diff --git a/.circleci/config.yml b/.circleci/config.yml
index f81a95f7c..570208f2f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -271,11 +271,11 @@ job-build: &job-build
 no_output_timeout: 30m
 # Optionally run Shipshape audit.
 - when:
- condition: $SHIPSHAPE_RUN_AUDIT == 1
+ condition: << parameters.shipshape_run_audit >>
 steps:
 - run:
 name: Audit code with shipshape
- command: docker compose exec -T cli sh -c "/usr/local/bin/shipshape -o junit > /app/.logs/test_results/shipshape-results.xml" || [ "${DREVOPS_CI_SHIPSHAPE_IGNORE_FAILURE:-0}" -eq 1 ]
+ command: docker compose exec -T cli sh -c "/usr/local/bin/shipshape -e -o junit > /app/.logs/test_results/shipshape-results.xml" || [ "${DREVOPS_CI_SHIPSHAPE_IGNORE_FAILURE:-0}" -eq 1 ]
 - run:
 name: Process test logs and artifacts
 command: |
@@ -367,6 +367,10 @@ jobs:
 # GovCMS profile, no sub-theme.
 build-govcms:
 <<: *runner_config
+ parameters:
+ shipshape_run_audit:
+ default: true
+ type: env_var_name
 environment:
 DRUPAL_PROFILE: govcms
 CIVICTHEME_SUBTHEME_ACTIVATION_SKIP: 1
diff --git a/shipshape.yml b/shipshape.yml
index 25fcc2d17..7a57c08d3 100644
--- a/shipshape.yml
+++ b/shipshape.yml
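Review bot: The new `condition: << parameters.shipshape_run_audit >>` gates the audit on a job parameter that the second hunk declares as `type: env_var_name` with `default: true`; that type carries the name of an environment variable rather than a boolean, so the condition is evaluated on a string and, as far as I read CircleCI's truthiness rules, any non-empty name (even `false`) keeps the audit enabled, leaving callers no way to switch it off. Declaring it as `type: boolean` with `default: true` (applied in the `build-govcms` parameters of the second hunk) gives the on/off switch the parameter name promises. The condition line also sits inside the shared `job-build: &job-build` anchor, so any other job that merges `*job-build` without declaring `shipshape_run_audit` would fail config validation; only `build-govcms` declares it in this diff and the other jobs are outside my view. The added `-e` flag changes what the trailing `|| [ "${DREVOPS_CI_SHIPSHAPE_IGNORE_FAILURE:-0}" -eq 1 ]` is guarding, and I cannot confirm the flag's meaning from the diff, so a comment such as `# -e: make findings fail the step unless DREVOPS_CI_SHIPSHAPE_IGNORE_FAILURE=1 — confirm flag semantics` above the run step would record the intent.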
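Review bot: The new `shipshape_run_audit` parameter on `build-govcms` carries no `description`, so a pipeline author reading this job cannot tell that it controls the Shipshape audit step inherited from the `job-build` anchor or what the default means. A one-line `description: Whether to run the Shipshape audit step in this job.` next to `default: true` documents the toggle where it is declared. The audit step itself is defined in the first hunk, outside this one.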
@@ -98,143 +98,143 @@ checks:
 # truthy: true
 # - key: required_roles.authenticated
 # value: authenticated
-# - name: '[FILE] Ensure only admins can register accounts'
-# file: user.settings.yml
-# ignore-missing: true
-# path: config/default
-# values:
-# - key: register
-# value: admin_only
-# - name: '[FILE] Ensure CSS & JS aggregations are enabled'
-# file: system.performance.yml
-# ignore-missing: true
-# path: config/default
-# values:
-# - key: css.preprocess
-# value: true
-# truthy: true
-# - key: js.preprocess
-# value: true
-# truthy: true
-# - name: '[FILE] Ensure no error log displayed'
-# file: system.logging.yml
-# ignore-missing: true
-# path: config/default
-# values:
-# - key: error_level
-# value: hide
-# - name: '[FILE] Detect module files in theme folder'
-# pattern: '.*.info.yml'
-# ignore-missing: true
-# path: 'themes'
-# values:
-# - key: type
-# value: theme
-# drush-yaml:
-# - name: '[DATABASE] Validate active install profile'
-# command: 'config:get --include-overridden core.extension'
-# config-name: core.extension
-# values:
-# - key: profile
-# value: govcms
-# - name: '[DATABASE] Validate active TFA'
-# severity: high
-# command: 'config:get --include-overridden tfa.settings'
-# config-name: tfa.settings
-# values:
-# - key: enabled
-# value: true
-# truthy: true
-# - key: required_roles.authenticated
-# value: authenticated
-# - name: '[DATABASE] Ensure only admins can register accounts'
-# command: 'config:get --include-overridden user.settings'
-# config-name: user.settings
-# values:
-# - key: register
-# value: admin_only
-# - name: '[DATABASE] Ensure CSS & JS aggregations are enabled'
-# command: 'config:get --include-overridden system.performance'
-# config-name: system.performance
-# values:
-# - key: css.preprocess
-# value: true
-# truthy: true
-# - key: js.preprocess
-# value: true
-# truthy: true
-# - name: '[DATABASE] Ensure no error log displayed'
-# command: 'config:get --include-overridden system.logging'
-# config-name: user.settings
-# values:
-# - key: error_level
-# value: hide
-# drupal-file-module:
-# - name: '[FILE] Verify enabled modules'
-# severity: high
-# path: config/default
-# required:
-# - govcms_security
-# - httpav
-# - lagoon_logs
-# - tfa
-# disallowed:
-# - clamav
-# - dblog
-# - devel
-# - module_permissions_ui
-# - statistics
-# - update
-# - redirect_404
-# - name: '[FILE] Deprecated modules'
-# path: config/default
-# required: []
-# disallowed:
-# - redirect_404
-# drupal-db-module:
-# - name: '[DATABASE] Active modules audit'
-# severity: high
-# required:
-# - govcms_security
-# - httpav
-# - lagoon_logs
-# - tfa
-# disallowed:
-# - clamav
-# - dblog
-# - devel
-# - module_permissions_ui
-# - statistics
-# - update
-# - redirect_404
-# - name: '[DATABASE] Deprecated modules'
-# required: []
-# disallowed:
-# - redirect_404
-# drupal-db-permissions:
-# - name: '[DATABASE] Disallowed permissions on active site'
-# severity: high
-# disallowed:
-# - administer config permissions
-# - administer modules
-# - administer permissions
-# - administer seckit
-# - administer site configuration
-# - administer software updates
-# - import configuration
-# - synchronize configuration
-# - use PHP for google analytics tracking visibility
-# drupal-role-permissions:
-# - name: '[DATABASE] Authenticated role check'
-# severity: high
-# rid: 'authenticated'
-# required-permissions:
-# - 'setup own tfa'
-# drupal-admin-user:
-# - name: '[DATABASE] Active user roles admin check'
-# severity: high
-# drupal-user-forbidden:
-# - name: '[DATABASE] Active User 1 check'
+ - name: '[FILE] Ensure only admins can register accounts'
+ file: user.settings.yml
+ ignore-missing: true
+ path: config/default
+ values:
+ - key: register
+ value: admin_only
+ - name: '[FILE] Ensure CSS & JS aggregations are enabled'
+ file: system.performance.yml
+ ignore-missing: true
+ path: config/default
+ values:
+ - key: css.preprocess
+ value: true
+ truthy: true
+ - key: js.preprocess
+ value: true
+ truthy: true
+ - name: '[FILE] Ensure no error log displayed'
+ file: system.logging.yml
+ ignore-missing: true
+ path: config/default
+ values:
+ - key: error_level
+ value: hide
+ - name: '[FILE] Detect module files in theme folder'
+ pattern: '.*.info.yml'
+ ignore-missing: true
+ path: 'themes'
+ values:
+ - key: type
+ value: theme
+ drush-yaml:
+ - name: '[DATABASE] Validate active install profile'
+ command: 'config:get --include-overridden core.extension'
+ config-name: core.extension
+ values:
+ - key: profile
+ value: govcms
+ - name: '[DATABASE] Validate active TFA'
+ severity: high
+ command: 'config:get --include-overridden tfa.settings'
+ config-name: tfa.settings
+ values:
+ - key: enabled
+ value: true
+ truthy: true
+ - key: required_roles.authenticated
+ value: authenticated
+ - name: '[DATABASE] Ensure only admins can register accounts'
+ command: 'config:get --include-overridden user.settings'
+ config-name: user.settings
+ values:
+ - key: register
+ value: admin_only
+ - name: '[DATABASE] Ensure CSS & JS aggregations are enabled'
+ command: 'config:get --include-overridden system.performance'
+ config-name: system.performance
+ values:
+ - key: css.preprocess
+ value: true
+ truthy: true
+ - key: js.preprocess
+ value: true
+ truthy: true
+ - name: '[DATABASE] Ensure no error log displayed'
+ command: 'config:get --include-overridden system.logging'
+ config-name: user.settings
+ values:
+ - key: error_level
+ value: hide
+ drupal-file-module:
+ - name: '[FILE] Verify enabled modules'
+ severity: high
+ path: config/default
+ required:
+ - govcms_security
+ - httpav
+ - lagoon_logs
+ - tfa
+ disallowed:
+ - clamav
+ - dblog
+ - devel
+ - module_permissions_ui
+ - statistics
+ - update
+ - redirect_404
+ - name: '[FILE] Deprecated modules'
+ path: config/default
+ required: []
+ disallowed:
+ - redirect_404
+ drupal-db-module:
+ - name: '[DATABASE] Active modules audit'
+ severity: high
+ required:
+ - govcms_security
+ - httpav
+ - lagoon_logs
+ - tfa
+ disallowed:
+ - clamav
+ - dblog
+ - devel
+ - module_permissions_ui
+ - statistics
+ - update
+ - redirect_404
+ - name: '[DATABASE] Deprecated modules'
+ required: []
+ disallowed:
+ - redirect_404
+ drupal-db-permissions:
+ - name: '[DATABASE] Disallowed permissions on active site'
+ severity: high
+ disallowed:
+ - administer config permissions
+ - administer modules
+ - administer permissions
+ - administer seckit
+ - administer site configuration
+ - administer software updates
+ - import configuration
+ - synchronize configuration
+ - use PHP for google analytics tracking visibility
+ drupal-role-permissions:
+ - name: '[DATABASE] Authenticated role check'
+ severity: high
+ rid: 'authenticated'
+ required-permissions:
+ - 'setup own tfa'
+ drupal-admin-user:
+ - name: '[DATABASE] Active user roles admin check'
+ severity: high
+ drupal-user-forbidden:
+ - name: '[DATABASE] Active User 1 check'
 yamllint:
 - name: '[FILE] Yaml lint platform files'
 severity: high
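Review bot: The re-enabled `[DATABASE] Ensure no error log displayed` check pairs `command: 'config:get --include-overridden system.logging'` with `config-name: user.settings`, while every other drush-yaml entry in this hunk names the same config object in both fields, so this reads as a copy-paste slip carried over from the commented-out version. If shipshape uses `config-name` to locate the object in drush's output (I cannot confirm the semantics from this diff), the `error_level` assertion would be evaluated against the wrong object and could pass or fail for the wrong reason; the line should read `config-name: system.logging`. These checks were previously comments and are now live audit rules, so it is worth cross-checking this one against the `[FILE]` variant above it, which reads `system.logging.yml`.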