notifications-api/.github/workflows/daily_checks.yml

name: Run daily scans

on:
  schedule:
    # cron format: 'minute hour dayofmonth month dayofweek'
    # this will run at noon UTC every day (7am EST / 8am EDT)
    - cron: '0 12 * * *'

permissions:
  contents: read

env:
  DEBUG: True
  NOTIFY_ENVIRONMENT: test
  NEW_RELIC_CONFIG_FILE: newrelic.ini
  NEW_RELIC_ENVIRONMENT: test
  FLASK_APP: application.py
  WERKZEUG_DEBUG_PIN: off
  REDIS_ENABLED: 0
  AWS_US_TOLL_FREE_NUMBER: "+18556438890"

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-project
      - name: Create requirements.txt
        run: poetry export --output requirements.txt
      - uses: pypa/gh-action-pip-audit@v1.1.0
        with:
          inputs: requirements.txt
          ignore-vulns: |
            PYSEC-2023-312
      - name: Upload pip-audit artifact
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: /tmp/pip-audit-output.txt

  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        run: pip install bandit
      - name: Run scan
        run: bandit -r app/ -f txt -o /tmp/bandit-output.txt --confidence-level medium
      - name: Upload bandit artifact
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: /tmp/bandit-output.txt

  dynamic-scan:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres
        env:
          POSTGRES_USER: user
          POSTGRES_PASSWORD: password
          POSTGRES_DB: test_notification_api
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Maps tcp port 5432 on service container to the host
          - 5432:5432
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup-project
      - name: Install application dependencies
        run: make bootstrap
        env:
          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
          NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
          NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
          NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
          NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
      - name: Run server
        run: make run-flask &
        env:
          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
      - name: Run OWASP API Scan
        uses: zaproxy/action-api-scan@v0.9.0
        with:
          docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
          target: 'http://localhost:6011/docs/openapi.yml'
          fail_action: true
          allow_issue_writing: false
          rules_file_name: 'zap.conf'
          cmd_options: '-I'