Implement comprehensive CI/CD pipeline for Healthy System

.github/workflows/pr-validation.yml

@@ -10,6 +10,7 @@ env:
   SOLUTION_PATH: './Healthy/Healthy.sln'
   API_PROJECT_PATH: './Healthy/Healthy.Api/Healthy.Api.csproj'
   TEST_PROJECT_PATH: './Healthy/Healthy.Tests.Unit/Healthy.Tests.Unit.csproj'
+  INFRASTRUCTURE_PROJECT_PATH: './Healthy/Healthy.Infrastructure/Healthy.Infrastructure.csproj'
 
 jobs:
   changes:

.gitignore

@@ -545,7 +545,6 @@ temp/
 
 # Docker
 .dockerignore
-Dockerfile
 docker-compose.yml
 docker-compose.override.yml
 

Healthy/Healthy.Api/Dockerfile

@@ -0,0 +1,54 @@
+# Build stage
+FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
+WORKDIR /src
+
+# Copy solution file and all project files for dependency resolution
+COPY ["Healthy.sln", "./"]
+COPY ["Healthy.Api/Healthy.Api.csproj", "Healthy.Api/"]
+COPY ["Healthy.Application/Healthy.Application.csproj", "Healthy.Application/"]
+COPY ["Healthy.Domain/Healthy.Domain.csproj", "Healthy.Domain/"]
+COPY ["Healthy.Infrastructure/Healthy.Infrastructure.csproj", "Healthy.Infrastructure/"]
+COPY ["Healthy.Tests.Unit/Healthy.Tests.Unit.csproj", "Healthy.Tests.Unit/"]
+
+# Restore dependencies
+RUN dotnet restore "Healthy.Api/Healthy.Api.csproj"
+
+# Copy source code
+COPY . .
+
+# Build the application
+WORKDIR "/src/Healthy.Api"
+RUN dotnet build "Healthy.Api.csproj" -c Release -o /app/build
+
+# Publish stage
+FROM build AS publish
+RUN dotnet publish "Healthy.Api.csproj" -c Release -o /app/publish /p:UseAppHost=false
+
+# Runtime stage
+FROM mcr.microsoft.com/dotnet/aspnet:9.0 AS runtime
+WORKDIR /app
+
+# Create a non-root user for security
+RUN groupadd -r healthyuser && useradd --no-log-init -r -g healthyuser healthyuser
+
+# Copy published application
+COPY --from=publish /app/publish .
+
+# Set ownership to the non-root user
+RUN chown -R healthyuser:healthyuser /app
+USER healthyuser
+
+# Configure ports
+EXPOSE 8080
+EXPOSE 8081
+
+# Configure environment
+ENV ASPNETCORE_URLS=http://+:8080
+ENV ASPNETCORE_ENVIRONMENT=Production
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+    CMD curl -f http://localhost:8080/health || exit 1
+
+# Set the entry point
+ENTRYPOINT ["dotnet", "Healthy.Api.dll"]

Healthy/Healthy.Api/Program.cs

@@ -11,6 +11,9 @@
 // Add services to the container
 builder.Services.AddControllers();
 
+// Add health checks
+builder.Services.AddHealthChecks();
+
 // Add custom CORS
 builder.Services.AddCustomCors(builder.Environment);
 
@@ -67,6 +70,9 @@
 
 app.MapControllers();
 
+// Add health check endpoint
+app.MapHealthChecks("/health");
+
 // Print startup information
 ApplicationExtensions.PrintStartupInfo(app.Environment);
 

README.md

@@ -143,13 +143,25 @@ healthy-system/
 
 ## 🔧 Development Workflow
 
+### 🛠️ Quick Start Scripts
+```bash
+# Setup development environment
+./scripts/setup-dev.sh
+
+# Validate CI/CD pipeline
+./scripts/validate-cicd.sh
+```
+
 ### 🛠️ Initial Setup (First Time)
 1. **Clone**: `git clone <repository-url>`
 2. **Navigate**: `cd healthy-system`
-3. **Environment**: Copy `.env.example` → `.env.development`
-4. **Database**: `docker-compose -f docker-compose.dev.yml up -d`
-5. **Migrate**: `dotnet ef database update --project Healthy.Infrastructure`
-6. **Run**: `cd Healthy && dotnet run --project Healthy.Api`
+3. **Run Setup**: `./scripts/setup-dev.sh` (automated setup)
+
+   Or manual setup:
+4. **Environment**: Copy `.env.example` → `.env.development`
+5. **Database**: `docker-compose -f docker-compose.dev.yml up -d`
+6. **Migrate**: `dotnet ef database update --project Healthy.Infrastructure`
+7. **Run**: `cd Healthy && dotnet run --project Healthy.Api`
 
