Feature: Added owaspscan-pipeline #215

wants to merge 2 commits into
base: develop
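--- a/.github/workflows/zap_scan.yaml
+++ b/.github/workflows/zap_scan.yaml
@@ -0,0 +1,111 @@
+name: owasp-security-scan
+
+on:
+pull_request:
+branches:
+- "**"
+- "!main"
+
+env:
+NODE_VERSION: "22.x"
+DB_USERNAME: postgres
+DB_PASSWORD: postgres
+DB_DATABASE: postgres
+DATABASE_URL: postgres://postgres:postgres@localhost:5432/postgres?schema=public
+
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+- name: Review Dependencies
+uses: actions/dependency-review-action@v4
+
+install:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+- name: Setup node
+uses: actions/setup-node@v4
+with:
+node-version: ${{ env.NODE_VERSION }}
+- name: Get npm cache directory
+id: npm-cache-dir
+run: echo "dir=$(npm config get cache)" >> ${GITHUB_OUTPUT}
+- name: Cache npm
+uses: actions/cache@v4
+with:
+path: ${{ steps.npm-cache-dir.outputs.dir }}
+key: "${{ runner.os }}-npm-${{ env.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}"
+restore-keys: |
+${{ runner.os }}-npm-
+- name: Cache node modules
+uses: actions/cache@v4
+with:
+path: ./node_modules
+key: "${{ runner.os }}-node_modules-${{ env.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}-${{ hashFiles('**/schema.prisma') }}"
+restore-keys: |
+${{ runner.os }}-node_modules-
+- name: Cache e2e node modules
+uses: actions/cache@v4
+with:
+path: ./e2e/node_modules
+key: "${{ runner.os }}-node_modules_e2e-${{ env.NODE_VERSION }}-${{ hashFiles('./e2e/package-lock.json') }}"
+restore-keys: |
+${{ runner.os }}-node_modules_e2e-
+- name: Install node dependencies
+run: npm install
+- name: Generate prisma types
+run: npm run prisma -- generate
+
+owaspscan:
+runs-on: ubuntu-latest
+needs:
+- install
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+- name: Setup node
+uses: actions/setup-node@v4
+with:
+node-version: ${{ env.NODE_VERSION }}
+- name: Restore cached node modules
+uses: actions/cache/restore@v4
+with:
+path: ./node_modules
+key: "${{ runner.os }}-node_modules-${{ hashFiles('package-lock.json') }}-${{ hashFiles('**/schema.prisma') }}"
+- name: Start services
+env:
+DB_USER: ${{ env.DB_USERNAME }}
+DB_PASSWORD: ${{ env.DB_PASSWORD }}
+run: |
+cd development
+chmod +x ./init/elasticsearch/init.sh
+chmod +r ./init/elasticsearch/mappings/swissgeol_asset_asset.json
+sed -i 's/- \.\/volumes\/elasticsearch\/data:\/usr\/share\/elasticsearch\/data//g' ./docker-compose.yaml
+docker compose up -d db oidc elasticsearch
+sleep 120
+- name: Migrate database
+run: npm run prisma -- migrate deploy
+- name: Start frontend
+run: |
+npm run build
+npm start &
+sleep 60
+- name: OWASP ZAP Full Scan
+uses: zaproxy/[email protected]
+with:
+target: "http://localhost:4200"
+fail_action: "false"
+cmd_options: -a -j -U "admin" -n /zap/context/default.context
+- name: Upload ZAP Scan Results
+uses: actions/upload-artifact@v4
+with:
+name: zap_scan
+path: ./zap/scan-results
+- name: Stop services
+run: |
+cd development
+docker compose down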
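Review bot: The `Restore cached node modules` step in the `owaspscan` job restores with a key that omits `${{ env.NODE_VERSION }}`, while the `install` job saved `node_modules` under `${{ runner.os }}-node_modules-${{ env.NODE_VERSION }}-...`, and the restore step has no `restore-keys`, so the cache presumably never hits and the later `npm run prisma`, `npm run build` and `npm start` steps run without their dependencies. Align it with the install job's key, `key: "${{ runner.os }}-node_modules-${{ env.NODE_VERSION }}-${{ hashFiles('package-lock.json') }}-${{ hashFiles('**/schema.prisma') }}"`, and add `fail-on-cache-miss: true` so a miss fails at the restore step instead of surfacing later. `fail_action: "false"` also means no ZAP finding can block the PR and results only reach the `zap_scan` artifact, which deserves a comment on that step such as `# Advisory only: findings are uploaded as the zap_scan artifact and do not gate the PR`. All actions are referenced by mutable tags rather than commit SHAs (the ZAP action's ref is not legible in this rendering), so pinning to a SHA would make the scan's own supply chain reproducible. The `Stop services` step runs only on success; `if: always()` would also tear down the compose stack after a failed scan.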
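--- a/zap/context/default.context
+++ b/zap/context/default.context
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<configuration>
+<context>
+<name>Standard-Kontext</name>
+<desc/>
+<inscope>true</inscope>
+<incregexes>http://localhost:4011.*</incregexes>
+<incregexes>http://localhost:4200.*</incregexes>
+<tech>
+<include>Db.PostgreSQL</include>
+<include>Language.ASP</include>
+<include>Language.JSP/Servlet</include>
+<include>Language.Java</include>
+<include>Language.Java.Spring</include>
+<include>Language.JavaScript</include>
+<include>Language.XML</include>
+<include>OS.Linux</include>
+<include>OS.Windows</include>
+<include>SCM.Git</include>
+<include>WS.Apache</include>
+<include>WS.Tomcat</include>
+<exclude>Db</exclude>
+<exclude>Db.CouchDB</exclude>
+<exclude>Db.Firebird</exclude>
+<exclude>Db.HypersonicSQL</exclude>
+<exclude>Db.IBM DB2</exclude>
+<exclude>Db.MariaDB</exclude>
+<exclude>Db.Microsoft Access</exclude>
+<exclude>Db.Microsoft SQL Server</exclude>
+<exclude>Db.MongoDB</exclude>
+<exclude>Db.MySQL</exclude>
+<exclude>Db.Oracle</exclude>
+<exclude>Db.SAP MaxDB</exclude>
+<exclude>Db.SQLite</exclude>
+<exclude>Db.Sybase</exclude>
+<exclude>Language</exclude>
+<exclude>Language.C</exclude>
+<exclude>Language.PHP</exclude>
+<exclude>Language.Python</exclude>
+<exclude>Language.Ruby</exclude>
+<exclude>OS</exclude>
+<exclude>OS.MacOS</exclude>
+<exclude>SCM</exclude>
+<exclude>SCM.SVN</exclude>
+<exclude>WS</exclude>
+<exclude>WS.IIS</exclude>
+</tech>
+<urlparser>
+<class>org.zaproxy.zap.model.StandardParameterParser</class>
+<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
+</urlparser>
+<postparser>
+<class>org.zaproxy.zap.model.StandardParameterParser</class>
+<config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
+</postparser>
+<authentication>
+<type>2</type>
+<strategy>EACH_RESP</strategy>
+<pollurl/>
+<polldata/>
+<pollheaders/>
+<pollfreq>60</pollfreq>
+<pollunits>REQUESTS</pollunits>
+<loggedin>\Qid_token\E</loggedin>
+<loggedout>\QLogout\E</loggedout>
+<form>
+<loginurl>http://localhost:4011/Account/Login</loginurl>
+<loginbody>Input.ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fresponse_type%3Dcode%26client_id%3Dassets%26state%3DSU5kZlpCanU1bFkydFFVSTVyMVdEVFBpdFh2WEs1SERaLnJ4YWJOcUNRTkRG%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Dopenid%2520profile%2520email%2520cognito%26code_challenge%3DzQOsMsXRWejLxaINRJtgwpnJfg6blQjzO2p0Av_ghDY%26code_challenge_method%3DS256%26nonce%3DSU5kZlpCanU1bFkydFFVSTVyMVdEVFBpdFh2WEs1SERaLnJ4YWJOcUNRTkRG&amp;Input.Username={%username%}&amp;Input.Password={%password%}&amp;Input.Button=login&amp;__RequestVerificationToken=CfDJ8J9zj19_xjZOumsf_DtW9A0qnKNQFTcBhLJ35LoRFoxjUmXvMVvsN82mEDDWhVM_qlMHI9HhagwnbEeLp-eac5vWEvRIRkxzZS7aFWThs1zxMCkxe5QByRRCI89MbiC-njZelIq17MrtiyhP2xqz3mI&amp;Input.RememberLogin=false</loginbody>
+<loginpageurl>http://localhost:4011/Account/Login</loginpageurl>
+</form>
+</authentication>
+<users>
+<user>267;true;YWRtaW4=;2;YWRtaW4=~YWRtaW4=~</user>
+</users>
+<forceduser>267</forceduser>
+<session>
+<type>0</type>
+</session>
+<authorization>
+<type>0</type>
+<basic>
+<header/>
+<body/>
+<logic>AND</logic>
+<code>-1</code>
+</basic>
+</authorization>
+</context>
+</configuration>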
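Review bot: The `<user>` entry commits a credential pair (`YWRtaW4=~YWRtaW4=~` is base64 `admin`/`admin`) for forced user 267, and `<loginbody>` bakes in one captured session's `state`, `nonce`, `code_challenge` and `__RequestVerificationToken`; anti-forgery and PKCE values are normally bound to a single session, so the replayed login is likely to be rejected and the scan may run unauthenticated while still reporting success. Verify in the ZAP output that the `<loggedin>` indicator `\Qid_token\E` is actually observed, and let ZAP's anti-CSRF token handling (whose default token list, as far as I know, includes `__RequestVerificationToken`) supply that value instead of a fixed one. If these are only the local `oidc` container's development credentials, state that at the top of the file, e.g. `<!-- Credentials and login body target the local OIDC mock started by development/docker-compose.yaml; not valid against any real environment -->`, so nobody reuses the file against a deployed instance. `<name>Standard-Kontext</name>` is the exporter's default German name; a descriptive name would help when several contexts are loaded.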