mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-04-27 04:31:11 -04:00
38379176f4
The OWASP ZAP scan GitHub Actions have been updated recently and we need to make sure our GitHub Actions account for the recent changes. This changeset makes sure we are using the latest version of the OWASP ZAP API scan and the correct Docker image. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
61 lines
1.6 KiB
YAML
61 lines
1.6 KiB
YAML
name: Run daily scans
|
|
|
|
on:
|
|
schedule:
|
|
# cron format: 'minute hour dayofmonth month dayofweek'
|
|
# this will run at 10am UTC every day (5am EST / 6am EDT)
|
|
- cron: '0 10 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
NOTIFY_ENVIRONMENT: test
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
NODE_VERSION: 16.15.1
|
|
|
|
jobs:
|
|
dependency-audits:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --without-hashes --format=requirements.txt > requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.0.6
|
|
with:
|
|
inputs: requirements.txt
|
|
- name: Run npm audit
|
|
run: make npm-audit
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run scan
|
|
run: poetry run bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
NOTIFY_ENVIRONMENT: scanning
|
|
- name: Run OWASP Full Scan
|
|
uses: zaproxy/action-full-scan@v0.7.0
|
|
with:
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
|
|
target: 'http://localhost:6012'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|