<
If you're new to Rails, see the Getting Started with Rails guide for an introduction to the framework.
brew bundle
xattr -d com.apple.quarantine $(which chromedriver)
(this is the only option if you are on Big Sur)bundle install
yarn install
bundle exec rake db:setup
bin/dev
Environment variables can be set in development using the dotenv gem.
Consistent but sensitive credentials should be added to config/credentials.yml.enc
by using $ rails credentials:edit
Production credentials should be added to config/credentials/production.yml.enc
by using $ rails credentials:edit --environment production
Any changes to variables in .env
that should not be checked into git should be set
in .env.local
.
If you wish to override a config globally for the test
Rails environment you can set it in .env.test.local
.
However, any config that should be set on other machines should either go into .env
or be explicitly set as part
of the test.
TBD
<script>
and <style>
securityThe system's Content-Security-Policy header prevents <script>
and <style>
tags from working without further
configuration. Use <%= javascript_tag nonce: true %>
for inline javascript.
See the CSP compliant script tag helpers ADR for more information on setting these up successfully.
We use the gem i18n-tasks
to manage locale files. Here are a few common tasks:
Add missing keys across locales:
$ i18n-tasks missing # shows missing keys
$ i18n-tasks add-missing # adds missing keys across locale files
Key sorting:
$ i18n-tasks normalize
Removing unused keys:
$ i18n-tasks unused # shows unused keys
$ i18n-tasks remove-unused # removes unused keys across locale files
For more information on usage and helpful rake tasks to manage locale files, see the documentation.
bundle exec rake spec
bundle exec rake standard
./bin/pa11y-scan
./bin/owasp-scan
bundle exec rake brakeman
bundle exec rake bundler:audit
bundle exec rake yarn:audit
Run everything: bundle exec rake
When new pages are added to the application, ensure they are added to ./pa11y.js
so that they can be scanned.
To enable automatic ruby linting and terraform formatting on every git commit
follow the instructions at the top of .githooks/pre-commit
GitHub actions are used to run all tests and scans as part of pull requests.
Security scans are also run on a scheduled basis. Weekly for static code scans, and daily for dependency scans.
Each environment has dependencies on a PostgreSQL RDS instance managed by cloud.gov. See cloud.gov docs for information on RDS.
Deploys to staging, including applying changes in terraform, happen
on every push to the main
branch in GitHub.
The following secrets must be set within the staging
environment secrets
to enable a deploy to work:
Secret Name | Description |
---|---|
CF_USERNAME |
cloud.gov SpaceDeployer username |
CF_PASSWORD |
cloud.gov SpaceDeployer password |
RAILS_MASTER_KEY |
config/master.key |
TERRAFORM_STATE_ACCESS_KEY |
Access key for terraform state bucket |
TERRAFORM_STATE_SECRET_ACCESS_KEY |
Secret key for terraform state bucket |
Deploys to production, including applying changes in terraform, happen
on every push to the production
branch in GitHub.
The following secrets must be set within the production
environment secrets
to enable a deploy to work:
Secret Name | Description |
---|---|
CF_USERNAME |
cloud.gov SpaceDeployer username |
CF_PASSWORD |
cloud.gov SpaceDeployer password |
RAILS_MASTER_KEY |
config/credentials/production.key |
TERRAFORM_STATE_ACCESS_KEY |
Access key for terraform state bucket |
TERRAFORM_STATE_SECRET_ACCESS_KEY |
Secret key for terraform state bucket |
All configuration that needs to be added to the deployed application's ENV should be added to
the env:
block in manifest.yml
Items that are both public and consistent across staging and production can be set directly there.
Otherwise, they are set as a ((variable))
within manifest.yml
and the variable is defined depending on sensitivity:
--var
addition to the cf_command
line on the deploy action like the existing rails_master_key
Configuration that changes from staging to production, but is public, should be added to config/deployment/staging.yml
and config/deployment/production.yml
Traffic to be delivered to the public internet or s3 must be proxied through the cg-egress-proxy app.
To deploy the proxy manually:
config/deployment/egress_proxy
bin/ops/deploy_egress_proxy.rb -s rahearn -a continuous_monitoring-staging
bin/ops/deploy_egress_proxy.rb -s rahearn -a continuous_monitoring-production
See the ruby troubleshooting doc first if you have any problems making outbound connections through the proxy.
Traffic to be delivered to the public internet must be proxied through the cg-egress-proxy app. Hostnames that the app should be able to
reach should be added to the allowlist
terraform configuration in terraform/staging/main.tf
and terraform/production/main.tf
See the ruby troubleshooting doc first if you have any problems making outbound connections through the proxy.
Auditree is used within CI/CD to validate that certain controls are in place.
bin/auditree
to start the auditree CLI.bin/auditree SCRIPT_NAME
to run a single auditree scriptThese steps must happen once per project.
bin/auditree init > config/auditree.template.json
AUDITREE_GITHUB_TOKEN
secret within your Github Actions secrets.config/auditree.template.json
with the repo addresses for your locker and code reposdevtools_cloud_gov
component definition into the project with the latest docker-trestleSee the auditree-devtools README for help with updating auditree and using new checks.
Security Controls should be documented within doc/compliance/oscal.
bin/trestle
to start the trestle CLI.bin/trestle SCRIPT_NAME
to run a single trestle scriptThese steps must happen once per project.
bin/trestle
cloud_gov
component to the local workspace with copy-component -n cloud_gov
generate-ssp-markdown
See the docker-trestle README for help with the workflow for using those scripts for editing the SSP.
Architectural Decision Records (ADR) are stored in doc/adr
To create a new ADR, first install ADR-tools if you don't
already have it installed.
brew bundle
or brew install adr-tools
Then create the ADR:
adr new Title Of Architectural Decision
This will create a new, numbered ADR in the doc/adr
directory.
Compliance diagrams are stored in doc/compliance
. See the README there for more information on
generating diagram updates.
This will continue to evolve as the project moves forward.
TBD