Add python and npm audits to checks.yml

.github/actions/setup-project/action.yml

@@ -0,0 +1,17 @@
+name: Set up project
+description: Setup python & install dependencies
+runs:
+  using: composite
+  steps:
+    - name: Install container dependencies
+      shell: bash
+      run: |
+        sudo apt-get update \
+        && sudo apt-get install -y --no-install-recommends \
+        libcurl4-openssl-dev
+    - name: Set up Python 3.9
+      uses: actions/setup-python@v3
+      with:
+        python-version: "3.9"
+    - name: Install application dependencies
+      run: make bootstrap

.github/workflows/checks.yml

@@ -29,20 +29,9 @@ env:
 jobs:
   build:
     runs-on: ubuntu-latest
-
     steps:
-    - name: Install container dependencies
-      run: |
-        sudo apt-get update \
-        && sudo apt-get install -y --no-install-recommends \
-        libcurl4-openssl-dev
     - uses: actions/checkout@v3
-    - name: Set up Python 3.9
-      uses: actions/setup-python@v3
-      with:
-        python-version: "3.9"
-    - name: Install application dependencies
-      run: make bootstrap
+    - uses: ./.github/actions/setup-project
     - name: Run style checks
       run: flake8 .
     - name: Check imports alphabetized
@@ -51,3 +40,15 @@ jobs:
       run: npm test
     - name: Run py tests
       run: pytest -n4 --maxfail=10
+
+  dependency-audits:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ./.github/actions/setup-project
+    - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      with:
+        inputs: requirements.txt requirements_for_test.txt
+        ignore-vulns: PYSEC-2022-237
+    - name: Run npm audit
+      run: make npm-audit

.github/workflows/daily_checks.yml

@@ -0,0 +1,44 @@
+name: Run daily scans
+
+on:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at noon UTC every day (7am EST / 8am EDT)
+    - cron: '0 12 * * *'
+
+permissions:
+  contents: read
+
+env:
+  NOTIFY_ENVIRONMENT: test
+  FLASK_APP: application.py
+  FLASK_ENV: development
+  WERKZEUG_DEBUG_PIN: off
+  REDIS_URL: redis://adminredis:6379/0
+  DEV_REDIS_URL: redis://adminredis:6379/0
+  REDIS_ENABLED: False
+  ANTIVIRUS_ENABLED: 0
+  NODE_VERSION: 16.15.1
+  ADMIN_CLIENT_ID: notify-admin
+  ADMIN_CLIENT_USERNAME: notify-admin
+  ADMIN_CLIENT_SECRET: dev-notify-secret-key
+  GOVUK_ALERTS_CLIENT_ID: govuk-alerts
+  ADMIN_BASE_URL: http://localhost:6012
+  API_HOST_NAME: http://localhost:6011
+  DEV_API_HOST_NAME: http://localhost:6011
+  AWS_REGION: us-west-2
+  BASIC_AUTH_USERNAME: curiousabout
+  BASIC_AUTH_PASSWORD: the10xnotifybeta
+
+jobs:
+  dependency-audits:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ./.github/actions/setup-project
+    - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      with:
+        inputs: requirements.txt requirements_for_test.txt
+        ignore-vulns: PYSEC-2022-237
+    - name: Run npm audit
+      run: make npm-audit

Makefile

@@ -73,6 +73,14 @@ freeze-requirements: ## create static requirements.txt
 	${VIRTUALENV_ROOT}/bin/pip install --upgrade pip-tools
 	${VIRTUALENV_ROOT}/bin/pip-compile requirements.in
 
+.PHONY: pip-audit
+pip-audit:
+	pip install --upgrade pip-audit
+	pip-audit -r requirements.txt -r requirements_for_test.txt -l --ignore-vuln PYSEC-2022-237
+
+.PHONY: audit
+audit: npm-audit pip-audit
+
 .PHONY: clean
 clean:
 	rm -rf node_modules cache target ${CF_MANIFEST_PATH}

package.json

@@ -10,7 +10,7 @@
     "test-watch": "jest --watch --config tests/javascripts/jest.config.js tests/javascripts",
     "build": "gulp",
     "watch": "gulp watch",
-    "audit": "better-npm-audit audit --production --level high"
+    "audit": "better-npm-audit audit --production --level low"
   },
   "repository": {
     "type": "git",