Merge pull request #401 from Wikid82/renovate/migrate-config

chore(config): migrate Renovate config

.github/renovate.json

@@ -6,21 +6,34 @@
     ":separateMultipleMajorReleases",
     "helpers:pinGitHubActionDigests"
   ],
-  "baseBranches": ["development"],
+  "baseBranchPatterns": [
+    "development"
+  ],
   "timezone": "UTC",
   "dependencyDashboard": true,
   "prConcurrentLimit": 10,
   "prHourlyLimit": 5,
-  "labels": ["dependencies"],
+  "labels": [
+    "dependencies"
+  ],
   "rebaseWhen": "conflicted",
-  "vulnerabilityAlerts": { "enabled": true },
-  "schedule": ["every weekday"],
+  "vulnerabilityAlerts": {
+    "enabled": true
+  },
+  "schedule": [
+    "before 4am on Monday"
+  ],
   "rangeStrategy": "bump",
+  "automerge": true,
+  "automergeType": "pr",
+  "platformAutomerge": true,
   "customManagers": [
     {
       "customType": "regex",
       "description": "Track Go dependencies patched in Dockerfile for Caddy CVE fixes",
-      "fileMatch": ["^Dockerfile$"],
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
       "matchStrings": [
         "#\\s*renovate:\\s*datasource=go\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get (?<depName2>[^@]+)@v(?<currentValue>[^\\s|]+)"
       ],
@@ -30,77 +43,161 @@
   ],
   "packageRules": [
     {
-      "description": "Caddy transitive dependency patches in Dockerfile",
-      "matchManagers": ["regex"],
-      "matchFileNames": ["Dockerfile"],
-      "matchPackagePatterns": ["expr-lang/expr", "quic-go/quic-go", "smallstep/certificates"],
-      "labels": ["dependencies", "caddy-patch", "security"],
+      "description": "Automerge digest updates (action pins, Docker SHAs)",
+      "matchUpdateTypes": [
+        "digest",
+        "pin"
+      ],
       "automerge": true
     },
+    {
+      "description": "Caddy transitive dependency patches in Dockerfile",
+      "matchManagers": [
+        "custom.regex"
+      ],
+      "matchFileNames": [
+        "Dockerfile"
+      ],
+      "labels": [
+        "dependencies",
+        "caddy-patch",
+        "security"
+      ],
+      "automerge": true,
+      "matchPackageNames": [
+        "/expr-lang/expr/",
+        "/quic-go/quic-go/",
+        "/smallstep/certificates/"
+      ]
+    },
     {
       "description": "Automerge safe patch updates",
-      "matchUpdateTypes": ["patch"],
+      "matchUpdateTypes": [
+        "patch"
+      ],
       "automerge": true
     },
     {
       "description": "Frontend npm: automerge minor for devDependencies",
-      "matchManagers": ["npm"],
-      "matchDepTypes": ["devDependencies"],
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchManagers": [
+        "npm"
+      ],
+      "matchDepTypes": [
+        "devDependencies"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
       "automerge": true,
-      "labels": ["dependencies", "npm"]
+      "labels": [
+        "dependencies",
+        "npm"
+      ]
     },
     {
       "description": "Backend Go modules",
-      "matchManagers": ["gomod"],
-      "labels": ["dependencies", "go"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "automerge": false
+      "matchManagers": [
+        "gomod"
+      ],
+      "labels": [
+        "dependencies",
+        "go"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "automerge": true
     },
     {
       "description": "GitHub Actions updates",
-      "matchManagers": ["github-actions"],
-      "labels": ["dependencies", "github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchManagers": [
+        "github-actions"
+      ],
+      "labels": [
+        "dependencies",
+        "github-actions"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
       "automerge": true
     },
     {
       "description": "actions/checkout",
-      "matchManagers": ["github-actions"],
-      "matchPackageNames": ["actions/checkout"],
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchPackageNames": [
+        "actions/checkout"
+      ],
       "automerge": false,
-      "matchUpdateTypes": ["minor", "patch"],
-      "labels": ["dependencies", "github-actions", "manual-review"]
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "labels": [
+        "dependencies",
+        "github-actions",
+        "manual-review"
+      ]
     },
     {
       "description": "Do not auto-upgrade other github-actions majors without review",
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["major"],
+      "matchManagers": [
+        "github-actions"
+      ],
+      "matchUpdateTypes": [
+        "major"
+      ],
       "automerge": false,
-      "labels": ["dependencies", "github-actions", "manual-review"],
+      "labels": [
+        "dependencies",
+        "github-actions",
+        "manual-review"
+      ],
       "prPriority": 0
     },
     {
       "description": "Docker: keep Caddy within v2 (no automatic jump to v3)",
-      "matchManagers": ["dockerfile"],
-      "matchPackageNames": ["caddy"],
+      "matchManagers": [
+        "dockerfile"
+      ],
+      "matchPackageNames": [
+        "caddy"
+      ],
       "allowedVersions": "<3.0.0",
-      "labels": ["dependencies", "docker"],
+      "labels": [
+        "dependencies",
+        "docker"
+      ],
       "automerge": true,
       "extractVersion": "^(?<version>\\d+\\.\\d+\\.\\d+)",
       "versioning": "semver"
     },
     {
       "description": "Group non-breaking npm minor/patch",
-      "matchManagers": ["npm"],
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchManagers": [
+        "npm"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
       "groupName": "npm minor/patch",
       "prPriority": -1
     },
     {
       "description": "Group docker base minor/patch",
-      "matchManagers": ["dockerfile"],
-      "matchUpdateTypes": ["minor", "patch"],
+      "matchManagers": [
+        "dockerfile"
+      ],
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
       "groupName": "docker base updates",
       "prPriority": -1
     }

