feat: Initial implementation of a system to collect compliance evidence. (#8)

Author: jamesiarmes

.github/workflows/codeql.yaml

@@ -31,11 +31,13 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # We use javascript to analyze JSON and YAML files.
+          # We use JavaScript to analyze JSON and YAML files.
           - language: javascript-typescript
             build_mode: none
           - language: actions
             build_mode: none
+          - language: ruby
+            build_mode: none
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

.github/workflows/hyperproof.yaml

@@ -0,0 +1,39 @@
+name: Hyperproof Sync
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to deploy to.
+        default: production
+        required: true
+        type: environment
+
+permissions:
+  contents: read
+
+jobs:
+  collect:
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.environment }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          working-directory: ./hyperproof
+      - name: Collect and sync proof
+        working-directory: ./hyperproof
+        env:
+          APTIBLE_USERNAME: ${{ secrets.APTIBLE_USERNAME }}
+          APTIBLE_PASSWORD: ${{ secrets.APTIBLE_PASSWORD }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_REGION: us-east-1
+          HYPERPROOF_CLIENT_ID: ${{ secrets.HYPERPROOF_CLIENT_ID }}
+          HYPERPROOF_CLIENT_SECRET: ${{ secrets.HYPERPROOF_CLIENT_SECRET }}
+        run:
+          bin/hyperproof collect

.github/workflows/ruby.yaml

@@ -0,0 +1,84 @@
+name: Ruby checks
+
+on:
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  projects:
+    name: Find ruby projects
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+      - name: Find all ruby projects
+        id: projects
+        uses: Rishabh510/Path-lister-action@master
+        with:
+          path: .
+          type: .ruby-version
+      - name: Output results
+        run: |
+          echo "Found ${{ steps.projects.outputs.path_count }} file(s) with this extension:"
+          for i in ${{ steps.projects.outputs.paths }}; do
+          echo $i
+          done
+      - name: Get the project paths
+        id: paths
+        run: |
+          projects=()
+          paths=(${{ steps.projects.outputs.paths }})
+          for i in "${paths[@]}"; do
+            projects+=($(dirname "$i"))
+          done
+          output=$(echo "${projects[@]}" | jq --raw-input -c 'split(" ")')
+          echo "OUTPUT: $output"
+          echo "projects=${output}" >> $GITHUB_OUTPUT
+      - name: Show all matching projects
+        shell: bash
+        run: |
+          echo "${{ steps.paths.outputs.projects }}"
+    outputs:
+      projects: ${{ steps.paths.outputs.projects }}
+
+  lint:
+    name: Lint ruby code
+    needs: projects
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        dir: ${{ fromJSON(needs.projects.outputs.projects) }}
+    steps:
+      - uses: actions/checkout@v4
+      - run: git fetch origin main --depth=1
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          working-directory: ${{ matrix.dir }}
+      - name: RuboCop Linter
+        working-directory: ${{ matrix.dir }}
+        run: bundle exec rubocop
+
+  spec:
+    name: Run ruby tests
+    needs: projects
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        dir: ${{ fromJSON(needs.projects.outputs.projects) }}
+    env:
+      COVERAGE: 1
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          working-directory: ${{ matrix.dir }}
+      - name: Run tests
+        working-directory: ${{ matrix.dir }}
+        run: bundle exec rspec

hyperproof/.gitignore

@@ -0,0 +1,4 @@
+*.csv
+*.env
+coverage/
+vendor/

hyperproof/.rspec

@@ -0,0 +1,4 @@
+--require spec_helper.rb
+--color
+--format RSpec::Github::Formatter
+--format documentation

hyperproof/.rubocop.yml

@@ -0,0 +1,37 @@
+require:
+  - rubocop-yard
+
+plugins:
+  - rubocop-md
+  - rubocop-performance
+  - rubocop-rake
+  - rubocop-rspec
+  - rubocop-thread_safety
+
+AllCops:
+  NewCops: enable
+  SuggestExtensions: true
+  TargetRubyVersion: 3.4
+
+Metrics/MethodLength:
+  CountAsOne:
+    - array
+    - hash
+    - method_call
+
+# Exclude our main gem include from the file naming convention, to keep it
+# consistent with the gem name.
+Naming/FileName:
+  Exclude:
+    - lib/cfa-security-controls-hyperproof.rb
+    - README.md
+
+RSpec/ExampleLength:
+  CountAsOne:
+    - array
+    - hash
+    - method_call
+
+# Favor more reusable helpers.
+RSpec/MultipleMemoizedHelpers:
+  Max: 10

hyperproof/.ruby-version

@@ -0,0 +1 @@
+3.4.3

hyperproof/Gemfile

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'rake', '~> 13.2'
+  gem 'rubocop', '~> 1.75'
+  gem 'rubocop-md', '~> 2.0'
+  gem 'rubocop-performance', '~> 1.25'
+  gem 'rubocop-rake', '~> 0.7'
+  gem 'rubocop-rspec', '~> 3.6'
+  gem 'rubocop-thread_safety', '~> 0.7'
+  gem 'rubocop-yard', '~> 0.10'
+end
+
+group :development, :test do
+  gem 'rspec', '~> 3.13'
+  gem 'rspec-github', '~> 3.0'
+  gem 'simplecov', '~> 0.22'
+end