CI: add super-linter (#4)

* Configure super-linter GHA and fix directory structure

Author: eeaton

.github/linters/super-linter-fix-mode.env

@@ -0,0 +1,11 @@
+FIX_ENV=true
+FIX_JSON=true
+FIX_JSON_PRETTIER=true
+FIX_MARKDOWN=true
+FIX_MARKDOWN_PRETTIER=true
+FIX_PYTHON_BLACK=true
+FIX_PYTHON_ISORT=true
+FIX_PYTHON_RUFF=true
+FIX_SHELL_SHFMT=true
+FIX_TERRAFORM_FMT=true
+FIX_YAML_PRETTIER=true

.github/linters/super-linter.env

@@ -0,0 +1,29 @@
+CREATE_LOG_FILE=false
+DEFAULT_BRANCH=main
+GITLEAKS_LOG_LEVEL=warn
+IGNORE_GITIGNORED_FILES=true
+REMOVE_ANSI_COLOR_CODES_FROM_OUTPUT=true
+VALIDATE_BASH=true
+VALIDATE_BASH_EXEC=true
+VALIDATE_CHECKOV=true
+VALIDATE_DOCKERFILE_HADOLINT=true
+VALIDATE_EDITORCONFIG=true
+VALIDATE_ENV=true
+VALIDATE_GITHUB_ACTIONS=true
+VALIDATE_GITLEAKS=true
+VALIDATE_JSON=true
+VALIDATE_JSON_PRETTIER=true
+VALIDATE_MARKDOWN=true
+VALIDATE_MARKDOWN_PRETTIER=true
+VALIDATE_NATURAL_LANGUAGE=true
+VALIDATE_PYTHON_BLACK=true
+VALIDATE_PYTHON_FLAKE8=true
+VALIDATE_PYTHON_ISORT=true
+VALIDATE_PYTHON_MYPY=true
+VALIDATE_PYTHON_RUFF=true
+VALIDATE_RENOVATE=true
+VALIDATE_SHELL_SHFMT=true
+VALIDATE_TERRAFORM_FMT=true
+VALIDATE_TERRAFORM_TFLINT=true
+VALIDATE_YAML=true
+VALIDATE_YAML_PRETTIER=true

gcmvsp/.github/workflows/addlicense.yaml .github/workflows/addlicense.yamlgcmvsp/.github/workflows/addlicense.yaml renamed to .github/workflows/addlicense.yaml

@@ -51,4 +51,4 @@ jobs:
           branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
           commit_message: "chore: add license headers"
           commit_user_name: addlicense
-          commit_user_email: no-reply@addlicense.dev
+          commit_user_email: no-reply@addlicense.dev

.github/workflows/lint.yaml

@@ -0,0 +1,52 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+name: Lint
+
+on: # yamllint disable-line rule:truthy
+  push: null
+  pull_request: null
+  workflow_call: null
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    concurrency:
+      # Ref: https://docs.github.com/en/actions/learn-github-actions/contexts#github-context
+      # github.head_ref: head_ref or source branch of the pull request
+      # github.ref: ref of the branch that triggered the workflow
+      group: ${{ github.workflow }}-lint-${{ github.head_ref || github.ref }}-${{ github.event_name }}
+      cancel-in-progress: true
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Load super-linter configuration
+        # Use grep inverse matching to exclude eventual comments in the .env file
+        # because the GitHub Actions command to set environment variables doesn't
+        # support comments.
+        # Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable
+        run: grep -v '^#' .github/linters/super-linter.env >> "$GITHUB_ENV"
+      - name: Super-Linter
+        uses: super-linter/super-linter@v7.2.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -9,3 +9,6 @@
 # Environment-specific variables
 *.tfvars
 *.tfvars.json
+
+# Super Linter output files
+super-linter-output/*

CONTRIBUTING

@@ -30,4 +30,27 @@ This project follows
 All submissions, including submissions by project members, require review. We
 use GitHub pull requests for this purpose. Consult
 [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
-information on using pull requests.
+information on using pull requests.
+
+### Linting and Formatting
+
+Many of the files in the repository are checked against linting tools and static code analysis for secure coding practices. This workflow is triggered by [.github/workflows/lint.yaml](.github/workflows/lint.yaml), running multiple lint libraries in [Super-Linter](https://github.com/super-linter/super-linter) with the settings configured in [.github/linters/super-linter.env](.github/linters/super-linter.env)
+
+1. To validate that your code passes these checks, use the following methods depending on your environment:
+
+   1. **GitHub Actions**: GitHub Actions will automatically run all configured checks when a PR is created or modified.
+
+   1. **Local**: You can manually trigger the tests in a docker container from your local environment with the following command:
+
+      ```bash
+      ./run_linters.sh
+      ```
+
+1. For issues that can be fixed automatically, you can automatically fix issues in your local environment with either of the following methods:
+
+   1. **Fix mode**: Run super-linter locally in fix mode by setting an environment variable to additionally run automatic fixes for the libraries configure
+
+      ```bash
+      export LINTER_CONTAINER_FIX_MODE=true
+      ./run_linters.sh
+      ```

