This changeset adds the same additional steps needed in our PR checks to make sure the daily checks work properly with the recent Poetry update. It also updates our PR checks to use the latest pip-audit GitHub action.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
This changeset updates our GitHub Action for dynamic scans to use the latest release of the zaproxy-api-scan.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
This changeset adds a Python vulnerability that we need to ignore because it was incorrectly applied to the Python Redis module. This is a vulnerability with an older version of Redis itself, not the Python module.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
This changeset updates a couple of dependencies, including our Python dependency audit check, and specifically ignores a gunicorn audit flag that appeared on 4/16/2024.
As soon as there is an update available for gunicorn that addresses the issue we will remove the flag to ignore the vulnerability report and update the dependency.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
This changeset updates all references to GitHub Actions to be version 4 due to a mandatory Node.js update.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
The OWASP ZAP scan GitHub Actions have been updated recently and we need to make sure our GitHub Actions account for the recent changes. This changeset makes sure we are using the latest version of the OWASP ZAP API scan, the correct Docker image, and adjusts the name of the step to accurately reflect what scan is being run.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
I noticed that a previous scan yesterday had referenced the weekly releases under the hood despite being configured for stable.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
This PR fixes the dynamic-scan job, which is now failing in our PR checks due to missing environment variables.
Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
