The OWASP ZAP scan GitHub Actions have been updated recently and we need to make sure our GitHub Actions account for the recent changes. This changeset makes sure we are using the latest version of the OWASP ZAP API scan, the correct Docker image, and adjusts the name of the step to accurately reflect what scan is being run. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
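name: Run checks

# NOTE(review): every `uses:` below references a mutable tag (e.g.
# actions/checkout@v3, zaproxy/action-api-scan@v0.5.0). Pinning each one to
# a full commit SHA protects this workflow from a force-pushed or compromised
# upstream tag. The SHAs are not visible here, so none have been substituted.

on: [push]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to the
# repository (the ZAP step has issue writing disabled), so read-only `contents`
# is sufficient for every job.
permissions:
  contents: read

env:
  # Values that YAML would otherwise read as booleans/numbers are quoted so the
  # text reaches the process exactly as written instead of depending on how the
  # workflow parser stringifies `True`/`off`/`0`. This matters most for
  # WERKZEUG_DEBUG_PIN: Werkzeug only disables the debugger PIN when the value
  # is literally "off" (case-insensitive); any other text becomes the PIN.
  DEBUG: 'True'
  NOTIFY_ENVIRONMENT: test
  NEW_RELIC_CONFIG_FILE: newrelic.ini
  NEW_RELIC_ENVIRONMENT: test
  FLASK_APP: application.py
  # NOTE(review): DEBUG=True with the debugger PIN disabled also applies to the
  # server scanned in `dynamic-scan`. That server only listens on the
  # ephemeral runner, but it runs with debug behaviour production does not
  # have, so scan findings may differ from a production-like configuration.
  WERKZEUG_DEBUG_PIN: 'off'
  REDIS_ENABLED: '0'
  AWS_US_TOLL_FREE_NUMBER: "+18556438890"

jobs:
  # Lint, import-order, dead-code and unit-test checks against a throwaway
  # Postgres service container.
  build:
    runs-on: ubuntu-latest

    services:
      postgres:
        # NOTE(review): an untagged image floats to `latest`, so the Postgres
        # major version under test can change without any change to this repo.
        # The version the application targets is not visible here; pin it
        # (e.g. a major tag) once known.
        image: postgres
        env:
          # Throwaway credentials for the job-local service container only;
          # the same values are embedded in SQLALCHEMY_DATABASE_TEST_URI below.
          POSTGRES_USER: user
          POSTGRES_PASSWORD: password
          POSTGRES_DB: test_notification_api
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Maps tcp port 5432 on service container to the host
          - "5432:5432"

    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install application dependencies
        run: make bootstrap
        # Secrets are scoped to the individual steps that use them rather than
        # hoisted to job level, so the lint and dead-code steps never see them.
        env:
          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
          NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
          NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
          NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
          NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
      - name: Run style checks
        run: poetry run flake8 .
      - name: Check imports alphabetized
        run: poetry run isort --check-only ./app ./tests
      - name: Check for dead code
        run: make dead-code
      - name: Run tests with coverage
        # notifications_utils is vendored/external code and excluded from the
        # coverage measurement; --maxfail stops early on a broken build.
        run: poetry run coverage run --omit=*/notifications_utils/* -m pytest --maxfail=10
        env:
          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
          NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
          NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
          NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
          NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
      - name: Check coverage threshold
        run: poetry run coverage report --fail-under=50

  # Confirms newrelic.ini parses with a real license key for the staging
  # environment section.
  validate-new-relic-config:
    runs-on: ubuntu-latest
    # NOTE(review): this job runs on every push of every branch and reads an
    # environment secret. If the `staging` environment has no deployment-branch
    # protection rule, any branch can exercise NEW_RELIC_LICENSE_KEY; consider
    # restricting the environment to protected branches.
    environment: staging
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install poetry packages
        run: poetry install
      - name: Validate NewRelic config
        env:
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          # Need to set a NEW_RELIC_ENVIRONMENT with monitor_mode: true
          NEW_RELIC_ENVIRONMENT: staging
        run: poetry run newrelic-admin validate-config $NEW_RELIC_CONFIG_FILE

  # Known-vulnerability audit of the resolved dependency set. pip-audit only
  # needs name/version pins, so hashes are omitted from the export.
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Create requirements.txt
        run: poetry export --without-hashes --format=requirements.txt > requirements.txt
      - uses: pypa/gh-action-pip-audit@v1.0.6
        with:
          inputs: requirements.txt

  # Static (SAST) scan of the application package with bandit.
  static-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install bandit
        # NOTE(review): unpinned install; a new bandit release can change
        # findings (and thus pass/fail) without a change to this repo.
        run: pip install bandit
      - name: Run scan
        # Only medium-confidence-and-above findings are reported.
        run: bandit -r app/ --confidence-level medium

  # Dynamic (DAST) scan: boot the API against a throwaway Postgres and run the
  # OWASP ZAP API scan against its OpenAPI definition.
  dynamic-scan:
    runs-on: ubuntu-latest

    services:
      postgres:
        # NOTE(review): untagged image floats to `latest`; see `build` above.
        image: postgres
        env:
          POSTGRES_USER: user
          POSTGRES_PASSWORD: password
          POSTGRES_DB: test_notification_api
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          # Maps tcp port 5432 on service container to the host
          - "5432:5432"

    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup-project
      - name: Install application dependencies
        run: make bootstrap
        env:
          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
          NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
          NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
          NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
          NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
      - name: Run server
        # Backgrounded so the step returns; the process keeps running for the
        # remaining steps of this job.
        run: make run-flask &
        env:
          SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
      - name: Wait for server to accept connections
        # The previous step does not block until the server is listening.
        # Without this gate the ZAP scan can start before port 6011 is open and
        # fail on fetching the spec (or scan nothing) instead of reporting real
        # findings. Polls the same unauthenticated URL ZAP will fetch.
        run: |
          for _ in $(seq 1 30); do
            if curl --fail --silent --output /dev/null http://localhost:6011/docs/openapi.yml; then
              exit 0
            fi
            sleep 2
          done
          echo "Server did not become ready on port 6011" >&2
          exit 1
      - name: Run OWASP API Scan
        uses: zaproxy/action-api-scan@v0.5.0
        with:
          # NOTE(review): the `weekly` tag moves every week, so results are not
          # reproducible between runs; the `stable` tag or an image digest
          # would pin the scanner version.
          docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
          target: 'http://localhost:6011/docs/openapi.yml'
          # fail_action plus `-I` ("do not return failure on warning") means
          # only FAIL-level results, as classified by zap.conf, fail the job;
          # WARN-level results are reported but do not block.
          fail_action: true
          # No GitHub issues are opened, consistent with the read-only
          # GITHUB_TOKEN permissions declared at the top of this file.
          allow_issue_writing: false
          rules_file_name: 'zap.conf'
          cmd_options: '-I'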