verifywise-ai · MuhammadKhalilzadeh · Jan 28, 2026 · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,98 @@
+version: 2
+updates:
+  # Frontend (Clients) - npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/Clients"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "bluewave-labs/verifywise-maintainers"
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "deps(frontend):"
+    groups:
+      # Group minor and patch updates together
+      frontend-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Backend (Servers) - npm dependencies
+  - package-ecosystem: "npm"
+    directory: "/Servers"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "bluewave-labs/verifywise-maintainers"
+    labels:
+      - "dependencies"
+      - "security"
+    commit-message:
+      prefix: "deps(backend):"
+    groups:
+      backend-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
+
+  # EvaluationModule - Python dependencies
+  - package-ecosystem: "pip"
+    directory: "/EvaluationModule"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "bluewave-labs/verifywise-maintainers"
+    labels:
+      - "dependencies"
+      - "security"
+      - "python"
+    commit-message:
+      prefix: "deps(eval):"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "bluewave-labs/verifywise-maintainers"
+    labels:
+      - "dependencies"
+      - "ci/cd"
+    commit-message:
+      prefix: "ci:"
+
+  # Docker dependencies
+  - package-ecosystem: "docker"
+    directory: "/Clients"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "docker(frontend):"
+
+  - package-ecosystem: "docker"
+    directory: "/Servers"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "docker(backend):"
diff --git a/.github/workflows/backend-checks.yml b/.github/workflows/backend-checks.yml
@@ -1,15 +1,22 @@
 name: Backend Checks
+
 permissions:
   contents: read
+  security-events: write
 
 on:
   pull_request:
     branches: ['master', 'develop']
     paths:
       - 'Servers/**'
+  push:
+    branches: ['master', 'develop']
+    paths:
+      - 'Servers/**'
+
 jobs:
-  build-check:
-    name: Backend Checks / build-check
+  security-audit:
+    name: Security Audit
     runs-on: ubuntu-latest
     defaults:
       run:
@@ -26,8 +33,53 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: Build
+      - name: Run npm audit
+        run: npm audit --audit-level=high
+        continue-on-error: true
+
+      - name: Run npm audit (JSON output for review)
+        run: npm audit --json > ../audit-results.json || true
+
+      - name: Upload audit results
+        uses: actions/upload-artifact@v4
+        with:
+          name: backend-npm-audit-results
+          path: audit-results.json
+          retention-days: 30
+
+  lint-and-build:
+    name: Lint and Build
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: Servers
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: TypeScript type check
         run: npm run build
 
-      - name: Run Tests
+      - name: Run tests
         run: npm test
+
+  dependency-review:
+    name: Dependency Review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          deny-licenses: GPL-3.0, AGPL-3.0
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -6,43 +6,63 @@ on:
 
 jobs:
   build-and-push:
-    # if: ${{ !endsWith(github.event.release.tag_name, '-saas') }} 
     runs-on: ubuntu-latest
     environment: Build
 
     permissions:
       contents: read
       packages: write
+      security-events: write
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Extract Tag Name
         id: get_tag
         run: echo "TAG=${GITHUB_REF##*/}" >> $GITHUB_ENV
 
-      - name: Debug GitHub Token Access
-        run: |
-          if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
-            echo "GITHUB_TOKEN is NOT available"
-            exit 1
-          else
-            echo "GITHUB_TOKEN is available"
-          fi
-
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # Build Frontend image
+      - name: Build Clients image (for scanning)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Clients/Dockerfile
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: verifywise-frontend:scan
+          build-args: |
+            VITE_SLACK_CLIENT_ID=${{ secrets.SLACK_CLIENT_ID }}
+            VITE_APP_VERSION=${{ env.TAG }}
+
+      - name: Scan Frontend image with Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'verifywise-frontend:scan'
+          format: 'sarif'
+          output: 'frontend-trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+
+      - name: Upload Frontend Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'frontend-trivy-results.sarif'
+          category: 'container-frontend'
+
       - name: Build and push Clients image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./Clients/Dockerfile
@@ -55,8 +75,33 @@ jobs:
             VITE_SLACK_CLIENT_ID=${{ secrets.SLACK_CLIENT_ID }}
             VITE_APP_VERSION=${{ env.TAG }}
 
+      # Build Backend image
+      - name: Build Servers image (for scanning)
+        uses: docker/build-push-action@v5
+        with:
+          context: ./Servers
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: verifywise-backend:scan
+
+      - name: Scan Backend image with Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'verifywise-backend:scan'
+          format: 'sarif'
+          output: 'backend-trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+
+      - name: Upload Backend Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'backend-trivy-results.sarif'
+          category: 'container-backend'
+
       - name: Build and push Servers image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: ./Servers
           platforms: linux/amd64,linux/arm64
@@ -78,8 +123,34 @@ jobs:
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf "$AGENT_TOOLSDIRECTORY"
 
+      # Build EvalServer image
+      - name: Build EvalServer image (for scanning)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./EvalServer/Dockerfile
+          platforms: linux/amd64
+          push: false
+          load: true
+          tags: verifywise-eval-server:scan
+
+      - name: Scan EvalServer image with Trivy
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'verifywise-eval-server:scan'
+          format: 'sarif'
+          output: 'evalserver-trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '0'
+
+      - name: Upload EvalServer Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'evalserver-trivy-results.sarif'
+          category: 'container-evalserver'
+
       - name: Build and push EvalServer image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           file: ./EvalServer/Dockerfile