Run scans every day

.github/workflows/checks.yml

@@ -117,7 +117,7 @@ jobs:
         uses: zaproxy/action-api-scan@v0.1.1
         with:
           docker_name: 'owasp/zap2docker-weekly'
-          target: 'http://localhost:6011/'
+          target: 'http://localhost:6011/_status'
           fail_action: true
           allow_issue_writing: false
           rules_file_name: 'zap.conf'

.github/workflows/daily_checks.yml

@@ -0,0 +1,93 @@
+name: Run daily scans
+
+on:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at noon UTC every day (7am EST / 8am EDT)
+    - cron: '0 12 * * *'
+
+permissions:
+  contents: read
+
+env:
+  DEBUG: True
+  ANTIVIRUS_ENABLED: 0
+  NOTIFY_ENVIRONMENT: test
+  NOTIFICATION_QUEUE_PREFIX: local_dev_10x
+  STATSD_HOST: localhost
+  SES_STUB_URL: None
+  NOTIFY_APP_NAME: api
+  NOTIFY_EMAIL_DOMAIN: dispostable.com
+  NOTIFY_LOG_PATH: /workspace/logs/app.log
+  ADMIN_CLIENT_ID: notify-admin
+  ADMIN_CLIENT_SECRET: dev-notify-secret-key
+  GOVUK_ALERTS_CLIENT_ID: govuk-alerts
+  FLASK_APP: application.py
+  FLASK_ENV: development
+  WERKZEUG_DEBUG_PIN: off
+  ADMIN_BASE_URL: http://localhost:6012
+  API_HOST_NAME: http://localhost:6011
+  REDIS_URL: redis://localhost:6380
+  REDIS_ENABLED: False
+  AWS_REGION: us-west-2
+  AWS_PINPOINT_REGION: us-west-2
+  AWS_US_TOLL_FREE_NUMBER: +18446120782
+
+jobs:
+  pip-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/setup-project
+      - uses: trailofbits/gh-action-pip-audit@v1.0.0
+        with:
+          inputs: requirements.txt requirements_for_test.txt
+          ignore-vulns: PYSEC-2022-237
+
+  static-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/setup-project
+      - name: Install bandit
+        run: pip install bandit
+      - name: Run scan
+        run: bandit -r app/ --confidence-level medium
+
+  dynamic-scan:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres
+        env:
+          POSTGRES_USER: user
+          POSTGRES_PASSWORD: password
+          POSTGRES_DB: test_notification_api
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          # Maps tcp port 5432 on service container to the host
+          - 5432:5432
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/setup-project
+      - name: Install application dependencies
+        run: make bootstrap
+        env:
+          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
+      - name: Run server
+        run: make run-flask &
+        env:
+          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
+      - name: Run OWASP Baseline Scan
+        uses: zaproxy/action-api-scan@v0.1.1
+        with:
+          docker_name: 'owasp/zap2docker-weekly'
+          target: 'http://localhost:6011/_status'
+          fail_action: true
+          allow_issue_writing: false
+          rules_file_name: 'zap.conf'
+          cmd_options: '-I'