Add ZAP baseline scan to CI
Dynamically scan AtoM for OWASP top ten issues. Limit reporting to WARN
and above.
sbreker committed Dec 2, 2024
1 parent 8ff72e6 commit 3fbd3f1
Showing 2 changed files with 164 additions and 0 deletions.
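--- /dev/null
+++ b/.github/workflows/zap-baseline-local-atom.yml
@@ -0,0 +1,112 @@
+name: DAST Scan - Local AtoM
+
+on:
+pull_request:
+push:
+branches:
+- qa/**
+- stable/**
+- dev/owasp-zap-ci
+
+jobs:
+dynamic-analysis:
+runs-on: ubuntu-20.04
+strategy:
+fail-fast: false
+name: ZAP Baseline Test - local AtoM
+env:
+COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
+steps:
+- name: Check out code
+uses: actions/checkout@v3
+- name: Start containerized services
+run: |
+sudo sysctl -w vm.max_map_count=262144
+docker compose up -d percona elasticsearch gearmand
+- name: Setup PHP
+uses: shivammathur/setup-php@v2
+with:
+php-version: 7.4
+coverage: none
+extensions: apcu, opcache
+- name: Setup PHP-FPM
+run: |
+sudo apt install php7.4-fpm
+sudo service php7.4-fpm start
+- name: Cache Composer dependencies
+uses: actions/cache@v3
+with:
+path: ~/.composer/cache/files
+key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }}
+- name: Install Composer dependencies
+run: composer install
+- name: Cache NPM dependencies
+uses: actions/cache@v3
+with:
+path: |
+~/.npm
+~/.cache/Cypress
+key: npm-${{ hashFiles('package-lock.json') }}
+- name: Install NPM dependencies
+run: sudo npm install -g npm && npm ci
+- name: Modify Gearman config
+run: |
+echo -e "all:\n servers:\n default: 127.0.0.1:63005" \
+> apps/qubit/config/gearman.yml
+- name: Build themes
+run: |
+sudo npm install -g "less@<4.0.0"
+make -C plugins/arDominionPlugin
+make -C plugins/arArchivesCanadaPlugin
+npm run build
+- name: Run the installer
+run: |
+php symfony tools:install \
+--database-host=127.0.0.1 \
+--database-port=63003 \
+--database-name=atom \
+--database-user=atom \
+--database-password=atom_12345 \
+--search-host=127.0.0.1 \
+--search-port=63002 \
+--search-index=atom \
+--demo \
+--no-confirmation
+- name: Change filesystem permissions
+run: sudo chown -R www-data:www-data ${{ github.workspace }}
+- name: Start application services
+run: |
+sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf
+sudo rm /etc/php/7.4/fpm/pool.d/www.conf
+sudo systemctl restart php7.4-fpm
+sudo php-fpm7.4 --test
+sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service
+sudo systemctl daemon-reload
+sudo systemctl start atom-worker
+- name: Install and configure Nginx
+run: |
+sudo apt install nginx
+sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom
+sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled
+sudo rm -f /etc/nginx/sites-enabled/default
+sudo nginx -t
+sudo systemctl restart nginx
+# Create a temporary directory for ZAP report to avoid permission issues
+- name: Create Temporary Directory for ZAP Report
+run: |
+mkdir -p /tmp/zap
+sudo chmod 775 /tmp/zap
+# Run OWASP ZAP Baseline Scan using the Docker container
+- name: Run OWASP ZAP Baseline Scan (Docker)
+run: |
+HOST_IP=$(hostname -I | awk '{print $1}')
+docker run -v /tmp/zap:/zap/wrk:rw --rm ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://$HOST_IP -r /zap/wrk/zap_report.html -a -l WARN
+# Upload the ZAP report as an artifact for analysis
+- name: Upload ZAP Report
+uses: actions/upload-artifact@v4
+with:
+name: zap_report
+path: /tmp/zap/zap_report.html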
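Review bot: The `Upload ZAP Report` step at the end of this file has no `if: always()`, so whenever `zap-baseline.py` exits non-zero — which, per the ZAP docs, it does by default when it records any WARN or FAIL unless `-I` is passed — the report that would explain the failure is never uploaded; add `if: always()` to that step, and if the intent (per the commit message) is to report rather than block, either add `-I` to the `zap-baseline.py` arguments or `continue-on-error: true` on the scan step. `HOST_IP=$(hostname -I | awk '{print $1}')` is then used unquoted as `-t http://$HOST_IP`, so an empty value silently turns the target into `http://`; a guard such as `test -n "$HOST_IP" || { echo "no host IP"; exit 1; }` before the `docker run` fails fast instead. The workflow also declares no `permissions:` block and references `actions/checkout@v3`, `actions/cache@v3`, `shivammathur/setup-php@v2` and `ghcr.io/zaproxy/zaproxy:stable` by mutable tags; a top-level `permissions: { contents: read }` and SHA-pinned action refs keep both the token scope and the supply-chain surface minimal for a job triggered on every `pull_request`. Finally, `runs-on: ubuntu-20.04` was already on GitHub's deprecation path when this was committed, so this job will stop scheduling once that image is retired unless it is moved to a supported runner.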
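--- /dev/null
+++ b/.github/workflows/zap-baseline.yml
@@ -0,0 +1,52 @@
+name: DAST Scan
+
+on:
+pull_request:
+push:
+branches:
+- qa/**
+- stable/**
+- dev/owasp-zap-ci
+
+jobs:
+dynamic-analysis:
+runs-on: ubuntu-22.04
+strategy:
+fail-fast: false
+name: ZAP Baseline Test - Docker AtoM
+env:
+COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
+steps:
+- name: Check out code
+uses: actions/checkout@v4
+
+- name: Create Docker Network
+run: |
+docker network create zap_network
+- name: Build and Run AtoM Docker Containers
+run: |
+docker compose up -d
+docker network connect zap_network $(docker compose ps -q atom)
+docker network connect zap_network $(docker compose ps -q nginx)
+- name: Run Setup Commands in AtoM Container
+run: |
+docker exec $(docker compose ps -q atom) /bin/sh -c "npm install -g 'less@<4.0.0' && make -C plugins/arDominionPlugin && make -C plugins/arArchivesCanadaPlugin && npm run build"
+- name: Run tools:purge in AtoM Container
+run: |
+docker exec $(docker compose ps -q atom) php -d memory_limit=-1 symfony tools:purge --demo
+- name: OWASP ZAP baseline scan
+uses: zaproxy/[email protected]
+with:
+target: 'http://localhost:63001'
+docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+allow_issue_writing: false
+cmd_options: '-a -r report_html.html -l WARN'
+
+- name: Clean Up Docker Containers
+run: |
+docker compose down
+docker network rm zap_network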
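Review bot: The `zap_network` created and attached in the first three steps is never used by the scan: the action launches its own ZAP container, which nothing here joins to that network, and `target: 'http://localhost:63001'` reaches nginx only through its published host port, so either drop the network steps or target the nginx container by name over `zap_network` from a container that is actually attached to it. Nothing waits for the stack to answer before ZAP starts — `docker compose up -d` returns immediately and `npm run build`/`tools:purge` succeeding inside the `atom` container does not prove nginx and php-fpm are serving — so a readiness loop such as `until curl -fsS http://localhost:63001/ >/dev/null; do sleep 5; done` ahead of the scan step avoids a baseline that only ever sees error pages. As in the sibling workflow there is no top-level `permissions:` block; `permissions: { contents: read }` is sufficient here because `allow_issue_writing: false` is set, and `zaproxy/[email protected]` plus `ghcr.io/zaproxy/zaproxy:stable` are mutable references worth pinning to a digest or commit SHA. The `Clean Up Docker Containers` step should carry `if: always()` so a failed scan does not leave the compose stack and network behind on non-ephemeral runners.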
