Manages uploaded assets (images, PDFs etc.) for applications in the GOV.UK Publishing stack.
Latest commit d7390ff Aug 15, 2016 @h-lame h-lame committed on GitHub Merge pull request #50 from alphagov/update-rails-version
Update Rails to

Asset Manager

Technical Documentation

This is a small Rails application that receives uploaded files from publishing applications and returns the URLs at which they will be made available. Before an asset is available to the public, it is virus scanned. Once a file is found to be clean, Asset Manager serves it at the previously generated URL. Unscanned or infected files return a 404 Not Found error.

Scanning uses ClamAV and occurs asynchronously via Delayed Job.


Virus scanning expects govuk_clamscan to exist on the PATH, and to be symlinked to either clamscan or clamdscan, which are part of clamav. This is configured by govuk-puppet.

Running the application


The application runs on port 3037 by default. Within the GDS VM it's exposed on

It can also be run via bowl on the GDS dev VM:

bowl asset_manager

Newly uploaded assets return 404 until they've been scanned for viruses. Scanning for viruses is done asynchronously via Delayed Job. Run the Delayed Job queue processor:

bundle exec rake jobs:work


bundle exec rspec


POST /assets expects a single file uploaded via the asset[file] parameter. This creates the asset and schedules it for scanning.

PUT /assets/:id expects a file in the same format, and replaces it at the provided ID.

GET /assets/:id returns information about the requested asset, but not the asset itself.

See the AssetPresenter class for the return format for the above API calls. All API requests must be authenticated with a token generated in the Signon application.

GET /media/:id/:filename serves the file to the user if it is marked as clean.
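
The scan gate described above (unscanned and infected files answer 404, only clean files are served), sketched as an added example that is not Asset Manager's own code. The `Asset` struct, the state names, and the `scan!` and `media_status` helpers are assumptions made for illustration; the scanner command is injectable so the example runs without ClamAV installed.

```ruby
# Added illustration, not code from the Asset Manager repository.
# Hypothetical stand-in for the asset record; the state names are assumptions.
Asset = Struct.new(:path, :state)

# Run the scanner against the file and map its exit status to a state.
# clamscan and clamdscan exit 0 when no virus is found, 1 when a virus is
# found and 2 when an error occurred.
def scan!(asset, scanner: ["govuk_clamscan"])
  # Argument-vector form of system: the file path never passes through a shell.
  ran = system(*scanner, asset.path, out: File::NULL, err: File::NULL)
  status = ran.nil? ? nil : $?.exitstatus # nil: the scanner could not be executed
  asset.state =
    case status
    when 0 then :clean
    when 1 then :infected
    else :unscanned # fail closed: a scanner error never marks a file clean
    end
end

# HTTP status a media request would receive for this asset.
def media_status(asset)
  asset.state == :clean ? 200 : 404
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-ins for the scanner: `true` exits 0, `false` exits 1,
  # `sh -c "exit 2"` imitates a scanner error, and the last one is not on PATH.
  {
    "clean file"      => ["true"],
    "infected file"   => ["false"],
    "scanner error"   => ["sh", "-c", "exit 2"],
    "scanner missing" => ["no-such-scanner-binary"]
  }.each do |label, scanner|
    asset = Asset.new(__FILE__, :unscanned)
    scan!(asset, scanner: scanner)
    puts format("%-16s state=%-10s GET /media -> %d", label, asset.state, media_status(asset))
  end
end
```

Treating every outcome other than exit status 0 or 1 as still unscanned keeps a broken or missing scanner from exposing files that were never checked.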


MIT License