Security & Quality
To improve the security of the application, a CodeQL workflow is set up for automatic code analysis. This workflow is scheduled to run automatically every Saturday (but can be triggered manually too). The workflow action used is github/codeql-action/analyze@v4.
To reduce the attack surface of our container, it doesn't run as root but as the user spring in the group spring.
SonarQube Cloud is used for an additional layer of static code analysis. Details about the current project status can be accessed through the online dashboard.
For a simplified overview, the readme contains three badges: the statuses of the last deployment and CodeQL workflow runs, and the result of the last SonarCloud quality gate scan.
certbot is used to obtain SSL certificates for the EC2 instance, which is reachable via an Elastic IP (EIP), in tandem with sslip.io. The Spring application terminates SSL itself using the Spring Boot SSL bundle mechanism.
Connections are secured using the IAM mechanism. Since the project runs on AWS Academy, the role "LabRole" authorizes everything.
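As an added example (not the project's own configuration), this is how a Spring Boot SSL bundle is wired to the PEM files certbot writes so that the embedded server terminates TLS itself; the hostname 203-0-113-10.sslip.io and the file paths are placeholders.

```yaml
# Added example, not the project's own config. Assumes Spring Boot 3.2 or newer
# and that certbot has already issued a certificate for the placeholder host
# 203-0-113-10.sslip.io (an sslip.io name that resolves to the instance's EIP).
spring:
  ssl:
    bundle:
      pem:
        # Bundle name; referenced below by server.ssl.bundle
        server:
          # certbot renews in place, so watch the files and reload without a restart
          reload-on-update: true
          keystore:
            # fullchain.pem = leaf certificate plus the issuing chain
            certificate: "file:/etc/letsencrypt/live/203-0-113-10.sslip.io/fullchain.pem"
            private-key: "file:/etc/letsencrypt/live/203-0-113-10.sslip.io/privkey.pem"
server:
  port: 8443
  ssl:
    # Bind the embedded server's TLS listener to the bundle defined above
    bundle: "server"
```

Because the container runs as the unprivileged spring user, privkey.pem must be readable by that user: certbot's default live/ and archive/ directories are root-only, so the files have to be exposed to the container with suitable ownership (for example copied by a certbot deploy hook into a volume mounted read-only).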