rails_template_18f 0.8.2 → 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/Gemfile.lock +58 -28
- data/README.md +5 -5
- data/Rakefile +12 -0
- data/SECURITY.md +18 -0
- data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb +2 -9
- data/lib/generators/rails_template18f/active_storage/templates/oscal/component-definitions/active_storage/component-definition.json +69 -0
- data/lib/generators/rails_template18f/circleci/circleci_generator.rb +3 -3
- data/lib/generators/rails_template18f/circleci/templates/bin/ci-server-start +1 -1
- data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt +59 -16
- data/lib/generators/rails_template18f/circleci/templates/docker-compose.ci.yml +1 -0
- data/lib/generators/rails_template18f/circleci/templates/oscal/component-definitions/circleci/component-definition.json.tt +310 -0
- data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb +7 -12
- data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-languages/action.yml.tt +1 -1
- data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt +1 -0
- data/lib/generators/rails_template18f/github_actions/templates/github/actions/trestle-cmd/action.yml +20 -0
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/assemble-ssp.yml.tt +26 -0
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml +6 -2
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml +4 -4
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt +14 -25
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt +14 -25
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt +8 -3
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt +4 -3
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt +6 -2
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt +1 -1
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml +20 -58
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml +20 -58
- data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml.tt +46 -0
- data/lib/generators/rails_template18f/github_actions/templates/oscal/component-definitions/github_actions/component-definition.json.tt +310 -0
- data/lib/generators/rails_template18f/i18n/i18n_generator.rb +7 -6
- data/lib/generators/rails_template18f/i18n/templates/config/locales/en.yml.tt +1 -0
- data/lib/generators/rails_template18f/i18n/templates/config/locales/es.yml +2 -0
- data/lib/generators/rails_template18f/i18n/templates/config/locales/fr.yml +2 -0
- data/lib/generators/rails_template18f/i18n/templates/config/locales/zh.yml +2 -0
- data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb +2 -37
- data/lib/generators/rails_template18f/newrelic/templates/oscal/component-definitions/newrelic/component-definition.json.tt +113 -0
- data/lib/generators/rails_template18f/oscal/oscal_generator.rb +55 -17
- data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt +10 -0
- data/lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt +6 -0
- data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb +2 -2
- data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt +1 -1
- data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt +4 -4
- data/lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt +0 -1
- data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt +4 -4
- data/lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt +0 -1
- data/lib/rails_template18f/generators/base.rb +9 -24
- data/lib/rails_template18f/generators/pipeline_options.rb +0 -172
- data/lib/rails_template18f/version.rb +1 -1
- data/rails-template-18f.gemspec +6 -6
- data/railsrc +1 -0
- data/railsrc-hotwire +1 -0
- data/template.rb +48 -44
- data/templates/Brewfile +2 -2
- data/templates/README.md.tt +3 -4
- data/templates/app/assets/stylesheets/uswds-components.scss +6 -0
- data/templates/app/assets/stylesheets/uswds-overrides/_index.scss +2 -0
- data/templates/app/assets/stylesheets/uswds-overrides/_override-usa-banner.scss +13 -0
- data/templates/app/assets/stylesheets/uswds-overrides/_override-usa-language-selector.scss +38 -0
- data/templates/app/views/application/_header.html.erb +6 -5
- data/templates/app/views/application/_language_selector.html.erb +35 -0
- data/templates/app/views/application/_usa_banner.html.erb +21 -16
- data/templates/bin/owasp-scan +3 -3
- data/templates/bin/pa11y-scan +1 -1
- data/templates/config/environments/ci.rb +1 -0
- data/templates/pa11y.js +12 -0
- data/templates/pa11yci.js +8 -0
- metadata +31 -16
- data/templates/pa11yci +0 -9
- /data/lib/generators/rails_template18f/circleci/templates/{Dockerfile.tt → Dockerfile.ci.tt} +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: a7f0ec410febea02b2e3cbc4200373ebbe5b2403f2bd643433acd8d493af8729
|
4
|
+
data.tar.gz: 6a58037093cf649f10bd0ae6166372c8d878e0eecf547baf0ab9be4be91b5d59
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 04c73690530b927f6cf0063c512f580725d19fcad7cce351b24e672b3169167747ae5c344ee437ca078bf4077f53bc7678a0fcdb0b5cf59b3743cec7ecfe79a0
|
7
|
+
data.tar.gz: 6aabb2b9fa5191ed1f295605d47153e79c753880eb8038591ceee1ac733185ddd23de64a7f0041f602527c12f4f92f627fe4a6379772b14cebe36fe87bcdf102
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,12 @@
|
|
1
1
|
## [Unreleased]
|
2
2
|
|
3
|
+
## [1.0.0] - 2024-06-27
|
4
|
+
|
5
|
+
- new applications are now on Rails 7.1.x
|
6
|
+
- implement USWDS language selector component when translation files are included
|
7
|
+
- cleans up github actions and circleci generators to address bitrot
|
8
|
+
- utilize docker-trestle project for OSCAL integration / compliance as code
|
9
|
+
|
3
10
|
## [0.8.2] - 2024-06-06
|
4
11
|
|
5
12
|
- Replace deprecated github action for cloud.gov deploys with cg-supported one
|
data/Gemfile.lock
CHANGED
@@ -1,55 +1,71 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
rails_template_18f (0.
