Add ZAP baseline scan to CI #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DAST Scan - Local AtoM | |
on: | |
pull_request: | |
push: | |
branches: | |
- qa/** | |
- stable/** | |
- dev/owasp-zap-ci | |
jobs: | |
dynamic-analysis: | |
runs-on: ubuntu-20.04 | |
strategy: | |
fail-fast: false | |
name: ZAP Baseline Test - local AtoM | |
env: | |
COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v3 | |
- name: Start containerized services | |
run: | | |
sudo sysctl -w vm.max_map_count=262144 | |
docker compose up -d percona elasticsearch gearmand | |
- name: Setup PHP | |
uses: shivammathur/setup-php@v2 | |
with: | |
php-version: 7.4 | |
coverage: none | |
extensions: apcu, opcache | |
- name: Setup PHP-FPM | |
run: | | |
sudo apt install php7.4-fpm | |
sudo service php7.4-fpm start | |
- name: Cache Composer dependencies | |
uses: actions/cache@v3 | |
with: | |
path: ~/.composer/cache/files | |
key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }} | |
- name: Install Composer dependencies | |
run: composer install | |
- name: Cache NPM dependencies | |
uses: actions/cache@v3 | |
with: | |
path: | | |
~/.npm | |
~/.cache/Cypress | |
key: npm-${{ hashFiles('package-lock.json') }} | |
- name: Install NPM dependencies | |
run: sudo npm install -g npm && npm ci | |
- name: Modify Gearman config | |
run: | | |
echo -e "all:\n servers:\n default: 127.0.0.1:63005" \ | |
> apps/qubit/config/gearman.yml | |
- name: Build themes | |
run: | | |
sudo npm install -g "less@<4.0.0" | |
make -C plugins/arDominionPlugin | |
make -C plugins/arArchivesCanadaPlugin | |
npm run build | |
- name: Run the installer | |
run: | | |
php symfony tools:install \ | |
--database-host=127.0.0.1 \ | |
--database-port=63003 \ | |
--database-name=atom \ | |
--database-user=atom \ | |
--database-password=atom_12345 \ | |
--search-host=127.0.0.1 \ | |
--search-port=63002 \ | |
--search-index=atom \ | |
--demo \ | |
--no-confirmation | |
- name: Change filesystem permissions | |
run: sudo chown -R www-data:www-data ${{ github.workspace }} | |
- name: Start application services | |
run: | | |
sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf | |
sudo rm /etc/php/7.4/fpm/pool.d/www.conf | |
sudo systemctl restart php7.4-fpm | |
sudo php-fpm7.4 --test | |
sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service | |
sudo systemctl daemon-reload | |
sudo systemctl start atom-worker | |
- name: Install and configure Nginx | |
run: | | |
sudo apt install nginx | |
sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom | |
sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled | |
sudo rm -f /etc/nginx/sites-enabled/default | |
sudo nginx -t | |
sudo systemctl restart nginx | |
# Create a temporary directory for ZAP report to avoid permission issues | |
- name: Create Temporary Directory for ZAP Report | |
run: mkdir -p /tmp/zap | |
# Run OWASP ZAP Baseline Scan using the Docker container | |
- name: Run OWASP ZAP Baseline Scan (Docker) | |
run: | | |
HOST_IP=$(ip route get 1 | awk '/src/ {print $7}') | |
docker run -v /tmp/zap:/zap/wrk:rw --rm ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://$HOST_IP -r /zap/wrk/zap_report.html -a -l WARN | |
# Upload the ZAP report as an artifact for analysis | |
- name: Upload ZAP Report | |
uses: actions/upload-artifact@v4 | |
with: | |
name: zap_report | |
path: /tmp/zap/zap_report.html |