• What systems are in my organisation?
• Where is the risk?
• Who do I talk to about that?

Crowdsource systems and the risks they contain.

• pre-commit ^†
• Java 11+ JDK
• Node 10
• Maven
• Yarn
• Docker & docker-compose
• Python 3

^† There are Git hooks in this repository that perform linting and security-related checks before commits. Use pre-commit to install these:

pre-commit install

There are 2 services, frontend (UI) and backend (API).

The UI is SPA react app created via create-react-app.

The API is a Quarkus based java app.

By default, the API serves up the UI but they are designed to be independently deployable.

To build and start developing the API locally:

./tasks build-frontend
./tasks build-backend
./tasks dev-backend

This will build the UI, copy the files over to be served up by the backend, build the backend and start the backend in dev mode with file watch and hot reload for the backend only.

If you want to develop the frontend with hot reload

./tasks dev-frontend

The pre-commit Git hook checks changes for possible secrets using detect-secrets. These checks look for keywords and regions of randomness that might be passwords.

As the checks are heuristic-based, false-positives are possible. If, after reviewing any rejected commits, you’re confident that there are no secrets, run the following command and include the .secrets.baseline file in the commit:

detect-secrets scan > .secrets.baseline

For this to work, you’ll need to have the detect-secrets tool installed directly. pre-commit has its own copy which isn’t normally accessible. To install it, use pip (or pip3):

pip install detect-secrets