mirror of
https://github.com/GSA/notifications-api.git
synced 2026-01-18 08:32:35 -05:00
55e24a611a
This changeset updates the PYSEC notices to ignore to due versions that either cannot be fixed or are false positives. Specifically, this changeset removes previously ignored vulnerability reports and adds PYSEC-2023-312 to the list because it is a false positive and refers to Redis itself, not the Python Redis client (see https://github.com/pypa/advisory-database/issues/237 for details). Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
148 lines
5.0 KiB
YAML
148 lines
5.0 KiB
YAML
name: Run checks
|
|
|
|
on: [push]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
DEBUG: True
|
|
NOTIFY_ENVIRONMENT: test
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
AWS_US_TOLL_FREE_NUMBER: "+18556438890"
|
|
|
|
jobs:
|
|
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install application dependencies
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
|
|
- name: Check imports alphabetized
|
|
run: poetry run isort --check-only ./app ./tests
|
|
- name: Run style checks
|
|
run: poetry run flake8 .
|
|
- name: Check for dead code
|
|
run: make dead-code
|
|
- name: Run tests with coverage
|
|
run: poetry run coverage run --omit=*/migrations/*,*/tests/* -m pytest --maxfail=10
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
- name: Check coverage threshold
|
|
# TODO get this back up to 95
|
|
run: poetry run coverage report -m --fail-under=93
|
|
|
|
validate-new-relic-config:
|
|
runs-on: ubuntu-latest
|
|
environment: staging
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install poetry packages
|
|
run: poetry install
|
|
- name: Validate NewRelic config
|
|
env:
|
|
NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
|
|
# Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
|
|
NEW_RELIC_ENVIRONMENT: staging
|
|
run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE
|
|
|
|
pip-audit:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --without-hashes --format=requirements.txt > requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.0.8
|
|
with:
|
|
inputs: requirements.txt
|
|
ignore-vulns: |
|
|
PYSEC-2023-312
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install bandit
|
|
run: pip install bandit
|
|
- name: Run scan
|
|
run: bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install application dependencies
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
- name: Run OWASP API Scan
|
|
uses: zaproxy/action-api-scan@v0.9.0
|
|
with:
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
|
|
target: 'http://localhost:6011/docs/openapi.yml'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|