docs: Initial documentation. (#13)

Author: jamesiarmes

.github/workflows/branch.yml

@@ -0,0 +1,59 @@
+name: Deploy documentation
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to deploy to.
+        default: production
+        required: true
+        type: environment
+  push:
+    paths:
+      # Only trigger on changes to documentation files.
+      - 'docs/**'
+      - 'mkdocs.yaml'
+      - '.github/workflows/docs.yaml'
+      - '*.md'
+    branches:
+      - main
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  deploy:
+    name: Deploy Documentation to ${{ inputs.environment || 'production' }}
+    environment: ${{ inputs.environment || 'production'}}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
+          role-session-name: github-${{ github.event.repository.name }}-${{ github.run_id }}
+          role-to-assume: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+      - uses: actions/setup-python@v6
+        with:
+          python-version: 3.x
+      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV
+      - uses: actions/cache@v5
+        with:
+          key: mkdocs-material-${{ env.cache_id }}
+          path: .cache
+          restore-keys: |
+            mkdocs-material-
+      - name: Install python dependencies
+        run: |
+          pip install \
+            mkdocs-material \
+            markdown-callouts \
+            mdx_truly_sane_lists \
+            mkdocs-nav-weight \
+            pymdown-extensions
+      - name: Build documentation
+        run: mkdocs build
+      - name: Sync documentation to S3
+        run: aws s3 sync ./site "s3://${{ vars.DOCS_BUCKET || 'docs.dev.services.cfa.codes' }}/${{ vars.DOCS_PREFIX || 'cfa-security-controls' }}"

.github/workflows/docs.yaml

@@ -0,0 +1,51 @@
+name: TFLint Checks
+
+on:
+  push:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Cache plugin directory
+        uses: actions/cache@v5
+        with:
+          path: ~/.tflint.d/plugins
+          key: tflint-${{ hashFiles('.tflint.hcl') }}
+      - name: Setup TFLint
+        uses: terraform-linters/setup-tflint@v6
+      - name: Show version
+        run: tflint --version
+      - name: Init TFLint
+        run: tflint --init
+      - name: Run TFLint
+        # Run TFLint, outputting the results to a SARIF file. We use `tee` so
+        # that we can still see the output in the logs, and capture the exit
+        # code properly with `pipefail`.
+        run: |
+          set -o pipefail
+          tflint --format sarif --recursive \
+            --config "$GITHUB_WORKSPACE/.tflint.hcl" \
+            | tee tflint-results.sarif
+          exit "${PIPESTATUS[0]}"
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: jontyms/[email protected]
+        with:
+          annotation-level: notice
+          sarif-file: tflint-results.sarif
+      # When run on main, upload the SARIF file to GitHub.
+      - name: Upload SARIF result
+        if: always() && github.ref == 'refs/heads/main'
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: tflint-results.sarif

.github/workflows/main.yaml

@@ -0,0 +1,36 @@
+name: Trivy Analysis
+
+on:
+  push:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v6
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: config
+          ignore-unfixed: true
+          skip-dirs: "**/*/.terraform"
+          exit-code: 1
+          format: sarif
+          output: trivy-results.sarif
+      - name: Parse SARIF file for annotations
+        if: always()
+        uses: jontyms/[email protected]
+        with:
+          annotation-level: notice
+          sarif-file: trivy-results.sarif
+      # When run on main, upload the SARIF file to GitHub.
+      - name: Upload SARIF result
+        if: always() && github.ref == 'refs/heads/main'
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy-results.sarif

.github/workflows/tflint.yaml

@@ -0,0 +1,3 @@
+misconfigurations:
+  # Ignore Dockerfile healthcheck.
+  - id: AVD-DS-0026

.github/workflows/trivy.yaml

@@ -0,0 +1,6 @@
+FROM squidfunk/mkdocs-material:9.7
+
+# Install additional python dependencies.
+RUN pip install markdown-callouts mkdocs-nav-weight
+
+USER guest

.trivyignore.yaml

@@ -3,3 +3,13 @@
 This repository contains the configuration and automation for our security
 controls. These ensure that our organization is secure and meets our compliance
 requirements.
+
+## Components
+
+The following components are included in this repository:
+
+- [Hyperproof Sync][hyperproof]
+- AWS Macie configuration
+- AWS Security Hub automations
+
+[hyperproof]: docs/components/hyperproof.md

Dockerfile

@@ -0,0 +1,7 @@
+services:
+  docs:
+    build: .
+    ports:
+      - "8000:8000"
+    volumes:
+      - .:/docs

README.md

@@ -0,0 +1,4 @@
+---
+weight: 100
+empty: true
+---