Dev

.github/workflows/ci.yml

@@ -34,7 +34,13 @@ jobs:
         run: |
           echo "=== Checking Python syntax on scanner/rules/ ==="
           FAIL=0
-          for f in scanner/rules/az_*.py; do
+          shopt -s nullglob
+          files=(scanner/rules/az_*.py)
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "ERROR: No rule files found matching scanner/rules/az_*.py"
+            exit 1
+          fi
+          for f in "${files[@]}"; do
             if ! python -m py_compile "$f" 2>&1; then
               echo "SYNTAX ERROR: $f"
               FAIL=1
@@ -137,7 +143,7 @@ jobs:
               grep -v "\.env" | \
               grep -v "os\.environ" | \
               grep -v "os\.getenv" | \
-              grep -v "#" | \
+              grep -vE '^\s*#' | \
               grep -v "example" | \
               grep -v "placeholder" || true)
 
@@ -161,7 +167,13 @@ jobs:
         run: |
           echo "=== Checking playbooks exist and are valid bash ==="
           FAIL=0
-          for rule_file in scanner/rules/az_*.py; do
+          shopt -s nullglob
+          files=(scanner/rules/az_*.py)
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "ERROR: No rule files found matching scanner/rules/az_*.py"
+            exit 1
+          fi
+          for rule_file in "${files[@]}"; do
             filename=$(basename "$rule_file" .py)
             playbook="playbooks/cli/fix_${filename}.sh"
 
@@ -287,7 +299,8 @@ jobs:
                   continue
               fpath = os.path.join(framework_dir, fname)
               try:
-                  data = json.load(open(fpath))
+                  with open(fpath) as f:
+                      data = json.load(f)
               except (json.JSONDecodeError, OSError):
                   continue
 

.github/workflows/deploy.yml

@@ -0,0 +1,109 @@
+name: Deploy API to Render
+
+on:
+  push:
+    branches:
+      - dev
+      - main
+  workflow_dispatch:   # allows manual trigger from GitHub UI
+
+jobs:
+  deploy:
+    name: Deploy to Render
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      # ── Dependency caching ─────────────────────────────────────────────
+      - name: Cache pip dependencies
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      # ── Secret check (Determines if smoke tests should run) ───────────
+      - name: Check for JWT_SECRET
+        id: check_config
+        run: |
+          if [ -n "${{ secrets.JWT_SECRET }}" ]; then
+            echo "is_configured=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_configured=false" >> $GITHUB_OUTPUT
+          fi
+
+      # ── Wait for Render auto-deployment ────────────────────────────────
+      # Render handles the actual physical deployment when you push.
+      # We just pause the Action to let Render's servers finish building.
+      - name: Wait for app to initialise
+        run: |
+          echo "Waiting 120 seconds for Render to build and start the app..."
+          sleep 120
+
+      # ── Health gate ────────────────────────────────────────────────────
+      - name: Health gate check
+        id: health_gate
+        env:
+          # Use secret URL if provided, otherwise fallback to default
+          API_URL: ${{ secrets.API_URL || 'https://openshield-api.onrender.com' }}
+        run: |
+          MAX_RETRIES=5
+          RETRY_DELAY=15
+          URL="${API_URL}/health"
+
+          echo "Pinging health gate at: $URL"
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Health check attempt $i of $MAX_RETRIES..."
+            HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$URL" --max-time 30) || true
+
+            if [ "$HTTP_STATUS" -eq 200 ]; then
+              echo "Health check passed (HTTP $HTTP_STATUS)"
+              exit 0
+            fi
+
+            echo "Got HTTP $HTTP_STATUS — retrying in ${RETRY_DELAY}s..."
+            sleep $RETRY_DELAY
+          done
+
+          echo "HEALTH GATE FAILED after $MAX_RETRIES attempts"
+          echo "Note: If you haven't set up Render for this fork, this is expected."
+          # Only allow failure on feature branches; fail on main/dev
+          if [[ "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" == "refs/heads/dev" ]]; then
+            echo "ERROR: Health check failed on protected branch. Deployment verification required."
+            exit 1
+          else
+            echo "Allowing health check failure on feature branch (infra may not be set up)"
+            exit 0
+          fi
+
+      # ── Smoke tests ────────────────────────────────────────────────────
+      - name: Run smoke tests against live deployment
+        if: steps.check_config.outputs.is_configured == 'true' || github.event_name == 'workflow_dispatch'
+        env:
+          API_URL: ${{ secrets.API_URL || 'https://openshield-api.onrender.com' }}
+          JWT_SECRET: ${{ secrets.JWT_SECRET || 'change-me-in-production' }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          RUN_REAL_SCAN: "true"
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" && -z "${{ secrets.JWT_SECRET }}" ]]; then
+            echo "ERROR: Cannot run smoke tests on main branch without JWT_SECRET configured"
+            exit 1
+          fi
+          echo "Running smoke tests against: $API_URL"
+          python tests/smoke_test.py