README.md

@@ -1,3 +1,6 @@
- # OCISO Solutions
+# OCISO Solutions
 
- 
+This repository contains solutions and sample code from the Google Cloud Office of the Chief Information Security Officer (OCISO) team.
+Each sub-directory is a standalone solution that addresses different use cases.
+
+This is not an official Google product.

gcmvsp/README.md

@@ -1,4 +1,3 @@
-
 # Google Cloud Minimum Viable Secure Platform (GCMVSP)
 
 This repository contains sample code to implement the set of terraform policies recommended by GMVSP.
@@ -8,16 +7,17 @@ This repository assumes you're already familiar with the [Organisation Policy Se
 
 We recommend that new organizations should apply the full set of policies before creating other resources on Google Cloud. This creates a guardrail that resources cannot be created in violation of the organization policies.
 
-For existing Google Cloud customers that have already created resources, implementing policies at the organization node can be risky, and might have existing resources in violation of the policy. In this scenario, we recommend that you use a combination of the following strategies: 
- - [Test organization policy changes with Policy Simulator](https://docs.cloud.google.com/policy-intelligence/docs/test-organization-policies)
- - [Create an organization policy in dry-run mode](https://docs.cloud.google.com/resource-manager/docs/organization-policy/dry-run-policy)
- - For legacy policies that don't support Policy Simulator or dry-run mode, enforce policies gradually by apply to a non-critical project or folder first to assess potential violations.
+For existing Google Cloud customers that have already created resources, implementing policies at the organization node can be risky, and might have existing resources in violation of the policy. In this scenario, we recommend that you use a combination of the following strategies:
+
+- [Test organization policy changes with Policy Simulator](https://docs.cloud.google.com/policy-intelligence/docs/test-organization-policies)
+- [Create an organization policy in dry-run mode](https://docs.cloud.google.com/resource-manager/docs/organization-policy/dry-run-policy)
+- For legacy policies that don't support Policy Simulator or dry-run mode, enforce policies gradually by apply to a non-critical project or folder first to assess potential violations.
 
 ## Quickstart
 
 To deploy the Infrastructure-as-Code (IaC) resources using terraform, perform the follow steps:
 
-1. Decide where in the [resource hierarchy](https://docs.cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) (organization, folder, or project) you will apply organization policies. 
+1. Decide where in the [resource hierarchy](https://docs.cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) (organization, folder, or project) you will apply organization policies.
 
 1. This example code is deployed through Terraform using your own user identity. Your user identity needs the following [IAM Roles](https://cloud.google.com/iam/docs/roles-overview) on your organization, folder, or project:
 
@@ -46,9 +46,9 @@ To deploy the Infrastructure-as-Code (IaC) resources using terraform, perform th
 
 1. Create a terraform.tfvars file with the following variables:
 
-   | Terraform variables         | Description                                                                                           |
-   | --------------------------- | ----------------------------------------------------------------------------------------------------- |
-   | parent_id                  | The ID of your your Google Cloud organization, folder, or project in the format organizations/123456789, folders/123456789, or projects/project-id.  |
+   | Terraform variables | Description                                                                                                                                         |
+   | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
+   | parent_id           | The ID of your your Google Cloud organization, folder, or project in the format organizations/123456789, folders/123456789, or projects/project-id. |
 
 1. Initialize Terraform:
 
@@ -60,4 +60,4 @@ To deploy the Infrastructure-as-Code (IaC) resources using terraform, perform th
 
    ```sh
    terraform apply
-   ```
+   ```

gcmvsp/main.tf

@@ -1,3 +1,17 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 resource "google_org_policy_policy" "require_os_login" {
   name   = "${var.parent_id}/policies/compute.managed.requireOsLogin"
   parent = var.parent_id

gcmvsp/providers.tf

@@ -1,3 +1,17 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 terraform {
   required_providers {
     google = {