Run daily scans #855
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run daily scans | |
| on: | |
| schedule: | |
| # cron format: 'minute hour dayofmonth month dayofweek' | |
| # this will run at 10am UTC every day (5am EST / 6am EDT) | |
| - cron: '0 10 * * *' | |
| permissions: | |
| contents: read | |
| env: | |
| NOTIFY_ENVIRONMENT: test | |
| NEW_RELIC_CONFIG_FILE: newrelic.ini | |
| NEW_RELIC_ENVIRONMENT: test | |
| FLASK_APP: application.py | |
| WERKZEUG_DEBUG_PIN: off | |
| REDIS_ENABLED: 0 | |
| NODE_VERSION: 16.15.1 | |
| jobs: | |
| dependency-audits: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/setup-project | |
| - name: Create requirements.txt | |
| run: poetry export --without-hashes --format=requirements.txt > requirements.txt | |
| - uses: pypa/[email protected] | |
| with: | |
| inputs: requirements.txt | |
| - name: Run npm audit | |
| run: make npm-audit | |
| static-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/setup-project | |
| - name: Run scan | |
| run: poetry run bandit -r app/ --confidence-level medium | |
| dynamic-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./.github/actions/setup-project | |
| - name: Run server | |
| run: make run-flask & | |
| env: | |
| NOTIFY_ENVIRONMENT: scanning | |
| - name: Run OWASP Full Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| docker_name: 'ghcr.io/zaproxy/zaproxy:weekly' | |
| target: 'http://localhost:6012' | |
| fail_action: true | |
| allow_issue_writing: false | |
| rules_file_name: 'zap.conf' | |
| cmd_options: '-I' |