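---
# CI workflow: lint, unit tests, dependency audits, static scan (bandit),
# dynamic scan (ZAP baseline) and accessibility scan (pa11y-ci).
name: Run checks

# yamllint disable-line rule:truthy
on: [push]

# Read-only GITHUB_TOKEN for every job; no job below needs write access.
permissions:
  contents: read

env:
  NOTIFY_ENVIRONMENT: test
  FLASK_APP: application.py
  FLASK_ENV: development
  # Quoted on purpose: a bare `off` is a YAML 1.1 boolean and would not
  # reach the process as the literal string Werkzeug looks for.
  # This disables the debugger PIN prompt on the CI runner only.
  WERKZEUG_DEBUG_PIN: 'off'
  REDIS_ENABLED: 0
  NODE_VERSION: 16.15.1
  AWS_REGION: us-west-2

# NOTE(review): third-party actions are pinned to mutable tags (@v3, @v1.0.0,
# @v0.7.0); pinning to a full commit SHA makes the resolved code immutable.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run style checks
        run: flake8 .
      - name: Check imports alphabetized
        run: isort --check-only ./app ./tests
      - name: Run js lint
        run: npm run lint
      - name: Run js tests
        run: npm test
      - name: Run py tests
        run: pytest -n4 --maxfail=10

  dependency-audits:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - uses: trailofbits/gh-action-pip-audit@v1.0.0
        with:
          inputs: requirements.txt
          # Suppressed advisory; the reason is not recorded here — keep the
          # justification next to the suppression so it can be re-checked.
          ignore-vulns: PYSEC-2022-237
      - name: Run npm audit
        run: make npm-audit

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        # NOTE(review): unpinned install pulls whatever bandit is latest on
        # each run; a version pin keeps scan results reproducible.
        run: pip install bandit
      - name: Run scan
        run: bandit -r app/ --confidence-level medium

  dynamic-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        # Backgrounded so the scan step below can run against it.
        # NOTE(review): there is no readiness wait before the ZAP step; if
        # the make target does not block until the port is listening, the
        # scan may start before localhost:6012 answers — confirm.
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Run OWASP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          docker_name: "owasp/zap2docker-stable"
          target: "http://localhost:6012"
          # Fail the job on findings; do not open GitHub issues from CI.
          fail_action: true
          allow_issue_writing: false
          rules_file_name: "zap.conf"
          cmd_options: "-I"

  a11y-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        # Same backgrounded server pattern as dynamic-scan; same readiness
        # caveat applies before pa11y-ci runs.
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Run pa11y-ci
        run: make a11y-scan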