Benefit Finder Release v0.5.0.beta.1 (Sprint 36)

benefit-finder/.husky/commit-msg → .githooks/commit-msg

@@ -1,6 +1,4 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
+#!/bin/bash
 COMMIT_MESSAGE_FILE="$1"
 COMMIT_MESSAGE="$(cat $1)"
 COMMITPREFIX=$(git branch | grep '*' | sed 's/* //')

.githooks/pre-commit

@@ -0,0 +1,85 @@
+#!/bin/bash
+## Set the root directory in the pipeline
+ROOT_DIR=$(git rev-parse --show-toplevel)
+CURRENT_DIR="${PWD##*/}"
+
+JS_APP_DIR=benefit-finder
+IS_JS_APP=false
+USAGOV_APP_DIR=usagov-2021
+
+echo "Current directory ${CURRENT_DIR}"
+
+STAGED_FILES=$(git diff-index --cached --name-only HEAD)
+
+for file in $STAGED_FILES; do
+  # Check if file is located in the JS_APP_DIR
+  echo "Found stagged file: $file"
+  if [[ $file == *$JS_APP_DIR* ]]; then
+    IS_JS_APP=true
+  fi
+done
+
+# run custom actions for our JS App
+if [ $IS_JS_APP = true ]; then
+    echo "Found a JS application file, running front end task(s)"
+    # echo "running processes on staged files"
+    cd $ROOT_DIR/$JS_APP_DIR && npm run lint-staged
+    if [ $? -eq 0 ]; then
+        echo "Process succeeded."
+        cd $ROOT_DIR
+    else
+        echo "Process failed."
+        exit 1
+    fi
+fi
+
+# Check if Python 3 is installed and install if not
+if ! command -v python3 &> /dev/null; then
+    echo "Python 3 is not installed. Attempting to install Python 3..."
+    brew install python3 || { echo "Failed to install Python 3. Please install it manually."; exit 1; }
+fi
+# Check if venv module is available in Python, install if not
+if ! python3 -c "import venv" &> /dev/null; then
+    echo "venv module is not available. Python installation might not support venv."
+    exit 1
+fi
+# Set up Python virtual environment
+if [ ! -d ".venv" ]; then
+    python3 -m venv .venv
+    echo "Virtual environment created."
+else
+    echo "Virtual environment already exists."
+fi
+source .venv/bin/activate
+# Check if TruffleHog3 is installed and install if not
+if ! command -v trufflehog3 &> /dev/null; then
+    echo "TruffleHog3 is not installed. Installing TruffleHog3..."
+    pip install trufflehog3 || { echo "Failed to install TruffleHog3. Please install it manually."; exit 1; }
+fi
+# Check if jq is installed and install if not
+if ! command -v /opt/homebrew/bin/jq &> /dev/null; then
+    echo "jq is not installed. Installing jq..."
+    brew install jq || { echo "Failed to install jq. Please install it manually."; exit 1; }
+fi
+# Determine the branch name locally
+BRANCH_NAME=$(git symbolic-ref --short HEAD)
+if [ -z "$BRANCH_NAME" ]; then
+    echo "Failed to determine the branch name. Ensure you are in a Git repository."
+    exit 1
+fi
+
+echo "Scanning branch: $BRANCH_NAME"
+# TruffleHog3 Scan on local branch files
+trufflehog3 --no-history --no-entropy --severity MEDIUM -vv -r rules.yml --format json --output truffleHogResults.json || true
+# Prepare for result checking
+# Check for secrets in the results
+CONTENT=$(/opt/homebrew/bin/jq 'length' $ROOT_DIR/truffleHogResults.json)
+if [ "$CONTENT" -eq 0 ]; then
+    rm $ROOT_DIR/truffleHogResults.json
+    echo "No secrets found. Commit is safe."
+    exit 0
+else
+    echo "Secrets detected! Commit blocked."
+    echo "Please review and resolve issues."
+    exit 1
+fi

.githooks/pre-push

@@ -0,0 +1,25 @@
+#!/bin/bash
+## Set the root directory in the pipeline
+ROOT_DIR=$(git rev-parse --show-toplevel)
+JS_APP_DIR=benefit-finder
+
+COMMITTED_FILES=$(git diff --name-only HEAD~1..HEAD )
+
+echo $COMMITTED_FILES
+
+# run custom actions for our JS App
+for file in $COMMITTED_FILES; do
+  # Check file extension or content, or run a custom script
+  echo "Found committed file: $file"
+  if [[ $file == *$JS_APP_DIR* ]]; then
+    echo "running processes on committed files"
+    cd $ROOT_DIR/$JS_APP_DIR && CI=true npm run test:coverage
+    # check to see if process failed
+    if [ $? -eq 0 ]; then
+        echo "Process succeeded."
+    else
+        echo "Process failed."
+        exit 1
+    fi
+  fi
+done

