mirror of
https://github.com/GSA/notifications-api.git
synced 2025-12-10 07:12:20 -05:00
e019e9cf11
The OWASP ZAP scan GitHub Actions have been updated recently and we need to make sure our GitHub Actions account for the recent changes. This changeset makes sure we are using the latest version of the OWASP ZAP API scan, the correct Docker image, and adjusts the name of the step to accurately reflect what scan is being run. Signed-off-by: Carlo Costino <carlo.costino@gsa.gov>
95 lines
3.0 KiB
YAML
95 lines
3.0 KiB
YAML
name: Run daily scans
|
|
|
|
on:
|
|
schedule:
|
|
# cron format: 'minute hour dayofmonth month dayofweek'
|
|
# this will run at noon UTC every day (7am EST / 8am EDT)
|
|
- cron: '0 12 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
DEBUG: True
|
|
NOTIFY_ENVIRONMENT: test
|
|
NEW_RELIC_CONFIG_FILE: newrelic.ini
|
|
NEW_RELIC_ENVIRONMENT: test
|
|
FLASK_APP: application.py
|
|
WERKZEUG_DEBUG_PIN: off
|
|
REDIS_ENABLED: 0
|
|
AWS_US_TOLL_FREE_NUMBER: "+18556438890"
|
|
|
|
jobs:
|
|
pip-audit:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Create requirements.txt
|
|
run: poetry export --without-hashes --format=requirements.txt > requirements.txt
|
|
- uses: pypa/gh-action-pip-audit@v1.0.6
|
|
with:
|
|
inputs: requirements.txt
|
|
- name: Upload pip-audit artifact
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: pip-audit-report
|
|
path: /tmp/pip-audit-output.txt
|
|
|
|
static-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install bandit
|
|
run: pip install bandit
|
|
- name: Run scan
|
|
run: bandit -r app/ -f txt -o /tmp/bandit-output.txt --confidence-level medium
|
|
- name: Upload bandit artifact
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: bandit-report
|
|
path: /tmp/bandit-output.txt
|
|
|
|
dynamic-scan:
|
|
runs-on: ubuntu-latest
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_USER: user
|
|
POSTGRES_PASSWORD: password
|
|
POSTGRES_DB: test_notification_api
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
ports:
|
|
# Maps tcp port 5432 on service container to the host
|
|
- 5432:5432
|
|
steps:
|
|
- uses: actions/checkout@v3
|
|
- uses: ./.github/actions/setup-project
|
|
- name: Install application dependencies
|
|
run: make bootstrap
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
NOTIFY_E2E_TEST_EMAIL: ${{ secrets.NOTIFY_E2E_TEST_EMAIL }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_PASSWORD }}
|
|
NOTIFY_E2E_TEST_HTTP_AUTH_USER: ${{ secrets.NOTIFY_E2E_TEST_HTTP_AUTH_USER }}
|
|
NOTIFY_E2E_TEST_PASSWORD: ${{ secrets.NOTIFY_E2E_TEST_PASSWORD }}
|
|
- name: Run server
|
|
run: make run-flask &
|
|
env:
|
|
SQLALCHEMY_DATABASE_TEST_URI: postgresql://user:password@localhost:5432/test_notification_api
|
|
- name: Run OWASP API Scan
|
|
uses: zaproxy/action-api-scan@v0.5.0
|
|
with:
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:weekly'
|
|
target: 'http://localhost:6011/docs/openapi.yml'
|
|
fail_action: true
|
|
allow_issue_writing: false
|
|
rules_file_name: 'zap.conf'
|
|
cmd_options: '-I'
|