Initial commit
rahearn committed Jun 25, 2024
0 parents commit c794f68
Showing 158 changed files with 6,874 additions and 0 deletions.
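--- a/.browserslistrc
+++ b/.browserslistrc
@@ -0,0 +1,5 @@
+# Supported browsers
+> 2%
+last 2 versions
+IE 11
+not dead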
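Review bot: `IE 11` on the fourth line is most likely cancelled by `not dead` on the line after it, because recent browserslist data classifies IE 11 as a dead browser and `not` queries subtract from the accumulated set; the entry is then either a no-op or, on older browserslist data, pulls transpilation and polyfills for an end-of-life browser into every build. Either drop the `IE 11` line or replace the comment with one that records why it is wanted, e.g. `# IE 11 kept deliberately: <reason>`.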
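--- a/.cfignore
+++ b/.cfignore
@@ -0,0 +1,69 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+# git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore all environment files (except templates).
+/.env*
+!/.env*.erb
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore pidfiles, but keep the directory.
+/tmp/pids/*
+!/tmp/pids/
+!/tmp/pids/.keep
+
+# Ignore storage (uploaded files in development and any SQLite databases).
+/storage/*
+!/storage/.keep
+/tmp/storage/*
+!/tmp/storage/
+!/tmp/storage/.keep
+
+/public/assets
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
+
+# Ignore Brewfile debug info
+Brewfile.lock.json
+
+# Ignore local dotenv overrides
+.env*.local
+
+# Ignore OWASP files
+/zap_report.html
+/zap.yaml
+
+# Ignore rspec examples status file
+spec/examples.txt
+
+/config/credentials/production.key
+
+/app/assets/builds/*
+!/app/assets/builds/.keep
+
+/node_modules
+
+# Trestle working files
+doc/compliance/oscal/.trestle/_trash
+doc/compliance/oscal/.trestle/cache
+
+# Terraform
+.terraform.lock.hcl
+**/.terraform/*
+secrets.auto.tfvars
+terraform.tfstate
+terraform.tfstate.backup
+
+# compliance documentation
+/doc/compliance/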
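--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,5 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+[zap.conf]
+indent_size = 4
+indent_style = tab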
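--- a/.erdconfig
+++ b/.erdconfig
@@ -0,0 +1,9 @@
+attributes:
+- content
+- timestamps
+filename: "doc/compliance/rendered/apps/data.logical"
+filetype: pdf
+inheritance: false
+orientation: horizontal
+polymorphism: false
+exclude: "ActiveRecord::InternalMetadata,ActiveRecord::SchemaMigration"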
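--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,9 @@
+# See https://git-scm.com/docs/gitattributes for more about git attribute files.
+
+# Mark the database schema as having been generated.
+db/schema.rb linguist-generated
+
+# Mark any vendored files as having been vendored.
+vendor/* linguist-vendored
+config/credentials/*.yml.enc diff=rails_credentials
+config/credentials.yml.enc diff=rails_credentials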
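Review bot: `diff=rails_credentials` on the last two lines names a git diff driver that nothing in this commit defines, so `git diff` on the encrypted credentials files keeps showing ciphertext until each developer registers the driver in their local git config. Document the one-time setup next to these lines, e.g. `# Requires a local textconv driver; run: bin/rails credentials:diff --enroll`, and make clear that the driver only works for developers who hold the matching key — it should never be configured on shared CI runners.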
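--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -0,0 +1,31 @@
+#! /usr/bin/env bash
+#
+# This hook runs on `git commit` and will prevent you from committing without
+# approval from the linter and tests.
+#
+# To run, this file must be symlinked to:
+# .git/hooks/pre-commit
+#
+# To bypass this hook, run:
+# $ git commit --no-verify
+# $ git commit -n
+
+echo "Running linter..."
+bundle exec rake standard
+linter_status=$?
+
+if [ $linter_status -ne 0 ]; then
+echo "Fix above before committing. Run 'git commit -n' to bypass linter."
+exit 1
+fi
+
+echo "Running Terraform formatter"
+files=$(git diff --cached --name-only terraform)
+for f in $files
+do
+# Format any *.tf files that were cached/staged
+if [ -e "$f" ] && [[ $f == *.tf ]]; then
+terraform fmt "$f"
+git add "$f"
+fi
+done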
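Review bot: `git add "$f"` after `terraform fmt "$f"` stages the whole working-tree file, so any hunks the author deliberately left unstaged in that `.tf` file are silently committed along with the formatting change; the hook also word-splits `$files`, so a staged path containing a space is never formatted. A safer shape is to check formatting and refuse the commit instead of rewriting and re-staging, iterating over a NUL-delimited list. The header comment also promises "approval from the linter and tests" while only `rake standard` runs; either run the test suite or change the comment to `# approval from the linter.`
```bash
echo "Running Terraform formatter"
# Check rather than rewrite: re-staging after fmt would also stage unrelated
# working-tree edits to the same file.
while IFS= read -r -d '' f; do
  if [[ $f == *.tf ]] && ! terraform fmt -check "$f"; then
    echo "Run 'terraform fmt \"$f\"' and re-stage it before committing."
    exit 1
  fi
done < <(git diff --cached --name-only -z --diff-filter=ACMR -- terraform)
```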
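--- a/.github/actions/run-server/action.yml
+++ b/.github/actions/run-server/action.yml
@@ -0,0 +1,28 @@
+name: "Run rails server"
+description: "Run rails server in the background for scans to access"
+inputs:
+rails_env:
+description: RAILS_ENV to set. Defaults to ci
+required: false
+default: ci
+database_url:
+description: DATABASE_URL to set
+required: true
+runs:
+using: "composite"
+steps:
+- name: "Start server in background"
+shell: bash
+env:
+RAILS_ENV: ${{ inputs.rails_env }}
+DATABASE_URL: ${{ inputs.database_url }}
+SECRET_KEY_BASE: not-actually-secret
+run: bundle exec rails server &
+
+- name: "Wait for startup"
+shell: bash
+run: sleep 5
+
+- name: "Verify response working"
+shell: bash
+run: curl http://localhost:3000 -I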
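Review bot: The "Verify response working" step cannot fail on a broken server: `curl -I` without `--fail` exits 0 on a 500 response, so a scan downstream would run against an app that never booted correctly, and the fixed `sleep 5` before it is a race on a slow runner. Replace the two trailing steps with one that retries until the server answers and rejects non-2xx/3xx responses: `run: curl --fail --retry 10 --retry-connrefused --retry-delay 2 -I http://localhost:3000`. The `SECRET_KEY_BASE: not-actually-secret` value is fine for a throwaway CI server, but a comment such as `# Placeholder for CI only; production reads the real key from the environment` would stop it being copied elsewhere.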
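--- a/.github/actions/setup-languages/action.yml
+++ b/.github/actions/setup-languages/action.yml
@@ -0,0 +1,20 @@
+name: Set up languages
+description: Set up ruby, javascript, and dependencies
+runs:
+using: composite
+steps:
+- name: Set up Ruby
+uses: ruby/setup-ruby@v1
+with:
+# bundler-cache automatically installs gems
+bundler-cache: true
+cache-version: 1
+
+- name: Set up node
+uses: actions/setup-node@v4
+with:
+node-version: '20.13.1'
+cache: 'yarn'
+- name: Install yarn dependencies
+shell: bash
+run: yarn install --frozen-lockfile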
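Review bot: `ruby/setup-ruby@v1` and `actions/setup-node@v4` are referenced by mutable major-version tags, so whatever the tag points at on the day a job runs is executed with this repository's token; pinning to a full commit SHA with the version in a trailing comment, e.g. `uses: ruby/setup-ruby@<COMMIT_SHA> # v1`, makes the supply chain reproducible and lets Dependabot bump it deliberately. The same applies to `actions/checkout@v4` and `actions/upload-artifact@v4` in assemble-ssp.yml and dependency-scans.yml and to `github/codeql-action/upload-sarif@v3` in brakeman-analysis.yml. The node version and yarn lockfile are already pinned here, which is the right pattern.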
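--- a/.github/actions/setup-project/action.yml
+++ b/.github/actions/setup-project/action.yml
@@ -0,0 +1,34 @@
+name: Set up project with database
+description: Setup Ruby, Javascript, and load the database schema into a running postgres db
+inputs:
+rails_env:
+description: RAILS_ENV to set. Defaults to ci
+required: false
+default: ci
+database_url:
+description: DATABASE_URL to set
+required: false
+default: postgres://cidbuser:postgres@localhost:5432/continuous_monitoring_test
+outputs:
+database_url:
+value: ${{ inputs.database_url }}
+runs:
+using: composite
+steps:
+- name: Set up Ruby & Javascript
+uses: ./.github/actions/setup-languages
+
+- name: Precompile assets
+env:
+RAILS_ENV: ${{ inputs.rails_env }}
+SECRET_KEY_BASE: not-actually-secret
+shell: bash
+run: bundle exec rake assets:precompile
+
+- name: Set up database
+env:
+RAILS_ENV: ${{ inputs.rails_env }}
+SECRET_KEY_BASE: not-actually-secret
+DATABASE_URL: ${{ inputs.database_url }}
+shell: bash
+run: bundle exec rake db:schema:load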
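--- a/.github/actions/trestle-cmd/action.yml
+++ b/.github/actions/trestle-cmd/action.yml
@@ -0,0 +1,20 @@
+name: "Run a docker-trestle command"
+description: "Sets up workspace for running a single command in docker-trestle"
+inputs:
+tag:
+description: docker-trestle tag to use. Defaults to latest
+required: false
+default: latest
+cmd:
+description: Command to run within docker-trestle
+required: true
+runs:
+using: "composite"
+steps:
+- name: Enable writing to trestle directories
+shell: bash
+run: chmod -R a+w $GITHUB_WORKSPACE/doc/compliance/oscal
+
+- name: Run cmd
+shell: bash
+run: docker run -v $GITHUB_WORKSPACE/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:latest ${{ inputs.cmd }}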
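Review bot: The `tag` input is declared with a default of `latest` but never read — the `docker run` line hard-codes `ghcr.io/gsa-tts/trestle:latest`, so callers cannot pin the compliance tooling image and the input is dead. In the same line `${{ inputs.cmd }}` is expanded into the shell script before bash runs it, so any shell metacharacters in the value are interpreted; the caller here is a workflow in the same repository, so the exposure is limited, but the standard hardening is to pass inputs through `env:` and reference them as shell variables. Consider also documenting why `chmod -R a+w` is needed (presumably the container runs as a different uid) rather than leaving the directory world-writable without explanation.
```yaml
- name: Run cmd
  shell: bash
  env:
    TRESTLE_TAG: ${{ inputs.tag }}
    TRESTLE_CMD: ${{ inputs.cmd }}
  # $TRESTLE_CMD is intentionally unquoted: it holds a whole command line.
  run: docker run -v "$GITHUB_WORKSPACE/doc/compliance/oscal:/app/docs:rw" "ghcr.io/gsa-tts/trestle:${TRESTLE_TAG}" $TRESTLE_CMD
```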
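--- a/.github/workflows/assemble-ssp.yml
+++ b/.github/workflows/assemble-ssp.yml
@@ -0,0 +1,26 @@
+name: Assemble SSPP updates
+
+on:
+workflow_dispatch:
+push:
+branches: [ main ]
+paths:
+- "doc/compliance/oscal/**"
+
+jobs:
+assemble_ssp:
+name: Assemble SSPP updates and save artifact
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+- name: Assemble final SSPP
+uses: ./.github/actions/trestle-cmd
+with:
+cmd: trestle assemble -n continuous_monitoring system-security-plan
+
+- name: Save artifact
+uses: actions/upload-artifact@v4
+with:
+name: continuous_monitoring_SSPP
+path: doc/compliance/oscal/dist/system-security-plans/continuous_monitoring.json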
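Review bot: This workflow declares no `permissions:` block, so the job token gets whatever the repository default grants (often read/write on every scope) although the job only checks out code and uploads an artifact. Add a top-level `permissions:` with `contents: read` below `name:`, as brakeman-analysis.yml in this same commit already does; dependency-scans.yml has the same omission. The `cmd:` value is passed to the trestle-cmd action, which as written ignores its `tag` input, so the assembled SSPP is produced by whatever `latest` resolves to on the day of the run — worth noting in the workflow until the action is fixed.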
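--- a/.github/workflows/brakeman-analysis.yml
+++ b/.github/workflows/brakeman-analysis.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+push:
+branches: [ main ]
+paths-ignore:
+- 'doc/**'
+- 'README.md'
+pull_request:
+# The branches below must be a subset of the branches above
+branches: [ main ]
+schedule:
+# cron format: 'minute hour dayofmonth month dayofweek'
+# this will run at noon UTC each Monday (7am EST / 8am EDT)
+- cron: '0 12 * * 1'
+
+permissions:
+contents: read
+security-events: write
+
+jobs:
+brakeman-scan:
+name: Brakeman Scan
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+
+- uses: ./.github/actions/setup-languages
+
+# Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+- name: Scan
+continue-on-error: true
+run: |
+bundle exec brakeman -f sarif -o output.sarif.json .
+# Upload the SARIF file generated in the previous step
+- name: Upload SARIF
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: output.sarif.json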
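Review bot: `continue-on-error: true` on the Scan step hides every failure mode of Brakeman, not just "warnings found": a crash, a missing gem or a parse error also passes, and the job then fails only at the upload step (no `output.sarif.json`) or, if a stale file exists, silently uploads old results. Brakeman can distinguish the two cases itself — run `bundle exec brakeman -f sarif -o output.sarif.json --no-exit-on-warn .` and drop `continue-on-error`, so findings still upload to Code Scanning while a broken scan fails the job. The `# The branches below must be a subset of the branches above` comment under `pull_request:` is a leftover from the GitHub template and could be replaced with one that states what the schedule line does not cover.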
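--- a/.github/workflows/dependency-scans.yml
+++ b/.github/workflows/dependency-scans.yml
@@ -0,0 +1,56 @@
+name: Ruby and Javascript dependency scans
+
+on:
+push:
+branches: [ main ]
+paths-ignore:
+- 'doc/**'
+- 'README.md'
+pull_request:
+branches: [ main ]
+schedule:
+# cron format: 'minute hour dayofmonth month dayofweek'
+# this will run at noon UTC every day (7am EST / 8am EDT)
+- cron: '0 12 * * *'
+
+jobs:
+bundle-audit:
+name: Bundle audit
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+
+- uses: ./.github/actions/setup-languages
+
+- name: Update advisory database and run checks
+run: bundle exec rake bundler:audit
+
+yarn-audit:
+name: Yarn audit
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+
+- uses: ./.github/actions/setup-languages
+
+- name: Run yarn audit
+run: bundle exec rake yarn:audit
+
+ruby-bom:
+name: Ruby SBOM Generation
+runs-on: ubuntu-latest
+
+steps:
+- uses: actions/checkout@v4
+- uses: ./.github/actions/setup-languages
+- name: Install cyclonedx
+run: gem install cyclonedx-ruby
+- name: Generate BOM
+uses: actions/upload-artifact@v4
+with:
+name: ruby-bom
+path: ./ruby_bom.xml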
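Review bot: `gem install cyclonedx-ruby` in the ruby-bom job installs whatever version is current at run time, outside the Gemfile.lock that the rest of the pipeline is pinned to, so the tool that produces the SBOM is itself an unpinned dependency; pin it with `run: gem install cyclonedx-ruby -v '<PINNED_VERSION>'` (or add it to the Gemfile's development group so `bundler:audit` covers it too). The workflow name promises Ruby and Javascript coverage but only a Ruby SBOM is generated, which is worth stating in a comment above `ruby-bom:` so nobody assumes the yarn side is covered. Like assemble-ssp.yml, this file sets no `permissions:` block; `contents: read` is all these jobs need.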