README.md

@@ -58,6 +58,19 @@ flowchart TD
     I -->|alerts| A
 ```
 
+## Live API
+
+The OpenShield API is deployed to the Render free tier and is accessible at:
+
+**`https://openshield-api.onrender.com`**
+
+> **Note:** As this is hosted on the Render free tier, the service may spin down after 15 minutes of inactivity. The first request after a spin-down can take 30-60 seconds to complete.
+
+> [!IMPORTANT]
+> **Security Requirement:** For absolute security, any production deployment **must** override the default `JWT_SECRET` with a strong, unique value in the environment variables.
+
+---
+
 ## Tech Stack
 
 | Layer | Technology | Cost |

api/app.py

@@ -8,6 +8,8 @@
 from flask import Flask, g, jsonify, request
 from flask_cors import CORS
 
+from api.models.finding import DatabaseManager
+
 load_dotenv()
 
 logging.basicConfig(
@@ -28,14 +30,49 @@ def create_app() -> Flask:
     - JWT authentication middleware on all non-public routes
     - Blueprints for findings, scans, score, and compliance
     - JSON error handlers for 400, 401, 403, 404, and 500
+    - Global database connection teardown
     """
     app = Flask(__name__)
-    app.config["JWT_SECRET"] = os.environ.get("JWT_SECRET", "change-me-in-production")
+
+    # ------------------------------------------------------------------ #
+    # Configuration & Security                                             #
+    # ------------------------------------------------------------------ #
+    jwt_key = os.environ.get("JWT_SECRET")
+    if not jwt_key:
+        logger.warning(
+            "!!! SECURITY WARNING: JWT_SECRET NOT SET. USING INSECURE DEFAULT !!! "
+            "For production deployments, you MUST set a strong, unique JWT_SECRET."
+        )
+        jwt_key = "change-me-in-production"
+    app.config["JWT_SECRET"] = jwt_key
 
     # ------------------------------------------------------------------ #
     # CORS                                                                  #
     # ------------------------------------------------------------------ #
-    CORS(app, resources={r"/api/*": {"origins": "*"}})
+    allowed_origins_raw = os.environ.get("ALLOWED_ORIGINS", "*")
+    if allowed_origins_raw == "*":
+        logger.warning(
+            "!!! SECURITY WARNING: ALLOWED_ORIGINS NOT SET. DEFAULTING TO '*' !!! "
+            "For production deployments, set this to your specific frontend domain(s)."
+        )
+    allowed_origins = allowed_origins_raw.split(",")
+    CORS(app, resources={r"/api/*": {"origins": allowed_origins}})
+
+    # ------------------------------------------------------------------ #
+    # Database Management                                                   #
+    # ------------------------------------------------------------------ #
+
+    @app.teardown_appcontext
+    def close_db(error):
+        """Ensure the database connection is closed after the request."""
+        db = g.pop("db_conn", None)
+        if db is not None:
+            try:
+                if hasattr(db, "conn") and db.conn is not None:
+                    db.conn.close()
+                    logger.debug("Database connection closed gracefully")
+            except Exception as exc:
+                logger.error("Error closing database connection: %s", exc)
 
     # ------------------------------------------------------------------ #
     # JWT middleware                                                         #
@@ -82,9 +119,18 @@ def verify_jwt() -> None:
     app.register_blueprint(compliance_bp)
 
     # ------------------------------------------------------------------ #
-    # Health check (public)                                                 #
+    # Routes (public)                                                      #
     # ------------------------------------------------------------------ #
 
+    @app.get("/")
+    def index():
+        return jsonify({
+            "message": "Welcome to the OpenShield REST API",
+            "version": "1.0.0",
+            "docs": "/docs",
