NHSDigital
diff --git a/‎application/.coveragerc‎ ‎.coveragerc‎application/.coveragerc renamed to .coveragerc b/‎application/.coveragerc‎ ‎.coveragerc‎application/.coveragerc renamed to .coveragerc
diff --git a/‎.github/PULL_REQUEST_TEMPLATE/release_pull_request_template.md‎
Lines changed: 5 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE/release_pull_request_template.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/PULL_REQUEST_TEMPLATE/task_pull_request_template.md‎
Lines changed: 30 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE/task_pull_request_template.md‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/PULL_REQUEST_TEMPLATE/test_pull_request_template.md‎
Lines changed: 22 additions & 0 deletions b/‎.github/PULL_REQUEST_TEMPLATE/test_pull_request_template.md‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 89 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 89 additions & 0 deletions
diff --git a/‎.github/pull_request_template.md‎
Lines changed: 2 additions & 44 deletions b/‎.github/pull_request_template.md‎
Lines changed: 2 additions & 44 deletions
diff --git a/‎.github/workflows/check-pull-request-checklist.yml‎
Lines changed: 13 additions & 0 deletions b/‎.github/workflows/check-pull-request-checklist.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎.github/workflows/code-quality.yml‎
Lines changed: 10 additions & 8 deletions b/‎.github/workflows/code-quality.yml‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎.github/workflows/code-secrets.yml‎
Lines changed: 13 additions & 0 deletions b/‎.github/workflows/code-secrets.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎.github/workflows/code-security.yml‎
Lines changed: 17 additions & 8 deletions b/‎.github/workflows/code-security.yml‎
Lines changed: 17 additions & 8 deletions
@@ -0,0 +1,5 @@
+# Release Branch Pull Request
+
+## Description of Changes
+
+Please include a summary of the change
@@ -0,0 +1,30 @@
+# Task Branch Pull Request
+
+**<https://nhsd-jira.digital.nhs.uk/browse/{{ .BRANCH_NUMBER }}>**
+
+## Description of Changes
+
+Please include a summary of the change
+
+## Type of change
+
+Delete not appropriate
+
+- Bug fix (non-breaking change which fixes an issue)
+- New feature (non-breaking change which adds functionality)
+- Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- Refactoring (non-breaking change which improves the structure of the code)
+
+## Development Checklist
+
+- [ ] I have performed a self-review of my own code
+- [ ] I have run the [code formatting checks](../README.md#code-quality)
+- [ ] I have run the [code quality checks](../README.md#code-quality)
+- [ ] New code meets [standards](https://nhsd-confluence.digital.nhs.uk/display/DI/DI+Ways+of+Working) agreed by the team
+- [ ] Tests have added that prove my fix is effective or that my feature works (Integration tests)
+- [ ] I have updated Dependabot to include my changes (if applicable)
+
+## Code Reviewer Checklist
+
+- [ ] I can confirm the changes have been tested or approved by a tester
+- [ ] I have checked any ignore commands for code linting tools and I agree that the code is safe
@@ -0,0 +1,22 @@
+# Test Branch Pull Request
+
+## What branch do these tests check?
+
+-
+
+## Description of changes/tests
+
+Why do these tests need to exist?/When should the test be run?
