@LuD1161 (Contributor) commented Jan 22, 2026

Summary

This PR adds a Security Analytics platform to ShipSec Studio that enables users to index workflow output data into OpenSearch and visualize it through dashboards. This transforms raw scan outputs into actionable intelligence for security teams.

Key Features

  • Analytics Sink Component: New workflow node (core.analytics.sink) that indexes output data from any upstream node to OpenSearch

    • Supports array and object inputs with automatic bulk indexing
    • Auto-detects asset correlation keys (host, domain, subdomain, url, ip, etc.)
    • Configurable index suffix and fail-on-error modes
    • Fire-and-forget by default with retry logic (3 attempts with exponential backoff)
  • OpenSearch Integration:

    • Daily index rotation pattern: security-findings-{orgId}-{YYYY.MM.DD}
    • Index template with standard metadata fields
    • Multi-tenant data isolation per organization
  • Analytics API:

    • POST /api/v1/analytics/query endpoint supporting OpenSearch DSL
    • Auto-scopes queries to organization's index pattern
    • Rate limiting: 100 requests/minute per user
  • Analytics Settings Page:

    • Tier-based retention configuration (Free: 30d, Pro: 90d, Enterprise: 365d)
    • Admin-only access controls
  • UI Integration:

    • "Dashboards" link in sidebar (opens OpenSearch Dashboards in same tab)
    • "Analytics Settings" page for retention configuration
    • "View Analytics" button on workflow detail page
  • Nginx Reverse Proxy:

    • Unified entry point at http://localhost
    • Routes: / (frontend), /api (backend), /analytics (OpenSearch Dashboards)
    • Proper CORS and proxy header configuration
  • OpenSearch Dashboards basePath:

    • Configured with /analytics base path for reverse proxy compatibility
    • Updated init scripts and health checks
  • Production Security Infrastructure:

    • TLS encryption for OpenSearch transport and HTTP layers
    • Security plugin with role-based access control
    • SaaS multitenancy with per-customer tenant isolation
    • Index patterns scoped by customer ID ({customer_id}-*)
    • Certificate generation script (just generate-certs)
    • Production deployment guide (docker/PRODUCTION.md)
  • Workflow Status Improvements:

    • New STALE status for orphaned run records (DB/Temporal mismatch)
    • Improved status inference from trace events when Temporal workflow not found
    • Documentation for all execution statuses
  • Component SDK Extensions:

    • generateFindingHash() utility for deduplication
    • Workflow context (workflowId, workflowName, organizationId) passed to components
    • Results output port added to nuclei, trufflehog, and supabase-scanner components
    • Support for optional inputs in components

New Commands

just dev              # Start dev with nginx reverse proxy
just prod-secure      # Start production with security & multitenancy
just generate-certs   # Generate TLS certificates for production

Files Changed

75+ files across backend, frontend, worker, component-sdk, docker, and documentation.

Test plan

  • Run npm run typecheck to verify no type errors
  • Run npm run lint to verify code quality
  • Start infrastructure: just dev or docker compose -f docker/docker-compose.infra.yml up -d
  • Run index template setup: OPENSEARCH_URL=http://localhost:9200 npm run --prefix backend setup:opensearch
  • Test Analytics API endpoint: POST /api/v1/analytics/query (requires Basic Auth: admin:admin)
  • Verify Dashboards accessible at http://localhost/analytics
  • Verify nginx routing works for all paths
  • Create workflow with Analytics Sink component and verify data indexed
  • Test production security setup with just prod-secure
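An added example (not ShipSec Studio's own code) showing how the sink's per-organization daily index name, asset-key auto-detection, hash-based deduplication and OpenSearch bulk body described above could fit together; the function names, the key priority order and the hash recipe (SHA-256 over a canonical JSON form) are assumptions.

```typescript
import { createHash } from "node:crypto";
// Asset correlation keys named in the PR, checked in this (assumed) priority order.
export const ASSET_KEYS = ["host", "domain", "subdomain", "url", "ip"] as const;
export type AssetKey = (typeof ASSET_KEYS)[number];
export type Finding = Record<string, unknown>;

// security-findings-{orgId}-{YYYY.MM.DD}. OpenSearch index names must be lowercase and
// reject characters such as '/', '*', '?', '"', '<', '>', '|', ' ', ',' and '#', so the
// tenant id is normalised first: an unsanitised orgId could otherwise yield a malformed name.
export function buildIndexName(orgId: string, date: Date): string {
  const safeOrg = orgId.toLowerCase().replace(/[^a-z0-9_-]/g, "_");
  const y = date.getUTCFullYear();
  const m = String(date.getUTCMonth() + 1).padStart(2, "0");
  const d = String(date.getUTCDate()).padStart(2, "0");
  return `security-findings-${safeOrg}-${y}.${m}.${d}`;
}

// First asset key present with a non-empty string value, or undefined if none.
export function detectAssetKey(finding: Finding): AssetKey | undefined {
  return ASSET_KEYS.find((k) => typeof finding[k] === "string" && finding[k] !== "");
}

// Key-order-independent serialisation so equivalent findings hash identically.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return `[${value.map(canonical).join(",")}]`;
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj).sort().map((k) => `${JSON.stringify(k)}:${canonical(obj[k])}`);
    return `{${parts.join(",")}}`;
  }
  return JSON.stringify(value) ?? "null";
}

// Assumed recipe: SHA-256 over the canonical form of the finding itself.
export function generateFindingHash(finding: Finding): string {
  return createHash("sha256").update(canonical(finding)).digest("hex");
}

// NDJSON body for the OpenSearch _bulk API: an action line plus a document line per finding.
// Using the finding hash as _id makes a re-run overwrite, not duplicate, a document within the day's index.
export function buildBulkBody(orgId: string, workflowId: string, input: Finding | Finding[], now: Date): string {
  const docs = Array.isArray(input) ? input : [input];
  const index = buildIndexName(orgId, now);
  const lines: string[] = [];
  for (const doc of docs) {
    lines.push(JSON.stringify({ index: { _index: index, _id: generateFindingHash(doc) } }));
    lines.push(JSON.stringify({ ...doc, organizationId: orgId, workflowId, assetKey: detectAssetKey(doc) ?? null, indexedAt: now.toISOString() }));
  }
  return lines.join("\n") + "\n";
}
```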

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 42044b8c24


@LuD1161 force-pushed the eng-42/workflow-analytics-dashboards branch 12 times, most recently from 0284482 to 8c83d0b on January 23, 2026 02:39
@LuD1161 requested a review from betterclever on January 23, 2026 02:44
@LuD1161 force-pushed the eng-42/workflow-analytics-dashboards branch 2 times, most recently from 801f152 to f9a14b3 on January 25, 2026 01:52
- Fix webhook URLs to include global API prefix (ENG-115)
- Add proper connectionType for list variable types in logic-script
- Allow components with optional inputs to proceed without values
- Add tests for optional input handling

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
…gration

Add a comprehensive analytics system that transforms workflow scan outputs
into searchable, visualizable security intelligence:

**Analytics Sink Component** (`core.analytics.sink`):
- Indexes output data from any upstream node to OpenSearch
- Auto-detects asset correlation keys (host, domain, url, ip, etc.)
- Fire-and-forget with retry logic (3 attempts, exponential backoff)
- Configurable index suffix and fail-on-error modes

**OpenSearch Integration**:
- Daily index rotation: `security-findings-{orgId}-{YYYY.MM.DD}`
- Index template with standard metadata fields
- Multi-tenant data isolation per organization

**Analytics API**:
- POST /api/v1/analytics/query - OpenSearch DSL queries
- Auto-scopes queries to organization's index pattern
- Rate limiting: 100 req/min per user

**UI Integration**:
- Analytics Settings page with tier-based retention
- Results output port on nuclei, trufflehog, supabase-scanner
- Workflow context passed to all components

**Component SDK Extensions**:
- generateFindingHash() for deduplication
- Workflow context (workflowId, workflowName, organizationId)

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
Add new execution status and improve handling of orphaned workflow runs:

**STALE Status**:
- New status for orphaned run records (DB exists, no Temporal workflow)
- Indicates data inconsistency (fresh Temporal with old DB, failed start)
- Amber badge color to draw attention

**Improved Status Inference**:
- When Temporal returns NOT_FOUND, infer status from trace events:
  - No STARTED events → STALE (orphaned record)
  - Any FAILED events → FAILED
  - All nodes COMPLETED → COMPLETED
  - Partial completion → FAILED (crashed)
- Use correct TraceEventType values (NODE_STARTED, NODE_COMPLETED, NODE_FAILED)

**Documentation**:
- Comprehensive execution status documentation
- Status transition diagram
- Frontend badge color reference

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
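The fallback inference rules listed in the commit above, as an added TypeScript example that is not the project's own code; the event shape (nodeId plus type), the function name and the optional expectedNodeIds parameter are assumptions.

```typescript
// Trace event types named in the commit; the event shape (nodeId + type) is assumed.
export type TraceEventType = "NODE_STARTED" | "NODE_COMPLETED" | "NODE_FAILED";
export interface TraceEvent { nodeId: string; type: TraceEventType }
export type InferredStatus = "STALE" | "FAILED" | "COMPLETED";

// Fallback used only when Temporal reports the workflow as NOT_FOUND. `expectedNodeIds`
// (assumed optional input) lets "all nodes completed" be judged against the workflow
// definition rather than only against the nodes that happened to emit a STARTED event.
export function inferStatusFromTrace(events: TraceEvent[], expectedNodeIds?: string[]): InferredStatus {
  const started = new Set<string>();
  const completed = new Set<string>();
  let anyFailed = false;
  for (const e of events) {
    if (e.type === "NODE_STARTED") started.add(e.nodeId);
    else if (e.type === "NODE_COMPLETED") completed.add(e.nodeId);
    else if (e.type === "NODE_FAILED") anyFailed = true;
  }
  // 1. Nothing ever started: a DB row with no execution behind it (orphaned record).
  if (started.size === 0) return "STALE";
  // 2. Any node failure makes the run FAILED.
  if (anyFailed) return "FAILED";
  // 3. Every node finished: the run completed even though Temporal no longer has it.
  const expected = expectedNodeIds ?? [...started];
  if (expected.every((id) => completed.has(id))) return "COMPLETED";
  // 4. Partial completion with no failure event: the worker crashed mid-run.
  return "FAILED";
}
```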
Add unified entry point and production-ready deployment infrastructure:

**Nginx Reverse Proxy**:
- Unified access at http://localhost
- Routes: / (frontend), /api (backend), /analytics (OpenSearch Dashboards)
- Proper CORS and proxy headers (X-Real-IP, X-Forwarded-*)

**OpenSearch Dashboards basePath**:
- Configured with /analytics base path for reverse proxy
- Updated init scripts and health checks

**Production Security** (docker-compose.prod.yml):
- TLS encryption for transport and HTTP layers
- Security plugin with role-based access control
- SaaS multitenancy with per-customer tenant isolation
- Index patterns scoped by customer ID ({customer_id}-*)
- Certificate generation script (just generate-certs)

**New Commands**:
- just dev - Start with nginx reverse proxy
- just prod-secure - Start with security & multitenancy
- just generate-certs - Generate TLS certificates

**Documentation**:
- docker/PRODUCTION.md - Deployment guide with customer provisioning

Signed-off-by: Aseem Shrey <LuD1161@users.noreply.github.com>
@LuD1161 force-pushed the eng-42/workflow-analytics-dashboards branch from f9a14b3 to 42a405d on January 25, 2026 01:55