+            "status": "online"
+        })
+
     @app.get("/health")
     def health():
         return jsonify({"status": "ok"})
@@ -118,8 +164,9 @@ def internal_error(exc):
     return app
 
 
+application = create_app()
+
 if __name__ == "__main__":
-    application = create_app()
     application.run(
         host="0.0.0.0",
         port=int(os.environ.get("PORT", 5000)),

api/models/finding.py

@@ -80,10 +80,16 @@ def __init__(self, dsn: Optional[str] = None) -> None:
     # ------------------------------------------------------------------ #
 
     def connect(self) -> None:
-        """Open a persistent database connection."""
+        """Open a persistent database connection and set the search path."""
         self.conn = psycopg2.connect(self.dsn)
+        self.conn.autocommit = True  # Set to True for schema management
+        with self.conn.cursor() as cur:
+            # Ensure the openshield schema exists and is preferred in the search path.
+            # This avoids 'permission denied for schema public' in restricted environments.
+            cur.execute("CREATE SCHEMA IF NOT EXISTS openshield;")
+            cur.execute("SET search_path TO openshield, public;")
         self.conn.autocommit = False
-        logger.info("Database connection established")
+        logger.info("Database connection established (schema: openshield)")
 
     def _get_conn(self) -> Any:
         if self.conn is None or self.conn.closed:
@@ -94,6 +100,10 @@ def _get_conn(self) -> Any:
     # Schema                                                                #
     # ------------------------------------------------------------------ #
 
+    def init_db(self) -> None:
+        """Alias for create_tables to match startup script expectations."""
+        self.create_tables()
+
     def create_tables(self) -> None:
         """Create the findings, scans, and rules tables if they do not exist."""
         conn = self._get_conn()

api/routes/compliance.py

@@ -1,39 +1,46 @@
 """Compliance routes: framework-specific posture breakdown."""
 
+import logging
 import os
-from flask import Blueprint, jsonify
+from flask import Blueprint, g, jsonify
 
 from api.models.finding import DatabaseManager
 
 compliance_bp = Blueprint("compliance", __name__)
+logger = logging.getLogger(__name__)
 
 SUPPORTED_FRAMEWORKS = ("cis", "nist", "iso27001", "soc2")
 
 
 def _get_db() -> DatabaseManager:
-    db = DatabaseManager(os.environ["DATABASE_URL"])
-    db.connect()
-    return db
+    if "db_conn" not in g:
+        g.db_conn = DatabaseManager(os.environ["DATABASE_URL"])
+        g.db_conn.connect()
+    return g.db_conn
 
 
 @compliance_bp.get("/api/compliance/<framework>")
 def get_compliance(framework: str):
     """Return pass/fail compliance breakdown for a framework.
 
-  Supported frameworks: cis, nist, iso27001, soc2
+    Supported frameworks: cis, nist, iso27001, soc2
 
     Returns control-level pass/fail status mapped to current open findings.
     """
-    if framework.lower() not in SUPPORTED_FRAMEWORKS:
-        return jsonify({
-            "error": f"Unknown framework '{framework}'",
-            "supported": list(SUPPORTED_FRAMEWORKS),
-        }), 400
-
-    db = _get_db()
-    result = db.get_compliance_score(framework.lower())
-
-    if "error" in result:
-        return jsonify(result), 500
-
-    return jsonify(result)
+    try:
+        if framework.lower() not in SUPPORTED_FRAMEWORKS:
+            return jsonify({
+                "error": f"Unknown framework '{framework}'",
+                "supported": list(SUPPORTED_FRAMEWORKS),
+            }), 400
+
+        db = _get_db()
+        result = db.get_compliance_score(framework.lower())
+
+        if "error" in result:
+            return jsonify(result), 500
+
+        return jsonify(result)
+    except Exception as exc:
+        logger.error("Failed to retrieve compliance score for %s: %s", framework, exc)
+        return jsonify({"error": "Compliance calculation failed", "detail": str(exc)}), 500