.github/workflows/docker-build.yml

@@ -110,6 +110,7 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          pull: true  # Always pull fresh base images to get latest security patches
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |

.github/workflows/docker-publish.yml

@@ -114,6 +114,8 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          # Always pull fresh base images to get latest security patches
+          pull: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |

.github/workflows/release-goreleaser.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
-          go-version: '1.23.x'
+          go-version: '1.25.5'
 
       - name: Set up Node.js
         uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6

.github/workflows/security-weekly-rebuild.yml

@@ -71,6 +71,7 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
+          pull: true  # Always pull fresh base images to get latest security patches
           build-args: |
             VERSION=security-scan
             BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
@@ -109,7 +110,7 @@ jobs:
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 
       - name: Upload Trivy JSON results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: trivy-weekly-scan-${{ github.run_number }}
           path: trivy-weekly-results.json
@@ -121,8 +122,8 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Checking key security packages:" >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
-          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
-            sh -c "apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
+          docker run --rm --entrypoint "" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
+            sh -c "apk update >/dev/null 2>&1 && apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
           echo '```' >> $GITHUB_STEP_SUMMARY
 
       - name: Create security scan summary

.version

@@ -1 +1 @@
-0.4.0
+0.7.9

Dockerfile

@@ -18,6 +18,7 @@ ARG CADDY_VERSION=2.10.2
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on
 ## upstream caddy image tags while still shipping a pinned caddy binary.
+# renovate: datasource=docker depName=alpine
 ARG CADDY_IMAGE=alpine:3.23
 
 # ---- Cross-Compilation Helpers ----
@@ -158,11 +159,53 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         rm -rf /tmp/buildenv_* /tmp/caddy-temp; \
         /usr/bin/caddy version'
 
-# ---- CrowdSec Installer ----
-# CrowdSec requires CGO (mattn/go-sqlite3), so we cannot build from source
-# with CGO_ENABLED=0. Instead, we download prebuilt static binaries for amd64
-# or install from packages. For other architectures, CrowdSec is skipped.
-FROM alpine:3.23 AS crowdsec-installer
+# ---- CrowdSec Builder ----
+# Build CrowdSec from source to ensure we use Go 1.25.5+ and avoid stdlib vulnerabilities
+# (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
+FROM --platform=$BUILDPLATFORM golang:1.25-alpine AS crowdsec-builder
+COPY --from=xx / /
+
+WORKDIR /tmp/crowdsec
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+# CrowdSec version - Renovate can update this
+# renovate: datasource=github-releases depName=crowdsecurity/crowdsec
+ARG CROWDSEC_VERSION=1.7.4
+
+# hadolint ignore=DL3018
+RUN apk add --no-cache git clang lld
+# hadolint ignore=DL3018,DL3059
+RUN xx-apk add --no-cache gcc musl-dev
+
+# Clone CrowdSec source
+RUN git clone --depth 1 --branch "v${CROWDSEC_VERSION}" https://github.com/crowdsecurity/crowdsec.git .
+
+# Build CrowdSec binaries for target architecture
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=1 xx-go build -o /crowdsec-out/crowdsec \
+        -ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=v${CROWDSEC_VERSION}" \
+        ./cmd/crowdsec && \
+    xx-verify /crowdsec-out/crowdsec
+
+# hadolint ignore=DL3059
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=1 xx-go build -o /crowdsec-out/cscli \
+        -ldflags "-s -w -X github.com/crowdsecurity/crowdsec/pkg/cwversion.Version=v${CROWDSEC_VERSION}" \
+        ./cmd/crowdsec-cli && \
+    xx-verify /crowdsec-out/cscli
+
+# Copy config files
+RUN mkdir -p /crowdsec-out/config && \
+    cp -r config/* /crowdsec-out/config/ || true
+
+# ---- CrowdSec Fallback (for architectures where build fails) ----
+# renovate: datasource=docker depName=alpine
+FROM alpine:3.23 AS crowdsec-fallback
 
 WORKDIR /tmp/crowdsec
 
@@ -174,32 +217,27 @@ ARG CROWDSEC_VERSION=1.7.4
 # hadolint ignore=DL3018
 RUN apk add --no-cache curl tar
 
