From e88faf73e0562419426685479b09ce18df855b06 Mon Sep 17 00:00:00 2001 From: mhg Date: Wed, 13 Sep 2023 14:06:47 +0200 Subject: [PATCH] feat: PoC - Pentest Pipeline with OWASP ZAP --- .github/workflows/c4po-ci.yml | 6 +-- .github/workflows/c4po-pentest.yml | 86 ++++++++++++++++++++++++++++++ .github/workflows/c4po-release.yml | 3 +- 3 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/c4po-pentest.yml diff --git a/.github/workflows/c4po-ci.yml b/.github/workflows/c4po-ci.yml index aeb50ed..1f741eb 100644 --- a/.github/workflows/c4po-ci.yml +++ b/.github/workflows/c4po-ci.yml @@ -10,9 +10,9 @@ name: "CI: Clean Build C4PO" on: - pull_request: - branches: [ "main" ] - + # ToDo: Change "push" back to "pull_request" before integration + push: + branches: [ "test" ] env: ANGULAR_PATH: security-c4po-angular diff --git a/.github/workflows/c4po-pentest.yml b/.github/workflows/c4po-pentest.yml new file mode 100644 index 0000000..298afb9 --- /dev/null +++ b/.github/workflows/c4po-pentest.yml 
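Review bot: The new `push:` / `branches: [ "test" ]` trigger in c4po-ci.yml replaces the `pull_request` trigger rather than adding to it, so pull requests into main get no clean build while this PoC is open, and the `# ToDo: Change "push" back to "pull_request"` comment is the only thing standing between that state and a merge. Keep the existing `pull_request:` block and add the temporary `push:` entry beneath it so the later revert is a pure deletion, or gate the test run behind `workflow_dispatch:` instead of a branch filter. If the intent is to exercise the pipeline on the `test` branch only, a `if: github.ref == 'refs/heads/test'` condition on the job keeps the PR gate intact.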
@@ -0,0 +1,86 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub recommends pinning actions to a commit SHA. +# To get a newer version, you will need to update the SHA. +# You can also reference a tag or branch, but the action may change without warning. + +name: "Security C4PO Pentest Pipeline PoC" + +on: + pull_request: + branches: [ "main" ] + +#on: +# schedule: + # Runs every sunday at 00:00. + # - cron: '0 0 * * 0' + +env: + ANGULAR_PATH: security-c4po-angular + API_PATH: security-c4po-api + REPORTING_PATH: security-c4po-reporting + CFG_PATH: security-c4po-cfg + +jobs: + + zap_baseline_scan: + name: "ZAP Baseline Job" + + runs-on: ubuntu-latest + + steps: + + - name: "ZAP Baseline Scan" + # Focuses on identifying common and high impact vulnerabilites. + # Designed to catch low hanging fruit & well-known security issues (XXS, SQL-Injection, ...) + uses: zaproxy/action-baseline@v0.9.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + target: 'https://security.c4po.dev' + rules_file_name: '.zap/rules.tsv' + artifact_name: zap_baseline_scan + cmd_options: '-a' + + zap_api_scan: + name: "ZAP API Job" + + runs-on: ubuntu-latest + + steps: + + - name: "ZAP API Scan" + # Focuses on scanning RESTful APIs + # Optional: The format of the defintion, openapi, soap, or graphql. (Default is openapi) + # Looks for a wide range of vulnerabilities (SQL-Injections, authentication issues, insecure direct object references, ...) 
+ uses: zaproxy/action-api-scan@v0.5.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + format: openapi + target: 'https://security.c4po.dev' + rules_file_name: '.zap/rules.tsv' + artifact_name: zap_api_scan + cmd_options: '-a' + + #zap_full_scan: + # name: "ZAP Full Scan" + + # runs-on: ubuntu-latest + + # steps: + + # - name: "ZAP Full Scan" + # Focuses on comprehensive and thorough security assessment of web-application. + # Scan includes passive & active scanning, spidering and more in-depth checks for vulnerabilities. + # uses: zaproxy/action-full-scan@v0.7.0 + # with: + # token: ${{ secrets.GITHUB_TOKEN }} + # docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + # target: 'https://security.c4po.dev' + # rules_file_name: '.zap/rules.tsv' + # artifact_name: zap_full_scan + # cmd_options: '-a' \ No newline at end of file diff --git a/.github/workflows/c4po-release.yml b/.github/workflows/c4po-release.yml index c681ce7..86a8b0d 100644 --- a/.github/workflows/c4po-release.yml +++ b/.github/workflows/c4po-release.yml @@ -11,7 +11,8 @@ name: "CD: Publish C4PO to Docker Hub" on: push: - branches: [ "main" ] + # ToDo: Change back to main before integration + branches: [ "test" ] env: ANGULAR_PATH: security-c4po-angular
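Review bot: The `on: pull_request` trigger at the top of c4po-pentest.yml starts ZAP against the live host `https://security.c4po.dev` on every pull request, and `zap_api_scan` (action-api-scan) runs active scan rules, so an unreviewed PR — from a fork too, if the repository is public — can launch an active scan of a production-facing target with no approval step; the commented-out `schedule` (or `workflow_dispatch`) is the safer trigger, ideally against a staging or ephemeral deployment rather than the public site. The workflow passes `secrets.GITHUB_TOKEN` for issue creation but declares no `permissions:` block, so it inherits the repository default instead of least privilege (and on fork PRs the read-only token cannot write issues anyway). Two smaller items: the header comment recommends pinning actions to a commit SHA, yet both steps use mutable tags (`@v0.9.0`, `@v0.5.0`, image `:stable`), and the API scan's `target` is documented by the action as the API definition (an OpenAPI URL or file), so pointing it at the site root with `format: openapi` is unlikely to yield a usable definition — confirm the intended spec location. `.zap/rules.tsv` is referenced by both jobs but is not part of this patch (the diffstat lists only the three workflow files), so confirm it exists on the branch before the `-c` config load runs.
```yaml
on:
  workflow_dispatch:
  schedule:
    # Runs every Sunday at 00:00 UTC; do not launch scans of the public host from PR triggers.
    - cron: '0 0 * * 0'

# Least privilege: the ZAP actions only need to open/update issues in this repo.
permissions:
  contents: read
  issues: write

# … unchanged: env and both jobs; pin each `uses:` to a full commit SHA with the version in a trailing comment …
```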
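Review bot: In c4po-release.yml the publish trigger is moved from `main` to `test`, so the `CD: Publish C4PO to Docker Hub` workflow now pushes images built from an unreviewed PoC branch through the same release path; unless the image tags are also changed (not visible in this hunk), consumers pulling those tags receive test-branch builds. A temporary test of the release workflow is better done through `workflow_dispatch:` with a distinct, clearly non-release tag than by re-pointing the branch filter, and the `# ToDo: Change back to main before integration` comment should not be the safeguard that keeps this out of main. The hunk is complete here, but the rest of the job (what is built and which tags are pushed) lies outside it.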