mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-20 15:31:15 -05:00
94 lines
2.7 KiB
YAML
94 lines
2.7 KiB
YAML
name: Run daily scans
|
|
|
|
on:
|
|
schedule:
|
|
# cron format: 'minute hour dayofmonth month dayofweek'
|
|
# this will run at noon UTC every day (7am EST / 8am EDT)
|
|
- cron: '0 12 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
DEBUG: True
|
|
ANTIVIRUS_ENABLED: 0
|
|
NOTIFY_ENVIRONMENT: test
|
|
STATSD_HOST: localhost
|
|
SES_STUB_URL: None
|
|
NOTIFY_APP_NAME: api
|
|
NOTIFY_EMAIL_DOMAIN: dispostable.com
|
|
NOTIFY_LOG_PATH: /workspace/logs/app.log
|
|
ADMIN_CLIENT_ID: notify-admin
|
|
ADMIN_CLIENT_SECRET: dev-notify-secret-key
|
|
FLASK_APP: application.py
|
|
FLASK_ENV: development
|
|
WERKZEUG_DEBUG_PIN: off
|
|
ADMIN_BASE_URL: http://localhost:6012
|
|
API_HOST_NAME: http://localhost:6011
|
|
REDIS_URL: redis://localhost:6380
|
|
REDIS_ENABLED: False
|
|
AWS_REGION: us-west-2
|
|
AWS_PINPOINT_REGION: us-west-2
|
|
AWS_US_TOLL_FREE_NUMBER: +18446120782
|
|
|
|
jobs:
|
|
pip-audit:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: pipenv requirements > requirements.txt
|
|
- uses: trailofbits/gh-action-pip-audit@v1.0.0
|
|
with:
|
|
inputs: requirements.txt
|
|
ignore-vulns: PYSEC-2022-237
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install bandit
|
|
run: pip install bandit
|
|
- name: Run scan
|
|
run: bandit -r app/ --confidence-level medium
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install application dependencies
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
- name: Run OWASP Baseline Scan
|
|
uses: zaproxy/action-api-scan@v0.1.1
|
|
with:
|
|
docker_name: 'owasp/zap2docker-weekly'
|
|
target: 'http://localhost:6011/_status'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|