0 parents
commit c794f68
Showing 158 changed files with 6,874 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# Supported browsers | ||
> 2% | ||
last 2 versions | ||
IE 11 | ||
not dead |
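Review bot: `IE 11` on the fourth line re-adds a browser that the `not dead` query on the last line is meant to exclude (browserslist classifies IE 11 as dead), so the explicit entry wins and the build keeps emitting IE-compatible transpilation and polyfills. Drop the `IE 11` line unless the application genuinely has to serve that browser.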
@@ -0,0 +1,69 @@ | ||
# See https://help.github.com/articles/ignoring-files for more about ignoring files. | ||
# | ||
# If you find yourself ignoring temporary files generated by your text editor | ||
# or operating system, you probably want to add a global ignore instead: | ||
# git config --global core.excludesfile '~/.gitignore_global' | ||
|
||
# Ignore bundler config. | ||
/.bundle | ||
|
||
# Ignore all environment files (except templates). | ||
/.env* | ||
!/.env*.erb | ||
|
||
# Ignore all logfiles and tempfiles. | ||
/log/* | ||
/tmp/* | ||
!/log/.keep | ||
!/tmp/.keep | ||
|
||
# Ignore pidfiles, but keep the directory. | ||
/tmp/pids/* | ||
!/tmp/pids/ | ||
!/tmp/pids/.keep | ||
|
||
# Ignore storage (uploaded files in development and any SQLite databases). | ||
/storage/* | ||
!/storage/.keep | ||
/tmp/storage/* | ||
!/tmp/storage/ | ||
!/tmp/storage/.keep | ||
|
||
/public/assets | ||
|
||
# Ignore master key for decrypting credentials and more. | ||
/config/master.key | ||
|
||
# Ignore Brewfile debug info | ||
Brewfile.lock.json | ||
|
||
# Ignore local dotenv overrides | ||
.env*.local | ||
|
||
# Ignore OWASP files | ||
/zap_report.html | ||
/zap.yaml | ||
|
||
# Ignore rspec examples status file | ||
spec/examples.txt | ||
|
||
/config/credentials/production.key | ||
|
||
/app/assets/builds/* | ||
!/app/assets/builds/.keep | ||
|
||
/node_modules | ||
|
||
# Trestle working files | ||
doc/compliance/oscal/.trestle/_trash | ||
doc/compliance/oscal/.trestle/cache | ||
|
||
# Terraform | ||
.terraform.lock.hcl | ||
**/.terraform/* | ||
secrets.auto.tfvars | ||
terraform.tfstate | ||
terraform.tfstate.backup | ||
|
||
# compliance documentation | ||
/doc/compliance/ |
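Review bot: `.terraform.lock.hcl` under the `# Terraform` section should not be ignored; the lock file pins provider versions and checksums, and committing it is what makes `terraform init` reproducible across developer machines and CI. Remove that line while keeping `**/.terraform/*`, `secrets.auto.tfvars` and the state files ignored. Separately, the trailing `/doc/compliance/` rule subsumes the `doc/compliance/oscal/.trestle/_trash` and `cache` entries above it and would also stop new OSCAL sources from being added; if only generated output is meant to be ignored, narrow it to the generated subdirectory.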
@@ -0,0 +1,5 @@ | ||
# EditorConfig is awesome: https://EditorConfig.org | ||
|
||
[zap.conf] | ||
indent_size = 4 | ||
indent_style = tab |
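Review bot: missing `root = true` at the top of the file; without it, editors keep searching parent directories for further `.editorconfig` files and may merge settings from outside the repository. Add `root = true` above the `[zap.conf]` section.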
@@ -0,0 +1,9 @@ | ||
attributes: | ||
- content | ||
- timestamps | ||
filename: "doc/compliance/rendered/apps/data.logical" | ||
filetype: pdf | ||
inheritance: false | ||
orientation: horizontal | ||
polymorphism: false | ||
exclude: "ActiveRecord::InternalMetadata,ActiveRecord::SchemaMigration" |
@@ -0,0 +1,9 @@ | ||
# See https://git-scm.com/docs/gitattributes for more about git attribute files. | ||
|
||
# Mark the database schema as having been generated. | ||
db/schema.rb linguist-generated | ||
|
||
# Mark any vendored files as having been vendored. | ||
vendor/* linguist-vendored | ||
config/credentials/*.yml.enc diff=rails_credentials | ||
config/credentials.yml.enc diff=rails_credentials |
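Review bot: the `diff=rails_credentials` attributes on the last two lines need documentation, since they only take effect once each developer has the `rails_credentials` diff driver registered in their local git config (`bin/rails credentials:diff --enroll` does this); without it, `git diff` on the encrypted files shows nothing useful. Add a setup note to the README so the attribute is not silently inert.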
@@ -0,0 +1,31 @@ | ||
#! /usr/bin/env bash | ||
# | ||
# This hook runs on `git commit` and will prevent you from committing without | ||
# approval from the linter and tests. | ||
# | ||
# To run, this file must be symlinked to: | ||
# .git/hooks/pre-commit | ||
# | ||
# To bypass this hook, run: | ||
# $ git commit --no-verify | ||
# $ git commit -n | ||
|
||
echo "Running linter..." | ||
bundle exec rake standard | ||
linter_status=$? | ||
|
||
if [ $linter_status -ne 0 ]; then | ||
echo "Fix above before committing. Run 'git commit -n' to bypass linter." | ||
exit 1 | ||
fi | ||
|
||
echo "Running Terraform formatter" | ||
files=$(git diff --cached --name-only terraform) | ||
for f in $files | ||
do | ||
# Format any *.tf files that were cached/staged | ||
if [ -e "$f" ] && [[ $f == *.tf ]]; then | ||
terraform fmt "$f" | ||
git add "$f" | ||
fi | ||
done |
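Review bot: `files=$(git diff --cached --name-only terraform)` passes `terraform` as a bare argument, which git tries to resolve as a revision before treating it as a path; if no `terraform` directory exists at the repository root the command errors with an ambiguous-argument message and the loop quietly runs over nothing. Use the pathspec separator: `files=$(git diff --cached --name-only -- terraform)`. The header comment also promises "approval from the linter and tests", but the hook only runs `bundle exec rake standard`; either add the test step or correct the comment.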
@@ -0,0 +1,28 @@ | ||
name: "Run rails server" | ||
description: "Run rails server in the background for scans to access" | ||
inputs: | ||
rails_env: | ||
description: RAILS_ENV to set. Defaults to ci | ||
required: false | ||
default: ci | ||
database_url: | ||
description: DATABASE_URL to set | ||
required: true | ||
runs: | ||
using: "composite" | ||
steps: | ||
- name: "Start server in background" | ||
shell: bash | ||
env: | ||
RAILS_ENV: ${{ inputs.rails_env }} | ||
DATABASE_URL: ${{ inputs.database_url }} | ||
SECRET_KEY_BASE: not-actually-secret | ||
run: bundle exec rails server & | ||
|
||
- name: "Wait for startup" | ||
shell: bash | ||
run: sleep 5 | ||
|
||
- name: "Verify response working" | ||
shell: bash | ||
run: curl http://localhost:3000 -I |
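Review bot: the `Verify response working` step does not fail on a bad response: `curl http://localhost:3000 -I` exits 0 for an HTTP 500, and the fixed `sleep 5` before it can be too short on a slow runner, so a broken or half-started server still passes. Replace the two steps with one that retries until the server answers and fails on HTTP errors, for example `curl --fail --retry 10 --retry-connrefused --retry-delay 3 -I http://localhost:3000`.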
@@ -0,0 +1,20 @@ | ||
name: Set up languages | ||
description: Set up ruby, javascript, and dependencies | ||
runs: | ||
using: composite | ||
steps: | ||
- name: Set up Ruby | ||
uses: ruby/setup-ruby@v1 | ||
with: | ||
# bundler-cache automatically installs gems | ||
bundler-cache: true | ||
cache-version: 1 | ||
|
||
- name: Set up node | ||
uses: actions/setup-node@v4 | ||
with: | ||
node-version: '20.13.1' | ||
cache: 'yarn' | ||
- name: Install yarn dependencies | ||
shell: bash | ||
run: yarn install --frozen-lockfile |
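Review bot: `ruby/setup-ruby@v1` and `actions/setup-node@v4` are referenced by mutable tags, so a compromised or force-moved tag changes what runs in CI without any change to this repository. Pin both to a full commit SHA with the version noted in a trailing comment, which is the recommended hardening for third-party actions.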
@@ -0,0 +1,34 @@ | ||
name: Set up project with database | ||
description: Setup Ruby, Javascript, and load the database schema into a running postgres db | ||
inputs: | ||
rails_env: | ||
description: RAILS_ENV to set. Defaults to ci | ||
required: false | ||
default: ci | ||
database_url: | ||
description: DATABASE_URL to set | ||
required: false | ||
default: postgres://cidbuser:postgres@localhost:5432/continuous_monitoring_test | ||
outputs: | ||
database_url: | ||
value: ${{ inputs.database_url }} | ||
runs: | ||
using: composite | ||
steps: | ||
- name: Set up Ruby & Javascript | ||
uses: ./.github/actions/setup-languages | ||
|
||
- name: Precompile assets | ||
env: | ||
RAILS_ENV: ${{ inputs.rails_env }} | ||
SECRET_KEY_BASE: not-actually-secret | ||
shell: bash | ||
run: bundle exec rake assets:precompile | ||
|
||
- name: Set up database | ||
env: | ||
RAILS_ENV: ${{ inputs.rails_env }} | ||
SECRET_KEY_BASE: not-actually-secret | ||
DATABASE_URL: ${{ inputs.database_url }} | ||
shell: bash | ||
run: bundle exec rake db:schema:load |
@@ -0,0 +1,20 @@ | ||
name: "Run a docker-trestle command" | ||
description: "Sets up workspace for running a single command in docker-trestle" | ||
inputs: | ||
tag: | ||
description: docker-trestle tag to use. Defaults to latest | ||
required: false | ||
default: latest | ||
cmd: | ||
description: Command to run within docker-trestle | ||
required: true | ||
runs: | ||
using: "composite" | ||
steps: | ||
- name: Enable writing to trestle directories | ||
shell: bash | ||
run: chmod -R a+w $GITHUB_WORKSPACE/doc/compliance/oscal | ||
|
||
- name: Run cmd | ||
shell: bash | ||
run: docker run -v $GITHUB_WORKSPACE/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:latest ${{ inputs.cmd }} |
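Review bot: the `tag` input (default `latest`) is never used; the `docker run` line hardcodes `ghcr.io/gsa-tts/trestle:latest`, so callers cannot pin the image. Use `ghcr.io/gsa-tts/trestle:${{ inputs.tag }}` (a digest would be better still for reproducibility). Also, `${{ inputs.cmd }}` is interpolated straight into the shell line; pass it through an environment variable (`env: CMD: ${{ inputs.cmd }}`, then `$CMD` in `run:`) so a caller-supplied value cannot rewrite the command text itself.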
@@ -0,0 +1,26 @@ | ||
name: Assemble SSPP updates | ||
|
||
on: | ||
workflow_dispatch: | ||
push: | ||
branches: [ main ] | ||
paths: | ||
- "doc/compliance/oscal/**" | ||
|
||
jobs: | ||
assemble_ssp: | ||
name: Assemble SSPP updates and save artifact | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- name: Assemble final SSPP | ||
uses: ./.github/actions/trestle-cmd | ||
with: | ||
cmd: trestle assemble -n continuous_monitoring system-security-plan | ||
|
||
- name: Save artifact | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: continuous_monitoring_SSPP | ||
path: doc/compliance/oscal/dist/system-security-plans/continuous_monitoring.json |
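Review bot: no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scopes even though it only needs to read the checkout and upload an artifact. Add `permissions: contents: read` at the workflow level, matching the least-privilege block the Brakeman workflow in this commit already has.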
@@ -0,0 +1,48 @@ | ||
# This workflow uses actions that are not certified by GitHub. | ||
# They are provided by a third-party and are governed by | ||
# separate terms of service, privacy policy, and support | ||
# documentation. | ||
|
||
# This workflow integrates Brakeman with GitHub's Code Scanning feature | ||
# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications | ||
|
||
name: Brakeman Scan | ||
|
||
on: | ||
push: | ||
branches: [ main ] | ||
paths-ignore: | ||
- 'doc/**' | ||
- 'README.md' | ||
pull_request: | ||
# The branches below must be a subset of the branches above | ||
branches: [ main ] | ||
schedule: | ||
# cron format: 'minute hour dayofmonth month dayofweek' | ||
# this will run at noon UTC each Monday (7am EST / 8am EDT) | ||
- cron: '0 12 * * 1' | ||
|
||
permissions: | ||
contents: read | ||
security-events: write | ||
|
||
jobs: | ||
brakeman-scan: | ||
name: Brakeman Scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: ./.github/actions/setup-languages | ||
|
||
# Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis | ||
- name: Scan | ||
continue-on-error: true | ||
run: | | ||
bundle exec brakeman -f sarif -o output.sarif.json . | ||
# Upload the SARIF file generated in the previous step | ||
- name: Upload SARIF | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: output.sarif.json |
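Review bot: `continue-on-error: true` on the `Scan` step is broader than needed. Brakeman exits non-zero whenever it reports warnings, which is presumably why the flag is there, but it also swallows genuine failures (a missing gem, a crash mid-scan), after which `Upload SARIF` fails on an absent `output.sarif.json` with a misleading error. Drop `continue-on-error` and run `bundle exec brakeman --no-exit-on-warn -f sarif -o output.sarif.json .` so only real failures stop the job while findings still reach Code Scanning.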
@@ -0,0 +1,56 @@ | ||
name: Ruby and Javascript dependency scans | ||
|
||
on: | ||
push: | ||
branches: [ main ] | ||
paths-ignore: | ||
- 'doc/**' | ||
- 'README.md' | ||
pull_request: | ||
branches: [ main ] | ||
schedule: | ||
# cron format: 'minute hour dayofmonth month dayofweek' | ||
# this will run at noon UTC every day (7am EST / 8am EDT) | ||
- cron: '0 12 * * *' | ||
|
||
jobs: | ||
bundle-audit: | ||
name: Bundle audit | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: ./.github/actions/setup-languages | ||
|
||
- name: Update advisory database and run checks | ||
run: bundle exec rake bundler:audit | ||
|
||
yarn-audit: | ||
name: Yarn audit | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
|
||
- uses: ./.github/actions/setup-languages | ||
|
||
- name: Run yarn audit | ||
run: bundle exec rake yarn:audit | ||
|
||
ruby-bom: | ||
name: Ruby SBOM Generation | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: ./.github/actions/setup-languages | ||
- name: Install cyclonedx | ||
run: gem install cyclonedx-ruby | ||
- name: Generate BOM | ||
run: cyclonedx-ruby -p . -o ruby_bom.xml | ||
- name: Save BOM | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: ruby-bom | ||
path: ./ruby_bom.xml |
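Review bot: `gem install cyclonedx-ruby` in the `ruby-bom` job installs whatever version is latest at run time, outside Bundler and outside the `bundle-audit` check above, which puts an unpinned dependency inside the job whose purpose is supply-chain inventory. Pin it (`gem install cyclonedx-ruby -v <pinned version>`) or add the gem to the Gemfile so it is locked and audited with everything else. The three jobs also lack a `permissions:` block; `contents: read` is sufficient for all of them.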