fixed tag for dockerfile #14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last applied at: Fri, 14 Feb 2025 00:40:40 GMT | |
| # DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. | |
| # https://devopsshield.com | |
| ############################################################## | |
| # This is a DevOps Shield - Application Security - Code Security Template. | |
| # This workflow template uses actions that are not certified by DevOps Shield. | |
| # They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. | |
| # Use this workflow template for integrating code security into your pipelines and workflows. | |
| # DevOps Shield Workflow Template Details: | |
| # ------------------------------------------------------------ | |
| # Code: GH_DAST_Zed_Attack_Proxy_ZAP | |
| # Name: Zed Attack Proxy (ZAP) Penetration Testing | |
| # DevSecOpsControls: DAST | |
| # Provider: Checkmarx | |
| # Categories: Code Scanning, Penetration Testing | |
| # Description: | |
| # Zed Attack Proxy (ZAP) by Checkmarx is a free, open-source penetration testing tool. | |
| # ZAP is designed specifically for testing web applications and is both flexible and extensible. | |
| # Automate with ZAP. ZAP provides range of options for security automation. | |
| # The world's most widely used web app scanner. Free and open source. A community based GitHub Top 1000 project that anyone can contribute to. | |
| # A GitHub Action for running the ZAP Full Scan to perform Dynamic Application Security Testing (DAST). | |
| # The ZAP full scan action runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results. | |
| # WARNING this action will perform attacks on the target website. You should only scan targets that you have permission to test. | |
| # Read the official documentation to find out more. | |
| # For more information: | |
| # https://www.zaproxy.org/ | |
| # https://www.zaproxy.org/docs/ | |
| # https://github.com/zaproxy/ | |
| # https://www.zaproxy.org/docs/automate/ | |
| # https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/ | |
| # ------------------------------------------------------------ | |
| # Source repository: https://github.com/zaproxy/action-full-scan | |
| ############################################################## | |
| name: Zed Attack Proxy (ZAP) Full Scan | |
| on: | |
| push: | |
| branches: [master] | |
| schedule: | |
| - cron: 0 0 * * 0 | |
| env: | |
| ZAP_TARGET: "http://127.0.0.1:8000/" # Change this to your target URL | |
| imageName: "localbuild/testimage" | |
| tag: "latest" | |
| jobs: | |
| zap_scan: | |
| name: ZAP Full Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| issues: write # to create issues for alerts | |
| steps: | |
| - uses: actions/checkout@v4 | |
| # build and start your application here | |
| - name: Start Application | |
| run: | | |
| echo "Building and starting the application..." | |
| docker build -f Dockerfile -t ${{ env.imageName }}:${{ env.tag }} . | |
| echo "Starting the application..." | |
| docker run -d --rm -p 8000:8000 ${{ env.imageName }}:${{ env.tag }} | |
| - name: Run ZAP Scan | |
| uses: zaproxy/action-full-scan@v0.12.0 | |
| id: zap | |
| with: | |
| target: "${{ env.ZAP_TARGET }}" |