This repository has been using Travis CI, however access to Travis CI is now turning off. When you need to use this repository again, convert it to a CI/CD system which is in the ITSP such as Circle CI.

A few issues:

• Team API development has been stalled for a while (for various reasons), and the data isn't getting updated.
• We are overriding the Team API data for most entries in targets.json, so there's cognitive and technical complexity in merging the data.
• The Team API isn't relevant for projects not created/maintained by 18F, so there's diminishing benefit as we open up Compliance Toolkit to a broader range of users.
• This project will likely need to point to staging URLs rather than production (as scanning sites can be destructive/disruptive), so Compliance Toolkit will want a different list of URLs than the ones teams provide for the Team API.

@mtorres253 FYI!

Short of Concourse having additional features to handle what I'm calling multi-object builds, having the large number of groups in a single pipeline is no longer working; for starters, the group names no longer wrap, so the ones off to the right are no longer clickable.

Since Concourse now supports teams (and #127 will recommend having a dedicated team for these scans), I suggest we instead generate one pipeline per site, rather than one group per site. There are tradeoffs (like not being able to easily pause all at once), but I think it's worthwhile.

Almost all of the repos provide 'at a glance' information for static code analysis (Code Climate, Quantified Code, etc) via a badging mechanism. The same should be possible for ZAP scan information.

This applies to:

• Static security analysis
• Dependency analysis

We cover this in https://pages.18f.gov/before-you-ship/security/static-analysis/, and I think it still makes sense to rely on external service(s) like Gemnasium for this, but would be helpful to have [links to] all of the information in one place. Maybe an MVP is having the ability to display badges from the various services?

The results, according to https://compliance-viewer.18f.gov/results/c2/current, should be (0/2/290/0).
The build results show that there should be 2 HIGH alerts.

Related to https://trello.com/c/y63dRvhw/133-investigate-c2-scans-always-showing-as-new-results

This is potentially a capitalization issue, but may also be related to the way the scanner returns high results directly instead of waiting for the call to alerts.

https://18f.slack.com/archives/compliance-toolkit/p1461964310000617 and https://18f.slack.com/archives/dap/p1461963187000393

Static sites have a different security profile than a dynamic one. We should tune the scans to match.

Hearing about every single scan ends up being a lot of noise. Reduce it to only be the changes, the same as would be posted in the project channels.

Seems to be consistent across all new projects after following the new project steps. In filter-project-data:

/tmp/build/af6792a7/scripts/lib/team_data_filterer.rb:32:in `initialize': No such file or directory @ rb_sysopen - /tmp/build/af6792a7/project-data/project.json (Errno::ENOENT)
    from /tmp/build/af6792a7/scripts/lib/team_data_filterer.rb:32:in `new'
    from /tmp/build/af6792a7/scripts/lib/team_data_filterer.rb:32:in `read_json'
    from ./scripts/tasks/filter-project-data/task.rb:6:in `<main>'

e.g. https://ci.cloud.gov/pipelines/zap/jobs/zap-ondemand-cg-landing/builds/2

/cc @dlapiduz

As a user with zero or limited ruby experience, would like to make sure every step is explicitly written out.

• Local testing
• Deploying the pipeline to https://ci.cloud.gov

resource script '/opt/resource/check []' failed: exit status 1

stderr:
failed to fetch digest: 401 Unauthorized

This sort of error appears to be a random docker/concourse error, not related to the actual job of running scans. Is this something that we can catch or retry?

http://ci-tooling.cloud.gov/pipelines/zap/jobs/zap-scheduled-openopps/builds/1
https://trello.com/c/5FGAUZtq/135-increase-reliability-of-individual-scans

I added c2 in the targets.json, which caused me to get

WARN: `c2` is missing from Team API data.

in Concourse.

The project's name in the Team API is C2. Confusingly (but only tangentially related), https://team-api.18f.gov/public/api/projects/C2/ returns a 404, but https://team-api.18f.gov/public/api/projects/c2/ returns successfully.

...or integrating with tools like

• https://pulse.cio.gov/
• https://observatory.mozilla.org/

Right now, we build the pipeline with ERB, but just realized the Cloud Foundry community has a tool for doing templated YAML:

https://github.com/cloudfoundry-incubator/spiff

ZAP has been harder to work with than expected...we should look into alternatives.

Lists

• http://alternativeto.net/software/zed-attack-proxy/
• https://www.owasp.org/index.php/Appendix_A:_Testing_Tools#General_Testing
• https://www.quora.com/What-tools-can-be-used-as-an-alternative-of-Burp-Suite

Specifics

• Arachni
• Burp
• Gryffin

• Remove unused tasks/pipelines
• Put tasks/pipelines into respective folders

@DavidEBest Happy to help with this – any quick pointers on which aren't needed?

Would be really nice to be able to automatically verify that a pipeline works in a pull request (and have the commit status updated), without needing to take the contributor's word for it or pulling down and running the pipeline locally. Not sure how difficult this would be to do.

As a pipeline developer, I'd like to have commits merged to master pushed to the Concourse server.

It seems like regardless of Pipeline Resource there is a chicken/egg problem re: deploying pipelines and security. This is currently blocked, due to authorization issues.
Some discussion here: https://concourseci.slack.com/archives/general/p1459011568001972

We saw this problem before, when we were relying on the new session command to loop over all the projects. When I ran fly intercept I found that it was stuck in ZAP, attempting to create a new session.

The ATF project consists of two VERY LARGE sites. I feel that there might be a bug with the new session creation code when there is a lot of data in the previous session. A possible work around/test to run would be to remove the new session mechanism, and just recreate the ZAP instance for every site. That'll incur a greater startup penalty, but that is less of a concern now that we aren't looping over all the projects within a single session.

http://ci-tooling.cloud.gov/pipelines/zap/jobs/zap-scheduled-atf-eregs/builds/1

https://trello.com/c/od2IZwIu/134-atf-eregs-scan-hangs-creating-a-new-zap-session

This repository is difficult to remember/find...maybe something like compliance-viewer-pipeline would make more sense? Or maybe we should actually merge this into https://github.com/18F/compliance-viewer? That being said, "Compliance Viewer" could be more aptly named "Compliance Checker" or something...

The rubocop config we have is good, but too strict in some ways for running on test code. We should create a more relaxed version for running on the tests.

Could have sworn we had an issue about this already, but would be helpful for the automated scans to also include accessibility checks.

https://pages.18f.gov/accessibility/tools/#automated-testing

This is in master.
If a site to be scanned does not have

1. any results in s3-bucket/results
2. any cached versions in Concourse

It will hang forever on waiting for a suitable set of input versions

More info + screenshots here: https://18f.slack.com/archives/compliance-toolkit/p1461085625000067

Currently, that task reports "No links" for a number of projects that we want to ignore:

No `links` for about_yml.
No `links` for authdelegate.
No `links` for 18f-identity.
No `links` for dodsbir-scrape.
No `links` for fec-cms.
No `links` for fec-style.
No `links` for hmacauth.
No `links` for laptop.
No `links` for openFEC-web-app.
No `links` for SBIR-EZ.
No `links` for sbirez.
No `links` for team_api.
No `links` for uscis.
https://team-browser.18f.gov/ is NOT up.
https://18f.gsa.gov/team-browser/ is NOT up.
https://www.google.com/calendar/embed?src=gsa.gov_0samf7guodi7o2jhdp0ec99aks%40group.calendar.google.com&ctz=America/Los_Angeles is NOT up.
https://team-browser.18f.gov/team-browser/ is NOT up.

Issues identified in that list:

• SBIR-EZ is a defunct project.
  • Is there a good way to indicate this in the about.yml?
• about_yml and laptop don't have standalone sites—should links include a reference to the repository? We might want to say explicitly one way or another in the about.yml instructions.

Ideas for improvement:

• Reach out to projects/teams where the about.yml seems out-of-date
• Filter by status
  • I see this in some of the entries in /projects, but it's not listed in the instructions.
• Filter by ____?
  • My initial thinking was "oh, there's just some field

Resources:

• https://github.com/18F/about_yml/blob/master/template.yml
• https://github.com/18F/about_yml/#cheat-sheet

@mtorres253 @ertzeid @ccostino The background here is that I'm pulling a list of URLs from the links provided in the Projects list of the Team API, for automatically checking if the sites are up, doing security scans, etc. Any advice on how to do better filtering of that list?

Broken out from 18F/before-you-ship#158.

There are several standardized Code Climate scanning engines that should be compatible with Concourse.CI, given recent changes (codeclimate/codeclimate#299 (comment)). When/if we move to do more static code analysis in house it'd be beneficial to use them.

Ideas:

• Only accept a single URL per target
• Convert to YAML instead of JSON

https://github.com/18F/concourse-compliance-testing/blob/master/config/targets.json

Tracking what's needed for this trello card:
https://trello.com/c/b3QE1wod/67-as-a-user-i-want-to-be-notified-if-my-zap-alerts-change

• Blocked by cloud-gov/s3-resource-simple#5
• Download and Rename last results from S3
• Move Result Scanner into tasks/, add a README, etc.
• Run Result Scanner over last+current.
• Address CodeClimate violations for ResultScanner

Can we add:

• cloud.gov
• login.cloud.gov / uaa.cloud.gov
• docs.cloud.gov
• logs.cloud.gov
• ci.cloud.gov
• api.cloud.gov
• console.cloud.gov
• metrics.cloud.gov
• community.cloud.gov

To the regular scans?

Thanks!

Slack notifications are useful for 18F users, but outside users would need a different notification mechanism.

Related to https://github.com/18F/writing-lab/issues/162

Improve the format of the slack notifications and provide some explanation text.

@cmc333333 mentioned getting a lot of noise in the channel:

Need to investigate why it's changing so much scan-to-scan.

We actively encourage sites to use dap for analytics. That means every site is getting dinged for correct behavior. We should add a mechanism to whitelist that domain. https://18f.slack.com/archives/dap/p1461960521000388

Seems like we may be trying to achieve overlapping things in the long term...we should see if there's a way we can combine efforts, or at the very least make sure there's not duplicate work.

https://github.com/18F/domain-scan/

/cc @konklone @mogul @adelevie

filter-project-data step seems to be broken for all jobs 😢

https://ci.cloud.gov/pipelines/zap/jobs/zap-scheduled-cg-landing/builds/14

/tmp/build/af6792a7/scripts/lib/team_data_filterer.rb:32:in `initialize': No such file or directory @ rb_sysopen - /tmp/build/af6792a7/project-data/project.json (Errno::ENOENT)
    from /tmp/build/af6792a7/scripts/lib/team_data_filterer.rb:32:in `new'
    from /tmp/build/af6792a7/scripts/lib/team_data_filterer.rb:32:in `read_json'
    from ./scripts/tasks/filter-project-data/task.rb:6:in `<main>'