val → prod

.env_example

@@ -22,6 +22,7 @@ stageEnrollmentCountsTableArn=local_nonsense_if_unset_we_search_CF_for
 DYNAMODB_URL=http://localhost:8000
 COGNITO_USER_POOL_ID=placeholder
 COGNITO_USER_POOL_CLIENT_ID=placeholder
+POST_SIGNOUT_REDIRECT=http://localhost:3000/
 API_URL=http://localhost:3030/local
 S3_LOCAL_ENDPOINT=http://localhost:4569
 S3_ATTACHMENTS_BUCKET_NAME=local-uploads

.github/workflows/git-secrets.yaml

@@ -0,0 +1,11 @@
+name: gitleaks
+on: [pull_request, push, workflow_dispatch]
+jobs:
+  gitleaks-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Run gitlakes docker	    
+      uses: docker://zricethezav/gitleaks
+      with:
+        args: detect --source /github/workspace/ --no-git --verbose

.github/workflows/schedule-jira-sync.yml

@@ -21,7 +21,7 @@ jobs:
           aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
           role-to-assume: ${{ secrets.PRODUCTION_SYNC_OIDC_ROLE }}
       - name: Sync Security Hub and Jira
-        uses: Enterprise-CMCS/[email protected].1
+        uses: Enterprise-CMCS/mac-fc-[email protected].3
         with:
           jira-token: ${{ secrets.JIRA_SERVICE_USER_TOKEN }}
           jira-username: ${{ secrets.JIRA_SERVICE_USERNAME }}

.github/workflows/snyk-test.yml

@@ -0,0 +1,57 @@
+name: Snyk Scan and Report
+
+on:
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "0 4 * * *" # run every day at midnight
+
+permissions:
+  id-token: write
+
+jobs:
+  snyk_run:
+    name: Snyk Run (for PR and push)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+
+      - name: Install Snyk and Run Snyk test
+        run: |
+          npm install -g snyk
+          snyk test --all-projects --json > snyk_output.txt || true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  snyk_nightly_run:
+    name: Snyk Nightly Run (for nightly cron with JIRA)
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule'
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v2
+
+      - name: Install Snyk and Run Snyk test
+        run: |
+          npm install -g snyk
+          snyk test --all-projects --json > snyk_output.txt || true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: use the custom github  action to parse Snyk output
+        uses: Enterprise-CMCS/[email protected]
+        with:
+          jira-username: ${{ secrets.JIRA_SERVICE_USERNAME }}
+          jira-token: ${{ secrets.JIRA_SERVICE_USER_TOKEN }}
+          jira-host: "qmacbis.atlassian.net"
+          jira-project-key: "MDCT"
+          jira-issue-type: "Task"
+          jira-custom-field-key-value: '{ "customfield_10007" : "MDCT-2280", "customfield_14154" : [{"id": "16958", "value": "CARTS"}] }'
+          jira-labels: "CARTS,snyk"
+          jira-title-prefix: "[CARTS] - Snyk :"
+          assign-jira-ticket-to: "620e936fa715c6006914c7d2" # pragma: allowlist secret (Jira user ID for Rehman)
+          scan-output-path: "snyk_output.txt"
+          scan-type: "snyk"

.gitleaks.toml

@@ -0,0 +1,2 @@
+[allowlist]
+  files = [ "*.test.json" ]

.pre-commit-config.yaml

@@ -29,3 +29,12 @@ repos:
           - services/uploads/src/test.json
           - --exclude-files
           - tests/cypress/cypress.json
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    # Ruff version.
+    rev: v0.0.272
+    hooks:
+      - id: ruff
+  - repo: https://github.com/zricethezav/gitleaks
+    rev: v8.12.0
+    hooks:
+      - id: gitleaks

.snyk

@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JS-JSON5-3182856:
+    - '*':
+        reason: None Given
+        expires: 2023-05-18T00:00:00.000Z
+        created: 2023-05-16T13:38:44.312Z
+patch: {}