NexaPG 0.2.4 - Milestone update "v1.0 - Stability, Reliability & Security (P0)"
Released 2026-02-15 11:36:40 +00:00

Security & CI Hardening
NX-202: Python dependency vulnerability gate
- Added dedicated CI workflow: `.github/workflows/python-dependency-security.yml`
- Added `pip-audit` policy gate:
  - blocks unresolved HIGH/CRITICAL findings
  - treats missing severity metadata conservatively as HIGH
- Added auditable allowlist support: `ops/security/pip-audit-allowlist.json`
- Added allowlist validation rules:
  - required metadata fields
  - expiry enforcement (expired entries fail CI)
- Added dependency scan artifacts upload in CI.
Release pipeline enforcement
- Added dependency security gate to release publishing workflow: `.github/workflows/docker-release.yml`
- Release image build/push now stops if unresolved high/critical Python dependency vulnerabilities exist.
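The gate policy described above, written out as an added illustration (not NexaPG's own workflow script): it takes simplified finding records and allowlist entries whose field names are assumed here, treats missing or unrecognised severity as HIGH, waives only findings covered by a complete, unexpired allowlist entry, and fails on any invalid entry.

```python
"""Dependency-audit policy gate (added illustration; not NexaPG's own gate script)."""
from datetime import date
BLOCKING = {"HIGH", "CRITICAL"}
# Assumed allowlist schema: the real ops/security/pip-audit-allowlist.json fields are not on the page.
REQUIRED_FIELDS = {"id", "package", "reason", "owner", "expires"}
TODAY = date(2026, 2, 15)  # constructed "current" date for the sample run

def normalize_severity(value):
    """Missing or unrecognised severity metadata is treated conservatively as HIGH."""
    sev = (value or "").upper()
    return sev if sev in {"LOW", "MEDIUM", "HIGH", "CRITICAL"} else "HIGH"

def validate_allowlist(entries, today):
    """Return (accepted entries keyed by (package, id), errors); bad or expired entries fail."""
    accepted, errors = {}, []
    for entry in entries:
        missing = REQUIRED_FIELDS - set(entry)
        if missing:
            errors.append(f"allowlist {entry.get('id', '?')}: missing {sorted(missing)}")
        elif date.fromisoformat(entry["expires"]) < today:
            errors.append(f"allowlist {entry['id']}: expired {entry['expires']}")
        else:
            accepted[(entry["package"], entry["id"])] = entry
    return accepted, errors

def evaluate_gate(findings, allowlist, today):
    """Pass only when no HIGH/CRITICAL finding is unresolved and the allowlist validates."""
    accepted, errors = validate_allowlist(allowlist, today)
    blocking, waived = [], []
    for f in findings:
        sev = normalize_severity(f.get("severity"))
        if sev not in BLOCKING:
            continue                      # LOW/MEDIUM never block the build
        if (f["package"], f["id"]) in accepted:
            waived.append(f["id"])        # covered by a valid, unexpired waiver
        else:
            blocking.append((f["package"], f["id"], sev))
    return {"blocking": blocking, "waived": waived, "errors": errors,
            "passed": not blocking and not errors}
# Constructed sample input (simplified shape, not pip-audit's exact JSON schema).
SAMPLE_FINDINGS = [
    {"package": "pkg-a", "id": "VULN-1", "severity": "LOW"},       # below threshold
    {"package": "pkg-b", "id": "VULN-2", "severity": None},        # no metadata -> HIGH
    {"package": "pkg-c", "id": "VULN-3", "severity": "critical"},  # waived below
    {"package": "pkg-d", "id": "VULN-4", "severity": "HIGH"},      # waiver expired
]
SAMPLE_ALLOWLIST = [
    {"id": "VULN-3", "package": "pkg-c", "reason": "no fix yet", "owner": "sec", "expires": "2026-03-01"},
    {"id": "VULN-4", "package": "pkg-d", "reason": "mitigated", "owner": "sec", "expires": "2026-01-31"},
]
```

Running `evaluate_gate(SAMPLE_FINDINGS, SAMPLE_ALLOWLIST, TODAY)` blocks on `pkg-b` (no severity) and `pkg-d` (expired waiver), waives `pkg-c`, and reports the expired entry as an allowlist error.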
Proxy & Production Deployment Profile
NX-203: Secure and repeatable HTTPS reverse-proxy profile
- Added production profile examples: `ops/profiles/prod/.env.production.example`, `ops/profiles/prod/nginx/nexapg.conf`
- Added deployment documentation: `docs/deployment/proxy-production-profile.md`
- Documented:
  - CORS recommendations per environment (`dev`, `staging`, `prod`)
  - required reverse-proxy forwarding headers
  - API path forwarding (`/api/` -> backend)
  - mixed-content prevention for HTTPS deployments.
Proxy guardrail validation in CI
- Added workflow: `.github/workflows/proxy-profile-validation.yml`
- Added validation script: `ops/scripts/validate_proxy_profile.sh`
- CI now verifies:
  - relative frontend API base defaults
  - required API proxy config and forwarded headers
  - mixed-content guard presence
  - production profile avoids wildcard CORS.
Secret Management Guidance
NX-204: Secure secret handling documentation
- Added: `docs/security/secret-management.md`
- Includes:
  - secure handling guidance for `JWT_SECRET_KEY`, `ENCRYPTION_KEY`, `DB_PASSWORD` and SMTP credentials
  - clear Do / Don't section
  - recommended secret providers (Vault/cloud/orchestrator/CI runtime injection)
  - rotation basics and operational checklist.
- Updated:
  - `README.md` (TOC + security references)
  - `.env.example` and `ops/.env.example` with stronger production warnings (no hardcoding, rotate secrets).
Configuration Consistency
- Corrected frontend port mapping documentation/comments in env templates to match runtime behavior:
  - frontend container port remains `8080`.
Notes
- No database migration required.
- Redeploy recommended to apply updated CI/release/security workflow behavior and documentation alignment.
- For production HTTPS deployments, use the provided proxy profile and keep API routing under `/api/`.