From 2550464b8f249029369a408d53c4df7f7c44fa78 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Tue, 23 Aug 2022 16:44:34 -0400
Subject: [PATCH] Run scans every day
---
 .github/workflows/checks.yml | 2 +-
 .github/workflows/daily_checks.yml | 93 ++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/daily_checks.yml
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index b59c57dd5..b7340ec17 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -117,7 +117,7 @@ jobs:
 uses: zaproxy/action-api-scan@v0.1.1
 with:
 docker_name: 'owasp/zap2docker-weekly'
- target: 'http://localhost:6011/'
+ target: 'http://localhost:6011/_status'
 fail_action: true
 allow_issue_writing: false
 rules_file_name: 'zap.conf'
diff --git a/.github/workflows/daily_checks.yml b/.github/workflows/daily_checks.yml
new file mode 100644
index 000000000..16ea19a80
--- /dev/null
+++ b/.github/workflows/daily_checks.yml
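Review bot: The new `target: 'http://localhost:6011/_status'` points ZAP at a health endpoint rather than an API definition, and the hunk records no reason for the change. With `zaproxy/action-api-scan`, `target` is the URL of the API definition to import (OpenAPI unless `format` is set), so a status endpoint most likely gives ZAP no routes and leaves only that single response to be scanned — if a smoke-level check of `_status` is the intent, a comment such as `# _status only: <reason> — full API coverage is not provided by this target` (author to fill in) would stop the next reader from taking this as a full-surface scan. The same value is introduced in the new daily_checks.yml hunk below. The enclosing dynamic-scan job starts outside this hunk.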
@@ -0,0 +1,93 @@
+name: Run daily scans
+
+on:
+ schedule:
+ # cron format: 'minute hour dayofmonth month dayofweek'
+ # this will run at noon UTC every day (7am EST / 8am EDT)
+ - cron: '0 12 * * *'
+
+permissions:
+ contents: read
+
+env:
+ DEBUG: True
+ ANTIVIRUS_ENABLED: 0
+ NOTIFY_ENVIRONMENT: test
+ NOTIFICATION_QUEUE_PREFIX: local_dev_10x
+ STATSD_HOST: localhost
+ SES_STUB_URL: None
+ NOTIFY_APP_NAME: api
+ NOTIFY_EMAIL_DOMAIN: dispostable.com
+ NOTIFY_LOG_PATH: /workspace/logs/app.log
+ ADMIN_CLIENT_ID: notify-admin
+ ADMIN_CLIENT_SECRET: dev-notify-secret-key
+ GOVUK_ALERTS_CLIENT_ID: govuk-alerts
+ FLASK_APP: application.py
+ FLASK_ENV: development
+ WERKZEUG_DEBUG_PIN: off
+ ADMIN_BASE_URL: http://localhost:6012
+ API_HOST_NAME: http://localhost:6011
+ REDIS_URL: redis://localhost:6380
+ REDIS_ENABLED: False
+ AWS_REGION: us-west-2
+ AWS_PINPOINT_REGION: us-west-2
+ AWS_US_TOLL_FREE_NUMBER: +18446120782
+
+jobs:
+ pip-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./.github/actions/setup-project
+ - uses: trailofbits/gh-action-pip-audit@v1.0.0
+ with:
+ inputs: requirements.txt requirements_for_test.txt
+ ignore-vulns: PYSEC-2022-237
+
+ static-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./.github/actions/setup-project
+ - name: Install bandit
+ run: pip install bandit
+ - name: Run scan
+ run: bandit -r app/ --confidence-level medium
+
+ dynamic-scan:
+ runs-on: ubuntu-latest
+ services:
+ postgres:
+ image: postgres
+ env:
+ POSTGRES_USER: user
+ POSTGRES_PASSWORD: password
+ POSTGRES_DB: test_notification_api
+ options: >-
+ --health-cmd pg_isready
+ --health-interval 10s
+ --health-timeout 5s
+ --health-retries 5
+ ports:
+ # Maps tcp port 5432 on service container to the host
+ - 5432:5432
+ steps:
+ - uses: actions/checkout@v3
+ - uses: ./.github/actions/setup-project
+ - name: Install application dependencies
+ run: make bootstrap
+ env:
+ SQLALCHEMY_DATABASE_TEST_URI: 
postgresql://user:password@localhost:5432/test_notification_api
+ - name: Run server
+ run: make run-flask &
+ env:
+ SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
+ - name: Run OWASP Baseline Scan
+ uses: zaproxy/action-api-scan@v0.1.1
+ with:
+ docker_name: 'owasp/zap2docker-weekly'
+ target: 'http://localhost:6011/_status'
+ fail_action: true
+ allow_issue_writing: false
+ rules_file_name: 'zap.conf'
+ cmd_options: '-I'
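Review bot: `ignore-vulns: PYSEC-2022-237` in the pip-audit job carries no rationale, so the suppression will outlive whatever justified it; add a comment such as `# PYSEC-2022-237: <why the finding does not apply here> — remove once <affected package> is upgraded` (placeholders for the author to fill in). In dynamic-scan, `run: make run-flask &` returns immediately and nothing waits for port 6011 before the ZAP step, so the scan may start against a server that is not yet listening; a readiness step between the two, for example `run: curl --retry 10 --retry-connrefused --retry-delay 2 http://localhost:6011/_status`, would make the outcome deterministic. The third-party actions (`actions/checkout@v3`, `trailofbits/gh-action-pip-audit@v1.0.0`, `zaproxy/action-api-scan@v0.1.1`) are referenced by mutable tags; pinning them to full commit SHAs with the tag in a trailing comment is the usual hardening for a workflow that runs unattended on a schedule. The env block also uses YAML-1.1-looking scalars (`DEBUG: True`, `REDIS_ENABLED: False`, `WERKZEUG_DEBUG_PIN: off`, `SES_STUB_URL: None`); whether the application receives the literal text or a normalised boolean depends on the loader, so quoting them (`DEBUG: "True"`) removes the ambiguity for this file and for any other tool that parses it.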