|
5
|
-
activesupport (~> 7.
|
6
|
-
colorize (~>
|
7
|
-
railties (~> 7.
|
8
|
-
thor (~> 1.
|
4
|
+
rails_template_18f (1.0.0)
|
5
|
+
activesupport (~> 7.1.0)
|
6
|
+
colorize (~> 1.1)
|
7
|
+
railties (~> 7.1.0)
|
8
|
+
thor (~> 1.3)
|
9
9
|
|
10
10
|
GEM
|
11
11
|
remote: https://rubygems.org/
|
12
12
|
specs:
|
13
|
-
actionpack (7.
|
14
|
-
actionview (= 7.
|
15
|
-
activesupport (= 7.
|
16
|
-
|
13
|
+
actionpack (7.1.3.4)
|
14
|
+
actionview (= 7.1.3.4)
|
15
|
+
activesupport (= 7.1.3.4)
|
16
|
+
nokogiri (>= 1.8.5)
|
17
|
+
racc
|
18
|
+
rack (>= 2.2.4)
|
19
|
+
rack-session (>= 1.0.1)
|
17
20
|
rack-test (>= 0.6.3)
|
18
|
-
rails-dom-testing (~> 2.
|
19
|
-
rails-html-sanitizer (~> 1.
|
20
|
-
actionview (7.
|
21
|
-
activesupport (= 7.
|
21
|
+
rails-dom-testing (~> 2.2)
|
22
|
+
rails-html-sanitizer (~> 1.6)
|
23
|
+
actionview (7.1.3.4)
|
24
|
+
activesupport (= 7.1.3.4)
|
22
25
|
builder (~> 3.1)
|
23
|
-
erubi (~> 1.
|
24
|
-
rails-dom-testing (~> 2.
|
25
|
-
rails-html-sanitizer (~> 1.
|
26
|
-
activesupport (7.
|
26
|
+
erubi (~> 1.11)
|
27
|
+
rails-dom-testing (~> 2.2)
|
28
|
+
rails-html-sanitizer (~> 1.6)
|
29
|
+
activesupport (7.1.3.4)
|
30
|
+
base64
|
31
|
+
bigdecimal
|
27
32
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
33
|
+
connection_pool (>= 2.2.5)
|
34
|
+
drb
|
28
35
|
i18n (>= 1.6, < 2)
|
29
36
|
minitest (>= 5.1)
|
37
|
+
mutex_m
|
30
38
|
tzinfo (~> 2.0)
|
31
39
|
ammeter (1.1.7)
|
32
40
|
activesupport (>= 3.0)
|
33
41
|
railties (>= 3.0)
|
34
42
|
rspec-rails (>= 2.2)
|
35
43
|
ast (2.4.2)
|
44
|
+
base64 (0.2.0)
|
45
|
+
bigdecimal (3.1.8)
|
36
46
|
builder (3.2.4)
|
37
47
|
byebug (11.1.3)
|
38
|
-
colorize (
|
48
|
+
colorize (1.1.0)
|
39
49
|
concurrent-ruby (1.3.1)
|
50
|
+
connection_pool (2.4.1)
|
40
51
|
crass (1.0.6)
|
41
52
|
diff-lcs (1.5.1)
|
53
|
+
drb (2.2.1)
|
42
54
|
erubi (1.12.0)
|
43
55
|
i18n (1.14.5)
|
44
56
|
concurrent-ruby (~> 1.0)
|
57
|
+
io-console (0.7.2)
|
58
|
+
irb (1.13.1)
|
59
|
+
rdoc (>= 4.0.0)
|
60
|
+
reline (>= 0.4.2)
|
45
61
|
json (2.7.2)
|
46
62
|
language_server-protocol (3.17.0.3)
|
