feat: PoC - Pentest Pipeline with OWASP ZAP

Author: marcel-haag

.github/workflows/c4po-ci.yml

@@ -10,10 +10,10 @@
 name: "Security C4PO CI"
 
 on:
-  pull_request:
+  # ToDo: Change "push" back to "pull_request" before integration
+  push:
     branches: [ "main" ]
 
-
 env:
   ANGULAR_PATH: security-c4po-angular
   API_PATH: security-c4po-api

.github/workflows/c4po-pentest.yml

@@ -0,0 +1,89 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# GitHub recommends pinning actions to a commit SHA.
+# To get a newer version, you will need to update the SHA.
+# You can also reference a tag or branch, but the action may change without warning.
+
+name: "Security C4PO Pentest Pipeline PoC"
+
+on:
+  pull_request:
+    branches: [ "main" ]
+
+#on:
+#  schedule:
+    # Runs every sunday at 00:00.
+    #- cron:  '0 0 * * 0'
+
+env:
+  ANGULAR_PATH: security-c4po-angular
+  API_PATH: security-c4po-api
+  REPORTING_PATH: security-c4po-reporting
+  CFG_PATH: security-c4po-cfg
+
+  ANGULAR_CLI_VERSION: 13
+
+
+jobs:
+
+  zap_baseline_scan:
+    name: "ZAP Baseline Job"
+
+    runs-on: ubuntu-latest
+    
+    steps:
+
+      - name: "ZAP Baseline Scan"
+        # Focuses on identifying common and high impact vulnerabilites.
+        # Designed to catch low hanging fruit & well-known security issues (XXS, SQL-Injection, ...) 
+        uses: zaproxy/action-baseline@v0.9.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          target: 'https://security.c4po.dev'
+          rules_file_name: '.zap/rules.tsv'
+          artifact_name: zap_baseline_scan
+          cmd_options: '-a'
+
+  zap_api_scan:
+    name: "ZAP API Job"
+          
+    runs-on: ubuntu-latest
+              
+    steps:
+
+      - name: "ZAP API Scan"
+        # Focuses on scanning RESTful APIs
+        # Optional: The format of the defintion, openapi, soap, or graphql. (Default is openapi)
+        # Looks for a wide range of vulnerabilities (SQL-Injections, authentication issues, insecure direct object references, ...)
+        uses: zaproxy/action-api-scan@v0.5.0
+        with:
+            token: ${{ secrets.GITHUB_TOKEN }}
+            docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+            format: openapi
+            target: 'https://security.c4po.dev'
+            rules_file_name: '.zap/rules.tsv'
+            artifact_name: zap_api_scan
+            cmd_options: '-a'
+
+  #zap_full_scan:
+  #  name: "ZAP Full Scan"
+
+  #  runs-on: ubuntu-latest
+
+  #  steps:
+
+  #    - name: "ZAP Full Scan"
+        # Focuses on comprehensive and thorough security assessment of web-application.
+        # Scan includes passive & active scanning, spidering and more in-depth checks for vulnerabilities.
+  #      uses: zaproxy/action-full-scan@v0.7.0
+  #      with:
+  #          token: ${{ secrets.GITHUB_TOKEN }}
+  #          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+  #          target: 'https://security.c4po.dev'
+  #          rules_file_name: '.zap/rules.tsv'
+  #          artifact_name: zap_full_scan
+  #          cmd_options: '-a'

.github/workflows/c4po-release.yml

@@ -11,7 +11,8 @@ name: "Publish C4PO Docker Hub"
 
 on:
   push:
-    branches: [ "main" ]
+    # ToDo: Change back to main before integration
+    branches: [ "test" ]
 
 env:
   ANGULAR_PATH: security-c4po-angular