name: 'API: Pull Request' on: push: branches: - 'master' - 'v5.*' paths: - '.github/workflows/api-pull-request.yml' - 'api/**' - '!api/docs/**' - '!api/README.md' - '!api/CHANGELOG.md' pull_request: branches: - 'master' - 'v5.*' paths: - '.github/workflows/api-pull-request.yml' - 'api/**' - '!api/docs/**' - '!api/README.md' - '!api/CHANGELOG.md' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: POSTGRES_HOST: localhost POSTGRES_PORT: 5432 POSTGRES_ADMIN_USER: prowler POSTGRES_ADMIN_PASSWORD: S3cret POSTGRES_USER: prowler_user POSTGRES_PASSWORD: prowler POSTGRES_DB: postgres-db VALKEY_HOST: localhost VALKEY_PORT: 6379 VALKEY_DB: 0 API_WORKING_DIR: ./api IMAGE_NAME: prowler-api jobs: code-quality: if: github.repository == 'prowler-cloud/prowler' runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read strategy: matrix: python-version: - '3.12' defaults: run: working-directory: ./api steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup Python with Poetry uses: ./.github/actions/setup-python-poetry with: python-version: ${{ matrix.python-version }} working-directory: ./api - name: Poetry check run: poetry check --lock - name: Ruff lint run: poetry run ruff check . --exclude contrib - name: Ruff format run: poetry run ruff format --check . --exclude contrib - name: Pylint run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/ security-scans: if: github.repository == 'prowler-cloud/prowler' runs-on: ubuntu-latest timeout-minutes: 15 permissions: contents: read strategy: matrix: python-version: - '3.12' defaults: run: working-directory: ./api steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup Python with Poetry uses: ./.github/actions/setup-python-poetry with: python-version: ${{ matrix.python-version }} working-directory: ./api - name: Bandit run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r . - name: Safety # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745 - name: Vulture run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 . tests: if: github.repository == 'prowler-cloud/prowler' runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read strategy: matrix: python-version: - '3.12' defaults: run: working-directory: ./api services: postgres: image: postgres env: POSTGRES_HOST: ${{ env.POSTGRES_HOST }} POSTGRES_PORT: ${{ env.POSTGRES_PORT }} POSTGRES_USER: ${{ env.POSTGRES_USER }} POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }} POSTGRES_DB: ${{ env.POSTGRES_DB }} ports: - 5432:5432 options: >- --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5 valkey: image: valkey/valkey:7-alpine3.19 env: VALKEY_HOST: ${{ env.VALKEY_HOST }} VALKEY_PORT: ${{ env.VALKEY_PORT }} VALKEY_DB: ${{ env.VALKEY_DB }} ports: - 6379:6379 options: >- --health-cmd "valkey-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5 steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup Python with Poetry uses: ./.github/actions/setup-python-poetry with: python-version: ${{ matrix.python-version }} working-directory: ./api - name: Run tests with pytest run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend - name: Upload coverage reports to Codecov uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} with: flags: api dockerfile-lint: if: github.repository == 'prowler-cloud/prowler' runs-on: ubuntu-latest timeout-minutes: 15 permissions: contents: read steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Lint Dockerfile with Hadolint uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 with: dockerfile: api/Dockerfile ignore: DL3013 container-build-and-scan: if: github.repository == 'prowler-cloud/prowler' runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read security-events: write pull-requests: write steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build container uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: ${{ env.API_WORKING_DIR }} push: false load: true tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} cache-from: type=gha cache-to: type=gha,mode=max - name: Scan container with Trivy uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL'