The command line output for this one didn't give enough information to know what the actual problem was. Also it seems like it might be a false positive since in my case the robotstxt variable was actually already set and I was still getting this error.

Why is this a bad thing? I did disable it anyway though.

When the Google Analytics UA code is correctly configured, you still get this error:

Google Analytics is not configured correctly. Code snippet after is not correct - want , ga('create', 'UA-54970022-1', 'auto', {'name': 'govcms'}); ga('govcms.send', 'pageview', {'anonymizeIp': true}); but got ,

Tests to ensure the site is correctly configured google analytics.

those didn't come up in the report. Granted I should have remembered to do that however it would be good for the report to have a module whitelist that it checks against.

this is intentional and is actual content. I can't really think of many situations where this error would return files that could just be deleted as they weren't actually needed.

There is not enough context here to do anything with this information. Even the HTML output doesn't give any more insight

he option suggested here doesn't work when using the 'Do a "Search" with custom path instead of a Drupal Search when a 404 occurs' option.

The fs:largeFiles check (https://drutiny.github.io/2.3.x/audits/DrutinyAuditFilesystem/#largefiles)
uses a variant of the find command that is not natively supported on busybox (it requires https://pkgs.alpinelinux.org/package/v3.9/main/x86/findutils to provide the -M size option and the printf command)

As such, it should be disabled in the checks until the apk has been added to the images.

https://github.com/govCMS/audit-site/blob/7.x-3.x/Profiles/d7-full.profile.yml#L135-L138
https://github.com/govCMS/audit-site/blob/7.x-3.x/Profiles/d8-full.profile.yml#L136-L139

In the meantime, the Drupal:largeFiles check provides file sizes via the database.

There is not enough information here to know what this is referring to.

Getting the following issues that don't seem to have any way of rectifying. Hoping answers here will assist others.

1.The following modules are not enabled: govcms_tweaks.
There is no module called 'govcms_tweaks' as at 7-x-2.20

2. Page cache max-age is not set above 300 seconds. Currently set to 0.
   Where is this set and how can it be changed?

3. Robots.txt is not set correctly, currently set to #
   As previously discussed, how can this by fixed?

4. Compress cached pages (page_compression) is enabled.
   Only things compressed are CSS and Javascript. How can this be fixed?

5. Could not determine missing modules.
   What module is missing (maybe the govcms_tweak module)?

6. Search is using the database. Currently 51 nodes in 1 database index.
   Correct, so what is wrong?

Can a site audit be submitted with errors, even when there are false negative issues?

As per https://drutiny.github.io/2.3.x/audits/DrutinyAuditFilesystem/

this reference to path should be directory

https://github.com/govCMS/audit-site/blob/7.x-3.x/Profiles/d8-full.profile.yml#L175

This audit should run different checks if being run by a site builder than if run by GovCMS.

Some of the issues that come out of the report are things that the site builder cannot mitigate, so they should not be shown to those users.

I suggest a flag that can be set to run in different modes.

There are quite a few profiles there, so it would be useful to know what the difference between them is without having to dig into the actual script diffs.

There is not sufficient information to fix this. I only enabled this module because the audit told me to. I feel this is something that should be done on the GovCMS / Acquia end of the forklift process.

Some modules that require server configuration that may not be available on the development version. It would make more sense for you to enable these during the forklift process. Also, some modules aren't part of GovCMS, i.e. the site factory modules and govcms_tweaks so couldn't be enabled.

Upon running the report, I get:

User #1 Locked Down Failed 
It is important to lock down user #1 in Drupal, this user is special an ignores access control.
User #1 is not secure.
Email address '[email protected]' is not set correctly.
Remediation
Change the username to be random, set the email address to go nowhere, set the password to something secure.

How can I set the email address "to go nowhere"? I have specified multiple combinations but have not been able to move past this.

parent issue at drutiny/drutiny#98

Instructions are very light on for someone new to this.

Also running command:

wget https://github.com/govCMS/audit-site/releases/download/7.x-3.x-beta2/audit.phar

results in the following:

--2019-10-24 13:20:55-- https://github.com/govCMS/audit-site/releases/download/7.x-3.x-beta2/audit.phar
Resolving github.com (github.com)... 13.237.44.5
Connecting to github.com (github.com)|13.237.44.5|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-10-24 13:20:55 ERROR 404: Not Found.

As this is an integral part of the forklift process are there plans to fix this and make it easiest to carry out?

We should add https://drutiny.github.io/2.3.x/audits/DrutinyAuditDrupal/#moduleupdatestatus to a scheduled check for updates and log the result.

This seems redundant since GovCMS change these details during forklift. Also the values that GovCMS set are in direct conflict with this item.

When running an audit, I get:

Page Cache Control Max Age Failed 
Ensure you page cache expiry is set to an optimal level for best performance.
Page cache max-age is not set above 300 seconds. Currently set to 0.
Remediation
Set the variable page_cache_maximum_age to be greater than 300.

However when running drush vget page_cache_maximum_age I get:

page_cache_maximum_age: 300

Is there something I am doing wrong here?

Due to the dynamic nature of the files directory it is not a good idea to link direct to files with /sites/default/files/etc paths.

If you configure Linkit for file entities so that URL type is 'URL type' or 'Download file link' then you are going to end up with those direct file paths in your content, which may later break.

It would be good to raise a notice about this setting if it is configured in a potentially risky way.

Due to the flexibility of Search API it doesn't matter in this case which backend we had it set to because there is no solr specific config in there. All that needs to be done is edit the index and change the server to your Acquia server, then re-index. That can't be done on our end anyway we don't have the server details.

@fiasco ,

I'm not able to get this running. I'm on an ubuntu vm, I've run the steps in the README, I've checked the alias and I'm getting these errors when I try and run:
$

PHP Warning:  require(/path/to/audit-site/vendor/seanhamlin/site-audit/bin/../vendor/autoload.php): failed to open stream: No such file or directory in /path/to/audit-site/vendor/seanhamlin/site-audit/bin/site-audit on line 13
PHP Stack trace:
PHP   1. {main}() /path/to/audit-site/vendor/seanhamlin/site-audit/bin/site-audit:0
PHP Fatal error:  require(): Failed opening required '/path/to/audit-site/vendor/seanhamlin/site-audit/bin/../vendor/autoload.php' (include_path='.:/usr/share/php:/usr/share/pear') in /path/to/audit-site/vendor/seanhamlin/site-audit/bin/site-audit on line 13
PHP Stack trace:
PHP   1. {main}() /path/to/audit-site/vendor/seanhamlin/site-audit/bin/site-audit:0

This is purposely not set yet and we have the required permissions to configure it later so I don't think it should necessarily be a requirement for forklift.

Large images on websites lead to longer load times, and wherever possible, they could (and should) be optimised.

This policy would utilise one of the Drutiny filesystem audits https://drutiny.github.io/2.3.x/audits/DrutinyAuditFilesystem/ to check specifically for the presence of image files over a predefined size

https://github.com/govCMS/scaffold-tooling/blob/master/scripts/tests/govcms-audit

We don't know what the URL is going to be yet so this cannot be set yet.