manage.get.gov/.github/workflows/security-check.yaml

name: Security checks

on:
  push:
    paths-ignore:
      - 'docs/**'
      - '**.md'
      - '.gitignore'
    branches:
      - main
  pull_request:
    paths-ignore:
      - 'docs/**'
      - '**.md'
      - '.gitignore'
    branches:
      - main

jobs:
  security-check:
    name: Django security check
    runs-on: ubuntu-latest
    env:
      # fail the Django security check even on warnings
      FAIL_LEVEL: WARNING
      ENV_TYPE: pipenv
      DEP_PATH: src/
      APP_PATH: src/
      EXTRA_ARGS: "--settings=registrar.config.settings"
      DJANGO_SECRET_KEY: not-a-secret-jw7kQcb35fcDRIKp7K4fqZBmVvb+Sy4nkAGf44DxHi6EJl
      DATABASE_URL: "postgres://not_a_user:not_a_password@not_a_host"
      DJANGO_BASE_URL: "https://not_a_host"
      REGISTRY_CL_ID: nothing
      REGISTRY_PASSWORD: nothing
      REGISTRY_CERT: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNMekNDQWRXZ0F3SUJBZ0lVWThXWEljcFVlVUk0TVUrU3NWbkIrOGErOUlnd0NnWUlLb1pJemowRUF3SXcKYlRFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba1JETVJNd0VRWURWUVFIREFwWFlYTm9hVzVuZEc5dQpNUXd3Q2dZRFZRUUtEQU5IVTBFeEREQUtCZ05WQkFzTUF6RTRSakVnTUI0R0ExVUVBd3dYUjA5V0lGQnliM1J2CmRIbHdaU0JTWldkcGMzUnlZWEl3SGhjTk1qTXdOREl4TVRVMU5ETTFXaGNOTWpRd05ESXdNVFUxTkRNMVdqQnQKTVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRUNBd0NSRU14RXpBUkJnTlZCQWNNQ2xkaGMyaHBibWQwYjI0eApEREFLQmdOVkJBb01BMGRUUVRFTU1Bb0dBMVVFQ3d3RE1UaEdNU0F3SGdZRFZRUUREQmRIVDFZZ1VISnZkRzkwCmVYQmxJRkpsWjJsemRISmhjakJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCRkN4bGVsN1ZoWHkKb1ZIRWY2N3FKamo5UDk0ZWdqdXNtSWVaNFRLYkxkM3RRRVgzZnFKdVk4WmZzWWN4N0s1K0NEdnJLMnZRdjlMYgpmamhMTjZad3FqK2pVekJSTUIwR0ExVWREZ1FXQkJRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQWZCZ05WCkhTTUVHREFXZ0JRUEZCRHdnSlhOUXE4a1V0K1hyYzFFWm9wbW9UQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01Bb0cKQ0NxR1NNNDlCQU1DQTBnQU1FVUNJRVJEaml0VGR0UTB3eVNXb1hEbCtYbUpVUmdENUo0VHVudkFGeDlDSitCUwpBaUVBME42eTJoeGdFWkYxRXJGYW1VQW5EUHlQSFlJeFNJQkwwNW5ibE9IZFVLRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
      REGISTRY_KEY: LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUhzTUZjR0NTcUdTSWIzRFFFRkRUQktNQ2tHQ1NxR1NJYjNEUUVGRERBY0JBakJYK1UvdUFkQ3hBSUNDQUF3CkRBWUlLb1pJaHZjTkFna0ZBREFkQmdsZ2hrZ0JaUU1FQVNvRUVHWTNnblRGZ3F0UE5sVU93a2hvSHFrRWdaQlAKMG5FMWpSRXliTHBDNHFtaGczRXdaR2lXZDFWV2RLVEtyNXF3d3hsdjhCbHB1UHhtRGN4dTA1U3VReWhMcU5hWgpVNjRoZlFyYy94cnRnT3Mwc0ZXenlhY0hEaFhiQUdTQjdTTjc2WG55NU9wWDVZVGtRTFMvRTk4YmxFY3NQUWVuCkNqNTJnQzVPZ0JtYzl1cjZlbWY2bjd6TE5vUWovSzk4MEdIWjg5OVZHQ1J3OHhGZGIyb3IyU3dMcDd0V1Ixcz0KLS0tLS1FTkQgRU5DUllQVEVEIFBSSVZBVEUgS0VZLS0tLS0K
      REGISTRY_KEY_PASSPHRASE: fake
      REGISTRY_HOSTNAME: localhost

    steps:
      - name: Check out
        uses: actions/checkout@v3
      - name: Scan Django settings for security issues
        id: check
        uses: ./.github/actions/django-security-check
      - name: Upload output
        uses: actions/upload-artifact@v2
        with:
          name: security-check-output
          path: ./src/output.txt

  backdoor-check:
    name: Ensure custom mods are contained
    runs-on: ubuntu-latest

    steps:
      - name: Check out
        uses: actions/checkout@v3
      - name: MockUserLogin should not be in settings.MIDDLEWARE
        run: "! grep -rwn * --exclude-dir=node_modules -e registrar.tests.common.MockUserLogin"
        working-directory: ./src

  owasp-scan:
    name: OWASP security scan
    runs-on: ubuntu-latest

    steps:
      - name: Check out
        uses: actions/checkout@v3

      - name: Disable Login
        # by adding MockUserLogin to settings.MIDDLEWARE
        run: |
          perl -pi \
          -e 's/"django.contrib.auth.middleware.AuthenticationMiddleware",/$&"registrar.tests.common.MockUserLogin",/' \
          registrar/config/settings.py
        working-directory: ./src

      - name: OWASP scan
        run: docker compose run owasp
        working-directory: ./src