47
63
|
lint_roller (1.1.0)
|
48
64
|
loofah (2.22.0)
|
49
65
|
crass (~> 1.0.2)
|
50
66
|
nokogiri (>= 1.12.0)
|
51
|
-
method_source (1.1.0)
|
52
67
|
minitest (5.23.1)
|
68
|
+
mutex_m (0.2.0)
|
53
69
|
nokogiri (1.16.5-arm64-darwin)
|
54
70
|
racc (~> 1.4)
|
55
71
|
nokogiri (1.16.5-x86_64-darwin)
|
@@ -60,10 +76,17 @@ GEM
|
|
60
76
|
parser (3.3.2.0)
|
61
77
|
ast (~> 2.4.1)
|
62
78
|
racc
|
79
|
+
psych (5.1.2)
|
80
|
+
stringio
|
63
81
|
racc (1.8.0)
|
64
|
-
rack (
|
82
|
+
rack (3.0.11)
|
83
|
+
rack-session (2.0.0)
|
84
|
+
rack (>= 3.0.0)
|
65
85
|
rack-test (2.1.0)
|
66
86
|
rack (>= 1.3)
|
87
|
+
rackup (2.1.0)
|
88
|
+
rack (>= 3)
|
89
|
+
webrick (~> 1.8)
|
67
90
|
rails-dom-testing (2.2.0)
|
68
91
|
activesupport (>= 5.0.0)
|
69
92
|
minitest
|
@@ -71,16 +94,21 @@ GEM
|
|
71
94
|
rails-html-sanitizer (1.6.0)
|
72
95
|
loofah (~> 2.21)
|
73
96
|
nokogiri (~> 1.14)
|
74
|
-
railties (7.
|
75
|
-
actionpack (= 7.
|
76
|
-
activesupport (= 7.
|
77
|
-
|
97
|
+
railties (7.1.3.4)
|
98
|
+
actionpack (= 7.1.3.4)
|
99
|
+
activesupport (= 7.1.3.4)
|
100
|
+
irb
|
101
|
+
rackup (>= 1.0.0)
|
78
102
|
rake (>= 12.2)
|
79
|
-
thor (~> 1.0)
|
80
|
-
zeitwerk (~> 2.
|
103
|
+
thor (~> 1.0, >= 1.2.2)
|
104
|
+
zeitwerk (~> 2.6)
|
81
105
|
rainbow (3.1.1)
|
82
106
|
rake (13.2.1)
|
107
|
+
rdoc (6.7.0)
|
108
|
+
psych (>= 4.0.0)
|
83
109
|
regexp_parser (2.9.2)
|
110
|
+
reline (0.5.8)
|
111
|
+
io-console (~> 0.5)
|
84
112
|
rexml (3.2.8)
|
85
113
|
strscan (>= 3.0.9)
|
86
114
|
rspec (3.13.0)
|
@@ -133,11 +161,13 @@ GEM
|
|
133
161
|
standard-performance (1.4.0)
|
134
162
|
lint_roller (~> 1.1)
|
135
163
|
rubocop-performance (~> 1.21.0)
|
164
|
+
stringio (3.1.0)
|
136
165
|
strscan (3.1.0)
|
137
166
|
thor (1.3.1)
|
138
167
|
tzinfo (2.0.6)
|
139
168
|
concurrent-ruby (~> 1.0)
|
140
169
|
unicode-display_width (2.5.0)
|
170
|
+
webrick (1.8.1)
|
141
171
|
zeitwerk (2.6.15)
|
142
172
|
|
143
173
|
PLATFORMS
|
@@ -151,8 +181,8 @@ DEPENDENCIES
|
|
151
181
|
byebug
|
152
182
|
rails_template_18f!
|
153
183
|
rake (~> 13.0)
|
154
|
-
rspec (~> 3.
|
155
|
-
standard (~> 1.
