-
Notifications
You must be signed in to change notification settings - Fork 165
104 lines (101 loc) · 3.15 KB
/
waf-check.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: Waf Check FP
on:
pull_request:
branches: [ master ]
paths:
- 'appsec-configs/**.yaml'
- 'appsec-configs/**.yml'
- 'appsec-rules/**.yaml'
- 'appsec-rules/**.yml'
- '.github/workflows/waf-check.yaml'
- '.appsec-tests/**'
- 'waf-check/**'
push:
branches: [ master ]
paths:
- 'appsec-configs/**.yaml'
- 'appsec-configs/**.yml'
- 'appsec-rules/**.yaml'
- 'appsec-rules/**.yml'
- '.github/workflows/waf-check.yaml'
- '.appsec-tests/**'
- 'waf-check/**'
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-22.04
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version: '1.22'
- name: Split dateset
run: |
cd waf-check && go build -o waf-check
./waf-check -download -batch -dir-count 6
- uses: actions/upload-artifact@v4
name: Upload dataset in artifact
with:
name: waf-check-dataset
path: ./waf-check/dataset/
retention-days: 1
run:
runs-on: ubuntu-22.04
needs: build
strategy:
matrix:
dataset_folder: ["dataset_0","dataset_1","dataset_2","dataset_3","dataset_4","dataset_5"]
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: waf-check-dataset
path: waf-check/dataset/
name: Download dataset from artifact
- uses: actions/setup-go@v4
with:
go-version: '1.22'
- name: Install requirements
run: |
sudo apt install libre2-dev
- name: Install CrowdSec
run: |
current_pwd=$(pwd)
git clone https://github.com/crowdsecurity/crowdsec.git
cd crowdsec
BUILD_STATIC=1 make release
cd crowdsec-v*
sudo ./wizard.sh --unattended
- name: Setup CrowdSec Appsec
run: |
sudo cp waf-check/config/acquis.yaml /etc/crowdsec/acquis.yaml
sudo cp appsec-rules/*/vpatch-*.yaml /etc/crowdsec/appsec-rules/
sudo cp appsec-rules/crowdsecurity/base-config.yaml /etc/crowdsec/appsec-rules/
sudo cp appsec-configs/crowdsecurity/virtual-patching.yaml /etc/crowdsec/appsec-configs/
sudo systemctl restart crowdsec
- name: Register Remediation Component API Key
run: |
sudo cscli bouncers add hubtestAppsec -k "this_is_a_bad_password"
- name: Start OpenResty Container
run: |
docker compose -f docker/appsec/docker-compose.yaml up -d --build
sleep 3
- name: Build and Run Waf Check
run: |
cd waf-check && go build -o waf-check && ./waf-check -dataset "dataset/${{ matrix.dataset_folder }}"
- uses: actions/upload-artifact@v4
if: failure()
name: Upload dataset in artifact
with:
name: waf-check-result
path: ./waf-check/output/
retention-days: 1
- uses: geekyeggo/delete-artifact@v4
if: always()
with:
token: ${{ secrets.GITHUB_TOKEN }}
name: waf-check-dataset