Added automated security scans and dependabot

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+    
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5

.github/workflows/codeql.yml

@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly on Mondays
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: javascript
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v3
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3

.github/workflows/security.yml

@@ -0,0 +1,53 @@
+name: Security
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Mondays
+
+jobs:
+  dependency-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '22'
+        
+    - name: Setup pnpm
+      uses: pnpm/action-setup@v4
+      with:
+        version: latest
+        
+    - name: Install dependencies
+      run: pnpm install
+      
+    - name: Run security audit
+      run: pnpm audit --audit-level moderate
+
+  container-scan:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    steps:
+    - uses: actions/checkout@v4
+    
+    - name: Build Docker image
+      run: docker build -t test-image .
+      
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: 'test-image'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        
+    - name: Upload Trivy scan results
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,18 +1,33 @@
 FROM node:22-alpine
 
+# Create non-root user
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S appuser -u 1001 -G nodejs
+
 RUN npm install -g pnpm
 
 WORKDIR /app
 
+# Copy package files
 COPY package*.json pnpm-lock.yaml ./
 RUN pnpm install --frozen-lockfile
 
+# Copy source and build
 COPY tsconfig.json ./
 COPY src/ ./src/
 RUN pnpm build
 
-RUN pnpm prune --prod
+# Remove dev dependencies and clean up
+RUN pnpm prune --prod && \
+    rm -rf src/ tsconfig.json && \
+    npm cache clean --force
 
-USER node
+# Change ownership and switch to non-root user
+RUN chown -R appuser:nodejs /app
+USER appuser
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD node -e "console.log('healthy')" || exit 1
 
 CMD ["pnpm", "start"]

SECURITY.md

@@ -0,0 +1,44 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the latest version of ArrQueueCleaner with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in ArrQueueCleaner, please report it responsibly:
+
+### How to Report
+- **GitHub Security Advisories**: Use the "Security" tab in this repository to report privately
+- **Email**: Contact the maintainer directly through GitHub
+- **Do NOT** create public issues for security vulnerabilities
+
+### What to Include
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact assessment
+- Suggested fix (if available)
+
+### Response Timeline
+- **Initial Response**: Within 48 hours
+- **Status Updates**: Weekly until resolved
+- **Fix Timeline**: Critical issues within 7 days, others within 30 days
+
+### What to Expect
+- **Accepted**: We'll work on a fix and coordinate disclosure
+- **Declined**: We'll explain why it's not considered a security issue
+- **Credit**: Security researchers will be credited in release notes (unless anonymity is requested)
+
+## Security Best Practices
+
+When using ArrQueueCleaner:
+- Keep your Sonarr API keys secure and rotate them regularly
+- Use environment variables for sensitive configuration
+- Run the container with minimal privileges
+- Keep the Docker image updated to the latest version
+- Monitor logs for unusual activity