|
184
|
+
rspec (~> 3.13)
|
185
|
+
standard (~> 1.36)
|
156
186
|
|
157
187
|
BUNDLED WITH
|
158
188
|
2.3.15
|
data/README.md
CHANGED
@@ -2,9 +2,9 @@
|
|
2
2
|
============================
|
3
3
|
The 18F Rails template starts or upgrades Rails projects so that they're more secure, follow compliance rules, and are nearly ready to deploy onto cloud.gov. This gem sets up security checks and compliance diagrams, adds the U.S. Web Design System (USWDS), and much much more — [see the full list of features](#features).
|
4
4
|
|
5
|
-
This template will create a new Rails 7.
|
5
|
+
This template will create a new Rails 7.1.x project.
|
6
6
|
|
7
|
-
[See the `rails-
|
7
|
+
[See the `rails-7.0` branch for Rails 7.0.x](https://github.com/gsa-tts/rails-template/tree/rails-7.0)
|
8
8
|
|
9
9
|
## Installation
|
10
10
|
|
@@ -43,6 +43,7 @@ There are a variety of options that customize your Rails application.
|
|
43
43
|
--skip-action-cable # Don't include ActionCable websocket implementation
|
44
44
|
--skip-action-mailbox # Don't include inbound email
|
45
45
|
--skip-hotwire # Don't include Hotwire JS library
|
46
|
+
--skip-docker # Don't include Dockerfile meant for production use
|
46
47
|
--skip-test # Skip built-in test framework. (We include RSpec)
|
47
48
|
--javascript=webpack # Use webpack for JS bundling
|
48
49
|
--css=postcss # Use the PostCSS framework for bundling CSS
|
@@ -56,7 +57,6 @@ There are a variety of options that customize your Rails application.
|
|
56
57
|
|--------|-------------|
|
57
58
|
| `--no-skip-<framework>` | Each of the skipped frameworks listed above (also in `railsrc`) can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
|
58
59
|
| `--javascript=esbuild` | Use [esbuild](https://esbuild.github.io/) instead of [webpack](https://webpack.js.org/) for JavaScript bundling. Note that maintaining IE11 support with esbuild may be tricky. |
|
59
|
-
| `--no-skip-<FRAMEWORK>` | Each of the skipped frameworks in `railsrc` can be overridden on the command line. For example: `--no-skip-active-storage` will include support for `ActiveStorage` document uploads |
|
60
60
|
|
61
61
|
You probably won't want to customize the template — that defeats the purpose of using this gem!
|
62
62
|
|
@@ -128,8 +128,8 @@ To install this gem onto your local machine, run `bundle exec rake install`. To
|
|
128
128
|
|
129
129
|
## Contributing
|
130
130
|
|
131
|
-
Bug reports and pull requests are welcome on GitHub at https://github.com/
|
131
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/gsa-tts/rails-template. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).
|
132
132
|
|
133
133
|
## Code of conduct
|
134
134
|
|
135
|
-
Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/
|
135
|
+
Everyone interacting in the 18F Rails Template project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/gsa-tts/rails-template/blob/main/CODE_OF_CONDUCT.md).
|
data/Rakefile
CHANGED
@@ -8,3 +8,15 @@ RSpec::Core::RakeTask.new(:spec)
|
|
8
8
|
require "standard/rake"
|
9
9
|
|
10
10
|
task default: %i[spec standard]
|
11
|
+
|
12
|
+
task :release do
|
13
|
+
# adding a custom release task because I can't get the default `rake release` to play nicely with my
|
14
|
+
# passkey login to rubygems.org on GFE, so I need to use the `gem push --otp` version.
|
15
|
+
# set the environment variable gem_push=false to enable this block
|
16
|
+
gemhelper = Bundler::GemHelper.instance
|
17
|
+
unless gemhelper.send :gem_push?
|
18
|
+
gemspec = gemhelper.gemspec
|
19
|
+
Bundler.ui.warn "Next step: publish the #{gemspec.name} gem with:"
|
20
|
+
Bundler.ui.warn "gem push pkg/#{gemspec.name}-#{gemspec.version}.gem --otp OTP"
|
21
|
+
end
|
22
|
+
end
|
data/SECURITY.md
ADDED
@@ -0,0 +1,18 @@
|
|
1
|
+
# Security Policy
|
2
|
+
|
3
|
+
## Supported Versions
|
4
|
+
|
5
|
+
Only certain branches are supported with security updates.
