From a68e6bdeb3179745f8127737272093b5cf47dcdf Mon Sep 17 00:00:00 2001 From: Keith Kennedy Date: Mon, 30 Oct 2023 11:30:17 +0000 Subject: [PATCH 1/5] Updated documentation to: - remove references to GigHub pages - mention codeowners in PR section of CONTRIBUTING.md - updated documentation on raising a security issue - provide detail of technical decisions related to migrating repo and hosting --- CONTRIBUTING.md | 6 +++--- README.md | 2 +- SECURITY.md | 4 +++- .../technical-decision-log.md | 12 +++++++----- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d5a2c96a..40accc1d 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -75,7 +75,7 @@ When creating a PR, use the appropriate template checklists for code and content ### Who can merge your PR -Any 2 of the maintainers on this repo are needed to accept your change. +Any 2 of the maintainers on this repo are needed to review and accept your change and at least 1 reviewer must be a [code owner](https://github.com/UKHomeOffice/engineering-guidance-and-standards/blob/main/CODEOWNERS). ## Your PR is merged! @@ -106,13 +106,13 @@ The following actions are performed for each PR: PRs must only be approved after they pass the above checks. -We are deploying the site to [GitHub pages](https://pages.github.com/). +We are deploying the site to a Docker container. ## Branching ### Branching strategy -We are using a simple trunk based strategy. There is only a single environment being used, as GitHub pages does not support more than 1 active site. +We are using a simple trunk based strategy. ### Review diff --git a/README.md b/README.md index 97c97e3e..c893951f 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ This is the home of engineering guidance and standards for the Home Office. Learn more about this project on the [about page](https://engineering.homeoffice.gov.uk/about/). -It is built using Markdown, GOV.UK templates, HO styles, the x-gov Eleventy Plugin, GitHub Actions and GitHub pages. +It is built using Markdown, GOV.UK templates, HO styles, the [x-gov Eleventy Plugin](https://x-govuk.github.io/govuk-eleventy-plugin/) and GitHub Actions. ## Requirements diff --git a/SECURITY.md b/SECURITY.md index 971b4adc..42656880 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,9 @@ ## Report a security vulnerability -You can report a vulnerability to the Home Office Engineering Guidance and Standards team through the [repository's security advisory page](https://github.com/UKHomeOffice/engineering-guidance-and-standards/security/advisories/new). +You can report a vulnerability to the Home Office Engineering Guidance and Standards team using the following methods: +- Raise an issue on the [repository's security advisory page](https://github.com/UKHomeOffice/engineering-guidance-and-standards/security/advisories/new) +- Email [segas@digital.homeoffice.gov.uk](mailto:segas@digital.homeoffice.gov.uk) Please enter as much information as possible in your report, this will help us better triage the vulnerability. diff --git a/technical-docs/architecture-decision-records/technical-decision-log.md b/technical-docs/architecture-decision-records/technical-decision-log.md index e7fc41f1..e0d667f1 100644 --- a/technical-docs/architecture-decision-records/technical-decision-log.md +++ b/technical-docs/architecture-decision-records/technical-decision-log.md 
@@ -1,8 +1,10 @@ # Technical Decision Log | Issue# | Description | Notes | Decision | Decision Date | Further Information | -|--------|-----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------------------| -| N/A (Initial repository creation) | Choice of static site generator | Considered use of the [GDS Tech Docs Template](https://github.com/alphagov/tech-docs-template) (Ruby based) and the [x-Gov Eleventy Plugin](https://github.com/x-govuk/govuk-eleventy-plugin) (Node.js based). Both options easily configurable and restyled, Eleventy plugin receives slightly more regular and recent maintenance. | Use the x-Gov Eleventy Plugin for creation of this site, due to better inhouse familiarity with Node.js and better record of plugin maintenance. | 2022-05-17 | None | -| 66 | Add secret scanning to GitHub repository | GitHub provides secret scanning functionality. Users will receive alerts on GitHub for detected secrets, keys, or other tokens. Push protection can be enabled which will block commits that contain [supported secrets](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets). These settings can be found within the settings section "Code security and analysis". | Enable "Secret scanning" with "Push protection" within repository settings. 
Organisation administrators, repository administrators and teams with the security manager role will receive alerts when scan detects a secret. | 2023-06-01 | None | -| 65 | Add dependency vulnerability scanning using Dependabot to GitHub repository | GitHib provides dependency vulnerability scanning functionality. [Dependabot can be configured to automatically raise pull requests](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | Dependabot configured to scan npm dependencies daily and github-actions dependencies weekly. These differ due to anticipated update cadence. | 2023-06-02 | None | -| 130 | Ignore phase banner being outside landmark regions | Those elements being outside a landmark region is a moderate level failure. It is not considered to be a high priority issue by the Gov.uk design system team. See [Github issue where phase banner and landmarks is discussed](https://github.com/alphagov/govuk-frontend/issues/1604). We will revisit this decision as part of a planned review of the site design as a whole. | Axe-core has been configured to ignore elements with a `data-axe-exclude` attribute. This has been added to the phase banner and breadcrumbs. 
| 2023-06-16 | None | +|--------|-----------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------|---------------------| +| N/A (Initial repository creation) | Choice of static site generator | Considered use of the [GDS Tech Docs Template](https://github.com/alphagov/tech-docs-template) (Ruby based) and the [x-Gov Eleventy Plugin](https://github.com/x-govuk/govuk-eleventy-plugin) (Node.js based). Both options easily configurable and restyled, Eleventy plugin receives slightly more regular and recent maintenance. | Use the x-Gov Eleventy Plugin for creation of this site, due to better inhouse familiarity with Node.js and better record of plugin maintenance. | 2022-05-17 | None | +| 66 | Add secret scanning to GitHub repository | GitHub provides secret scanning functionality. Users will receive alerts on GitHub for detected secrets, keys, or other tokens. Push protection can be enabled which will block commits that contain [supported secrets](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets). These settings can be found within the settings section "Code security and analysis". | Enable "Secret scanning" with "Push protection" within repository settings. 
Organisation administrators, repository administrators and teams with the security manager role will receive alerts when scan detects a secret. | 2023-06-01 | None | +| 65 | Add dependency vulnerability scanning using Dependabot to GitHub repository | GitHib provides dependency vulnerability scanning functionality. [Dependabot can be configured to automatically raise pull requests](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | Dependabot configured to scan npm dependencies daily and github-actions dependencies weekly. These differ due to anticipated update cadence. | 2023-06-02 | None | +| 130 | Ignore phase banner being outside landmark regions | Those elements being outside a landmark region is a moderate level failure. It is not considered to be a high priority issue by the Gov.uk design system team. See [Github issue where phase banner and landmarks is discussed](https://github.com/alphagov/govuk-frontend/issues/1604). We will revisit this decision as part of a planned review of the site design as a whole. | Axe-core has been configured to ignore elements with a `data-axe-exclude` attribute. This has been added to the phase banner and breadcrumbs. | 2023-06-16 | None | +| 72 | Moving hosting application on Home Office platform from GitHub Pages | In order to host the site under a Home Office domain (https://engineering.homeoffice.gov.uk), we are required to host the site on the Home Office platform. | Deployment actions updated to deploy to Home Office platform. 
| 2023-06-13 | None | +| 72 | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice) organisation from [HO CTO](https://github.com/HO-CTO/) | Migration of repository was required to allow hosting of application on the Home Office platform (see previous decision log item) | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice//engineering-guidance-and-standards). The [previous repository location](https://github.com/HO-CTO/engineering-guidance-and-standards) has been updated to provide a redirection to the new location. | 2023-06-13 | None | From 06daf4eca2085fada128f5fb1f1fcd53727d1f10 Mon Sep 17 00:00:00 2001 From: Keith Kennedy Date: Mon, 30 Oct 2023 11:33:34 +0000 Subject: [PATCH 2/5] Minor text correction --- .../architecture-decision-records/technical-decision-log.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/technical-docs/architecture-decision-records/technical-decision-log.md b/technical-docs/architecture-decision-records/technical-decision-log.md index e0d667f1..389afac9 100644 --- a/technical-docs/architecture-decision-records/technical-decision-log.md +++ b/technical-docs/architecture-decision-records/technical-decision-log.md 
@@ -6,5 +6,5 @@ | 66 | Add secret scanning to GitHub repository | GitHub provides secret scanning functionality. Users will receive alerts on GitHub for detected secrets, keys, or other tokens. Push protection can be enabled which will block commits that contain [supported secrets](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets). These settings can be found within the settings section "Code security and analysis". | Enable "Secret scanning" with "Push protection" within repository settings. Organisation administrators, repository administrators and teams with the security manager role will receive alerts when scan detects a secret. | 2023-06-01 | None | | 65 | Add dependency vulnerability scanning using Dependabot to GitHub repository | GitHib provides dependency vulnerability scanning functionality. [Dependabot can be configured to automatically raise pull requests](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | Dependabot configured to scan npm dependencies daily and github-actions dependencies weekly. These differ due to anticipated update cadence. | 2023-06-02 | None | | 130 | Ignore phase banner being outside landmark regions | Those elements being outside a landmark region is a moderate level failure. It is not considered to be a high priority issue by the Gov.uk design system team. See [Github issue where phase banner and landmarks is discussed](https://github.com/alphagov/govuk-frontend/issues/1604). We will revisit this decision as part of a planned review of the site design as a whole. | Axe-core has been configured to ignore elements with a `data-axe-exclude` attribute. This has been added to the phase banner and breadcrumbs. 
| 2023-06-16 | None | -| 72 | Moving hosting application on Home Office platform from GitHub Pages | In order to host the site under a Home Office domain (https://engineering.homeoffice.gov.uk), we are required to host the site on the Home Office platform. | Deployment actions updated to deploy to Home Office platform. | 2023-06-13 | None | -| 72 | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice) organisation from [HO CTO](https://github.com/HO-CTO/) | Migration of repository was required to allow hosting of application on the Home Office platform (see previous decision log item) | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice//engineering-guidance-and-standards). The [previous repository location](https://github.com/HO-CTO/engineering-guidance-and-standards) has been updated to provide a redirection to the new location. | 2023-06-13 | None | +| 72 | Moving hosting application on Home Office platform from GitHub Pages | In order to host the site under a Home Office domain (https://engineering.homeoffice.gov.uk), we are required to host the site on the Home Office platform. | Deployment actions updated to deploy to Home Office platform. | 2023-06-13 | None | +| 72 | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice) organisation from [HO CTO](https://github.com/HO-CTO/) | Migration of repository was required to allow hosting of application on the Home Office platform (see previous decision log item). | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice//engineering-guidance-and-standards). The [previous repository location](https://github.com/HO-CTO/engineering-guidance-and-standards) has been updated to provide a redirection to the new location. | 2023-06-13 | None | From b22c34277265adab08f7ccb5674402ec954d3172 Mon Sep 17 00:00:00 2001 
From: edhamiltonHO <92923571+edhamiltonHO@users.noreply.github.com> Date: Mon, 30 Oct 2023 13:55:45 +0000 Subject: [PATCH 3/5] replaced out of sequence section on reporting security vulnerability --- CONTRIBUTING.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 40accc1d..04ce85ae 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -30,6 +30,7 @@ We will now look at the process we expect contributors to take when suggesting f - propose a new principle - propose a new standard - review any existing content + - report a security vulnerability ### Solve an issue @@ -57,12 +58,6 @@ Make sure you pull your fork and switch to your new branch to do these changes. Don't forget to commit and push your changes to your forked repo ready for the contribution! -## Security vulnerability - -### Report a security vulnerability - -You can report a security vulnerability to the Home Office Engineering Guidance and Standards team using the [repository's security advisory page](https://github.com/UKHomeOffice/engineering-guidance-and-standards/security/advisories/new). - ## Pull Requests When you're finished with your changes you should create a pull request, commonly known as a PR. From b47d8bfca0d7bc3b8646aae73bf10f3e95f2d20d Mon Sep 17 00:00:00 2001 From: Keith Kennedy <133027753+keithkennedyHO@users.noreply.github.com> Date: Mon, 30 Oct 2023 15:07:13 +0000 Subject: [PATCH 4/5] Update technical-docs/architecture-decision-records/technical-decision-log.md Co-authored-by: Robert Deniszczyc <72561986+robertdeniszczyc2@users.noreply.github.com> --- .../architecture-decision-records/technical-decision-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/technical-docs/architecture-decision-records/technical-decision-log.md b/technical-docs/architecture-decision-records/technical-decision-log.md index 389afac9..61182108 100644 
--- a/technical-docs/architecture-decision-records/technical-decision-log.md +++ b/technical-docs/architecture-decision-records/technical-decision-log.md 
@@ -7,4 +7,4 @@ | 65 | Add dependency vulnerability scanning using Dependabot to GitHub repository | GitHib provides dependency vulnerability scanning functionality. [Dependabot can be configured to automatically raise pull requests](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | Dependabot configured to scan npm dependencies daily and github-actions dependencies weekly. These differ due to anticipated update cadence. | 2023-06-02 | None | | 130 | Ignore phase banner being outside landmark regions | Those elements being outside a landmark region is a moderate level failure. It is not considered to be a high priority issue by the Gov.uk design system team. See [Github issue where phase banner and landmarks is discussed](https://github.com/alphagov/govuk-frontend/issues/1604). We will revisit this decision as part of a planned review of the site design as a whole. | Axe-core has been configured to ignore elements with a `data-axe-exclude` attribute. This has been added to the phase banner and breadcrumbs. | 2023-06-16 | None | | 72 | Moving hosting application on Home Office platform from GitHub Pages | In order to host the site under a Home Office domain (https://engineering.homeoffice.gov.uk), we are required to host the site on the Home Office platform. | Deployment actions updated to deploy to Home Office platform. | 2023-06-13 | None | -| 72 | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice) organisation from [HO CTO](https://github.com/HO-CTO/) | Migration of repository was required to allow hosting of application on the Home Office platform (see previous decision log item). | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice//engineering-guidance-and-standards). 
The [previous repository location](https://github.com/HO-CTO/engineering-guidance-and-standards) has been updated to provide a redirection to the new location. | 2023-06-13 | None | +| 72 | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice) organisation from [HO CTO](https://github.com/HO-CTO/) | Migration of repository was required to allow hosting of application on the Home Office platform (see previous decision log item). | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice/engineering-guidance-and-standards). The [previous repository location](https://github.com/HO-CTO/engineering-guidance-and-standards) has been updated to provide a redirection to the new location. | 2023-06-13 | None | From 5b850def7b29a0a855f61a52ae7be69076bd2a55 Mon Sep 17 00:00:00 2001 From: edhamiltonHO <92923571+edhamiltonHO@users.noreply.github.com> Date: Mon, 30 Oct 2023 16:46:21 +0000 Subject: [PATCH 5/5] Clarified language on move to home office platform Co-authored-by: Jeff Horton <87995501+jeff-horton-ho-sas@users.noreply.github.com> --- .../architecture-decision-records/technical-decision-log.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/technical-docs/architecture-decision-records/technical-decision-log.md b/technical-docs/architecture-decision-records/technical-decision-log.md index 61182108..baf2bc9d 100644 --- a/technical-docs/architecture-decision-records/technical-decision-log.md +++ b/technical-docs/architecture-decision-records/technical-decision-log.md 
@@ -6,5 +6,5 @@ | 66 | Add secret scanning to GitHub repository | GitHub provides secret scanning functionality. Users will receive alerts on GitHub for detected secrets, keys, or other tokens. Push protection can be enabled which will block commits that contain [supported secrets](https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns#supported-secrets). These settings can be found within the settings section "Code security and analysis". | Enable "Secret scanning" with "Push protection" within repository settings. Organisation administrators, repository administrators and teams with the security manager role will receive alerts when scan detects a secret. | 2023-06-01 | None | | 65 | Add dependency vulnerability scanning using Dependabot to GitHub repository | GitHib provides dependency vulnerability scanning functionality. [Dependabot can be configured to automatically raise pull requests](https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates). | Dependabot configured to scan npm dependencies daily and github-actions dependencies weekly. These differ due to anticipated update cadence. | 2023-06-02 | None | | 130 | Ignore phase banner being outside landmark regions | Those elements being outside a landmark region is a moderate level failure. It is not considered to be a high priority issue by the Gov.uk design system team. See [Github issue where phase banner and landmarks is discussed](https://github.com/alphagov/govuk-frontend/issues/1604). We will revisit this decision as part of a planned review of the site design as a whole. | Axe-core has been configured to ignore elements with a `data-axe-exclude` attribute. This has been added to the phase banner and breadcrumbs. 
| 2023-06-16 | None | -| 72 | Moving hosting application on Home Office platform from GitHub Pages | In order to host the site under a Home Office domain (https://engineering.homeoffice.gov.uk), we are required to host the site on the Home Office platform. | Deployment actions updated to deploy to Home Office platform. | 2023-06-13 | None | +| 72 | Switch to hosting the site on a Home Office platform from GitHub Pages | In order to host the site under a Home Office domain (https://engineering.homeoffice.gov.uk), we are required to host the site on the Home Office application container platform. | Deployment actions updated to deploy to Home Office platform. | 2023-06-13 | None | | 72 | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice) organisation from [HO CTO](https://github.com/HO-CTO/) | Migration of repository was required to allow hosting of application on the Home Office platform (see previous decision log item). | Migration of repository to [UK Home Office](https://github.com/UKHomeOffice/engineering-guidance-and-standards). The [previous repository location](https://github.com/HO-CTO/engineering-guidance-and-standards) has been updated to provide a redirection to the new location. | 2023-06-13 | None |
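Review bot: In PATCH 1/5, CONTRIBUTING.md "Who can merge your PR" hunk, the new rule ("at least 1 reviewer must be a code owner") does not say whether it is enforced or just expected, so a contributor cannot tell a convention from a hard gate. If branch protection on `main` has "Require review from Code Owners" turned on, say so in the same sentence; if it does not, that is the gap to close before documenting the rule. The `blob/main/CODEOWNERS` link will also break if the default branch is ever renamed; a relative link to `CODEOWNERS` survives that.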
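Review bot: In PATCH 1/5, CONTRIBUTING.md deployment/branching hunk, "We are deploying the site to a Docker container." names the packaging rather than the target; the decision log in this same series calls it the Home Office application container platform, so use that name here too, e.g. "We are deploying the site as a Docker container to the Home Office application container platform." The removed sentence was also the stated justification for running a single environment; the replacement drops the reasoning without saying whether a single environment is still used now that the GitHub Pages constraint is gone. Either restate why one environment is kept, or describe the environments that now exist.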
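Review bot: In PATCH 1/5, SECURITY.md hunk, email is added as an equal alternative to the advisory page, but a plain email carries the vulnerability details unencrypted and outside the advisory workflow that keeps a report private until a fix is published. Suggest marking the advisory page as the preferred route and, if email must remain, saying whether an encryption key is available and what a report should include. A `security.txt` would be the conventional place to publish both contacts so reporters find them without reading the repository. Minor: put a blank line between "using the following methods:" and the list so it renders as a list in every Markdown renderer, not only GitHub's.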
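Review bot: In PATCH 1/5, technical-decision-log.md hunk, the new migration row links to `https://github.com/UKHomeOffice//engineering-guidance-and-standards` with a doubled slash; PATCH 4/5 fixes it, so squash that fix into this commit so the series never introduces the broken link. Two new rows share Issue# 72, which makes the key column ambiguous; if both decisions came out of one issue, either merge them into one row with two decisions or mark them 72a/72b. The new rows are dated 2023-06-13 but sit below the 2023-06-16 row, so the log is no longer in date order. While this file is open, the pre-existing "GitHib" typo in the Dependabot row (context line) could be corrected.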
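Review bot: In PATCH 2/5, technical-decision-log.md hunk, the first `-`/`+` pair for the hosting row is identical in the visible text, so the change is presumably trailing whitespace only, and the one substantive change is a full stop at the end of the migration row's Notes cell. Both belong squashed into PATCH 1/5 rather than carried as a separate "Minor text correction" commit.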
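Review bot: In PATCH 3/5, the first CONTRIBUTING.md hunk adds "report a security vulnerability" to the list of things a contributor may do, while the second hunk removes the only section in CONTRIBUTING.md that said how to do it, so the new item now points nowhere. Link the item to the file that holds the procedure, e.g. `- [report a security vulnerability](SECURITY.md)`, so readers are not left to search for it. The indentation of the new item (three spaces) also differs from the sibling items above it (two spaces), which some renderers will treat as a nested list.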
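Review bot: In PATCH 5/5, technical-decision-log.md hunk, the Notes cell now says "Home Office application container platform" while the Decision cell on the same row still says "Home Office platform", and CONTRIBUTING.md in PATCH 1/5 says "a Docker container"; settle on one name and use it in all three places. Since this rewords a row that PATCH 1/5 introduced, squash it into that commit so the log row lands in its final form in a single change.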