-
Notifications
You must be signed in to change notification settings - Fork 13
133 lines (113 loc) · 4.75 KB
/
owasp-zap.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
###############################################################
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################
name: "OWASP ZAP (DAST Scan)"
on:
push:
branches: [main]
paths:
- 'src/**'
pull_request:
paths:
- 'src/**'
schedule:
# Once a day
- cron: "0 0 * * *"
workflow_dispatch:
# Trigger manually
inputs:
node_image:
description: 'kindest/node image for k8s kind cluster'
# k8s version from 3.1 release as default
default: 'kindest/node:v1.27.3'
required: false
type: string
jobs:
owasp-zap-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Kubernetes KinD Cluster
uses: container-tools/kind-action@0ad70e2299366b0e1552c7240f4e4567148f723e # v2.0.4
with:
node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
version: v0.20.0
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.5.0
- name: Build migration image
id: build-migration-image
uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
with:
context: .
file: ./docker/Dockerfile-policy-hub-migrations
push: true
tags: kind-registry:5000/policy-hub-migrations:testing
- name: Build service image
id: build-service-image
uses: docker/build-push-action@94f8f8c2eec4bc3f1d78c1755580779804cb87b2 # v6.0.1
with:
context: .
file: ./docker/Dockerfile-policy-hub-service
push: true
tags: kind-registry:5000/policy-hub-service:testing
- name: Add bitnami repo
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
- name: Update Helm dependencies
run: |
cd charts/policy-hub
helm dependency build
- name: Install the chart on KinD cluster
run: helm install testing -n apps --create-namespace --wait --set service.image.name=kind-registry:5000/policy-hub-service --set service.image.tag=testing --set migrations.image.name=kind-registry:5000/policy-hub-migrations --set migrations.image.tag=testing --set service.swaggerEnabled=true charts/policy-hub
- name: Configure port forward to app in KinD
run: |
echo "Getting Agent IP..."
IP_ADDR=$(hostname -i)
echo "-> IP: $IP_ADDR"
echo "IP_ADDR=$IP_ADDR" >> $GITHUB_ENV
POD_NAME=$(kubectl get pods --namespace apps -l "app.kubernetes.io/name=policy-hub,app.kubernetes.io/instance=testing" -o jsonpath="{.items[0].metadata.name}")
CONTAINER_PORT=$(kubectl get pod --namespace apps $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Port-forwarding 0.0.0.0:8080 to $POD_NAME:$CONTAINER_PORT..."
kubectl --namespace apps port-forward $POD_NAME 8080:$CONTAINER_PORT --address 0.0.0.0 &
- name: Generating report skeletons
if: success() || failure()
run: |
touch report_md.md report_html.html
chmod a+w report_md.md report_html.html
ls -lrt
- name: Run ZAP scan
run: |
set +e
echo "Pulling ZAP image..."
docker pull ghcr.io/zaproxy/zaproxy:stable -q
echo "Starting ZAP Docker container..."
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://$IP_ADDR:8080/api/policy-hub/swagger/v2/swagger.json -f openapi -w report_md.md -r report_html.html -T 1
echo "... done."
- name: Upload HTML report
if: success() || failure()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ZAP scan report
path: ./report_html.html
retention-days: 1