18F's micro-purchase threshold experiment management app.
Ruby HTML Gherkin JavaScript CSS Shell
Clone or download
Failed to load latest commit information.
app Remove unused method in controller Jan 18, 2017
bin Migrate Micropurchase Prod to GovCloud Feb 1, 2017
certs/sp Add SLO and SSO endpoints for Login.gov (#1476) Jan 9, 2017
compliance First pass at ATO documentation Jan 3, 2017
config Remove Jen Ehlers from admins Apr 3, 2017
db Add SLO and SSO endpoints for Login.gov (#1476) Jan 9, 2017
doc First pass at ATO documentation Jan 3, 2017
docs Fix typo Jun 27, 2017
features Added additional tests for logout (#1499) Jan 13, 2017
keys Add SLO and SSO endpoints for Login.gov (#1476) Jan 9, 2017
lib Fixes rubocop fix fail! Nov 18, 2016
log Initial Rails commit: Oct 20, 2015
public Revert change to robots.txt Sep 7, 2016
script Remove staging prime task Sep 8, 2016
spec Added delivery_url to accepted_payment_pending_url trait in auctions … Apr 4, 2017
vendor/assets Added an actions sidebar Dec 28, 2016
.about.yml Update .about.yml Apr 3, 2017
.cfignore Allow the vendor directory to be deployed Apr 13, 2016
.codeclimate.yml Placating Code Climate: Dec 28, 2016
.csslintrc CodeClimate suggested adding these files Apr 27, 2016
.env.example Remove quotes from example .env file Mar 26, 2017
.env.test Tweaks to token view Aug 30, 2016
.erdconfig Add Entity Relationship Diagram Nov 18, 2015
.eslintignore CodeClimate suggested adding these files Apr 27, 2016
.eslintrc CodeClimate suggested adding these files Apr 27, 2016
.gitignore Update the docs for govcloud deployment Feb 21, 2017
.jshintrc add .jshintrc and edit some js for style Apr 23, 2016
.rspec Model specs moved over, gem and more Oct 20, 2015
.rubocop.yml Bump class length limit up to 150 Aug 16, 2016
.ruby-version Upgrade to Ruby 2.3.3 Dec 8, 2016
.scss-lint.yml Use 18F-wide SCSS linter Jun 27, 2016
.simplecov Tweaks to the SimpleCov config for develop Mar 29, 2016
.travis.yml Removing env block from .travis.yml May 9, 2017
CONTRIBUTING.md Add docs for testing Login.gov integration (#1503) Jan 18, 2017
Dockerfile Removing env block from .travis.yml May 9, 2017
Gemfile Locks ruby-saml gem version down to 1.4.2 May 26, 2017
Gemfile.lock Locks ruby-saml gem version down to 1.4.2 May 26, 2017
LICENSE.md Initial Rails commit: Oct 20, 2015
Procfile Send losing bidders an email Apr 27, 2016
README.md single space typo Mar 20, 2017
Rakefile Add Jasmine:CI to default rake task Jun 2, 2016
config.ru Initial Rails commit: Oct 20, 2015
docker-compose.yml Run Application using Docker Mar 15, 2016
hakiri_manifest.json Use Hakiri to test for known CVEs in gems and Ruby/Rails versions. Nov 19, 2015
manifest-staging.yml Use internal ruby buildpack Feb 21, 2017
manifest.yml use internal buildpack and use full domain Feb 21, 2017
system-security-plan.yml Added controls url to SSP Jan 3, 2017


Code Climate Test Coverage Dependency Status security Accessibility


This is a web application used to manage the bidding process for 18F's micro-purchase threshold experiment. The platform will allow vendors to bid on open opportunities with 18F, track their bids, and learn of the winning bidder. So long as vendors are registered on SAM.gov and have GitHub accounts, they will be able to view open opportunities and bid on them.

With this application, a vendor will be able to view the full list of open micro-purchasing opportunities, access bid histories, and place bids on services requested by 18F. All bids will start under $3,500 and each project will specify the desired product and method of delivery.

This is a Ruby/Rails application using ActiveRecord and PostgreSQL. This repo contains the front end of a web app that integrates GitHub and SAM.gov. For more information on setting up the back end of the web app, see below.

Throughput Graph


Local Development

See the CONTRIBUTING.md for a full run-down of how to contribute to this application.

Database Schema

We are keeping a version-controlled Entity Relationship Diagram (ERD) located indocs/erd.pdf. Any new change to the database schema must include an update to this diagram. You can automatically update the diagram by running (follow the local development instructions below if you don't have the app setup locally):

[docker-compose run web] bundle exec erd

Updating the ERD requires Graphiz. Installation instructions are here.

Coverage and CodeClimate

Because this application uses two different test suites (RSpec and Cucumber), it has a more complicated setup for measuring coverage and reporting it to CodeClimate. By default, CodeClimate only will use the coverage statistics from RSpec, meaning you will see a drop in coverage for controllers tested more thoroughly by Cucumber. The solution involves a few parts:

  1. The .simplecov file in the root specifies SimpleCov configuration shared by both RSpec and Cucumber. This switches the coverage gem to use for CI vs. local operation.
  2. The codeclimate_batch CLI merges the coverage reports from each suite before reporting to CodeClimate. This process includes sending all configs to the cc-amend service. To use the them, you must also make sure your CI calls bundler with --binstubs to install gem binaries locally.
  3. The codeclimate_batch gem will only run on a CI server and you must also define an environment variable CODECLIMATE_REPO_TOKEN with the value of the repo token provided by CodeClimate for it to work.
  4. The codeclimate_batch gem will also only run on the DEFAULT_BRANCH specified in the .simplecov file. If you change your CodeClimate to use a branch other than develop, you must change the value in .simplecov

If everything is working correctly, you should see the following text at the bottom of CI builds of your develop branch:

$ ./bin/codeclimate-batch --groups 2
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 23656  100    41  100 23615    202   114k --:--:-- --:--:-- --:--:--  118k
sent 2 reports for 18F-micropurchase-1248
Code climate: 0.21s to send 2 reports

Security Scans

This repository uses two tools to provide a total of three types of automated security checks:

  • Brakeman provides static code analysis.
  • Hakiri is used to ensure the Rails/Ruby versions contain no known CVEs.
  • Hakiri is used to ensure the gems declared in the Gemfile contain no known CVEs.

All security scans are built into the test suite. bundle exec rake spec will run them. To run the security scans ad hoc:


bundle exec brakeman

Hakiri for Ruby/Rails versions:

bundle exec hakiri system:scan -m hakiri_manifest.json

Hakiri for Gemfile dependency versions:

bundle exec hakiri gemfile:scan

Ignored Brakeman warnings

Sometimes Brakeman will report a false positive. In cases like these, the warnings will be ignored. Ignored warnings are declared in config/brakeman.ignore. This file contains a machine-readable list of all ignored warnings. Any ignored warning will contain a note explaining (or linking to an explanation of) why the warning is ignored.

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.