-
Notifications
You must be signed in to change notification settings - Fork 126
135 lines (126 loc) · 4.46 KB
/
zap-baseline-local-atom.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: DAST Scan - Local AtoM
on:
pull_request:
push:
branches:
- qa/**
- stable/**
- dev/owasp-zap-ci
jobs:
dynamic-analysis:
runs-on: ubuntu-20.04
strategy:
fail-fast: false
name: ZAP Baseline Test - local AtoM
env:
COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
steps:
- name: Check out code
uses: actions/checkout@v3
- name: Start containerized services
run: |
sudo sysctl -w vm.max_map_count=262144
docker compose up -d percona elasticsearch gearmand
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: 7.4
coverage: none
extensions: apcu, opcache
- name: Setup PHP-FPM
run: |
sudo apt install php7.4-fpm
sudo service php7.4-fpm start
- name: Cache Composer dependencies
uses: actions/cache@v3
with:
path: ~/.composer/cache/files
key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }}
- name: Install Composer dependencies
run: composer install
- name: Cache NPM dependencies
uses: actions/cache@v3
with:
path: |
~/.npm
~/.cache/Cypress
key: npm-${{ hashFiles('package-lock.json') }}
- name: Install NPM dependencies
run: sudo npm install -g npm && npm ci
- name: Modify Gearman config
run: |
echo -e "all:\n servers:\n default: 127.0.0.1:63005" \
> apps/qubit/config/gearman.yml
- name: Build themes
run: |
sudo npm install -g "less@<4.0.0"
make -C plugins/arDominionPlugin
make -C plugins/arArchivesCanadaPlugin
npm run build
- name: Run the installer
run: |
php symfony tools:install \
--database-host=127.0.0.1 \
--database-port=63003 \
--database-name=atom \
--database-user=atom \
--database-password=atom_12345 \
--search-host=127.0.0.1 \
--search-port=63002 \
--search-index=atom \
--demo \
--no-confirmation
- name: Change filesystem permissions
run: sudo chown -R www-data:www-data ${{ github.workspace }}
- name: Start application services
run: |
sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf
sudo rm /etc/php/7.4/fpm/pool.d/www.conf
sudo systemctl restart php7.4-fpm
sudo php-fpm7.4 --test
sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service
sudo systemctl daemon-reload
sudo systemctl start atom-worker
- name: Install and configure Nginx
run: |
sudo apt install nginx
sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom
sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled
sudo rm -f /etc/nginx/sites-enabled/default
sudo nginx -t
sudo systemctl restart nginx
# Create a temporary directory for ZAP report to avoid permission issues
- name: Create Temporary Directory for ZAP Report
run: |
mkdir -p /tmp/zap
sudo chmod 777 /tmp/zap
# Run OWASP ZAP Baseline Scan using the Docker container
- name: Run OWASP ZAP Baseline Scan (Docker)
run: |
HOST_IP=$(hostname -I | awk '{print $1}')
docker run -v /tmp/zap:/zap/wrk:rw --user root --rm ghcr.io/zaproxy/zaproxy:stable \
zap-baseline.py -t http://$HOST_IP -r /zap/wrk/zap_report.html -a -l WARN
# Upload the ZAP report as an artifact for analysis
- name: Upload ZAP Report
uses: actions/upload-artifact@v4
with:
name: zap_report
path: /tmp/zap/zap_report.html
# # Allow write permissions to workspace so ZAP scan can map the files into its container.
# - name: Change filesystem permissions for ZAP
# run: sudo chmod -R a+w ${{ github.workspace }}
# # Get the AtoM host IP address.
# - name: Run OWASP ZAP Baseline Scan
# run: |
# HOST_IP=$(hostname -I | awk '{print $1}')
# echo "HOST_IP=$HOST_IP" >> $GITHUB_ENV
# echo "Using HOST_IP: $HOST_IP"
# # Run OWASP ZAP Baseline Scan using the GitHub action with HOST_IP.
# - name: OWASP ZAP baseline scan
# uses: zaproxy/[email protected]
# working-directory: /tmp/zap
# with:
# target: "http://${{ env.HOST_IP }}"
# docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
# allow_issue_writing: false
# cmd_options: '-a -r report_html.html -l WARN'