Migrate Static Sites to GSA-TTS & add build checks

[btylerburton]

User Story

In order to maintain our list of static sites within the GSA's Pages ATO umbrella, the Pages team would like datagovteam to migrate our static sites to the GSA-TTS org and enable a list of build checks to confirm the build is secure.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

• GIVEN I have a site configured on pages.cloud.gov
  THEN I expect to see the source repository listed under the GSA-TTS org
  AND that it is managed by @GSA-TTS/data-gov-team-tts
  AND that is is configured with Github Security, Security Scorecard, Github AllStar, Codeql, Dependabot and Snyk

Background

[Any helpful contextual notes or links to artifacts/evidence, if needed]

Security Considerations (required)

[Any security concerns that might be implicated in the change. "None" is OK, just be explicit here!]

Sketch

• Migrate the repo to GSA-TTS org
• Add data-gov-team-tts as maintainer
• Configure Github Security
• Configure Security Scorecard
• Configure Github AllStar
• Configure Codeql
• Configure Dependabot
• Configure Snyk

Repeat the above steps for each of the following repos:

• https://github.com/gsa/feedback.usa.gov (no longer a site)
• https://github.com/gsa/us-data-federation
• https://github.com/gsa/data-strategy
• https://github.com/gsa/resources.data.gov
• https://github.com/gsa/datagov-11ty
• https://github.com/GSA/sdg-indicators-usa

[btylerburton]

Blocked pending attendance of Pages Office Hours to clarify some of the security implementation details...

[btylerburton]

Office hours scheduled for 11/2 at 11:30AM EST

EDIT: We will complete a single site with Pages team and then repeat the process for the rest of the sites.

[Jin-Sun-tts]

resources.data.gov:

https://docs.google.com/document/d/16uJVDXZYNPpjC5q5Cxmx-k003mj0SGFRU33I2uKFrQ4/edit#heading=h.m7d74e15hego

[Jin-Sun-tts]

• Go to the /settings/access/ page and confirm the admin and resource group settings.
• Implement a security policy by including a security.md file.
• Activate vulnerability reporting.
• Establish a dependabot.yml file within the .github directory and configure the package ecosystem value.
• Enable CodeQL analysis for code scanning (set to default settings).
• Enable secret scanning.

[Jin-Sun-tts]

setup package-ecosystem value npm in dependabot.yml file GSA/resources.data.gov#626
The property '#/updates/0/package-ecosystem' value "" did not match one of the following values: npm, bundler, composer, maven, mix, cargo, gradle, nuget, gomod, docker, elm, gitsubmodule, github-actions, pip, terraform, pub, swift

[Jin-Sun-tts]

data-strategy:
https://docs.google.com/document/d/12PRQTkHCEp04S6KoWT_UNBb6tWeRQTAegtQPIwNfcHM

datagov-11ty:
https://docs.google.com/document/d/1srG6dMEpZBMVtMLNpgWC8hIXSBLcmHaEfsjZQfohxF0

us-data-federation:
https://docs.google.com/document/d/1lu4Axr44gyB1KldlyO3J7gHpt4cMHpVWmPmsE4o16tI

sdg-indicators-usa:
https://docs.google.com/document/d/1GR2RKVd4tE1LXZEBvbDfsRhrcu2CjuuTruq962-tPvs/edit

[btylerburton]

@Jin-Sun-tts let's circle back together to add sdg.data.gov to this list.

[Jin-Sun-tts]

Finished all security setup/modification in https://github.com/GSA/sdg-indicators-usa except the dependabot update.

Could not setup dependabot.yml file because of unsolved PR GSA/sdg-indicators-usa#1054, will check with @btylerburton on Monday.

[Jin-Sun-tts]

configuration and documentation for sdg.data.gov is done.

[Jin-Sun-tts]

checked with Ryan Wold, the feedback.usa.gov is no longer a site, and @btylerburton will work with Ryan to remove it from our https://pages.cloud.gov/sites account.