projekte
- pip-audit --fix fuer Python Projekte
- go get -u fuer Go Module
Co-Authored-By: Security Bot <security-bot@breakpilot.de>" || echo "Nichts zu committen"
# Push zum Repository
git push origin HEAD:main || echo "Push fehlgeschlagen - manueller Review erforderlich"
echo "Security-Fixes committed und gepusht"
when:
event: cron
status: success
# ========================================
# Report to Dashboard
# ========================================
update-security-dashboard:
image: curlimages/curl:latest
commands:
- |
curl -X POST "http://backend:8000/api/security/scan-results" \
-H "Content-Type: application/json" \
-d "{
\"scan_type\": \"daily\",
\"timestamp\": \"$(date -Iseconds)\",
\"tools\": [\"semgrep\", \"bandit\", \"gosec\", \"gitleaks\", \"trivy\"]
}" || true
when:
status: [success, failure]
event: cron