Add tools and minor updates to cloning workflow #7135
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security checks | |
on: | |
push: | |
paths-ignore: | |
- 'docs/**' | |
- '**.md' | |
- '.gitignore' | |
branches: | |
- main | |
pull_request: | |
paths-ignore: | |
- 'docs/**' | |
- '**.md' | |
- '.gitignore' | |
branches: | |
- main | |
jobs: | |
security-check: | |
name: Django security check | |
runs-on: ubuntu-latest | |
env: | |
# fail the Django security check even on warnings | |
FAIL_LEVEL: WARNING | |
ENV_TYPE: pipenv | |
DEP_PATH: src/ | |
APP_PATH: src/ | |
EXTRA_ARGS: "--settings=registrar.config.settings" | |
DJANGO_SECRET_KEY: not-a-secret-jw7kQcb35fcDRIKp7K4fqZBmVvb+Sy4nkAGf44DxHi6EJl | |
DATABASE_URL: "postgres://not_a_user:not_a_password@not_a_host" | |
DJANGO_BASE_URL: "https://not_a_host" | |
REGISTRY_CL_ID: nothing | |
REGISTRY_PASSWORD: nothing | |
REGISTRY_CERT: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNMekNDQWRXZ0F3SUJBZ0lVWThXWEljcFVlVUk0TVUrU3NWbkIrOGErOUlnd0NnWUlLb1pJemowRUF3SXcKYlRFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba1JETVJNd0VRWURWUVFIREFwWFlYTm9hVzVuZEc5dQpNUXd3Q2dZRFZRUUtEQU5IVTBFeEREQUtCZ05WQkFzTUF6RTRSakVnTUI0R0ExVUVBd3dYUjA5V0lGQnliM1J2CmRIbHdaU0JTWldkcGMzUnlZWEl3SGhjTk1qTXdOREl4TVRVMU5ETTFXaGNOTWpRd05ESXdNVFUxTkRNMVdqQnQKTVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRUNBd0NSRU14RXpBUkJnTlZCQWNNQ2xkaGMyaHBibWQwYjI0eApEREFLQmdOVkJBb01BMGRUUVRFTU1Bb0dBMVVFQ3d3RE1UaEdNU0F3SGdZRFZRUUREQmRIVDFZZ1VISnZkRzkwCmVYQmxJRkpsWjJsemRISmhjakJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRkN4bGVsN1ZoWHkKb1ZIRWY2N3FKamo5UDk0ZWdqdXNtSWVaNFRLYkxkM3RRRVgzZnFKdVk4WmZzWWN4N0s1K0NEdnJLMnZRdjlMYgpmamhMTjZad3FqK2pVekJSTUIwR0ExVWREZ1FXQkJRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQWZCZ05WCkhTTUVHREFXZ0JRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01Bb0cKQ0NxR1NNNDlCQU1DQTBnQU1FVUNJRVJEaml0VGR0UTB3eVNXb1hEbCtYbUpVUmdENUo0VHVudkFGeDlDSitCUwpBaUVBME42eTJoeGdFWkYxRXJGYW1VQW5EUHlQSFlJeFNJQkwwNW5ibE9IZFVLRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= | |
REGISTRY_KEY: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUhzTUZjR0NTcUdTSWIzRFFFRkRUQktNQ2tHQ1NxR1NJYjNEUUVGRERBY0JBakJYK1UvdUFkQ3hBSUNDQUF3CkRBWUlLb1pJaHZjTkFna0ZBREFkQmdsZ2hrZ0JaUU1FQVNvRUVHWTNnblRGZ3F0UE5sVU93a2hvSHFrRWdaQlAKMG5FMWpSRXliTHBDNHFtaGczRXdaR2lXZDFWV2RLVEtyNXF3d3hsdjhCbHB1UHhtRGN4dTA1U3VReWhMcU5hWgpVNjRoZlFyYy94cnRnT3Mwc0ZXenlhY0hEaFhiQUdTQjdTTjc2WG55NU9wWDVZVGtRTFMvRTk4YmxFY3NQUWVuCkNqNTJnQzVPZ0JtYzl1cjZlbWY2bjd6TE5vUWovSzk4MEdIWjg5OVZHQ1J3OHhGZGIyb3IyU3dMcDd0V1Ixcz0KLS0tLS1FTkQgRU5DUllQVEVEIFBSSVZBVEUgS0VZLS0tLS0K | |
REGISTRY_KEY_PASSPHRASE: fake | |
REGISTRY_HOSTNAME: localhost | |
steps: | |
- name: Check out | |
uses: actions/checkout@v3 | |
- name: Scan Django settings for security issues | |
id: check | |
uses: ./.github/actions/django-security-check | |
- name: Upload output | |
uses: actions/upload-artifact@v4 | |
with: | |
name: security-check-output | |
path: ./src/output.txt | |
backdoor-check: | |
name: Ensure custom mods are contained | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out | |
uses: actions/checkout@v3 | |
- name: MockUserLogin should not be in settings.MIDDLEWARE | |
run: "! grep -rwn * --exclude-dir=node_modules -e registrar.tests.common.MockUserLogin" | |
working-directory: ./src | |
owasp-scan: | |
name: OWASP security scan | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out | |
uses: actions/checkout@v3 | |
- name: Disable Login | |
# by adding MockUserLogin to settings.MIDDLEWARE | |
run: | | |
perl -pi \ | |
-e 's/"django.contrib.auth.middleware.AuthenticationMiddleware",/$&"registrar.tests.common.MockUserLogin",/' \ | |
registrar/config/settings.py | |
working-directory: ./src | |
- name: OWASP scan | |
run: docker compose run owasp | |
working-directory: ./src |