feat: Add Academy, Whistleblower, Incidents SDK modules, pitch-deck, blog and CI/CD config

- Academy, Whistleblower, Incidents frontend pages with API proxies and types - Vendor compliance API proxy route - Go backend handlers and models for all new SDK modules - Investor pitch-deck app with interactive slides - Blog section with DSGVO, AI Act, NIS2, glossary articles - MkDocs documentation site - CI/CD pipelines (Woodpecker, GitHub Actions), security scanning config - Planning and implementation documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 21:12:16 +01:00
parent d7ba705562
commit 557305db5d
208 changed files with 141969 additions and 5680 deletions
--- a/admin-v2/.github/workflows/security.yml
+++ b/admin-v2/.github/workflows/security.yml
@@ -0,0 +1,222 @@
+name: Security Scanning
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    # Run security scans weekly on Sundays at midnight
+    - cron: '0 0 * * 0'
+
+jobs:
+  # ==========================================
+  # Secret Scanning
+  # ==========================================
+  secret-scan:
+    name: Secret Scanning
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@main
+        with:
+          extra_args: --only-verified
+
+      - name: GitLeaks Secret Scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        continue-on-error: true
+
+  # ==========================================
+  # Dependency Vulnerability Scanning
+  # ==========================================
+  dependency-scan:
+    name: Dependency Vulnerability Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner (filesystem)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-fs-results.sarif'
+        continue-on-error: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-fs-results.sarif'
+        continue-on-error: true
+
+  # ==========================================
+  # Go Security Scan
+  # ==========================================
+  go-security:
+    name: Go Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.21'
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: '-no-fail -fmt sarif -out gosec-results.sarif ./consent-service/...'
+        continue-on-error: true
+
+      - name: Upload Gosec results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'gosec-results.sarif'
+        continue-on-error: true
+
+      - name: Run govulncheck
+        working-directory: ./consent-service
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./... || true
+
+  # ==========================================
+  # Python Security Scan
+  # ==========================================
+  python-security:
+    name: Python Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install safety
+        run: pip install safety bandit
+
+      - name: Run Safety (dependency check)
+        working-directory: ./backend
+        run: safety check -r requirements.txt --full-report || true
+
+      - name: Run Bandit (code security scan)
+        working-directory: ./backend
+        run: bandit -r . -f sarif -o bandit-results.sarif --exit-zero
+
+      - name: Upload Bandit results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: './backend/bandit-results.sarif'
+        continue-on-error: true
+
+  # ==========================================
+  # Node.js Security Scan
+  # ==========================================
+  node-security:
+    name: Node.js Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        working-directory: ./website
+        run: npm ci
+
+      - name: Run npm audit
+        working-directory: ./website
+        run: npm audit --audit-level=high || true
+
+  # ==========================================
+  # Docker Image Scanning
+  # ==========================================
+  docker-security:
+    name: Docker Image Security
+    runs-on: ubuntu-latest
+    needs: [go-security, python-security, node-security]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build consent-service image
+        run: docker build -t breakpilot/consent-service:scan ./consent-service
+
+      - name: Run Trivy on consent-service
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'breakpilot/consent-service:scan'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-consent-results.sarif'
+        continue-on-error: true
+
+      - name: Build backend image
+        run: docker build -t breakpilot/backend:scan ./backend
+
+      - name: Run Trivy on backend
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'breakpilot/backend:scan'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-backend-results.sarif'
+        continue-on-error: true
+
+      - name: Upload Trivy results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-consent-results.sarif'
+        continue-on-error: true
+
+  # ==========================================
+  # Security Summary
+  # ==========================================
+  security-summary:
+    name: Security Summary
+    runs-on: ubuntu-latest
+    needs: [secret-scan, dependency-scan, go-security, python-security, node-security, docker-security]
+    if: always()
+
+    steps:
+      - name: Create security summary
+        run: |
+          echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Scan Type | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|-----------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Secret Scanning | ${{ needs.secret-scan.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Dependency Scanning | ${{ needs.dependency-scan.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Go Security | ${{ needs.go-security.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Python Security | ${{ needs.python-security.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Node.js Security | ${{ needs.node-security.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Docker Security | ${{ needs.docker-security.result }} |" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Notes" >> $GITHUB_STEP_SUMMARY
+          echo "- Results are uploaded to the GitHub Security tab" >> $GITHUB_STEP_SUMMARY
+          echo "- Weekly scheduled scans run on Sundays" >> $GITHUB_STEP_SUMMARY