Update from template (#9)

Update from template

.gitattributes

@@ -0,0 +1,7 @@
+scripts/docker/** linguist-vendored
+scripts/githooks/** linguist-vendored
+scripts/reports/** linguist-vendored
+scripts/terraform/** linguist-vendored
+scripts/init.mk linguist-vendored
+scripts/shellscript-linter.sh linguist-vendored
+scripts/test.mk linguist-vendored

.github/actions/check-file-format/action.yaml

@@ -0,0 +1,10 @@
+name: "Check file format"
+description: "Check file format"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check file format"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        ./scripts/githooks/check-file-format.sh

.github/actions/check-markdown-format/action.yaml

@@ -0,0 +1,10 @@
+name: "Check Markdown format"
+description: "Check Markdown format"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Markdown format"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        ./scripts/githooks/check-markdown-format.sh

.github/actions/check-terraform-format/action.yaml

@@ -0,0 +1,10 @@
+name: "Check Terraform format"
+description: "Check Terraform format"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Terraform format"
+      shell: bash
+      run: |
+        export CHECK_ONLY=true
+        ./scripts/githooks/check-terraform-format.sh

.github/actions/cloc-repository/action.yaml

@@ -0,0 +1,56 @@
+name: "Count lines of code"
+description: "Count lines of code"
+inputs:
+  build_datetime:
+    description: "Build datetime, set by the CI/CD pipeline workflow"
+    required: true
+  build_timestamp:
+    description: "Build timestamp, set by the CI/CD pipeline workflow"
+    required: true
+  idp_aws_report_upload_account_id:
+    description: "IDP AWS account ID"
+    required: true
+  idp_aws_report_upload_region:
+    description: "IDP AWS account region"
+    required: true
+  idp_aws_report_upload_role_name:
+    description: "Role to upload the report"
+    required: true
+  idp_aws_report_upload_bucket_endpoint:
+    description: "Bucket endpoint for the report"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: "Create CLOC report"
+      shell: bash
+      run: |
+        export BUILD_DATETIME=${{ inputs.build_datetime }}
+        ./scripts/reports/cloc-repository.sh
+    - name: "Compress CLOC report"
+      shell: bash
+      run: zip cloc-report.json.zip cloc-report.json
+    - name: "Upload CLOC report as an artefact"
+      uses: actions/upload-artifact@v3
+      with:
+        name: cloc-report.json.zip
+        path: ./cloc-report.json.zip
+        retention-days: 21
+    - name: "Check prerequisites for sending the report"
+      shell: bash
+      id: check
+      run: |
+        echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+    - name: "Authenticate to send the report"
+      if: steps.check.outputs.secrets_exist == 'true'
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
+        aws-region: ${{ inputs.idp_aws_report_upload_region }}
+    - name: "Send the CLOC report to the central location"
+      shell: bash
+      if: steps.check.outputs.secrets_exist == 'true'
+      run: |
+        aws s3 cp \
+          ./cloc-report.json.zip \
+          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-cloc-report.json.zip

.github/actions/perform-static-analysis/action.yaml

@@ -0,0 +1,28 @@
+name: "Perform static analysis"
+description: "Perform static analysis"
+inputs:
+  sonar_organisation_key:
+    description: "Sonar organisation key, used to identify the project"
+    required: false
+  sonar_project_key:
+    description: "Sonar project key, used to identify the project"
+    required: false
+  sonar_token:
+    description: "Sonar token, the API key"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Check prerequisites for performing static analysis"
+      shell: bash
+      id: check
+      run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT
+    - name: "Perform static analysis"
+      shell: bash
+      if: steps.check.outputs.secret_exist == 'true'
+      run: |
+        export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
+        export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
+        export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
+        export SONAR_TOKEN=${{ inputs.sonar_token }}
+        ./scripts/reports/perform-static-analysis.sh

.github/actions/scan-dependencies/action.yaml

@@ -0,0 +1,72 @@
+name: "Scan dependencies"
+description: "Scan dependencies"
+inputs:
+  build_datetime:
+    description: "Build datetime, set by the CI/CD pipeline workflow"
+    required: true
+  build_timestamp:
+    description: "Build timestamp, set by the CI/CD pipeline workflow"
+    required: true
+  idp_aws_report_upload_account_id:
+    description: "IDP AWS report upload account ID to upload the report to"
+    required: false
+  idp_aws_report_upload_region:
+    description: "IDP AWS report upload account region to upload the report to"
+    required: false
+  idp_aws_report_upload_role_name:
+    description: "IDP AWS report upload role name for OIDC authentication"
+    required: false
+  idp_aws_report_upload_bucket_endpoint:
+    description: "IDP AWS report upload endpoint to upload the report to"
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - name: "Generate SBOM"
+      shell: bash
+      run: |
+        export BUILD_DATETIME=${{ inputs.build_datetime }}
+        ./scripts/reports/generate-sbom.sh
+    - name: "Compress SBOM report"
+      shell: bash
+      run: zip sbom-repository-report.json.zip sbom-repository-report.json
+    - name: "Upload SBOM report as an artefact"
+      uses: actions/upload-artifact@v3
+      with:
+        name: sbom-repository-report.json.zip
+        path: ./sbom-repository-report.json.zip
+        retention-days: 21
+    - name: "Scan vulnerabilities"
+      shell: bash
+      run: |
+        export BUILD_DATETIME=${{ inputs.build_datetime }}
+        ./scripts/reports/scan-vulnerabilities.sh
+    - name: "Compress vulnerabilities report"
+      shell: bash
+      run: zip vulnerabilities-repository-report.json.zip vulnerabilities-repository-report.json
+    - name: "Upload vulnerabilities report as an artefact"
+      uses: actions/upload-artifact@v3
+      with:
+        name: vulnerabilities-repository-report.json.zip
+        path: ./vulnerabilities-repository-report.json.zip
+        retention-days: 21
+    - name: "Check prerequisites for sending the reports"
+      shell: bash
+      id: check
+      run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+    - name: "Authenticate to send the reports"
+      if: steps.check.outputs.secrets_exist == 'true'
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::${{ inputs.idp_aws_report_upload_account_id }}:role/${{ inputs.idp_aws_report_upload_role_name }}
+        aws-region: ${{ inputs.idp_aws_report_upload_region }}
+    - name: "Send the SBOM and vulnerabilities reports to the central location"
+      shell: bash
+      if: steps.check.outputs.secrets_exist == 'true'
+      run: |
+        aws s3 cp \
+          ./sbom-repository-report.json.zip \
+          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+        aws s3 cp \
+          ./vulnerabilities-repository-report.json.zip \
+          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip

.github/actions/scan-secrets/action.yaml

@@ -0,0 +1,10 @@
+name: "Scan secrets"
+description: "Scan secrets"
+runs:
+  using: "composite"
+  steps:
+    - name: "Scan secrets"
+      shell: bash
+      run: |
+        export ALL_FILES=true
+        ./scripts/githooks/scan-secrets.sh

.github/dependabot.yaml

@@ -0,0 +1,28 @@
+version: 2
+
+updates:
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "terraform"
+    directory: "/"
+    schedule:
+      interval: "daily"