.github/workflows/test-cypress-prod-links.yml

@@ -33,6 +33,14 @@ jobs:
           config-file: cypress.prod.links.config.js
           working-directory: benefit-finder
 
+      - name: Prod Artifact(s)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: Prod cypress screenshots
+          path: ./benefit-finder/cypress/screenshots
+
+
       - name: create github issue
         uses: dacbd/create-issue-action@main
         if: failure()

.github/workflows/test-cypress.yml

@@ -40,6 +40,13 @@ jobs:
           build: "npm run cy:build:storybook"
           start: "npm run cy:run:pipeline"
 
+      - name: Chrome Artifact(s)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: Chrome cypress screenshots
+          path: ./benefit-finder/cypress/screenshots    
+
   tests-firefox:
     runs-on: ubuntu-latest
     steps:
@@ -65,6 +72,13 @@ jobs:
           build: "npm run cy:build:storybook"
           start: "npm run cy:run:pipeline"
 
+      - name: Firefox Artifact(s)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: Firefox cypress screenshots
+          path: ./benefit-finder/cypress/screenshots  
+
   tests-edge:
     runs-on: ubuntu-latest
     steps:
@@ -89,6 +103,13 @@ jobs:
           env: NODE_ENV=test
           build: "npm run cy:build:storybook"
           start: "npm run cy:run:pipeline"
+
+      - name: Edge Artifact(s)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: Edge cypress screenshots
+          path: ./benefit-finder/cypress/screenshots
 
   tests-webkit:
     runs-on: ubuntu-latest
@@ -110,7 +131,7 @@ jobs:
         uses: cypress-io/github-action@v6
         with:
           working-directory: ./benefit-finder
-          build: npx playwright install-deps webkit
+          build: npx playwright-webkit install-deps
           runTests: false
 
       - name: Cypress run (WebKit)
@@ -123,6 +144,13 @@ jobs:
           build: "npm run cy:build:storybook"
           start: "npm run cy:run:pipeline"
 
+      - name: Webkit Artifact(s)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: Webkit cypress screenshots
+          path: ./benefit-finder/cypress/screenshots
+
   tests-components:
     runs-on: ubuntu-latest
     steps:
@@ -147,3 +175,10 @@ jobs:
           browser: chrome
           env: NODE_ENV=test
           build: "npm run cy:prebuild:storybook"
+
+      - name: Component Artifact(s)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        with:
+          name: Component cypress screenshots
+          path: ./benefit-finder/cypress/screenshots  

.github/workflows/thog_scan_commit.yml

@@ -1,11 +1,15 @@
 name: TruffleHog Scan
 
 on:
+  workflow_call:
   push:
     branches:
       - main
-      - develop
+      - dev
   pull_request:
+    branches:
+      - main
+      - dev
 
 jobs:
   scan:
@@ -17,67 +21,87 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Install basic dependancies
+        run: ./scripts/pipeline/deb-basic-deps.sh
+
+      - name: Install AWSCLI
+        run: ./scripts/pipeline/awscli-install.sh
+
+      - name: Install Cloudfoundry CLI
+        run: ./scripts/pipeline/deb-cf-install.sh
+
       - name: Install GitHub CLI
         run: |
           sudo apt-get update
           sudo apt-get install -y gh
 
+      - name: Determine the branch name
+        id: determine-branch
+        run: |
+          if [ "${{ github.event_name }}" == "pull_request" ]; then
+            echo "BRANCH=${{ github.event.pull_request.head.ref }}" >> $GITHUB_ENV
+          else
+            echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+          fi
+
       - name: Authenticate GitHub CLI
         env:
           GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
         run: |
           gh auth setup-git
 
-      - name: Run TruffleHog scan
-        id: trufflehog_scan
-        uses: trufflesecurity/[email protected]
-        with:
-          base: ""
-          head: ${{ github.ref_name }}
-          extra_args: --only-verified --json --entropy --max-depth=50
-        continue-on-error: true
-
-      - name: Check TruffleHog Results
-        id: check_results
+      - name: Install TruffleHog3
         run: |
-          if [ -f truffleHogResults.json ]; then
-            echo "file_exists=true" >> $GITHUB_ENV
-          else
-            echo "file_exists=false" >> $GITHUB_ENV
-          fi
-
-      - name: Upload TruffleHog scan results
-        if: always() && env.file_exists == 'true'
-        uses: actions/upload-artifact@v3
-        with:
-          name: trufflehog-results
-          path: truffleHogResults.json
+          pip install trufflehog3
 
