Skip to content

OWASP ZAP (DAST Scan) #385

OWASP ZAP (DAST Scan)

OWASP ZAP (DAST Scan) #385

Workflow file for this run

###############################################################
# Copyright (c) 2024 BMW Group AG
# Copyright 2024 SAP SE or an SAP affiliate company and ssi-dim-middle-layer contributors.
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
###############################################################
name: "OWASP ZAP (DAST Scan)"
on:
push:
branches: [main]
paths:
- 'src/**'
pull_request:
paths:
- 'src/**'
schedule:
# Once a day
- cron: "0 0 * * *"
workflow_dispatch:
# Trigger manually
inputs:
node_image:
description: 'kindest/node image for k8s kind cluster'
# k8s version
default: 'kindest/node:v1.27.3'
required: false
type: string
jobs:
owasp-zap-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Kubernetes KinD Cluster
uses: container-tools/kind-action@0ad70e2299366b0e1552c7240f4e4567148f723e # v2.0.4
with:
node_image: ${{ github.event.inputs.node_image || 'kindest/node:v1.27.3' }}
version: v0.20.0
- name: Set up Helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
version: v3.5.0
- name: Build migration image
id: build-migration-image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: ./docker/Dockerfile-dim-migrations
push: true
tags: kind-registry:5000/dim-migrations:testing
- name: Build service image
id: build-service-image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: ./docker/Dockerfile-dim-service
push: true
tags: kind-registry:5000/dim-service:testing
- name: Build Worker image
id: build-worker-image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
file: ./docker/Dockerfile-dim-processes-worker
push: true
tags: kind-registry:5000/dim-processes-worker:testing
- name: Add bitnami repo
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
- name: Update Helm dependencies
run: |
cd charts/dim
helm dependency build
- name: Install the chart on KinD cluster
run: helm install testing -n apps --create-namespace --wait --set dim.image.name=kind-registry:5000/dim-service --set dim.image.tag=testing --set migrations.image.name=kind-registry:5000/dim-migrations --set migrations.image.tag=testing --set processesworker.image.name=kind-registry:5000/dim-processes-worker --set processesworker.image.tag=testing --set dim.swaggerEnabled=true charts/dim
- name: Configure port forward to app in KinD
run: |
echo "Getting Agent IP..."
IP_ADDR=$(hostname -i)
echo "-> IP: $IP_ADDR"
echo "IP_ADDR=$IP_ADDR" >> $GITHUB_ENV
POD_NAME=$(kubectl get pods --namespace apps -l "app.kubernetes.io/name=dim,app.kubernetes.io/instance=testing" -o jsonpath="{.items[0].metadata.name}")
CONTAINER_PORT=$(kubectl get pod --namespace apps $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Port-forwarding 0.0.0.0:8080 to $POD_NAME:$CONTAINER_PORT..."
kubectl --namespace apps port-forward $POD_NAME 8080:$CONTAINER_PORT --address 0.0.0.0 &
- name: Generating report skeletons
if: success() || failure()
run: |
touch report_md.md report_html.html
chmod a+w report_md.md report_html.html
ls -lrt
- name: Run ZAP scan
run: |
set +e
echo "Pulling ZAP image..."
docker pull ghcr.io/zaproxy/zaproxy:stable -q
echo "Starting ZAP Docker container..."
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t http://$IP_ADDR:8080/api/swagger/v1/swagger.json -f openapi -w report_md.md -r report_html.html -T 1
echo "... done."
- name: Upload HTML report
if: success() || failure()
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: ZAP scan report
path: ./report_html.html
retention-days: 1