Update zaproxy.yml #12
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: OWASP ZAP | |
on: | |
push: | |
paths: | |
- '**' | |
- '!*.md' | |
jobs: | |
prune_images: | |
name: Prune Docker images | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Prune Docker images | |
run: docker image prune --force | |
build: | |
name: Build | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@master | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Container Build | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
tags: ec-cube | |
outputs: type=docker,dest=/tmp/ec-cube.tar | |
- name: Upload image | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ec-cube | |
path: /tmp/ec-cube.tar | |
scan: | |
name: Scan | |
needs: build | |
runs-on: ubuntu-22.04 | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
#- admin_authority | |
#- admin_class_category_csv | |
#- admin_class_name_csv | |
#- admin_content_block | |
#- admin_content_cache | |
#- admin_content_file | |
#- admin_content_layout | |
#- admin_customer_delivery | |
#- admin_customer_edit | |
#- admin_customer_list | |
#- admin_delivery | |
#- admin_js_css | |
#- admin_log | |
#- admin_login_history | |
#- admin_mail | |
#- admin_mail_edit | |
#- admin_masterdata | |
- admin_member_edit | |
#- admin_member_setting | |
#- admin_news | |
#- admin_order_edit | |
#- admin_order_edit_search | |
#- admin_order_list | |
#- admin_order_mail | |
#- admin_page | |
#- admin_payment | |
#- admin_product_category | |
#- admin_product_class_name | |
#- admin_product_csv | |
#- admin_product_copy | |
#- admin_product_edit | |
#- admin_product_edit_class | |
#- admin_product_tag | |
#- admin_product_view | |
#- admin_shipping_csv | |
#- admin_shop_setting | |
#- admin_system | |
#- admin_tax | |
#- admin_template | |
#- entry | |
#- front_block | |
#- front_contact | |
#- front_help | |
#- front_mypage | |
#- front_new_item | |
#- front_product | |
#- front_sitemap | |
#- guest_cart | |
#- guest_front | |
#- guest_shopping | |
#- guest_shopping_customer_edit | |
#- guest_shopping_shipping_edit | |
#- guest_shopping_shipping_multiple | |
#- mypage_change | |
#- mypage_delivery | |
#- mypage_favorite | |
#- mypage_order | |
#- plugin_coupon_admin_coupon | |
#- plugin_coupon_guest_shopping | |
#- plugin_mailmagazine_send | |
##- plugin_mailmagazine_template | |
#- plugin_product_review | |
#- plugin_recommend | |
#- plugin_related_product | |
#- plugin_sales_report | |
#include: | |
#- target: admin_authority | |
# thread_per_host: 1 | |
#- target: admin_customer_delivery | |
# before_script: admin_create_customer.zst | |
#- target: admin_content_cache | |
# thread_per_host: 1 | |
#- target: admin_js_css | |
# thread_per_host: 1 | |
#- target: admin_mail | |
# thread_per_host: 1 | |
#- target: admin_masterdata | |
# thread_per_host: 1 | |
#- target: admin_member_setting | |
# context: default | |
#- target: admin_order_edit_search | |
# before_script: admin_create_customers.zst | |
#- target: admin_shop_setting | |
# thread_per_host: 1 | |
#- target: admin_system | |
# thread_per_host: 1 | |
#- target: admin_template | |
# thread_per_host: 1 | |
#- target: entry | |
# thread_per_host: 1 | |
#- target: mypage_delivery | |
# before_script: admin_create_customer.zst | |
#- target: mypage_order | |
# before_script: admin_create_customer.zst | |
#- target: plugin_coupon_admin_coupon | |
# thread_per_host: 1 | |
#- target: plugin_coupon_guest_shopping | |
# before_script: plugin_coupon_admin_create_coupon.zst | |
#- target: plugin_mailmagazine_send | |
# before_script: plugin_mailmagazine_create_customers.zst | |
#- target: plugin_related_product | |
# thread_per_host: 1 | |
steps: | |
- name: Maximize build space | |
run: | | |
sudo rm -rf /usr/local/lib/android | |
sudo rm -rf /usr/share/dotnet | |
sudo rm -rf /opt/ghc | |
