-
Notifications
You must be signed in to change notification settings - Fork 126
120 lines (112 loc) · 3.69 KB
/
zap-baseline.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
name: DAST Scan
on:
pull_request:
push:
branches:
- qa/**
- stable/**
- dev/owasp-zap-ci
jobs:
dynamic-analysis:
runs-on: ubuntu-20.04
strategy:
fail-fast: false
name: ZAP Baseline Test
env:
COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Create Docker Network
run: |
docker network create zap_network
- name: Start containerized services
run: |
sudo sysctl -w vm.max_map_count=262144
docker compose up -d percona elasticsearch gearmand
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: 7.4
coverage: none
extensions: apcu, opcache
- name: Setup PHP-FPM
run: |
sudo apt install php7.4-fpm
sudo service php7.4-fpm start
- name: Cache Composer dependencies
uses: actions/cache@v3
with:
path: ~/.composer/cache/files
key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }}
- name: Install Composer dependencies
run: composer install
- name: Cache NPM dependencies
uses: actions/cache@v3
with:
path: |
~/.npm
~/.cache/Cypress
key: npm-${{ hashFiles('package-lock.json') }}
- name: Install NPM dependencies
run: sudo npm install -g npm && npm ci
- name: Modify Gearman config
run: |
echo -e "all:\n servers:\n default: 127.0.0.1:63005" \
> apps/qubit/config/gearman.yml
- name: Build themes
run: |
sudo npm install -g "less@<4.0.0"
make -C plugins/arDominionPlugin
make -C plugins/arArchivesCanadaPlugin
npm run build
- name: Run the installer
run: |
php symfony tools:install \
--database-host=127.0.0.1 \
--database-port=63003 \
--database-name=atom \
--database-user=atom \
--database-password=atom_12345 \
--search-host=127.0.0.1 \
--search-port=63002 \
--search-index=atom \
--demo \
--no-confirmation
- name: Change filesystem permissions
run: sudo chown -R www-data:www-data ${{ github.workspace }}
- name: Start application services
run: |
sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf
sudo rm /etc/php/7.4/fpm/pool.d/www.conf
sudo systemctl restart php7.4-fpm
sudo php-fpm7.4 --test
sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service
sudo systemctl daemon-reload
sudo systemctl start atom-worker
- name: Install and configure Nginx
run: |
sudo apt install nginx
sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom
sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl restart nginx
# Create a temporary directory for ZAP report to avoid permission issues
- name: Create temp dir for ZAP report
run: |
mkdir -p /tmp/zap
# Run OWASP ZAP Baseline Scan
- name: Run OWASP ZAP Baseline Scan
run: |
docker run --network zap_network -v /tmp/zap:/zap/wrk:rw --rm ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://localhost:63001 -r /zap/wrk/zap_report.html -l WARN
# Upload the ZAP report as an artifact for analysis
- name: Upload ZAP report
uses: actions/upload-artifact@v4
with:
name: zap_report
path: /tmp/zap/zap_report.html
- name: Clean Up Docker Containers
run: |
docker compose down
docker network rm zap_network