|
6
|
+
|
7
|
+
| Version (branch) | Supported |
|
8
|
+
| ---------------- | ----------- |
|
9
|
+
| main | :white_check_mark: |
|
10
|
+
| rails-7.0 | :white_check_mark: |
|
11
|
+
| other | :x: |
|
12
|
+
|
13
|
+
When using this code or reporting vulnerability please be sure to use supported branches and the most recent release tag.
|
14
|
+
|
15
|
+
## Reporting a Vulnerability
|
16
|
+
|
17
|
+
Use the `Report a vulnerability` link at https://github.com/GSA-TTS/rails-template/security to report a security vulnerability
|
18
|
+
on a supported branch of this repository.
|
@@ -94,15 +94,8 @@ module RailsTemplate18f
|
|
94
94
|
end
|
95
95
|
end
|
96
96
|
|
97
|
-
def
|
98
|
-
|
99
|
-
insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation a.\n"
|
100
|
-
#{app_name} employs ClamAV to detect and quarantine malicious code in user-uploaded files.
|
101
|
-
EOS
|
102
|
-
insert_into_oscal "si-3.md", <<~EOS, after: "## Implementation b.\n"
|
103
|
-
ClamAV is configured to automatically update malicious code detection signatures on a daily basis.
|
104
|
-
EOS
|
105
|
-
end
|
97
|
+
def update_oscal
|
98
|
+
copy_oscal_component "active_storage"
|
106
99
|
end
|
107
100
|
end
|
108
101
|
end
|
@@ -0,0 +1,69 @@
|
|
1
|
+
{
|
2
|
+
"component-definition": {
|
3
|
+
"uuid": "6c8efe45-ab46-4d02-846e-5d58b4797a3e",
|
4
|
+
"metadata": {
|
5
|
+
"title": "ActiveStorage Component Definition.",
|
6
|
+
"last-modified": "2024-06-10T17:31:06.312964+00:00",
|
7
|
+
"version": "0.0.1",
|
8
|
+
"oscal-version": "1.1.2"
|
9
|
+
},
|
10
|
+
"components": [
|
11
|
+
{
|
12
|
+
"uuid": "a206dda7-d1f6-451c-8a0f-b6f4e8bf22d0",
|
13
|
+
"type": "software",
|
14
|
+
"title": "ClamAV",
|
15
|
+
"description": "ClamAV malware scanner",
|
16
|
+
"props": [
|
17
|
+
{
|
18
|
+
"name": "Rule_Id",
|
19
|
+
"value": "properly-configured",
|
20
|
+
"remarks": "rule_config"
|
21
|
+
},
|
22
|
+
{
|
23
|
+
"name": "Rule_Description",
|
24
|
+
"value": "System owner has configured the system to properly run the ClamAV scanner and send files to it on upload",
|
25
|
+
"remarks": "rule_config"
|
26
|
+
}
|
27
|
+
],
|
28
|
+
"control-implementations": [
|
29
|
+
{
|
30
|
+
"uuid": "e1a02625-cb99-48e6-8240-90f2fdcc8481",
|
31
|
+
"source": "trestle://profiles/gsa-moderate/profile.json",
|
32
|
+
"description": "Controls satisfied via use of the ClamAV malware scanning app",
|
33
|
+
"implemented-requirements": [
|
34
|
+
{
|
35
|
+
"uuid": "4c53c056-dbbd-4889-b268-e1d50bc1fd88",
|
36
|
+
"control-id": "si-3",
|
37
|
+
"description": "",
|
38
|
+
"statements": [
|
39
|
+
{
|
40
|
+
"statement-id": "si-3_smt.a",
|
41
|
+
"uuid": "9621f3b7-878f-487a-bfa1-bbd9d2111e25",
|
42
|
+
"description": "The system employs ClamAV to detect and quarantine malicious code in user-uploaded files.",
|
43
|
+
"props": [
|
44
|
+
{
|
45
|
+
"name": "Rule_Id",
|
46
|
+
"value": "properly-configured"
|
47
|
+
}
|
48
|
+
]
|
49
|
+
},
|
50
|
+
{
|
51
|
+
"statement-id": "si-3_smt.b",
|
52
|
+
"uuid": "850c1163-5c94-4018-9593-0f8e908ace2f",
|
53
|
+
"description": "ClamAV is configured to automatically update malicious code detection signatures on a daily basis.",
|
54
|
+
"props": [
|
55
|
+
{
|
56
|
+
"name": "Rule_Id",
|
57
|
+
"value": "properly-configured"
|
58
|
+
}
|
59
|
+
]
|
60
|
+
}
|
61
|
+
]
|
62
|
+
}
|
63
|
+
]
|
64
|
+
}
|
65
|
+
]
|
66
|
+
}
|
67
|
+
]
|
68
|
+
}
|
69
|
+
}
|
@@ -16,14 +16,14 @@ module RailsTemplate18f
|
|
16
16
|
def install_needed_gems
|
17
17
|
gem_name = "rspec_junit_formatter"
|
18
18
|
return if gem_installed? gem_name
|
19
|
-
gem gem_name, "~> 0.