 ### � Daily Development
 1. **Pull latest**: `git pull origin main`
@@ -163,6 +175,15 @@ healthy-system/
 2. **Deploy**: `docker-compose -f docker-compose.prod.yml up -d`
 3. **Verify**: Check health endpoints and logs
 
+### 🤖 CI/CD Pipeline
+- **Automated Building**: .NET 9.0 with comprehensive testing
+- **Security Scanning**: SAST, dependency checks, container scanning
+- **Performance Testing**: Artillery load testing
+- **Multi-Environment**: Development and production deployments
+- **Quality Gates**: Code coverage, security, and performance thresholds
+
+For detailed CI/CD information, see [docs/CI-CD.md](docs/CI-CD.md)
+
 ---
 
 ## 🎯 Key Features & Capabilities
@@ -183,13 +204,16 @@ healthy-system/
 - 🔍 **Advanced Filtering** and pagination
 - � **RESTful API Design** with OpenAPI/Swagger
 
-### 🏗️ Technical Stack
+### 🔧 Technical Stack
 - ⚡ **Clean Architecture** with CQRS pattern
 - 🎯 **MediatR** for command/query handling  
 - 🗄️ **Entity Framework Core** with SQL Server
-- 🐳 **Docker** containerization
+- 🐳 **Docker** containerization with multi-stage builds
 - 🔄 **Database Migrations** with versioning
 - 🧪 **Unit Testing** with xUnit
+- 🚀 **CI/CD Pipeline** with GitHub Actions
+- 🛡️ **Security Scanning** with CodeQL, Snyk, and Trivy
+- ⚡ **Performance Testing** with Artillery
 
 ---
 
@@ -205,6 +229,9 @@ healthy-system/
 | **Migrations** | [README.Migrations.md](README.Migrations.md) | Database versioning & updates |
 | **Environment** | [README.Environment.md](README.Environment.md) | Configuration management |
 | **Docker** | [README.Docker.md](README.Docker.md) | Containerization & deployment |
+| **CI/CD Pipeline** | [docs/CI-CD.md](docs/CI-CD.md) | Complete CI/CD pipeline documentation |
+| **Performance Testing** | [performance-tests/README.md](performance-tests/README.md) | Load testing and performance monitoring |
+| **Security Policy** | [SECURITY.md](SECURITY.md) | Security guidelines and vulnerability reporting |
 
 ---
 
@@ -220,7 +247,9 @@ healthy-system/
 - **Documentation**: Start with relevant README files above
 - **Issues**: Create GitHub issue with detailed description
 - **Architecture Questions**: Refer to [README.Architecture.md](README.Architecture.md)
-- **Security Concerns**: See [README.Authorization.md](README.Authorization.md)
+- **Security Concerns**: See [README.Authorization.md](README.Authorization.md) and [SECURITY.md](SECURITY.md)
+- **CI/CD Help**: Check [docs/CI-CD.md](docs/CI-CD.md)
+- **Performance Issues**: See [performance-tests/README.md](performance-tests/README.md)
 
 ---
 

SECURITY.md

@@ -0,0 +1,177 @@
+# 🛡️ Security Policy
+
+## 📋 Supported Versions
+
+We actively maintain and provide security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | ✅ Yes             |
+| < 1.0   | ❌ No              |
+
+## 🚨 Reporting a Vulnerability
+
+We take the security of the Healthy System seriously. If you believe you have found a security vulnerability, please report it to us as described below.
+
+### 📧 How to Report
+
+**Please do NOT report security vulnerabilities through public GitHub issues.**
+
+Instead, please send an email to: **[email protected]** (or create a private issue if this email is not available)
+
+Include the following information:
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+### 🔒 What to Expect
+
+You can expect the following process:
+
+1. **Acknowledgment**: We will acknowledge receipt of your report within 48 hours
+2. **Investigation**: We will investigate and validate the vulnerability within 7 days
+3. **Resolution**: We will work on a fix and aim to release it within 30 days for high/critical issues
+4. **Disclosure**: We will coordinate disclosure timing with you
+5. **Credit**: We will credit you in our security advisory (unless you prefer to remain anonymous)
+
+## 🛡️ Security Measures
+
+### Authentication & Authorization
+- JWT-based authentication with secure token generation
+- Role-based access control (RBAC)
+- Owner-based resource access validation
+- Password hashing using BCrypt
+
+### Data Protection
+- HTTPS/TLS encryption in transit
+- Secure database connections
+- Environment variable protection
+- Input validation and sanitization
+
+### Infrastructure Security
+- Container security scanning with Trivy
+- Dependency vulnerability scanning
+- Code analysis with CodeQL
+- Secrets scanning with TruffleHog
+
+### Development Security
+- Automated security scans in CI/CD pipeline
+- Dependency updates via Dependabot
+- Code review requirements
+- Branch protection rules
+
+## 🔍 Security Testing
+
+### Automated Scans
+- **SAST**: Static Application Security Testing with CodeQL
+- **Dependency Scanning**: Snyk and dotnet security audits
+- **Container Scanning**: Trivy vulnerability scanner
+- **Secrets Detection**: TruffleHog for exposed secrets
+- **License Compliance**: Package license validation
+
+### Manual Testing
+- Regular penetration testing
+- Code security reviews
+- Infrastructure assessments
+
+## 📋 Security Guidelines for Contributors
+
+### Code Security
+- Never commit secrets, passwords, or API keys
+- Use parameterized queries to prevent SQL injection
+- Implement proper input validation
+- Follow principle of least privilege
+- Use secure defaults
+
+### Dependencies
+- Keep dependencies up to date
+- Review dependency licenses
+- Avoid dependencies with known vulnerabilities
+- Use package lock files
+
+### Environment Security
+- Use environment variables for configuration
+- Separate development and production environments
+- Implement proper logging (without sensitive data)
+- Use secure communication channels
+
+## 🚫 Security Anti-Patterns to Avoid
+
+### ❌ Don't Do This
+- Hard-code secrets in source code
+- Use default passwords
+- Disable security features for convenience
+- Trust user input without validation
+- Store sensitive data in logs
+- Use HTTP in production
+- Commit `.env` files with real secrets
+
+### ✅ Do This Instead
+- Use secure secret management
+- Generate strong, unique passwords
+- Enable all security features
+- Validate and sanitize all inputs
+- Use structured logging without PII
+- Use HTTPS everywhere
+- Use `.env.example` with placeholder values
+
+## 🔧 Security Configuration
+
+### Environment Variables
+Ensure these security-related environment variables are properly configured:
+
+```bash
+# JWT Configuration
+JWT_SECRET_KEY=<strong-random-key>
+JWT_ISSUER=HealthySystem
+JWT_AUDIENCE=HealthySystemUsers
+JWT_EXPIRY_MINUTES=60
+
+# Database Security
+DB_CONNECTION_STRING=<encrypted-connection>
+DB_PASSWORD=<strong-password>
+
+# Application Security
+ASPNETCORE_ENVIRONMENT=Production
+ASPNETCORE_HTTPS_PORT=443
+```
+
+### Recommended Security Headers
+The application should implement these security headers:
+
+```
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+Content-Security-Policy: default-src 'self'
+X-Content-Type-Options: nosniff
+X-Frame-Options: DENY
+X-XSS-Protection: 1; mode=block
+Referrer-Policy: strict-origin-when-cross-origin
+```
+
+## 📚 Security Resources
+
+### Documentation
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [.NET Security Guidelines](https://docs.microsoft.com/en-us/dotnet/standard/security/)
+- [ASP.NET Core Security](https://docs.microsoft.com/en-us/aspnet/core/security/)
+
+### Tools Used
+- [CodeQL](https://codeql.github.com/)
+- [Snyk](https://snyk.io/)
+- [Trivy](https://trivy.dev/)
+- [TruffleHog](https://trufflesecurity.com/)
+
+## 📞 Contact
+
+For security-related questions or concerns:
+- Email: [email protected]
+- Security Team: @security-team
+- Documentation: [Security Documentation](./README.md#security--authentication)
+
+## 📄 License
+
+This security policy is licensed under the same terms as the main project.