{"id":23421135,"url":"https://github.com/nhsdigital/eps-workflow-quality-checks","last_synced_at":"2025-04-09T09:34:32.556Z","repository":{"id":257434153,"uuid":"858224329","full_name":"NHSDigital/eps-workflow-quality-checks","owner":"NHSDigital","description":"A workflow to run the quality checks for EPS repositories","archived":false,"fork":false,"pushed_at":"2024-11-19T09:21:24.000Z","size":140,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-06T20:00:25.967Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NHSDigital.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-16T14:24:28.000Z","updated_at":"2024-11-19T09:21:00.000Z","dependencies_parsed_at":"2024-09-16T18:42:51.584Z","dependency_job_id":"965b9ea7-4985-4cbc-af74-0d1829b385ba","html_url":"https://github.com/NHSDigital/eps-workflow-quality-checks","commit_stats":null,"previous_names":["nhsdigital/eps-workflow-quality-checks"],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-workflow-quality-checks","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-workflow-quality-checks/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-workflow-quality-checks/releases","manifests_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NHSDigital%2Feps-workflow-quality-checks/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NHSDigital","download_url":"https://codeload.github.com/NHSDigital/eps-workflow-quality-checks/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248013021,"owners_count":21033291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-23T02:14:07.649Z","updated_at":"2025-04-09T09:34:32.512Z","avatar_url":"https://github.com/NHSDigital.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# eps-workflow-quality-checks\n\n\nA workflow to run the quality checks for EPS repositories. The main element of this lives in the [`quality-checks.yml`](./.github/workflows/quality-checks.yml) configuration file. The steps executed by this workflow are as follows:\n\n- **Install Project Dependencies**\n- **Generate and Check SBOMs**: Creates Software Bill of Materials (SBOMs) to track dependencies for security and compliance. 
Uses [THIS](https://github.com/NHSDigital/eps-action-sbom) action.\n- **Run Linting**\n- **Run Unit Tests**\n- **Scan git history for secrets**: Scans for secret-like patterns, using https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets\n- **SonarCloud Scan**: Performs code analysis using SonarCloud to detect quality issues and vulnerabilities.\n- **Validate CloudFormation Templates** (*Conditional*): If CloudFormation, AWS SAM templates or CDK are present, runs `cfn-lint` (SAM and cloudformation only) and `cfn-guard` to validate templates against AWS best practices and security rules.\n- **CDK Synth** (*Conditional*): Runs `make cdk-synth` if packages/cdk folder exists\n- **Check Licenses**: Runs `make check-licenses`.\n- **Check Python Licenses** (*Conditional*): If the project uses Poetry, scans Python dependencies for incompatible licenses.\n\nThe secret scanning also has a dockerfile, which can be run against a repo in order to scan it manually (or as part of pre-commit hooks). This can be done like so:\n```bash\ndocker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v3.0.0/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets .\ndocker run -v /path/to/repo:/src git-secrets --scan-history .\n```\nFor usage of the script, see the [source repo](https://github.com/NHSDigital/software-engineering-quality-framework/blob/main/tools/nhsd-git-secrets/git-secrets). Generally, you will either need `--scan -r .` or `--scan-history .`. The arguments default to `--scan -r .`, i.e. 
scanning the current state of the code.\n\nIn order to enable the pre-commit hook for secret scanning (to prevent developers from committing secrets in the first place), add the following to the `.devcontainer/devcontainer.json` file:\n```json\n{\n    \"remoteEnv\": { \"LOCAL_WORKSPACE_FOLDER\": \"${localWorkspaceFolder}\" },\n    \"postAttachCommand\": \"docker build -f https://raw.githubusercontent.com/NHSDigital/eps-workflow-quality-checks/refs/tags/v4.0.2/dockerfiles/nhsd-git-secrets.dockerfile -t git-secrets . \u0026\u0026 pre-commit install --install-hooks -f\",\n    \"features\": {\n      \"ghcr.io/devcontainers/features/docker-outside-of-docker:1\": {\n        \"version\": \"latest\",\n        \"moby\": \"true\",\n        \"installDockerBuildx\": \"true\"\n      }\n    }\n}\n```\n\nAnd add this pre-commit hook to the `.pre-commit-config.yaml` file:\n```yaml\nrepos:\n- repo: local\n  hooks:\n    - id: git-secrets\n      name: Git Secrets\n      description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.\n      entry: bash\n      args:\n        - -c\n        - 'docker run -v \"$LOCAL_WORKSPACE_FOLDER:/src\" git-secrets --pre_commit_hook'\n      language: system\n```\n\n# Usage\n\n## Inputs\n\nNone\n\n## Required Makefile targets\n\nIn order to run, these `make` commands must be present. 
They may be mocked, if they are not relevant to the project.\n\n- `install`\n- `lint`\n- `test`\n- `check-licenses`\n- `cdk-synth` - only needed if packages/cdk folder exists\n\n## Environment variables\n\n### `SONAR_TOKEN`\n\nRequired for the SonarCloud Scan step, which analyzes your code for quality and security issues using SonarCloud.\n\n# Example Workflow Call\n\nTo use this workflow in your repository, call it from another workflow file:\n\n```yaml\nname: Quality Checks\n\non:\n  push:\n    branches:\n      - main\n      - develop\n\njobs:\n  quality_checks:\n    uses: NHSDigital/eps-workflow-quality-checks/.github/workflows/quality-checks.yml@4.0.2\n    secrets:\n      SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnhsdigital%2Feps-workflow-quality-checks","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnhsdigital%2Feps-workflow-quality-checks","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnhsdigital%2Feps-workflow-quality-checks/lists"}