From 1e5aeb8a145df3c75989fffc16338732a9980ce0 Mon Sep 17 00:00:00 2001
From: Steve Breker
Date: Thu, 28 Nov 2024 11:35:27 -0800
Subject: [PATCH] Add ZAP baseline scan to CI

Dynamically scan AtoM for OWASP top ten issues. Limit reporting to WARN and above.
---
 .github/workflows/zap-baseline.yml | 51 ++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/zap-baseline.yml

diff --git a/.github/workflows/zap-baseline.yml b/.github/workflows/zap-baseline.yml
new file mode 100644
index 0000000000..af992b86d0
--- /dev/null
+++ b/.github/workflows/zap-baseline.yml
@@ -0,0 +1,51 @@
+name: DAST Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+      - qa/**
+      - stable/**
+      - dev/owasp-zap-ci
+
+jobs:
+  dynamic-analysis:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+    name: ZAP Baseline Test
+    env:
+      COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Create Docker Network
+        run: |
+          docker network create zap_network
+
+      - name: Build and Run AtoM Docker Containers
+        run: |
+          docker compose up -d
+          docker network connect zap_network $(docker compose ps -q atom)
+
+      - name: Run Setup Commands in AtoM Container
+        run: |
+          docker exec $(docker compose ps -q atom) /bin/sh -c "npm install -g 'less@<4.0.0' && make -C plugins/arDominionPlugin && make -C plugins/arArchivesCanadaPlugin && npm run build"
+
+      - name: Run tools:purge in AtoM Container
+        run: |
+          docker exec $(docker compose ps -q atom) php -d memory_limit=-1 symfony tools:purge --demo
+
+      - name: OWASP ZAP baseline scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: 'http://localhost:63001'
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          allow_issue_writing: false
+          cmd_options: '-a -r zap_report.html -l WARN'
+
+      - name: Clean Up Docker Containers
+        run: |
+          docker compose down
+          docker network rm zap_network
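Review bot: The new workflow declares no `permissions:` block, so on `pull_request` and `push` the job's GITHUB_TOKEN receives the repository's default scope even though, with `allow_issue_writing: false`, the scan only needs to read the checkout; add `permissions:` / `  contents: read` at the workflow level to run it with least privilege. The "Clean Up Docker Containers" step runs only if every earlier step succeeds, so a failing build or scan leaves the compose stack and `zap_network` behind; give that step `if: always()`. Both actions are pinned by tag (`actions/checkout@v4`, `zaproxy/action-baseline@v0.14.0`) and the scanner image by the floating `:stable` tag, which means the scanner that produced a given report is not reproducible from the workflow alone; pinning the action to a commit SHA and the image to a digest or fixed version would make findings comparable across runs. `strategy.fail-fast: false` has no effect without a `matrix` and could be dropped.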