+
+## Development Checklist
+
+- [ ] The tests are tagged correctly
+- [ ] The tests will be run in the development pipeline
+- [ ] The tests are stable and pass
+- [ ] I have used reusable functions and classes where possible
+
+## Code Reviewer Checklist
+
+- [ ] I am confident the tests are stable and have passed
+- [ ] I am confident the tests will be run in the development pipeline
+- [ ] I believe the tests developed in a way which makes them reusable and maintainable
@@ -0,0 +1,89 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  # Maintain dependencies for Python (Works recursively in application directories)
+  - package-ecosystem: "pip"
+    directory: "/application"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  # Docker Dependencies
+  - package-ecosystem: "docker"
+    directory: "/build/docker/lambda"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  - package-ecosystem: "docker"
+    directory: "/build/docker/tester"
+    schedule:
+      interval: "daily"
+    target-branch: "develop"
+
+  # Terraform Dependencies
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/modules/s3"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/after-lambda-deployment"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/api-key"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/appconfig"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/before-lambda-deployment"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/deployment-pipelines"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/development-pipeline"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/dos-api-gateway-mock"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/perf-test-tools"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
+
+  - package-ecosystem: "terraform"
+    directory: "/infrastructure/stacks/release-pipeline"
+    schedule:
+      interval: "monthly"
+    target-branch: "develop"
@@ -1,45 +1,3 @@
-## Link to JIRA Ticket
+# Warning
 
--
-
-## Description
-
-Please include a summary of the change
-
-### Noteworthy Changes
-
-- These are changes the reviewer should look out for
-
-## Type of change
-
-Delete not appropriate
-
-- Bug fix (non-breaking change which fixes an issue)
-- New feature (non-breaking change which adds functionality)
-- Breaking change (fix or feature that would cause existing functionality to not work as expected)
-- This change requires a documentation update
-
-## Testing
-
-Please tick the testing that has been completed
-
-- [ ] Unit tests
-- [ ] Integration tests
-
-## Developer Checklist
-
-- [ ] I have performed a self-review of my own code
-- [ ] I have run the [code formatting checks](../README.md#code-quality)
-- [ ] I have run the [code quality checks](../README.md#code-quality)
-- [ ] New code meets [standards](https://nhsd-confluence.digital.nhs.uk/display/DI/DI+Ways+of+Working) agreed by the team
-- [ ] Unit test code coverage is at or above 80%
-- [ ] New and existing unit tests pass locally with my changes
-- [ ] Tests have added that prove my fix is effective or that my feature works (Integration tests)
-- [ ] I have made corresponding changes to the documentation
-- [ ] I have cleaned down my environment (if created)
-
-## Code Reviewer Checklist
-
-- [ ] I have run the unit tests and they run correctly
-- [ ] I can confirm the changes have been tested or approved by a tester
-- [ ] I can confirm no remaining infrastructure is left over from this branch
+Please don't modify this description yet it will be populated once you create the pull request.
@@ -0,0 +1,13 @@
+name: "Check Pull Request Checklist"
+on:
+  pull_request:
+    types: [opened, ready_for_review, edited, synchronize, reopened]
+jobs:
+  pull-request-checklist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: mheap/require-checklist-action@v1
+        with:
+          requireChecklist: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -1,14 +1,14 @@
 name: "Check code format and quality"
 on:
   push:
-    branches: [master]
+    branches: [develop, main]
   pull_request:
-    types: [opened, synchronize, reopened]
+    types: [opened, ready_for_review, synchronize, reopened]
 jobs:
   check-code-quality:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Check text files format
@@ -17,22 +17,24 @@ jobs:
       - name: Check Python files format
         run: |
           make python-linting
-      - name: Check Terraform files format
+      - name: Python Dead Code Check
         run: |
-          build/automation/etc/githooks/scripts/terraform-format-pre-commit.sh
+          make tester-build python-dead-code-scanning
       - name: Create coverage report
         run: |
-          make tester-build coverage-report
+          make coverage-report
       - uses: sonarsource/sonarcloud-github-action@master
         # SEE: https://github.com/SonarSource/sonarcloud-github-action
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         with:
-          projectBaseDir: ./application
+          projectBaseDir: .
           args: >
+            -Dsonar.sources=application,deployment,infrastructure
             -Dsonar.organization=nhsd-exeter
             -Dsonar.projectKey=uec-dos-int
-            -Dsonar.coverage.exclusions=tests/**,**/tests/**
+            -Dsonar.coverage.exclusions=tests/**,**/tests/**,deployment,infrastructure,application/scripts
             -Dsonar.python.coverage.reportPaths=coverage.xml
             -Dsonar.python.version=3.9
+            -Dsonar.exclusions=application/**/tests/**
@@ -0,0 +1,13 @@
+name: "Check code for Secrets"
+on: push
+jobs:
+  check-code-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Check if code contains any secrets
+        run: make git-config git-secrets-scan-repo-files
+      - name: Checkov Secret Scanner
+        run: make checkov-secret-scanning
@@ -1,14 +1,23 @@
-name: "Check code for secrets"
-on: push
+name: "Check code for Security Vulnerabilities"
+on:
+  push:
+    branches: [develop, master]
+  pull_request:
+    types: [opened, synchronize, reopened]
 jobs:
   check-code-security:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Check if code contains any secrets
-        run: |
-          make \
-            git-config \
-            git-secrets-scan-repo-files
+      - name: Check if code contains any Terraform Security Vulnerabilities
+        run: make terraform-security
+      - name: Checkov Security and Best Practices - Serverless Framework
+        run: make -s serverless-best-practices
+      - name: Checkov Security and Best Practices - Docker
+        run: make -s docker-best-practices
+      - name: Checkov Security and Best Practices - Terraform
+        run: make -s terraform-best-practices
+      - name: Checkov Security and Best Practices - Github Actions
+        run: make -s github-actions-best-practices