|
19
|
+
gem gem_name, "~> 0.6", group: :test
|
20
20
|
bundle_install
|
21
21
|
end
|
22
22
|
|
23
23
|
def install_pipeline
|
24
24
|
directory "circleci", ".circleci"
|
25
25
|
copy_file "docker-compose.ci.yml"
|
26
|
-
template "Dockerfile"
|
26
|
+
template "Dockerfile.ci"
|
27
27
|
copy_file "bin/ci-server-start", mode: :preserve
|
28
28
|
end
|
29
29
|
|
@@ -66,7 +66,7 @@ EOB
|
|
66
66
|
end
|
67
67
|
|
68
68
|
def update_oscal_docs
|
69
|
-
|
69
|
+
copy_oscal_component "circleci"
|
70
70
|
end
|
71
71
|
|
72
72
|
no_tasks do
|
@@ -1,10 +1,10 @@
|
|
1
1
|
version: 2.1
|
2
2
|
|
3
3
|
orbs:
|
4
|
-
ruby: circleci/ruby@1.3
|
5
|
-
node: circleci/node@5.
|
6
|
-
browser-tools: circleci/browser-tools@1.
|
7
|
-
terraform: circleci/terraform@3.
|
4
|
+
ruby: circleci/ruby@2.1.3
|
5
|
+
node: circleci/node@5.2.0
|
6
|
+
browser-tools: circleci/browser-tools@1.4.8<% if terraform? %>
|
7
|
+
terraform: circleci/terraform@3.2.1<% end %>
|
8
8
|
|
9
9
|
commands:
|
10
10
|
setup-project:
|
@@ -15,7 +15,24 @@ commands:
|
|
15
15
|
install-yarn: true
|
16
16
|
- node/install-packages:
|
17
17
|
cache-only-lockfile: false
|
18
|
-
pkg-manager: yarn
|
18
|
+
pkg-manager: yarn<% if oscal_dir_exists? %>
|
19
|
+
trestle-cmd:
|
20
|
+
description: Set up environment for running docker-trestle commands
|
21
|
+
parameters:
|
22
|
+
tag:
|
23
|
+
description: docker-trestle tag to use. Defaults to latest
|
24
|
+
type: string
|
25
|
+
default: latest
|
26
|
+
cmd:
|
27
|
+
description: Command to run within docker-trestle
|
28
|
+
type: string
|
29
|
+
steps:
|
30
|
+
- run:
|
31
|
+
name: Fix directory permissions
|
32
|
+
command: chmod -R a+w doc/compliance/oscal || true
|
33
|
+
- run:
|
34
|
+
name: Run trestle command
|
35
|
+
command: docker run -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
|
19
36
|
cg-deploy:
|
20
37
|
description: "Login to cloud foundry space with service account credentials
|
21
38
|
and push application using deployment configuration file."
