rails_template_18f 0.8.2 → 1.1.0

Files changed (75) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +13 -0
  3. data/Gemfile.lock +58 -28
  4. data/README.md +5 -5
  5. data/Rakefile +12 -0
  6. data/SECURITY.md +18 -0
  7. data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb +2 -9
  8. data/lib/generators/rails_template18f/active_storage/templates/oscal/component-definitions/active_storage/component-definition.json +69 -0
  9. data/lib/generators/rails_template18f/auditree/auditree_generator.rb +84 -0
  10. data/lib/generators/rails_template18f/auditree/templates/bin/auditree.tt +29 -0
  11. data/lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt +31 -0
  12. data/lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt +42 -0
  13. data/lib/generators/rails_template18f/circleci/circleci_generator.rb +3 -3
  14. data/lib/generators/rails_template18f/circleci/templates/bin/ci-server-start +1 -1
  15. data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt +59 -16
  16. data/lib/generators/rails_template18f/circleci/templates/docker-compose.ci.yml +1 -0
  17. data/lib/generators/rails_template18f/circleci/templates/oscal/component-definitions/circleci/component-definition.json.tt +310 -0
  18. data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb +7 -12
  19. data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-languages/action.yml.tt +1 -1
  20. data/lib/generators/rails_template18f/github_actions/templates/github/actions/setup-project/action.yml.tt +1 -0
  21. data/lib/generators/rails_template18f/github_actions/templates/github/actions/trestle-cmd/action.yml +20 -0
  22. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/assemble-ssp.yml.tt +26 -0
  23. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml +6 -2
  24. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/dependency-scans.yml +4 -4
  25. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt +14 -25
  26. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt +14 -25
  27. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-daily-scan.yml.tt +8 -3
  28. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/owasp-scan.yml.tt +4 -3
  29. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/pa11y.yml.tt +6 -2
  30. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt +1 -1
  31. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml +20 -58
  32. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml +20 -58
  33. data/lib/generators/rails_template18f/github_actions/templates/github/workflows/validate-ssp.yml.tt +46 -0
  34. data/lib/generators/rails_template18f/github_actions/templates/oscal/component-definitions/github_actions/component-definition.json.tt +310 -0
  35. data/lib/generators/rails_template18f/i18n/i18n_generator.rb +7 -6
  36. data/lib/generators/rails_template18f/i18n/templates/config/locales/en.yml.tt +1 -0
  37. data/lib/generators/rails_template18f/i18n/templates/config/locales/es.yml +2 -0
  38. data/lib/generators/rails_template18f/i18n/templates/config/locales/fr.yml +2 -0
  39. data/lib/generators/rails_template18f/i18n/templates/config/locales/zh.yml +2 -0
  40. data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb +2 -37
  41. data/lib/generators/rails_template18f/newrelic/templates/oscal/component-definitions/newrelic/component-definition.json.tt +113 -0
  42. data/lib/generators/rails_template18f/oscal/oscal_generator.rb +55 -17
  43. data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt +10 -0
  44. data/lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt +6 -0
  45. data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb +2 -2
  46. data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt +1 -1
  47. data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt +4 -4
  48. data/lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt +0 -1
  49. data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt +4 -4
  50. data/lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt +0 -1
  51. data/lib/rails_template18f/generators/base.rb +9 -24
  52. data/lib/rails_template18f/generators/pipeline_options.rb +0 -172
  53. data/lib/rails_template18f/version.rb +1 -1
  54. data/rails-template-18f.gemspec +6 -6
  55. data/railsrc +1 -0
  56. data/railsrc-hotwire +1 -0
  57. data/template.rb +56 -44
  58. data/templates/Brewfile +2 -2
  59. data/templates/README.md.tt +3 -4
  60. data/templates/app/assets/stylesheets/uswds-components.scss +6 -0
  61. data/templates/app/assets/stylesheets/uswds-overrides/_index.scss +2 -0
  62. data/templates/app/assets/stylesheets/uswds-overrides/_override-usa-banner.scss +13 -0
  63. data/templates/app/assets/stylesheets/uswds-overrides/_override-usa-language-selector.scss +38 -0
  64. data/templates/app/views/application/_header.html.erb +6 -5
  65. data/templates/app/views/application/_language_selector.html.erb +35 -0
  66. data/templates/app/views/application/_usa_banner.html.erb +21 -16
  67. data/templates/bin/owasp-scan +3 -3
  68. data/templates/bin/pa11y-scan +1 -1
  69. data/templates/config/environments/ci.rb +1 -0
  70. data/templates/manifest.yml.tt +0 -1
  71. data/templates/pa11y.js +12 -0
  72. data/templates/pa11yci.js +8 -0
  73. metadata +35 -16
  74. data/templates/pa11yci +0 -9
  75. /data/lib/generators/rails_template18f/circleci/templates/{Dockerfile.tt → Dockerfile.ci.tt} +0 -0
@@ -1,10 +1,10 @@
1
1
  version: 2.1
2
2
 
3
3
  orbs:
4
- ruby: circleci/ruby@1.3.0
5
- node: circleci/node@5.0.0
6
- browser-tools: circleci/browser-tools@1.2.3<% if terraform? %>
7
- terraform: circleci/terraform@3.0.0<% end %>
4
+ ruby: circleci/ruby@2.1.3
5
+ node: circleci/node@5.2.0
6
+ browser-tools: circleci/browser-tools@1.4.8<% if terraform? %>
7
+ terraform: circleci/terraform@3.2.1<% end %>
8
8
 
9
9
  commands:
10
10
  setup-project:
@@ -15,7 +15,24 @@ commands:
15
15
  install-yarn: true
16
16
  - node/install-packages:
17
17
  cache-only-lockfile: false
18
- pkg-manager: yarn
18
+ pkg-manager: yarn<% if oscal_dir_exists? %>
19
+ trestle-cmd:
20
+ description: Set up environment for running docker-trestle commands
21
+ parameters:
22
+ tag:
23
+ description: docker-trestle tag to use. Defaults to latest
24
+ type: string
25
+ default: latest
26
+ cmd:
27
+ description: Command to run within docker-trestle
28
+ type: string
29
+ steps:
30
+ - run:
31
+ name: Fix directory permissions
32
+ command: chmod -R a+w doc/compliance/oscal || true
33
+ - run:
34
+ name: Run trestle command
35
+ command: docker run -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
19
36
  cg-deploy:
20
37
  description: "Login to cloud foundry space with service account credentials
21
38
  and push application using deployment configuration file."
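Review bot: The new `trestle-cmd` command pulls `ghcr.io/gsa-tts/trestle:<< parameters.tag >>` with `tag` defaulting to `latest` (new lines 22-35), so `validate_ssp` and `assemble_ssp` run whatever image is current rather than a reviewed one and the compliance output is not reproducible; consider defaulting `tag` to a specific release and, where the tooling allows, pinning by digest (`ghcr.io/gsa-tts/trestle@sha256:<DIGEST>`), then bumping deliberately. The `chmod -R a+w doc/compliance/oscal || true` step also suppresses its own failure, so a missing or unreadable directory is only noticed when the container step fails afterwards; dropping `|| true` surfaces the real error at the step that causes it. The same floating-tag concern applies to `ghcr.io/zaproxy/zaproxy:weekly` in the two ZAP jobs further down, though for a scanner a weekly-updated tag may be the intended trade-off.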
@@ -75,7 +92,7 @@ jobs:
75
92
  parallelism: 3
76
93
  docker:
77
94
  - image: cimg/ruby:<%= ruby_version %>
78
- - image: cimg/postgres:12.9
95
+ - image: cimg/postgres:15.7
79
96
  environment:
80
97
  POSTGRES_USER: circleci
81
98
  POSTGRES_DB: <%= app_name %>_test
@@ -117,7 +134,26 @@ jobs:
117
134
  - tmp/cache/assets/sprockets
118
135
 
119
136
  - ruby/rspec-test
120
-
137
+ <% if oscal_dir_exists? %>
138
+ validate_ssp:
139
+ machine:
140
+ image: ubuntu-2204:current
141
+ steps:
142
+ - checkout
143
+ - trestle-cmd:
144
+ cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
145
+ - trestle-cmd:
146
+ cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
147
+ assemble_ssp:
148
+ machine:
149
+ image: ubuntu-2204:current
150
+ steps:
151
+ - checkout
152
+ - trestle-cmd:
153
+ cmd: trestle assemble -n <%= app_name %> system-security-plan
154
+ - store_artifacts:
155
+ path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
156
+ <% end %>
121
157
  static_security_scans:
122
158
  docker:
123
159
  - image: cimg/ruby:<%= ruby_version %>
@@ -149,7 +185,7 @@ jobs:
149
185
 
150
186
  owasp_scan:
151
187
  machine:
152
- image: ubuntu-2004:202111-02
188
+ image: ubuntu-2204:current
153
189
  steps:
154
190
  - checkout
155
191
 
@@ -172,14 +208,14 @@ jobs:
172
208
  name: Run OWASP Zap
173
209
  command: |
174
210
  docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
175
- --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
211
+ --user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
176
212
  zap-baseline.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
177
213
  - store_artifacts:
178
214
  path: reports/owasp_report.html
179
215
 
180
216
  owasp_full_scan:
181
217
  machine:
182
- image: ubuntu-2004:202111-02
218
+ image: ubuntu-2204:current
183
219
  steps:
184
220
  - checkout
185
221
 
@@ -202,7 +238,7 @@ jobs:
202
238
  name: Run OWASP Zap
203
239
  command: |
204
240
  docker run -v $(pwd)/zap.conf:/zap/wrk/zap.conf:ro -v $(pwd)/reports:/zap/wrk:rw --rm \
205
- --user zap:$(id -g) --network="project_ci_network" -t owasp/zap2docker-weekly \
241
+ --user zap:$(id -g) --network="project_ci_network" -t ghcr.io/zaproxy/zaproxy:weekly \
206
242
  zap-full-scan.py -t http://web:3000 -c zap.conf -I -i -r owasp_report.html
207
243
  - store_artifacts:
208
244
  path: reports/owasp_report.html
@@ -210,7 +246,7 @@ jobs:
210
246
  a11y_scan:
211
247
  docker:
212
248
  - image: cimg/ruby:<%= ruby_version %>
213
- - image: cimg/postgres:12.9
249
+ - image: cimg/postgres:15.7
214
250
  environment:
215
251
  POSTGRES_USER: circleci
216
252
  POSTGRES_DB: <%= app_name %>_development
@@ -262,7 +298,7 @@ jobs:
262
298
 
263
299
  - run:
264
300
  name: Run pa11y-ci
265
- command: yarn run pa11y-ci
301
+ command: yarn run pa11y-ci -c pa11yci.js
266
302
  <% if terraform? %>
267
303
  terraform_plan_staging:
268
304
  executor: terraform/default
@@ -290,7 +326,7 @@ jobs:
290
326
  - checkout
291
327
  - attach_workspace:
292
328
  at: .
293
- - terraform/apply
329
+ - terraform/apply:
294
330
  path: terraform/staging
295
331
  terraform_plan_production:
296
332
  executor: terraform/default
@@ -318,7 +354,7 @@ jobs:
318
354
  - checkout
319
355
  - attach_workspace:
320
356
  at: .
321
- - terraform/apply
357
+ - terraform/apply:
322
358
  path: terraform/production
323
359
  <% end %>
324
360
  deploy_staging:
@@ -353,7 +389,14 @@ workflows:
353
389
  - build
354
390
  - test:
355
391
  requires:
356
- - build
392
+ - build<% if oscal_dir_exists? %>
393
+ - validate_ssp
394
+ - assemble_ssp:
395
+ filters:
396
+ branches:
397
+ only: main
398
+ requires:
399
+ - validate_ssp<% end %>
357
400
  - static_security_scans:
358
401
  requires:
359
402
  - build
@@ -3,6 +3,7 @@ services:
3
3
  web:
4
4
  build:
5
5
  context: .
6
+ dockerfile: Dockerfile.ci
6
7
  user: ${CURRENT_USER:-root}
7
8
  networks:
8
9
  - ci_network
@@ -0,0 +1,310 @@
1
+ {
2
+ "component-definition": {
3
+ "uuid": "1ae68b65-8cae-4ab6-9a2a-7aadedcf609c",
4
+ "metadata": {
5
+ "title": "CircleCI Component Definition.",
6
+ "last-modified": "2024-06-10T21:22:51.617878+00:00",
7
+ "version": "0.0.1",
8
+ "oscal-version": "1.1.2"
9
+ },
10
+ "components": [
11
+ {
12
+ "uuid": "9f6e6fd0-e8fb-497a-9aa6-d2049c9f1efb",
13
+ "type": "service",
14
+ "title": "CircleCI",
15
+ "description": "CircleCI CI/CD Pipeline",
16
+ "props": [
17
+ {
18
+ "name": "Rule_Id",
19
+ "value": "properly-configured",
20
+ "remarks": "rule-config"
21
+ },
22
+ {
23
+ "name": "Rule_Description",
24
+ "value": "System Owner has configured the system to properly utilize CI/CD for all tests, scans, and deployments",
25
+ "remarks": "rule-config"
26
+ },
27
+ {
28
+ "name": "Rule_Id",
29
+ "value": "branch-protections",
30
+ "remarks": "rule-branch"
31
+ },
32
+ {
33
+ "name": "Rule_Description",
34
+ "value": "System Owner has configured GitHub branch protections as described in control",
35
+ "remarks": "rule-branch"
36
+ }
37
+ ],
38
+ "control-implementations": [
39
+ {
40
+ "uuid": "3268f365-afcd-4f31-8cfc-79455b222fb4",
41
+ "source": "trestle://profiles/lato/profile.json",
42
+ "description": "",
43
+ "implemented-requirements": [
44
+ {
45
+ "uuid": "e2367b3a-dc67-4b1d-b3c0-db5fb976154b",
46
+ "control-id": "ca-7",
47
+ "description": "",
48
+ "statements": [
49
+ {
50
+ "statement-id": "ca-7_smt.a",
51
+ "uuid": "9bcf27b2-134e-4fb9-bd7a-8c3a77b4fd03",
52
+ "description": "* <%= app_name %> DevOps staff review OWASP and Dependency scans every build, or at least weekly.\n* <%= app_name %> DevOps staff and the GSA ISSO review Web Application vulnerability scans on a weekly basis.\n* <%= app_name %> Administrators and DevOps staff review changes for potential security impact and engage the <%= app_name %> ISSO and ISSM who will review or engage assessment staff as needed.",
53
+ "props": [
54
+ {
55
+ "name": "Rule_Id",
56
+ "value": "properly-configured"
57
+ },
58
+ {
59
+ "name": "implementation-status",
60
+ "value": "partial"
61
+ }
62
+ ]
63
+ }
64
+ ]
65
+ },
66
+ {
67
+ "uuid": "6d74a1a5-7139-4f05-b72a-5fd6fd1cb021",
68
+ "control-id": "cm-2.2",
69
+ "description": "The <%= app_name %> team develops, documents, and maintains a current baseline for the <%= app_name %> application\ncomponents under configuration control, managed via git and github.com, and orchestrated using CircleCI\nand the cloud.gov Cloud Foundry CLI.\n\nNote: All cloud.gov brokered services (including databases) are fully managed by the cloud.gov platform.\nDue to this, the configuration and security of these services are not included in the <%= app_name %> configuration baseline.",
70
+ "props": [
71
+ {
72
+ "name": "Rule_Id",
73
+ "value": "properly-configured"
74
+ },
75
+ {
76
+ "name": "implementation-status",
77
+ "value": "implemented"
78
+ }
79
+ ]
80
+ },
81
+ {
82
+ "uuid": "8f6cd10e-a40c-4a9e-ad6c-ab73fb41ab64",
83
+ "control-id": "cm-3.1",
84
+ "description": "",
85
+ "statements": [
86
+ {
87
+ "statement-id": "cm-3.1_smt.f",
88
+ "uuid": "355f6e92-139e-4cc1-8497-63421731f265",
89
+ "description": "CircleCI is used to execute proposed changes to the information system.\nAdministrators and Developers for <%= app_name %> are automatically notified of\nthe success or failure of the change execution via the CircleCI and GitHub notification systems.",
90
+ "props": [
91
+ {
92
+ "name": "Rule_Id",
93
+ "value": "properly-configured"
94
+ },
95
+ {
96
+ "name": "implementation-status",
97
+ "value": "implemented"
98
+ }
99
+ ]
100
+ }
101
+ ]
102
+ },
103
+ {
104
+ "uuid": "d989abdd-4e77-4d22-a0cd-a004e4bd0958",
105
+ "control-id": "ra-5",
106
+ "description": "",
107
+ "statements": [
108
+ {
109
+ "statement-id": "ra-5_smt.a",
110
+ "uuid": "5801d27a-d3e7-469b-af64-cd8e03b20622",
111
+ "description": "Any vulnerabilities in <%= app_name %> would have to be introduced at time of deployment because <%= app_name %>\nis a set of cloud.gov managed applications with SSH disabled in Production. <%= app_name %> monitors for\nvulnerabilities by ensuring that scans for vulnerabilities in the information system and hosted applications occur\ndaily and when new code is deployed.\n\nOWASP ZAP scans are built into the CircleCI CI/CD pipeline and runs a series of web vulnerability scans before\na successful deploy can be made to cloud.gov. Any issues or alerts caused by the scan are documented by <%= app_name %>\nOperations and cause the deployment to fail. Issues are tracked in GitHub. The issue posted will provide information\non which endpoints are vulnerable and the level of vulnerability, ranging from **False Positive** to **High**.\nThe issue also provides a detailed report formatted in html, json, and markdown.\n\nSystem Administrators are responsible for reporting any new vulnerabilities reported by the OWASP ZAP scan to the <%= app_name %> ISSO.",
112
+ "props": [
113
+ {
114
+ "name": "Rule_Id",
115
+ "value": "properly-configured"
116
+ },
117
+ {
118
+ "name": "implementation-status",
119
+ "value": "implemented"
120
+ }
121
+ ]
122
+ },
123
+ {
124
+ "statement-id": "ra-5_smt.b",
125
+ "uuid": "ec74b865-ec28-4557-911d-33e9ab8049cb",
126
+ "description": "1. Alerts from each ZAP vulnerability scan are automatically reported in GitHub as an issue on the <%= app_name %> repository. This issue will enumerate each finding and detail the type and severity of the vulnerability. <%= app_name %> Developers and <%= app_name %> Administrators receive automated alerts via GitHub of the issues to remediate. Scan results are sent to the <%= app_name %> System Owner by <%= app_name %> Administrators. The vulnerabilities are analyzed and prioritized within GitHub based on input from the System Owner and ISSO.\n1. The ZAP report contains vulnerabilities grouped by type and by risk level. The report also provides a detailed report formatted in html, json, and markdown. The reported issues also include the CVE item associated with the vulnerability.\n1. Vulnerabilities are classified by ZAP under a level range from **False Positive** to **High**. The impact level is used to drive the priority of the effort to remediate.",
127
+ "props": [
128
+ {
129
+ "name": "Rule_Id",
130
+ "value": "properly-configured"
131
+ },
132
+ {
133
+ "name": "implementation-status",
134
+ "value": "implemented"
135
+ }
136
+ ]
137
+ },
138
+ {
139
+ "statement-id": "ra-5_smt.c",
140
+ "uuid": "d0cdbd01-5f63-43f5-9756-4dc423fa2e73",
141
+ "description": "The ZAP vulnerability report contains information about how the attack was made and suggested solutions for each vulnerability found. Any static code analysis findings identified during automation as part of the GitHub pull request process must be reviewed, analyzed, and resolved by the <%= app_name %> Developer before the team can merge the pull request.",
142
+ "props": [
143
+ {
144
+ "name": "Rule_Id",
145
+ "value": "properly-configured"
146
+ },
147
+ {
148
+ "name": "Rule_Id",
149
+ "value": "branch-protections"
150
+ },
151
+ {
152
+ "name": "implementation-status",
153
+ "value": "planned"
154
+ }
155
+ ]
156
+ }
157
+ ]
158
+ },
159
+ {
160
+ "uuid": "5b755a7a-8032-47e9-8e12-e87de6c698e8",
161
+ "control-id": "sa-11.1",
162
+ "description": "The CI/CD pipeline utilizes multiple tools to perform static code analysis for security and privacy:\n\n* **Brakeman** is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,\nCommand Injection, open redirects, and other common vulnerabilities.\n* **bundle-audit** checks Ruby dependencies against a database of known CVE numbers.\n* **yarn audit** checks Javascript dependencies against a database of known CVE numbers.\n* **OWASP ZAP** is a dynamic security scanner that can simulate actual attacks on a running server.\n\nAn additional RAILS_ENV has been created called ci. It inherits from production to ensure that the system being tested is as close as possible to production while allowing for overrides such as bypassing authentication in a secure way.",
163
+ "props": [
164
+ {
165
+ "name": "Rule_Id",
166
+ "value": "properly-configured"
167
+ },
168
+ {
169
+ "name": "implementation-status",
170
+ "value": "implemented"
171
+ }
172
+ ]
173
+ },
174
+ {
175
+ "uuid": "e7f41388-bacd-4633-bf85-182de4349221",
176
+ "control-id": "sa-22",
177
+ "description": "",
178
+ "statements": [
179
+ {
180
+ "statement-id": "sa-22_smt.a",
181
+ "uuid": "90bdb946-0a0f-43e3-a8c3-2eb7a9662409",
182
+ "description": "The <%= app_name %> application is built and supported by the <%= app_name %> DevOps staff.\n\nThe application utilizes public open source Ruby and NodeJS components.\n\nThe application utilizes dependency scanning tools Bundle Audit and Yarn Audit to find vulnerable or insecure dependencies.\n\nIf a vulnerable or insecure dependency is found it will be upgraded or replaced. Additionally the <%= app_name %> team code review processes include a review of the health (up to date, supported, many individuals involved) of direct open source dependencies.",
183
+ "props": [
184
+ {
185
+ "name": "Rule_Id",
186
+ "value": "properly-configured"
187
+ },
188
+ {
189
+ "name": "implementation-status",
190
+ "value": "implemented"
191
+ }
192
+ ]
193
+ },
194
+ {
195
+ "statement-id": "sa-22_smt.b",
196
+ "uuid": "e23cb5e4-cf82-47b9-8abd-25ec772387bd",
197
+ "description": "There are currently no unsupported system components within <%= app_name %>. In case an unsupported system component is required to maintain <%= app_name %>, the <%= app_name %> System Owner will be consulted to make a determination in coordination with the <%= app_name %> ISSO and ISSM.",
198
+ "props": [
199
+ {
200
+ "name": "Rule_Id",
201
+ "value": "properly-configured"
202
+ },
203
+ {
204
+ "name": "implementation-status",
205
+ "value": "implemented"
206
+ }
207
+ ]
208
+ }
209
+ ]
210
+ },
211
+ {
212
+ "uuid": "8e2a476b-299c-48d5-b4de-749393d74adf",
213
+ "control-id": "sc-28.1",
214
+ "description": "As an additional layer of protection, all PII data is encrypted using [Active Record Encryption — Ruby on Rails Guides](https://guides.rubyonrails.org/active_record_encryption.html).\nThis encryption is implemented in a using non-deterministic AES-256-GCM through Ruby's openssl library with a 256-bit key and a random initialization vector {rails crypto module}.\n\nThe Data Encryption Key is stored in the credentials.yml file in an encrypted format by Ruby's openssl library using the AES-128-GCM cipher,\nand is built into the application package.\n\nThe credentials.yml decryption key is stored in CircleCI and injected into the running application as an environmental variable. The application then uses this key\nto decrypt the credentials.yml file and obtain the Data Encryption Key.\n\nA backup of the key is stored by the Lead Developer and System Owner within a keepass database stored in Google Drive.",
215
+ "props": [
216
+ {
217
+ "name": "Rule_Id",
218
+ "value": "properly-configured"
219
+ },
220
+ {
221
+ "name": "implementation-status",
222
+ "value": "partial"
223
+ }
224
+ ]
225
+ },
226
+ {
227
+ "uuid": "731fe0af-a996-470d-916d-62f6aaa41823",
228
+ "control-id": "si-2",
229
+ "description": "",
230
+ "statements": [
231
+ {
232
+ "statement-id": "si-2_smt.a",
233
+ "uuid": "1cbbaed9-503a-4b26-879b-805a4d44c898",
234
+ "description": "Flaw and vulnerability checks are built into the <%= app_name %> CI/CD pipeline and automated to ensure compliance. Dynamic vulnerability scans are performed against <%= app_name %> before a successful deployment and reports issues after every scan.\n\nCompliance is documented in sections SA-11 and RA-5. The <%= app_name %> DevOps team uses GitHub as the Product Backlog to track and prioritize issues related to system flaws.\n\nThe responsibility of remediating flaws and vulnerabilities (once a remediation is available) falls on the <%= app_name %> Developer, who updates the <%= app_name %> code and deploys fixes as part of the normal development and CI/CD process.",
235
+ "props": [
236
+ {
237
+ "name": "Rule_Id",
238
+ "value": "properly-configured"
239
+ },
240
+ {
241
+ "name": "Rule_Id",
242
+ "value": "branch-protections"
243
+ },
244
+ {
245
+ "name": "implementation-status",
246
+ "value": "implemented"
247
+ }
248
+ ]
249
+ },
250
+ {
251
+ "statement-id": "si-2_smt.b",
252
+ "uuid": "85cad7f1-6c2b-43b2-b4f3-7acb6cd6ec09",
253
+ "description": "Any flaws or vulnerabilities resolved in <%= app_name %> result in a GitHub issue for triage via the <%= app_name %> CM Configuration Control process described in CM-2(2). After resolving a vulnerability or flaw in <%= app_name %>, unit tests and integration tests are updated to prevent further inclusion of similar flaws.\n\n* All GitHub tickets have accompanying Acceptance Criteria that are used to create unit tests.\n* Unit tests are run on the Development environment when new code is pushed.\n* Integration tests are run on the Test environment when the remediation is deployed via the CI/CD process to ensure that the production environment does not suffer from any side effects of the vulnerability remediation.\n* Integration tests are run on the Prod environment when the remediation is deployed via the CI/CD process to validate the remediation and application functionality.\n* All findings that are not remediated immediately are tracked in the #{app_name} Plan of Action and Milestones (POAM) by <%= app_name %> Operations and the <%= app_name %> ISSO.",
254
+ "props": [
255
+ {
256
+ "name": "Rule_Id",
257
+ "value": "properly-configured"
258
+ },
259
+ {
260
+ "name": "implementation-status",
261
+ "value": "implemented"
262
+ }
263
+ ]
264
+ }
265
+ ]
266
+ },
267
+ {
268
+ "uuid": "547c5134-5dd7-4310-8965-63da171cfa14",
269
+ "control-id": "si-10",
270
+ "description": "All inputs from the end user are parameterized prior to use to avoid potential sql injection.\n\nBrakeman scanner is impelmented within CircleCI which further identifies coding practices\nthat may lead to application vulnerabilities that are a result of improper input validation.",
271
+ "props": [
272
+ {
273
+ "name": "Rule_Id",
274
+ "value": "properly-configured"
275
+ },
276
+ {
277
+ "name": "implementation-status",
278
+ "value": "partial"
279
+ }
280
+ ]
281
+ },
282
+ {
283
+ "uuid": "907f1164-670a-4776-b931-16e28c91eb18",
284
+ "control-id": "sr-3",
285
+ "description": "",
286
+ "statements": [
287
+ {
288
+ "statement-id": "sr-3_smt.b",
289
+ "uuid": "4be57dda-04ec-4387-80ef-d13a50193156",
290
+ "description": "A complete Software Bill of Materials (SBOM) for all Ruby dependencies is automatically\ngenerated by CircleCI on each push to GitHub as well as on a nightly basis. These can be downloaded\nfrom the applicable artifact section for each CI job.",
291
+ "props": [
292
+ {
293
+ "name": "Rule_Id",
294
+ "value": "properly-configured"
295
+ },
296
+ {
297
+ "name": "implementation-status",
298
+ "value": "partial"
299
+ }
300
+ ]
301
+ }
302
+ ]
303
+ }
304
+ ]
305
+ }
306
+ ]
307
+ }
308
+ ]
309
+ }
310
+ }
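Review bot: Line 253 of the new template (the `si-2_smt.b` description) uses Ruby string interpolation `#{app_name}` where every other reference in the file uses the ERB tag `<%= app_name %>`, so the rendered component definition will contain the literal text `#{app_name}`; change it to `<%= app_name %>`. Line 270's SI-10 description also misspells `implemented` as `impelmented`. The `metadata.last-modified` value on line 6 is a fixed literal, so every generated project reports the same timestamp regardless of when it was rendered; if the generator's ERB context can call `Time`, `<%= Time.now.utc.iso8601(6) %>` would keep it accurate.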
@@ -21,6 +21,11 @@ module RailsTemplate18f
21
21
  remove_file ".github/workflows/terraform-staging.yml"
22
22
  remove_file ".github/workflows/terraform-production.yml"
23
23
  end
24
+ if !oscal_dir_exists?
25
+ remove_file ".github/workflows/validate-ssp.yml"
26
+ remove_file ".github/workflows/assemble-ssp.yml"
27
+ remove_dir ".github/actions/trestle-cmd"
28
+ end
24
29
  end
25
30
 
26
31
  def update_readme
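Review bot: Style: `if !oscal_dir_exists?` on new line 24 is the negated-if form Ruby linters flag; the file's own guard clauses use `unless` (see the removed `return unless terraform?` below), so `unless oscal_dir_exists?` would match. The enclosing method starts above this hunk, so its surrounding structure is not visible here. The removal list (`validate-ssp.yml`, `assemble-ssp.yml`, `.github/actions/trestle-cmd`) has to stay in sync with the OSCAL-only templates added in this release; a short comment naming that coupling, such as `# keep in sync with the oscal_dir_exists? templates`, would help the next person adding one.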
@@ -59,17 +64,8 @@ EOB
59
64
  EOB
60
65
  end
61
66
 
62
- def update_terraform_readme
63
- return unless terraform?
64
- readme_filename = "terraform/README.md"
65
- insert_into_file readme_filename, " |- .force-action-apply\n", after: "- <env>/\n"
66
- insert_into_file readme_filename, <<~EOM, after: /.*environment-specific modules:$/
67
- \n- `.force-action-apply` is a file that can be updated to force GitHub Actions to run `terraform apply` during the deploy phase
68
- EOM
69
- end
70
-
71
67
  def update_oscal_docs
72
- update_cicd_oscal_docs("GitHub Actions")
68
+ copy_oscal_component "github_actions"
73
69
  end
74
70
 
75
71
  no_tasks do
@@ -122,8 +118,7 @@ EOB
122
118
  <<~EOM
123
119
 
124
120
  1. Store variables that must be secret using [GitHub Environment Secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-an-environment)
125
- 1. Add the secret to the `env:` block of the deploy action [as in this example](https://github.com/OHS-Hosting-Infrastructure/complaint-tracker/blob/a9e8d22aae2023a0afb631a6182251c04f597f7e/.github/workflows/deploy-stage.yml#L20)
126
- 1. Add the appropriate `--var` addition to the `push_arguments` line on the deploy action [as in this example](https://github.com/OHS-Hosting-Infrastructure/complaint-tracker/blob/a9e8d22aae2023a0afb631a6182251c04f597f7e/.github/workflows/deploy-stage.yml#L27)
121
+ 1. Add the appropriate `--var` addition to the `cf_command` line on the deploy action like the existing `rails_master_key`
127
122
  EOM
128
123
  end
129
124
  end
@@ -11,7 +11,7 @@ runs:
11
11
  cache-version: 1
12
12
 
13
13
  - name: Set up node
14
- uses: actions/setup-node@v2
14
+ uses: actions/setup-node@v4
15
15
  with:
16
16
  node-version: '<%= node_version %>'
17
17
  cache: 'yarn'
@@ -28,6 +28,7 @@ runs:
28
28
  - name: Set up database
29
29
  env:
30
30
  RAILS_ENV: ${{ inputs.rails_env }}
31
+ SECRET_KEY_BASE: not-actually-secret
31
32
  DATABASE_URL: ${{ inputs.database_url }}
32
33
  shell: bash
33
34
  run: bundle exec rake db:schema:load
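Review bot: The added `SECRET_KEY_BASE: not-actually-secret` has no comment saying why a placeholder key is acceptable, and a reader may copy the pattern into a step that boots the app for real; add `# placeholder: Rails needs SECRET_KEY_BASE to boot; only db:schema:load runs in this step` above it. Because the value is fixed in a shared composite action, any caller that later uses it with a production-like `rails_env` for more than the schema load would run with a publicly known key, so keeping the variable scoped to this single step's `env:` block, as it is now, is the right shape.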
@@ -0,0 +1,20 @@
1
+ name: "Run a docker-trestle command"
2
+ description: "Sets up workspace for running a single command in docker-trestle"
3
+ inputs:
4
+ tag:
5
+ description: docker-trestle tag to use. Defaults to latest
6
+ required: false
7
+ default: latest
8
+ cmd:
9
+ description: Command to run within docker-trestle
10
+ required: true
11
+ runs:
12
+ using: "composite"
13
+ steps:
14
+ - name: Enable writing to trestle directories
15
+ shell: bash
16
+ run: chmod -R a+w $GITHUB_WORKSPACE/doc/compliance/oscal
17
+
18
+ - name: Run cmd
19
+ shell: bash
20
+ run: docker run -v $GITHUB_WORKSPACE/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:latest ${{ inputs.cmd }}
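Review bot: The `tag` input declared on lines 4-7 is never used: line 20 hardcodes `ghcr.io/gsa-tts/trestle:latest`, so callers passing `tag` get `latest` anyway; change it to `ghcr.io/gsa-tts/trestle:${{ inputs.tag }}` (and consider a pinned default rather than `latest`, as the CircleCI `trestle-cmd` command in this release at least interpolates its tag parameter). Interpolating `${{ inputs.cmd }}` directly into `run:` means the shell sees whatever the caller passes; the inputs come from the repository's own workflows, so the risk is low, but the conventional hardening is to pass them through a step `env:` block and reference `$TAG`/`$CMD` in the script. Line 16's `chmod -R a+w` has no `|| true`, unlike its CircleCI counterpart, so a missing `doc/compliance/oscal` directory fails this step early, which is the better behaviour.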
@@ -0,0 +1,26 @@
1
+ name: Assemble SSPP updates
2
+
3
+ on:
4
+ workflow_dispatch:
5
+ push:
6
+ branches: [ main ]
7
+ paths:
8
+ - "doc/compliance/oscal/**"
9
+
10
+ jobs:
11
+ assemble_ssp:
12
+ name: Assemble SSPP updates and save artifact
13
+ runs-on: ubuntu-latest
14
+ steps:
15
+ - uses: actions/checkout@v4
16
+
17
+ - name: Assemble final SSPP
18
+ uses: ./.github/actions/trestle-cmd
19
+ with:
20
+ cmd: trestle assemble -n <%= app_name %> system-security-plan
21
+
22
+ - name: Save artifact
23
+ uses: actions/upload-artifact@v4
24
+ with:
25
+ name: <%= app_name %>_SSPP
26
+ path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
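Review bot: The new workflow declares no top-level `permissions:` block, so the `GITHUB_TOKEN` it receives falls back to the repository default, which can be read-write; the job only checks out code and uploads an artifact, so `permissions:` with `contents: read` beneath `name:` is sufficient and matches the block this same release adds to `brakeman-analysis.yml`. The `trestle-cmd` step also relies on the action's default `tag`, so the assembled SSP depends on whichever `trestle` image is current; passing an explicit `tag:` alongside `cmd:` makes the uploaded artifact reproducible.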
@@ -22,12 +22,16 @@ on:
22
22
  # this will run at noon UTC each Monday (7am EST / 8am EDT)
23
23
  - cron: '0 12 * * 1'
24
24
 
25
+ permissions:
26
+ contents: read
27
+ security-events: write
28
+
25
29
  jobs:
26
30
  brakeman-scan:
27
31
  name: Brakeman Scan
28
32
  runs-on: ubuntu-latest
29
33
  steps:
30
- - uses: actions/checkout@v2
34
+ - uses: actions/checkout@v4
31
35
 
32
36
  - uses: ./.github/actions/setup-languages
33
37
 
@@ -39,6 +43,6 @@ jobs:
39
43
 
40
44
  # Upload the SARIF file generated in the previous step
41
45
  - name: Upload SARIF
42
- uses: github/codeql-action/upload-sarif@v1
46
+ uses: github/codeql-action/upload-sarif@v3
43
47
  with:
44
48
  sarif_file: output.sarif.json
@@ -19,7 +19,7 @@ jobs:
19
19
  runs-on: ubuntu-latest
20
20
 
21
21
  steps:
22
- - uses: actions/checkout@v2
22
+ - uses: actions/checkout@v4
23
23
 
24
24
  - uses: ./.github/actions/setup-languages
25
25
 
@@ -31,7 +31,7 @@ jobs:
31
31
  runs-on: ubuntu-latest
32
32
 
33
33
  steps:
34
- - uses: actions/checkout@v2
34
+ - uses: actions/checkout@v4
35
35
 
36
36
  - uses: ./.github/actions/setup-languages
37
37
 
@@ -43,14 +43,14 @@ jobs:
43
43
  runs-on: ubuntu-latest
44
44
 
45
45
  steps:
46
- - uses: actions/checkout@v2
46
+ - uses: actions/checkout@v4
47
47
  - uses: ./.github/actions/setup-languages
48
48
  - name: Install cyclonedx
49
49
  run: gem install cyclonedx-ruby
50
50
  - name: Generate BOM
51
51
  run: cyclonedx-ruby -p . -o ruby_bom.xml
52
52
  - name: Save BOM
53
- uses: actions/upload-artifact@v3
53
+ uses: actions/upload-artifact@v4
54
54
  with:
55
55
  name: ruby-bom
56
56
  path: ./ruby_bom.xml