diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
new file mode 100644
index 00000000..879b8f93
--- /dev/null
+++ b/.github/workflows/megalinter.yml
@@ -0,0 +1,99 @@
+---
+name: MegaLinter
+
+# yamllint disable-line rule:truthy
+on:
+  # Triggers mega-linter when a pull_request event's activity type is opened, synchronize, or reopened by default.
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+env:
+  # Comment env block if you do not want to apply fixes
+  # Apply linter fixes configuration
+  APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
+  APPLY_FIXES_EVENT: all # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
+  APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # pin@v7.13.0
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        if: always()
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            megalinter-reports/megalinter.log
+
+      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
+      - name: Create Pull Request with applied fixes
+        id: cpr
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linters automatic fixes"
+          title: "[MegaLinter] Apply linters automatic fixes"
+          labels: bot
+      - name: Create PR output
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
+      - name: Prepare commit
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        run: sudo chown -Rc $UID .git/
+      - name: Commit and push applied linter fixes
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # pin@v5
+        with:
+          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+          commit_message: "[MegaLinter] Apply linters fixes"
+          commit_user_name: megalinter-bot
commit_user_email: nicolas.vuillamy@ox.security + + - name: Check to see if the SARIF a was generated + id: sarif_file_exists + uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2 + with: + files: "megalinter-reports/megalinter-report.sarif" + + - name: Upload MegaLinter scan results to GitHub Security tab + if: steps.sarif_file_exists.outputs.files_exists == 'true' + uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2 + with: + sarif_file: "megalinter-reports/megalinter-report.sarif" diff --git a/.github/workflows/pa11y.yml b/.github/workflows/pa11y.yml index 0f86dfeb..dbab91ec 100644 --- a/.github/workflows/pa11y.yml +++ b/.github/workflows/pa11y.yml @@ -1,16 +1,28 @@ +--- name: Pa11y Testing -on: [pull_request] +# yamllint disable-line rule:truthy +on: [ pull_request ] + +permissions: + contents: write + issues: write + pull-requests: write + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true jobs: build: runs-on: ubuntu-latest - + steps: - - uses: actions/checkout@v3 - + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + - name: Use Node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3 with: node-version: '17.x' diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 48fe6e47..b1c7577d 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
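Review bot: The job-level `permissions: write-all` on the `build` job overrides the narrower workflow-level block and hands every token scope (packages, id-token, deployments, …) to a job triggered by `pull_request`; the only scope the visible steps need beyond `contents`/`pull-requests` is `security-events: write` for the `upload-sarif` step (plus `actions: read` if the repository is private). Replace it with an explicit block, `permissions: { contents: write, pull-requests: write, security-events: write }`, so the auto-commit and SARIF steps keep working without the blanket grant. Note also that the checkout persists `secrets.PAT || secrets.GITHUB_TOKEN` in `.git/`, and the later auto-commit steps push with that credential; if a `PAT` secret is used here it should be a fine-grained token scoped to this single repository, and a short comment on the `token:` line should say so.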
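Review bot: The new `permissions` block in pa11y.yml grants `contents: write`, `issues: write` and `pull-requests: write` to a workflow whose visible steps only check out the repository and set up Node; nothing in the hunk pushes, comments or labels. On a `pull_request` trigger that is well beyond least privilege, so reduce it to `permissions:` / `  contents: read` (or the `read-all` that scorecard.yml already uses). The job body continues past the hunk, so if a later step does post results, add only the single scope that step needs.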
@@ -1,18 +1,22 @@ +--- # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Scorecard supply-chain security + +# yamllint disable-line rule:truthy on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See + branch_protection_rule: # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '43 7 * * 3' push: - branches: [ "main" ] + branches: + - "main" # Declare default permissions as read only. permissions: read-all @@ -32,12 +36,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0 with: results_file: results.sarif results_format: sarif @@ -59,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4.3.4 with: name: SARIF file path: results.sarif 
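Review bot: The comment `# To guarantee Maintained check is occasionally updated. See` appears to have been moved onto the `branch_protection_rule:` line, so it and the following `#maintained` link now read as describing branch protection instead of the `schedule:` trigger they belong to. Keep it on its own lines directly above `schedule:`: `branch_protection_rule:` / `# To guarantee Maintained check is occasionally updated. See` / `# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained`. The collapsed layout of this hunk makes the exact placement hard to read, so confirm against the rendered file before changing it.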
@@ -67,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3 with: sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 300f0774..91b72554 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -2,18 +2,19 @@ name: Build and Test # yamllint disable-line rule:truthy -on: +on: pull_request: + jobs: build: runs-on: ubuntu-latest - + steps: - - uses: actions/checkout@v3 - + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3 + - name: Use Node - uses: actions/setup-node@v3 + uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3 with: node-version: '17.x' @@ -23,5 +24,5 @@ jobs: - name: Build site run: npm run build - # - name: Run tests - # run: npm run test +# - name: Run tests +# run: npm run test diff --git a/.gitignore b/.gitignore index 939ce5cf..8e263226 100644 --- a/.gitignore +++ b/.gitignore @@ -120,3 +120,6 @@ web_modules/ _site public node_modules + +megalinter-reports +reports diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 00000000..6e3de8c9 --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,21 @@ + +title = "gitleaks config" + +[extend] +# useDefault will extend the base configuration with the default gitleaks config: +# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml +useDefault = true + +[allowlist] + description = "Allowlisted files" + paths = [ + '''.automation/test''', + '''megalinter-reports''', + '''.github/linters''', + '''node_modules''', + '''.mypy_cache''', + '''(.*?)gitleaks\.toml$''', + '''(?i)(.*?)(png|jpeg|jpg|gif|doc|docx|pdf|bin|xls|xlsx|pyc|zip)$''', + '''(go.mod|go.sum)$'''] + + 
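Review bot: test.yml is left without a `permissions:` block while every sibling workflow in this change either sets `read-all` (scorecard.yml) or an explicit block, so this job keeps whatever the repository's default `GITHUB_TOKEN` scopes are. The visible steps only check out, install Node and run `npm run build`, so add `permissions:` / `  contents: read` after the `on:` stanza to pin least privilege and keep the workflows consistent. Line 1 of the file is outside the hunk, so whether it received the `---` document marker the other workflows got cannot be confirmed here.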
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 00000000..3c442f39
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,14 @@
+---
+fail-on-severity: "high"
+
+exclude:
+  - './node_modules/**'
+  - './.git/**'
+  - './.github/**'
+  - './_site/**'
+
+ignore:
+
+  # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail
+  # @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225
+  - vulnerability: CVE-2018-20225
diff --git a/.markdown-link-check.json b/.markdown-link-check.json
new file mode 100644
index 00000000..afee61b2
--- /dev/null
+++ b/.markdown-link-check.json
@@ -0,0 +1,10 @@
+{
+  "retryOn429": true,
+  "retryCount": 5,
+  "aliveStatusCodes": [200, 203],
+  "ignorePatterns": [
+    {
+      "pattern": "^https?://github.com/"
+    }
+  ]
+}
diff --git a/.markdownlint.yaml b/.markdownlint.yaml
new file mode 100644
index 00000000..456a141d
--- /dev/null
+++ b/.markdownlint.yaml
@@ -0,0 +1,27 @@
+---
+blanks-around-fences: false
+blanks-around-headings: false
+blanks-around-lists: false
+code-fence-style: false
+emphasis-style: false
+heading-start-left: false
+hr-style: false
+list-indent: false
+list-marker-space: false
+no-blanks-blockquote: false
+no-hard-tabs: false
+no-missing-space-atx: false
+no-missing-space-closed-atx: false
+no-multiple-blanks: false
+no-multiple-space-atx: false
+no-multiple-space-blockquote: false
+no-multiple-space-closed-atx: false
+no-trailing-spaces: false
+ol-prefix: false
+strong-style: false
+ul-indent: false
+
+MD013:
+  line_length: 999
+  heading_line_length: 999
+  code_block_line_length: 999
diff --git a/.mega-linter.yml b/.mega-linter.yml
new file mode 100644
index 00000000..b442c93d
--- /dev/null
+++ b/.mega-linter.yml
@@ -0,0 +1,57 @@
+---
+# don't test the reports Mega-Linter created, docs, or test files
+ADDITIONAL_EXCLUDED_DIRECTORIES: [
+  report,
+  megalinter-reports,
+  docs,
+  node_modules,
+  _site,
+]
+
+# don't lint test files or documentation
+FILTER_REGEX_EXCLUDE: (.venv/|/test/|\.test\.|_test\.|/docs/|/index.html|.github/.*\.html)
+
+# don't scan files listed in .gitignore (e.g., node_modules)
+IGNORE_GITIGNORED_FILES: true
+
+# Disable devskim as it's reporting an error with no log message
+DISABLE_LINTERS:
+  [
+    REPOSITORY_DEVSKIM,
+    SPELL_MISSPELL,
+    SPELL_CSPELL,
+    SPELL_PROSELINT,
+    COPYPASTE_JSCPD,
+    BASH_EXEC,
+  ]
+
+# only scan new / updated files, not everything
+VALIDATE_ALL_CODEBASE: true
+
+# don't print the alpaca -- it's cute, but we don't need it in the logs
+PRINT_ALPACA: false
+
+# write a SARIF file
+SARIF_REPORTER: true
+
+# don't fail on finding (yet)
+DISABLE_ERRORS: true
+
+# use prettier for JavaScript code formatting
+JAVASCRIPT_DEFAULT_STYLE: prettier
+
+# only scan the files in This commit, not the entire history of the repo
+REPOSITORY_GITLEAKS_ARGUMENTS: --no-git
+
+# don't lint the generated code in the docs/ directory
+REPOSITORY_DEVSKIM_ARGUMENTS: "--skip-git-ignored-files"
+
+# shfmt will..
+# - use multiples of 2 spaces for indenting
+# - alllow binary operations to start new lines
+# - indent switch case statements
+# - place spaces around redirections
+# - keep column alignment padding
+BASH_SHFMT_ARGUMENTS: -i 2 -bn -ci -sr -kp
+
+REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--exclude-paths=.trufflehogignore"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..471fe145
--- /dev/null
+++ b/.pre-commit-config.yaml
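Review bot: `VALIDATE_ALL_CODEBASE: true` contradicts the comment above it (`# only scan new / updated files, not everything`), and the workflow's `env:` also forces the same key to `true`, so either the comment should read `# scan the whole repository on every run, not just changed files` or the value should be `false`. More importantly, `DISABLE_ERRORS: true` is global, so a gitleaks or trufflehog hit only lands in the report and never fails the run; if MegaLinter's per-linter override is available in the pinned v7, re-enable failure for the secret scanners with `REPOSITORY_GITLEAKS_DISABLE_ERRORS: false` and `REPOSITORY_TRUFFLEHOG_DISABLE_ERRORS: false` while the rest stays advisory. `REPOSITORY_DEVSKIM_ARGUMENTS` is dead configuration while `REPOSITORY_DEVSKIM` sits in `DISABLE_LINTERS`, and its comment (`# don't lint the generated code in the docs/ directory`) does not describe `--skip-git-ignored-files`; drop the line or fix the comment when devskim is re-enabled.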
@@ -0,0 +1,43 @@
+---
+# pre-commit is a linter runner and GitHub hook manager
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+# Run `pre-commit autoupdate` now and then, why don't ya?
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: c4a0b883114b00d8d76b479c820ce7950211c99b # frozen: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+        args: [--markdown-linebreak-ext=md]
+      - id: mixed-line-ending
+        args: ["--fix=lf"]
+      - id: end-of-file-fixer
+        exclude: \.idea$
+      - id: check-added-large-files
+        args: ["--maxkb=2200"]
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: check-yaml
+        files: \.ya?ml$
+      - id: check-json
+        files: \.json$
+      - id: check-xml
+        files: \.xml$
+
+  # So we allow this hook to pass if there are no creds
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: c4a0b883114b00d8d76b479c820ce7950211c99b # frozen: v4.5.0
+    hooks:
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+
+  # Scan for secrets
+  - repo: https://github.com/zricethezav/gitleaks
+    rev: e815c559e3ac76227e8e7463cf3a6598b715687b # frozen: v8.18.1
+    hooks:
+      - id: gitleaks-docker
+        name: Detect hardcoded secrets
+        description: Detect hardcoded secrets using Gitleaks
+        language: docker_image
+        entry: zricethezav/gitleaks:v8.15.0 protect --verbose --redact --staged
diff --git a/.trufflehogignore b/.trufflehogignore
new file mode 100644
index 00000000..6b8710a7
--- /dev/null
+++ b/.trufflehogignore
@@ -0,0 +1 @@
+.git
diff --git a/.yamllint.yaml b/.yamllint.yaml
new file mode 100644
index 00000000..30fb4bae
--- /dev/null
+++ b/.yamllint.yaml
@@ -0,0 +1,10 @@
+---
+extends: default
+
+ignore-from-file: [".gitignore"]
+
+rules:
+  comments:
+    min-spaces-from-content: 1
+  line-length:
+    max: 999
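Review bot: The gitleaks hook's `entry:` hard-codes the image `zricethezav/gitleaks:v8.15.0`, so the `rev: e815c559… # frozen: v8.18.1` pin above it does not govern which scanner actually runs, and a bare tag is mutable and can be re-pushed upstream. Align the tag with the pinned release and pin the image by digest, e.g. `entry: zricethezav/gitleaks:v8.18.1@sha256:<digest of that tag> protect --verbose --redact --staged`, with a comment `# keep rev and the image tag in step; pre-commit autoupdate only bumps rev`. The two `pre-commit-hooks` entries share the same `rev` and could be merged into one, since `--allow-missing-credentials` only affects the `detect-aws-credentials` hook.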