mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-02-05 10:53:28 -05:00
14508b2d97
This changeset updates all references to GitHub Actions to be version 4 due to a mandatory Node.js update. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
61 lines
1.6 KiB
YAML
61 lines
1.6 KiB
YAML
name: Run daily scans
|
|
|
|
on:
|
|
schedule:
|
|
# cron format: 'minute hour dayofmonth month dayofweek'
|
|
# this will run at 10am UTC every day (5am EST / 6am EDT)
|
|
- cron: '0 10 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
NOTIFY_ENVIRONMENT: test
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
NODE_VERSION: 16.15.1
|
|
|
|
jobs:
|
|
dependency-audits:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --without-hashes --format=requirements.txt > requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.0.6
|
|
with:
|
|
inputs: requirements.txt
|
|
- name: Run npm audit
|
|
run: make npm-audit
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run scan
|
|
run: poetry run bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
NOTIFY_ENVIRONMENT: scanning
|
|
- name: Run OWASP Full Scan
|
|
uses: zaproxy/action-full-scan@v0.7.0
|
|
with:
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
|
|
target: 'http://localhost:6012'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|