|
@@ -75,7 +92,7 @@ jobs:
|
|
75
92
|
parallelism: 3
|
76
93
|
docker:
|
77
94
|
- image: cimg/ruby:<%= ruby_version %>
|
78
|
-
- image: cimg/postgres:
|
95
|
+
- image: cimg/postgres:15.7
|
79
96
|
environment:
|
80
97
|
POSTGRES_USER: circleci
|
81
98
|
POSTGRES_DB: <%= app_name %>_test
|
@@ -117,7 +134,26 @@ jobs:
|
|
117
134
|
- tmp/cache/assets/sprockets
|
118
135
|
|
119
136
|
- ruby/rspec-test
|
120
|
-
|
137
|
+
<% if oscal_dir_exists? %>
|
138
|
+
validate_ssp:
|
139
|
+
machine:
|
140
|
+
image: ubuntu-2204:current
|
141
|
+
steps:
|
142
|
+
- checkout
|
143
|
+
- trestle-cmd:
|
144
|
+
cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
|
145
|
+
- trestle-cmd:
|
146
|
+
cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
|
147
|
+
assemble_ssp:
|
148
|
+
machine:
|
149
|
+
image: ubuntu-2204:current
|
150
|
+
steps:
|
151
|
+
- checkout
|
152
|
+
- trestle-cmd:
|
153
|
+
cmd: trestle assemble -n <%= app_name %> system-security-plan
|
154
|
+
- store_artifacts:
|
155
|
+
path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
|
156
|
+
<% end %>
|
121
157
|
static_security_scans:
|
122
158
|
docker:
|
123
159
|
- image: cimg/ruby:<%= ruby_version %>
|
@@ -149,7 +185,7 @@ jobs:
|
|
149
185
|
|
150
186
|
owasp_scan:
|
151
187
|
machine:
|
152
|
-
image: ubuntu-
|
188
|
+
image: ubuntu-2204:current
|
153
189
|
steps:
|
154
190
|
- checkout
|
155
191
|
|
@@ -172,14 +208,14 @@ jobs:
|
|
172
208
|
name: Run OWASP Zap
|
173
209
|
command: |
|
174
210
|
docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
|
175
|
-
--user zap:$(id -g) --network="project_ci_network" -t
|
211
|
+
--user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
|
176
212
|
zap-baseline.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
|
177
213
|
- store_artifacts:
|
178
214
|
path: reports/owasp_report.html
|
179
215
|
|
180
216
|
owasp_full_scan:
|
181
217
|
machine:
|
182
|
-
image: ubuntu-
|
218
|
+
image: ubuntu-2204:current
|
183
219
|
steps:
|
184
220
|
- checkout
|
185
221
|
|
@@ -202,7 +238,7 @@ jobs:
|
|
202
238
|
name: Run OWASP Zap
|
203
239
|
command: |
|
204
240
|
docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
|
205
|
-
--user zap:$(id -g) --network="project_ci_network" -t
|
241
|
+
--user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
|
206
242
|
zap-full-scan.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
|
207
243
|
- store_artifacts:
|
208
244
|
path: reports/owasp_report.html
|
@@ -210,7 +246,7 @@ jobs:
|
|
210
246
|
a11y_scan:
|
211
247
|
docker:
|
212
248
|
- image: cimg/ruby:<%= ruby_version %>
|
213
|
-
- image: cimg/postgres:
|
249
|
+
- image: cimg/postgres:15.7
|
214
250
|
environment:
|
215
251
|
POSTGRES_USER: circleci
|
216
252
|
POSTGRES_DB: <%= app_name %>_development
|
@@ -262,7 +298,7 @@ jobs:
|
|
262
298
|
|
263
299
|
- run:
|
264
300
|
name: Run pa11y-ci
|
265
|
-
command: yarn run pa11y-ci
|
301
|
+
command: yarn run pa11y-ci -c pa11yci.js
|
266
302
|
<% if terraform? %>
|
267
303
|
terraform_plan_staging:
|
268
304
|
executor: terraform/default
|
@@ -290,7 +326,7 @@ jobs:
|
|
290
326
|
- checkout
|
291
327
|
- attach_workspace:
|
292
328
|
at: .
|
293
|
-
- terraform/apply
|
329
|
+
- terraform/apply:
|
294
330
|
path: terraform/staging
|
295
331
|
terraform_plan_production:
|
296
332
|
executor: terraform/default
|
@@ -318,7 +354,7 @@ jobs:
|
|
318
354
|
- checkout
|
319
355
|
- attach_workspace:
|
320
356
|
at: .
|
321
|
-
- terraform/apply
|
357
|
+
- terraform/apply:
|
322
358
|
path: terraform/production
|
323
359
|
<% end %>
|
324
360
|
deploy_staging:
|
@@ -353,7 +389,14 @@ workflows:
|
|
353
389
|
- build
|
354
390
|
- test:
|
355
391
|
requires:
|
356
|
-
- build
|
392
|
+
- build<% if oscal_dir_exists? %>
|
393
|
+
- validate_ssp
|
394
|
+
- assemble_ssp:
|
395
|
+
filters:
|
396
|
+
branches:
|
397
|
+
only: main
|
398
|
+
requires:
|
399
|
+
- validate_ssp<% end %>
|
357
400
|
- static_security_scans:
|
358
401
|
requires:
|
359
402
|
- build
|