-
Notifications
You must be signed in to change notification settings - Fork 283
139 lines (112 loc) · 7.81 KB
/
.dast-nuclei-cmd-api-server.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
name: DAST_Scan_Nuclei
on:
push:
branches: [main, dev]
pull_request:
branches: [main, dev]
jobs:
nuclei-scan:
runs-on: ubuntu-20.04
steps:
- name: Install Indy SDK
run: >
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CE7709D068DB5E88 \
&& sudo add-apt-repository "deb https://repo.sovrin.org/sdk/deb bionic stable" \
&& sudo apt-get update \
&& sudo apt-get install -y \
libindy \
libnullpay \
libvcx \
indy-cli \
&& sudo rm -f /etc/apt/sources.list.d/sovrin.list*
- name: Set up NodeJS v16.9.1
uses: actions/setup-node@v3.6.0
with:
node-version: v16.9.1
- name: Install jq
run: sudo apt update && sudo apt install -y jq
- name: Verify jq
run: jq --version
- uses: actions/checkout@v3.5.2
- uses: actions/setup-go@v4.0.0
with:
go-version: 1.17
- run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@v2.6.3
- run: nuclei --version
- run: yarn configure
- name: Create URLs file for Nuclei
run: |
echo https://localhost:4000/ > urls.txt
echo https://localhost:4000/api/v1/api-server/healthcheck >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/node/jws >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/consortium/jws >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/get-prometheus-exporter-metrics >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/run-transaction >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-transaction-receipt-by-txid >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/deploy-contract-go-source >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/deploy-contract >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/deploy-contract-solidity-bytecode >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-balance >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-block >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/run-transaction >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-transaction >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-past-logs >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/invoke-contract >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/sign-transaction >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-prometheus-exporter-metrics >> urls.txt
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-besu-record >> urls.txt
- name: Show file content
run: |
pwd
ls -la
cat urls.txt
# TODO: Clean up comments
# TODO: Remove --debug flag
- run: yarn generate-api-server-config
- run: echo "$(jq '.authorizationProtocol = "NONE"' .config.json)" > .config.json
- name: Install Fabric connector into the API server
run: echo "$(jq '.plugins += [{"packageName":"@hyperledger/cactus-plugin-ledger-connector-fabric", "type":"org.hyperledger.cactus.plugin_import_type.LOCAL", "action":"org.hyperledger.cactus.plugin_import_action.INSTALL", "options":{"instanceId":"some-unique-fabric-connector-instance-id", "peerBinary":"/fabric-samples/bin/peer", "connectionProfile":"{}", "dockerBinary":"usr/local/bin/docker","cliContainerEnv":{"CORE_PEER_LOCALMSPID":"Org1MSP","CORE_PEER_ADDRESS":"peer0.org1.example.com:7051","CORE_PEER_MSPCONFIGPATH":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp","CORE_PEER_TLS_ROOTCERT_FILE":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt","ORDERER_TLS_ROOTCERT_FILE":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"},"discoveryOptions":{"enabled":true,"asLocalhost":true}}}] ' .config.json)" > .config.json
- name: Install Besu connector into the API server
run: echo "$(jq '.plugins += [{"packageName":"@hyperledger/cactus-plugin-ledger-connector-besu","type":"org.hyperledger.cactus.plugin_import_type.LOCAL","action":"org.hyperledger.cactus.plugin_import_action.INSTALL","options":{"rpcApiHttpHost":"http://localhost:8545", "rpcApiWsHost":"ws://localhost:8546", "instanceId":"some-unique-besu-connector-instance-id"}}]' .config.json)" > .config.json
- name: Run Besu all-in-one image
run: |
docker run -d -p 0.0.0.0:8545:8545/tcp -p 0.0.0.0:8546:8546/tcp -p 0.0.0.0:8888:8888/tcp -p 0.0.0.0:9001:9001/tcp -p 0.0.0.0:9545:9545/tcp ghcr.io/hyperledger/cactus-besu-all-in-one:2022-04-14-dda3f00
until curl --fail -X POST --data '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' localhost:8545; do sleep 5; done
# - run: |
# touch ~/nuclei-github-config.yaml \
# && echo -e "severity: critical,high" >> ~/nuclei-github-config.yaml \
# && echo -e "github:" >> ~/nuclei-github-config.yaml \
# && echo -e " username: \"$GITHUB_ACTOR\"" >> ~/nuclei-github-config.yaml \
# && echo -e " owner: \"${GITHUB_REPOSITORY%%/*}\"" >> ~/nuclei-github-config.yaml \
# && echo -e " token: \"${{ inputs.github-token }}\"" >> ~/nuclei-github-config.yaml \
# && echo -e " project-name: \"${GITHUB_REPOSITORY#*/}\"" >> ~/nuclei-github-config.yaml \
# && echo -e " issue-label: \"Nuclei\"" >> ~/nuclei-github-config.yaml \
# && echo "githubconfig=-rc ~/nuclei-github-config.yaml" >> $GITHUB_ENV
# shell: bash
# - run: ls -alt
- name: Start API Server & Run DAST
uses: BerniWittmann/background-server-action@v1.1.0
env:
# Needed because the wait-on syntax otherwise keeps thinking that
# there is a problem due to our self signed certificates on the
# test instance of the API server
NODE_TLS_REJECT_UNAUTHORIZED: 0
with:
build: yarn --version
start: yarn start:api-server
command: "nuclei --config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log"
wait-on: "https://localhost:4000/api/v1/api-server/healthcheck"
# wait for 10 minutes for the server to respond
wait-on-timeout: 120
- run: pwd
- run: ls -alt
- name: GitHub Workflow artifacts
uses: actions/upload-artifact@v3.0.0
with:
name: nuclei.log
path: nuclei.log
# - name: GitHub Security Dashboard Alerts update
# uses: github/codeql-action/upload-sarif@v1
# with:
# sarif_file: ~/nuclei.sarif