

Add ZAP baseline scan to CI
Dynamically scan AtoM for OWASP top ten issues. Limit reporting to WARN
and above.
sbreker committed Dec 2, 2024
1 parent 8ff72e6 commit 33727b7
Showing 2 changed files with 166 additions and 0 deletions.
114 changes: 114 additions & 0 deletions .github/workflows/zap-baseline-local-atom.yml
@@ -0,0 +1,114 @@
name: DAST Scan - Local AtoM

on:
pull_request:
push:
branches:
- qa/**
- stable/**
- dev/owasp-zap-ci

jobs:
dynamic-analysis:
runs-on: ubuntu-20.04
strategy:
fail-fast: false
name: ZAP Baseline Test - local AtoM
env:
COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Start containerized services
run: |
sudo sysctl -w vm.max_map_count=262144
docker compose up -d percona elasticsearch gearmand
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: 7.4
coverage: none
extensions: apcu, opcache
- name: Setup PHP-FPM
run: |
sudo apt install php7.4-fpm
sudo service php7.4-fpm start
- name: Cache Composer dependencies
uses: actions/cache@v3
with:
path: ~/.composer/cache/files
key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }}
- name: Install Composer dependencies
run: composer install
- name: Cache NPM dependencies
uses: actions/cache@v3
with:
path: |
~/.npm
~/.cache/Cypress
key: npm-${{ hashFiles('package-lock.json') }}
- name: Install NPM dependencies
run: sudo npm install -g npm && npm ci
- name: Modify Gearman config
run: |
echo -e "all:\n servers:\n default: 127.0.0.1:63005" \
> apps/qubit/config/gearman.yml
- name: Build themes
run: |
sudo npm install -g "less@<4.0.0"
make -C plugins/arDominionPlugin
make -C plugins/arArchivesCanadaPlugin
npm run build
- name: Run the installer
run: |
php symfony tools:install \
--database-host=127.0.0.1 \
--database-port=63003 \
--database-name=atom \
--database-user=atom \
--database-password=atom_12345 \
--search-host=127.0.0.1 \
--search-port=63002 \
--search-index=atom \
--demo \
--no-confirmation
- name: Change filesystem permissions
run: sudo chown -R www-data:www-data ${{ github.workspace }}
- name: Start application services
run: |
sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf
sudo rm /etc/php/7.4/fpm/pool.d/www.conf
sudo systemctl restart php7.4-fpm
sudo php-fpm7.4 --test
sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service
sudo systemctl daemon-reload
sudo systemctl start atom-worker
- name: Install and configure Nginx
run: |
sudo apt install nginx
sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom
sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl restart nginx
# # Allow write permissions to workspace so ZAP scan can map the files into its container.
# - name: Change filesystem permissions for ZAP
# run: sudo chmod -R a+w ${{ github.workspace }}

# Run OWASP ZAP Baseline Scan using the Docker container
- name: Run OWASP ZAP Baseline Scan (Docker)
run: |
HOST_IP=$(hostname -I | awk '{print $1}')
echo "HOST_IP=$HOST_IP" >> $GITHUB_ENV
echo "Using HOST_IP: $HOST_IP"
# Run OWASP ZAP Baseline Scan using the GitHub action with HOST_IP
- name: OWASP ZAP baseline scan
uses: zaproxy/action-baseline@v0.14.0
working-directory: /tmp/zap
with:
target: "http://${{ env.HOST_IP }}"
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
allow_issue_writing: false
cmd_options: '-a -r report_html.html -l WARN'
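Review bot: `working-directory: /tmp/zap` on the `uses: zaproxy/action-baseline@v0.14.0` step is a key that only applies to `run:` steps, and as far as I know the workflow validator rejects it on a `uses:` step, so the whole job would fail to start; dropping that line is the fix. The preceding `run:` step named "Run OWASP ZAP Baseline Scan (Docker)" and its comment say they run the scan but only export `HOST_IP`, so renaming it to `Determine runner host IP` and rewording the comment to `# Export the runner's first interface address for the ZAP target URL` would match what it does. `zaproxy/action-baseline@v0.14.0` and `shivammathur/setup-php@v2` are pinned to mutable tags and `docker_name` uses the moving `ghcr.io/zaproxy/zaproxy:stable` tag, so both the action code and the scanner can change between runs without a commit here; pinning the actions to a full commit SHA and the image to a digest makes the scan reproducible and narrows the supply-chain exposure. Since `fail_action` is not set it defaults to false, so WARN findings only land in the report artifact and never gate the PR; a comment such as `# fail_action defaults to false: findings are reported in the artifact but do not fail the job` (the same applies to .github/workflows/zap-baseline.yml) would make that choice visible to the next reader.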
52 changes: 52 additions & 0 deletions .github/workflows/zap-baseline.yml
@@ -0,0 +1,52 @@
name: DAST Scan

on:
pull_request:
push:
branches:
- qa/**
- stable/**
- dev/owasp-zap-ci

jobs:
dynamic-analysis:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
name: ZAP Baseline Test - Docker AtoM
env:
COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Create Docker Network
run: |
docker network create zap_network
- name: Build and Run AtoM Docker Containers
run: |
docker compose up -d
docker network connect zap_network $(docker compose ps -q atom)
docker network connect zap_network $(docker compose ps -q nginx)
- name: Run Setup Commands in AtoM Container
run: |
docker exec $(docker compose ps -q atom) /bin/sh -c "npm install -g 'less@<4.0.0' && make -C plugins/arDominionPlugin && make -C plugins/arArchivesCanadaPlugin && npm run build"
- name: Run tools:purge in AtoM Container
run: |
docker exec $(docker compose ps -q atom) php -d memory_limit=-1 symfony tools:purge --demo
- name: OWASP ZAP baseline scan
uses: zaproxy/action-baseline@v0.14.0
with:
target: 'http://localhost:63001'
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
allow_issue_writing: false
cmd_options: '-a -r report_html.html -l WARN'

- name: Clean Up Docker Containers
run: |
docker compose down
docker network rm zap_network
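Review bot: `zap_network` is created and the `atom` and `nginx` containers are joined to it, but nothing in this file attaches the ZAP container to that network — the scan targets `http://localhost:63001`, which presumably reaches nginx through its published host port, so the `Create Docker Network` step and the two `docker network connect` lines look like setup nothing consumes; either drop them or wire the network into the ZAP run if the intent was to scan without a published port. The `Clean Up Docker Containers` step has no `if:` condition, so it is skipped whenever the scan or a setup step fails; `if: always()` on that step keeps the teardown running either way, which matters on a self-hosted runner where a leftover `zap_network` would make the next `docker network create zap_network` fail. This file uses `actions/checkout@v4` while .github/workflows/zap-baseline-local-atom.yml uses `@v3`; aligning both on one version (ideally a full commit SHA) keeps the two workflows consistent.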

