name: Run daily scans on: schedule: # cron format: 'minute hour dayofmonth month dayofweek' # this will run at 10am UTC every day (5am EST / 6am EDT) - cron: '0 10 * * *' permissions: contents: read env: NOTIFY_ENVIRONMENT: test NEW_RELIC_CONFIG_FILE: newrelic.ini NEW_RELIC_ENVIRONMENT: test FLASK_APP: application.py WERKZEUG_DEBUG_PIN: off REDIS_ENABLED: 0 NODE_VERSION: 16.15.1 jobs: dependency-audits: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Create requirements.txt run: poetry export --without-hashes --format=requirements.txt > requirements.txt - uses: pypa/gh-action-pip-audit@v1.0.6 with: inputs: requirements.txt - name: Run npm audit run: make npm-audit static-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Run scan run: poetry run bandit -r app/ --confidence-level medium dynamic-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-project - name: Run server run: make run-flask & env: NOTIFY_ENVIRONMENT: scanning - name: Run OWASP Full Scan uses: zaproxy/action-full-scan@v0.7.0 with: docker_name: 'ghcr.io/zaproxy/zaproxy:weekly' target: 'http://localhost:6012' fail_action: true allow_issue_writing: false rules_file_name: 'zap.conf' cmd_options: '-I'