- name: Checkout | |
uses: actions/checkout@master | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Download image | |
uses: actions/download-artifact@v3 | |
with: | |
name: ec-cube | |
path: /tmp | |
- name: Load image | |
run: | | |
docker load --input /tmp/ec-cube.tar | |
docker tag ec-cube ghcr.io/ec-cube/ec-cube-php:8.1-apache | |
- name: Run containers | |
env: | |
APP_ENV: prod | |
APP_DEBUG: 0 | |
run: | | |
docker compose -f docker-compose.yml -f docker-compose.pgsql.yml -f docker-compose.owaspzap.ci.yml up -d --wait | |
docker compose cp zap/delete_data.sh postgres:/ | |
docker compose exec -d -e PGUSER=dbuser -e PGDATABASE=eccubedb postgres /delete_data.sh | |
docker compose cp zap/delete_files.sh ec-cube:/ | |
docker compose exec -d ec-cube /delete_files.sh | |
- name: Set up plugins | |
env: | |
APP_ENV: prod | |
APP_DEBUG: 0 | |
run: | | |
for code in Api42 Coupon42 MailMagazine42 ProductReview42 Recommend42 RelatedProduct42 SalesReport42 Securitychecker42 SiteKit42 | |
do | |
docker compose exec -u www-data:www-data ec-cube bin/console eccube:composer:require "ec-cube/${code,,}" | |
docker compose exec -u www-data:www-data ec-cube bin/console eccube:plugin:enable --code ${code} | |
done | |
- name: Disable rate limiter | |
run: | | |
docker compose exec -u www-data:www-data ec-cube sed -i -e "s/eccube_login_throttling_max_attempts: 5/eccube_login_throttling_max_attempts: 1024/" -e "s/eccube_login_throttling_interval: '30 minutes'/eccube_login_throttling_interval: '1 minutes'/" app/config/eccube/packages/eccube.yaml | |
docker compose exec -u www-data:www-data ec-cube rm -f app/config/eccube/packages/prod/eccube_rate_limiter.yaml | |
docker compose exec -u www-data:www-data ec-cube sed -i -e 's/30 min/1 min/g' app/config/eccube/packages/eccube_rate_limiter.yaml | |
docker compose exec -u www-data:www-data ec-cube bin/console cache:clear | |
docker compose exec -u www-data:www-data ec-cube bin/console debug:container --parameter eccube_login_throttling_max_attempts | |
docker compose exec -u www-data:www-data ec-cube bin/console debug:container --parameter eccube_login_throttling_interval | |
docker compose exec -u www-data:www-data ec-cube bin/console debug:config eccube | |
- name: Generate automation config | |
env: | |
ZAP_CONTEXT: "${{ matrix.context }}" | |
ZAP_THREAD_PER_HOST: "${{ matrix.thread_per_host }}" | |
ZAP_BEFORE_SCRIPT: "${{ matrix.before_script }}" | |
run: | | |
zap/generate_automation_config.sh \ | |
-t ${{ matrix.target }} \ | |
${ZAP_BEFORE_SCRIPT:+"-b ${ZAP_BEFORE_SCRIPT}"} \ | |
${ZAP_CONTEXT:+"-c ${ZAP_CONTEXT}"} \ | |
${ZAP_THREAD_PER_HOST:+"-n ${ZAP_THREAD_PER_HOST}"} | |
cat zap/automation/${{ matrix.target }}.yml | |
- name: Autorun | |
run: docker compose exec -it zap ./zap.sh -cmd -configfile /zap/wrk/options.properties -autorun wrk/automation/${{ matrix.target }}.yml | |
- name: Copy report | |
if: ${{ always() }} | |
run: | | |
docker compose cp zap:/tmp/report /tmp | |
docker compose cp zap:/tmp/alerts.json /tmp | |
- name: Upload report | |
if: ${{ always() }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: zap-${{ matrix.target }}-report | |
path: /tmp/report | |
- name: Upload alerts | |
if: ${{ always() }} | |
uses: actions/upload-artifact@v3 | |
with: | |
name: zap-${{ matrix.target }}-report | |
path: /tmp/alerts.json | |
merge: | |
name: Merge alerts | |
needs: scan | |
if: ${{ always() }} | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Download all artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
path: artifacts | |
- name: Merge alerts | |
run: | | |
find . | |
jq -s add **/alerts.json > all_alerts.json | |
working-directory: artifacts | |
- name: Upload alerts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: all_alerts | |
path: artifacts/all_alerts.json |