-      - name: Convert JSON to Readable Report
-        if: always() && env.file_exists == 'true'
+      - name: TruffleHog3 Scan
+        id: scan
         run: |
-          jq -r '.results[] | "File: \(.path)\nCommit: \(.commit)\nDate: \(.date)\nReason: \(.reason)\n---------------------------"' truffleHogResults.json > truffleHogReport.txt
+          echo "Scanning branch: $BRANCH"
+          trufflehog3 --branch $BRANCH --no-entropy --severity MEDIUM -vv -c .trufflehog3.yml -r rules.yml --format json --output truffleHogResults.json  || true
+          trufflehog3 -R truffleHogResults.json --output truffleHogReport.html
 
-      - name: Upload Readable Report
-        if: always() && env.file_exists == 'true'
-        uses: actions/upload-artifact@v3
-        with:
-          name: trufflehog-readable-report
-          path: truffleHogReport.txt
+      - name: Cloud.gov login
+        env:
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+        run: |
+          source ./scripts/pipeline/cloud-gov-login.sh
 
-      - name: Check for findings and create issue
-        if: failure() && env.file_exists == 'true'
+      - name: Upload Trufflehog Results
+        id: check_file
+        shell: bash
         env:
-          GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          CF_USER: "${{ secrets.CF_USER }}"
+          CF_PASSWORD: "${{ secrets.CF_PASSWORD }}"
+          CF_ORG: "${{ secrets.CF_ORG }}"
+          PROJECT: "${{ secrets.PROJECT }}"
+          DATABASE_BACKUP_BASTION_NAME: "${{ secrets.DATABASE_BACKUP_BASTION_NAME }}"
         run: |
-          if jq -e '.results | length > 0' truffleHogResults.json > /dev/null; then
-            echo "Secrets found. Creating GitHub issue."
-            gh issue create --title "TruffleHog Scan Results" --body "$(cat truffleHogReport.txt)" --label "bug,security" --assignee "@me"
-            exit 1
+          export TIMESTAMP=$(date --utc +%FT%TZ | tr ':', '-')
+          mv truffleHogResults.json truffleHogResults-${TIMESTAMP}.json
+          mv truffleHogReport.html truffleHogReport-${TIMESTAMP}.html
+          source ./scripts/pipeline/s3-thog-upload.sh
+          CONTENT=$(jq 'length' truffleHogResults-${TIMESTAMP}.json)
+          if [ "$CONTENT" -eq 0 ]; then
+            echo "No content found in JSON. Setting Skip to true."
+            echo "::set-output name=skip::true"
+          exit 0
           else
-            echo "No secrets found or no results file."
+            echo "Content found in JSON. Proceeding."
+            echo "::set-output name=skip::false"
           fi
 
+      - name: If findings found, create issue
+        if: steps.check_file.outputs.skip == 'false'
+        env:
+          GITHUB_TOKEN: ${{ secrets.ADD_TO_PROJECT_PAT }}
+        run: |
+          echo "Secrets found. Creating GitHub issue."
+          gh issue create --title "CREDS FOUND: TruffleHog Scan Results" --body "Please see backup s3 for TruffleHog Results" --label "bug,security" --assignee "@me"
+
       - name: Fail the job if any secrets are found
-        if: steps.trufflehog_scan.outcome == 'failure'
+        if: steps.check_file.outputs.skip == 'false'
         run: exit 1

.gitignore

@@ -55,4 +55,6 @@ backups/*.sql.gz
 **.log
 
 **restore.txt
-**backup.txt
+**backup.txt
+truffleHogResults.json
+.venv

.trufflehog3.yml

@@ -0,0 +1,22 @@
+exclude: # exclude matching issues
+  - message: Exclude Test Files, False Positives, and Compressed Files.
+    paths:
+      - rules.yml
+      - .trufflehog3.yml
+      - aws/**
+      - fake_creds.txt
+      - truffleHogResults.json
+      - bears-app/package.json
+      - .circleci/config.yml
+      - "**/*.png"
+      - "**/*.zip"
+      - "**/*.tar.gz"
+      - "**/*.deb"
+      - "**/*.so"
+      - "**/*.so."
+      - benefit-finder/storybook-static
+      - benefit-finder/themes
+      - benefit-finder/node_modules
+      - benefit-finder/build
+      - usagov-2021
+      - .venv