OWASP ZAP (DAST Scan) #86
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################### | |
# Copyright (c) 2024 Contributors to the Eclipse Foundation | |
# | |
# See the NOTICE file(s) distributed with this work for additional | |
# information regarding copyright ownership. | |
# | |
# This program and the accompanying materials are made available under the | |
# terms of the Apache License, Version 2.0 which is available at | |
# https://www.apache.org/licenses/LICENSE-2.0. | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | |
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | |
# License for the specific language governing permissions and limitations | |
# under the License. | |
# | |
# SPDX-License-Identifier: Apache-2.0 | |
############################################################### | |
name: "OWASP ZAP (DAST Scan)" | |
on: | |
push: | |
branches: [main] | |
paths: | |
- 'src/**' | |
pull_request: | |
paths: | |
- 'src/**' | |
schedule: | |
# Once a day | |
- cron: "0 0 * * *" | |
workflow_dispatch: | |
# Trigger manually | |
inputs: | |
node_image: | |
description: 'kindest/node image for k8s kind cluster' | |
# k8s version from 3.1 release as default | |
default: 'kindest/node:v1.27.3' | |
required: false | |
type: string | |
jobs: | |
owasp-zap-scan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 | |
- name: Kubernetes KinD Cluster | |
uses: container-tools/kind-action@0ad70e2299366b0e1552c7240f4e4567148f723e # v2.0.4 | |
with: | |
node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }} | |
version: v0.20.0 | |
- name: Set up Helm | |
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 | |
with: | |
version: v3.5.0 | |
- name: Build migration image | |
id: build-migration-image | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
with: | |
context: . | |
file: ./docker/Dockerfile-credential-issuer-migrations | |
push: true | |
tags: kind-registry:5000/credential-issuer-migrations:testing | |
- name: Build service image | |
id: build-service-image | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
with: | |
context: . | |
file: ./docker/Dockerfile-credential-issuer-service | |
push: true | |
tags: kind-registry:5000/credential-issuer-service:testing | |
- name: Build Worker image | |
id: build-worker-image | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
with: | |
context: . | |
file: ./docker/Dockerfile-credential-issuer-processes-worker | |
push: true | |
tags: kind-registry:5000/credential-issuer-processes-worker:testing | |
- name: Build Expiry image | |
id: build-expiry-image | |
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
with: | |
context: . | |
file: ./docker/Dockerfile-credential-expiry-app | |
push: true | |
tags: kind-registry:5000/credential-expiry-app:testing | |
- name: Add bitnami repo | |
run: | | |
helm repo add bitnami https://charts.bitnami.com/bitnami | |
helm repo update | |
- name: Update Helm dependencies | |
run: | | |
cd charts/ssi-credential-issuer | |
helm dependency build | |
- name: Install the chart on KinD cluster | |
run: helm install testing -n apps --create-namespace --wait --set issuer.image.name=kind-registry:5000/credential-issuer-service --set issuer.image.tag=testing --set issuermigrations.image.name=kind-registry:5000/credential-issuer-migrations --set issuermigrations.image.tag=testing --set processesworker.image.name=kind-registry:5000/credential-issuer-processes-worker --set processesworker.image.tag=testing --set credentialExpiry.image.name=kind-registry:5000/credential-expiry-app --set credentialExpiry.image.tag=testing --set issuer.swaggerEnabled=true charts/ssi-credential-issuer | |
- name: Configure port forward to app in KinD | |
run: | | |
echo "Getting Agent IP..." | |
IP_ADDR=$(hostname -i) | |
echo "-> IP: $IP_ADDR" | |
echo "IP_ADDR=$IP_ADDR" >> $GITHUB_ENV | |
POD_NAME=$(kubectl get pods --namespace apps -l "app.kubernetes.io/name=ssi-credential-issuer,app.kubernetes.io/instance=testing" -o jsonpath="{.items[0].metadata.name}") | |
CONTAINER_PORT=$(kubectl get pod --namespace apps $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") | |
echo "Port-forwarding 0.0.0.0:8080 to $POD_NAME:$CONTAINER_PORT..." | |
kubectl --namespace apps port-forward $POD_NAME 8080:$CONTAINER_PORT --address 0.0.0.0 & | |
- name: Generating report skeletons | |
if: success() || failure() | |
run: | | |
touch report_md.md report_html.html | |
chmod a+w report_md.md report_html.html | |
ls -lrt | |
- name: Run ZAP scan | |
run: | | |
set +e | |
echo "Pulling ZAP image..." | |
docker pull ghcr.io/zaproxy/zaproxy:stable -q | |
echo "Starting ZAP Docker container..." | |
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://$IP_ADDR:8080/api/swagger/v1/swagger.json -f openapi -w report_md.md -r report_html.html -T 1 | |
echo "... done." | |
- name: Upload HTML report | |
if: success() || failure() | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: ZAP scan report | |
path: ./report_html.html | |
retention-days: 1 |