notifications-admin/.github/workflows/daily_checks.yml

name: Run daily scans

on:
  schedule:
    # cron format: 'minute hour dayofmonth month dayofweek'
    # this will run at 10am UTC every day (5am EST / 6am EDT)
    - cron: '0 10 * * *'

permissions:
  contents: read

env:
  NOTIFY_ENVIRONMENT: test
  FLASK_APP: application.py
  FLASK_ENV: development
  WERKZEUG_DEBUG_PIN: off
  REDIS_ENABLED: 0
  NODE_VERSION: 16.15.1
  AWS_REGION: us-west-2

jobs:
  dependency-audits:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: ./.github/actions/setup-project
    - uses: trailofbits/gh-action-pip-audit@v1.0.0
      with:
        inputs: requirements.txt
        ignore-vulns: PYSEC-2022-237
    - name: Run npm audit
      run: make npm-audit

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        run: pip install bandit
      - name: Run scan
        run: bandit -r app/ --confidence-level medium

  dynamic-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Run server
        run: make run-flask &
        env:
          NOTIFY_ENVIRONMENT: scanning
      - name: Run OWASP Full Scan
        uses: zaproxy/action-full-scan@v0.4.0
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://localhost:6012'
          fail_action: true
          allow_issue_writing: false
          rules_file_name: 'zap.conf'
          cmd_options: '-I'