-# Download static binaries (only available for amd64)
+# Download static binaries as fallback (only available for amd64)
 # For other architectures, create empty placeholder files so COPY doesn't fail
 # hadolint ignore=DL3059,SC2015
 RUN set -eux; \
     mkdir -p /crowdsec-out/bin /crowdsec-out/config; \
     if [ "$TARGETARCH" = "amd64" ]; then \
-        echo "Downloading CrowdSec binaries for amd64..."; \
+        echo "Downloading CrowdSec binaries for amd64 (fallback)..."; \
         curl -fSL "https://github.com/crowdsecurity/crowdsec/releases/download/v${CROWDSEC_VERSION}/crowdsec-release.tgz" \
             -o /tmp/crowdsec.tar.gz && \
         tar -xzf /tmp/crowdsec.tar.gz -C /tmp && \
-        # Binaries are in cmd/crowdsec-cli/cscli and cmd/crowdsec/crowdsec
         cp "/tmp/crowdsec-v${CROWDSEC_VERSION}/cmd/crowdsec-cli/cscli" /crowdsec-out/bin/ && \
         cp "/tmp/crowdsec-v${CROWDSEC_VERSION}/cmd/crowdsec/crowdsec" /crowdsec-out/bin/ && \
         chmod +x /crowdsec-out/bin/* && \
-        # Copy config files from the release tarball
         if [ -d "/tmp/crowdsec-v${CROWDSEC_VERSION}/config" ]; then \
             cp -r "/tmp/crowdsec-v${CROWDSEC_VERSION}/config/"* /crowdsec-out/config/; \
         fi && \
-        echo "CrowdSec binaries installed successfully"; \
+        echo "CrowdSec fallback binaries installed successfully"; \
     else \
         echo "CrowdSec binaries not available for $TARGETARCH - skipping"; \
-        # Create empty placeholder so COPY doesn't fail
         touch /crowdsec-out/bin/.placeholder /crowdsec-out/config/.placeholder; \
-    fi; \
-    # Show what we have
-    ls -la /crowdsec-out/bin/ /crowdsec-out/config/ || true
+    fi
 
 # ---- Final Runtime with Caddy ----
 FROM ${CADDY_IMAGE}
@@ -220,18 +258,19 @@ RUN mkdir -p /app/data/geoip && \
 # Copy Caddy binary from caddy-builder (overwriting the one from base image)
 COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
 
-# Copy CrowdSec binaries from the crowdsec-installer stage (optional - only amd64)
-# The installer creates placeholders for non-amd64 architectures
-COPY --from=crowdsec-installer /crowdsec-out/bin/* /usr/local/bin/
-COPY --from=crowdsec-installer /crowdsec-out/config /etc/crowdsec.dist
+# Copy CrowdSec binaries from the crowdsec-builder stage (built with Go 1.25.5+)
+# This ensures we don't have stdlib vulnerabilities from older Go versions
+COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
+COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli
+COPY --from=crowdsec-builder /crowdsec-out/config /etc/crowdsec.dist
 
-# Clean up placeholder files and verify CrowdSec (if available)
-RUN rm -f /usr/local/bin/.placeholder /etc/crowdsec.dist/.placeholder 2>/dev/null || true; \
+# Verify CrowdSec binaries
+RUN chmod +x /usr/local/bin/crowdsec /usr/local/bin/cscli 2>/dev/null || true; \
     if [ -x /usr/local/bin/cscli ]; then \
-        echo "CrowdSec installed:"; \
+        echo "CrowdSec installed (built from source with Go 1.25):"; \
         cscli version || echo "CrowdSec version check failed"; \
     else \
-        echo "CrowdSec not available for this architecture - skipping verification"; \
+        echo "CrowdSec not available for this architecture"; \
     fi
 
 # Create required CrowdSec directories in runtime image

backend/go.mod

@@ -1,6 +1,6 @@
 module github.com/Wikid82/charon/backend
 
-go 1.25
+go 1.25.5
 
 require (
 	github.com/containrrr/shoutrrr v0.8.0

frontend/src/components/__tests__/LiveLogViewer.test.tsx

@@ -406,7 +406,7 @@ describe('LiveLogViewer', () => {
       // Use findBy queries (built-in waiting) instead of single waitFor with multiple assertions
       // This avoids race conditions where one failing assertion causes the entire block to retry
       await screen.findByText('10.0.0.1');
-      await screen.findByText(/BLOCKED: SQL injection detected/);
+      await screen.findByText(/🚫 BLOCKED: SQL injection detected/);
       await screen.findByText(/\[SQL injection detected\]/);
 
       // For getAllByText, keep in waitFor but separate from other assertions

go.work

@@ -1,3 +1,3 @@
-go 1.25
+go 1.25.5
 
 use ./backend

go.work.sum

@@ -42,6 +42,7 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/oschwald/maxminddb-golang/v2 v2.1.1/go.mod h1:PLdx6PR+siSIoXqqy7C7r3SB3KZnhxWr1Dp6g0Hacl8=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=