Add ZAP baseline scan to CI

Dynamically scan AtoM for OWASP top ten issues. Limit reporting to WARN
and above.

.github/workflows/zap-baseline-local-atom.yml

@@ -0,0 +1,115 @@
+name: DAST Scan - Local AtoM
+
+on:
+  pull_request:
+  push:
+    branches:
+    - qa/**
+    - stable/**
+    - dev/owasp-zap-ci
+
+jobs:
+  dynamic-analysis:
+    runs-on: ubuntu-20.04
+    strategy:
+      fail-fast: false
+    name: ZAP Baseline Test - local AtoM
+    env:
+      COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Start containerized services
+      run: |
+        sudo sysctl -w vm.max_map_count=262144
+        docker compose up -d percona elasticsearch gearmand
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: 7.4
+        coverage: none
+        extensions: apcu, opcache
+    - name: Setup PHP-FPM
+      run: |
+        sudo apt install php7.4-fpm
+        sudo service php7.4-fpm start
+    - name: Cache Composer dependencies
+      uses: actions/cache@v3
+      with:
+        path: ~/.composer/cache/files
+        key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }}
+    - name: Install Composer dependencies
+      run: composer install
+    - name: Cache NPM dependencies
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.npm
+          ~/.cache/Cypress
+        key: npm-${{ hashFiles('package-lock.json') }}
+    - name: Install NPM dependencies
+      run: sudo npm install -g npm && npm ci
+    - name: Modify Gearman config
+      run: |
+        echo -e "all:\n  servers:\n    default: 127.0.0.1:63005" \
+          > apps/qubit/config/gearman.yml
+    - name: Build themes
+      run: |
+        sudo npm install -g "less@<4.0.0"
+        make -C plugins/arDominionPlugin
+        make -C plugins/arArchivesCanadaPlugin
+        npm run build
+    - name: Run the installer
+      run: |
+        php symfony tools:install \
+          --database-host=127.0.0.1 \
+          --database-port=63003 \
+          --database-name=atom \
+          --database-user=atom \
+          --database-password=atom_12345 \
+          --search-host=127.0.0.1 \
+          --search-port=63002 \
+          --search-index=atom \
+          --demo \
+          --no-confirmation
+    - name: Change filesystem permissions
+      run: sudo chown -R www-data:www-data ${{ github.workspace }}
+    - name: Start application services
+      run: |
+        sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf
+        sudo rm /etc/php/7.4/fpm/pool.d/www.conf
+        sudo systemctl restart php7.4-fpm
+        sudo php-fpm7.4 --test
+        sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service
+        sudo systemctl daemon-reload
+        sudo systemctl start atom-worker
+    - name: Install and configure Nginx
+      run: |
+        sudo apt install nginx
+        sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom
+        sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled
+        sudo rm -f /etc/nginx/sites-enabled/default
+        sudo nginx -t
+        sudo systemctl restart nginx
+
+    # # Allow write permissions to workspace so ZAP scan can map the files into its container.
+    # - name: Change filesystem permissions for ZAP
+    #   run: sudo chmod -R a+w ${{ github.workspace }}
+
+    # Run OWASP ZAP Baseline Scan using the Docker container
+    - name: Run OWASP ZAP Baseline Scan (Docker)
+      run: |
+        HOST_IP=$(hostname -I | awk '{print $1}')
+        echo "HOST_IP=$HOST_IP" >> $GITHUB_ENV
+        echo "Using HOST_IP: $HOST_IP"
+
+    # Run OWASP ZAP Baseline Scan using the GitHub action with HOST_IP
+    - name: OWASP ZAP baseline scan
+      uses: zaproxy/[email protected]
+      run:
+        working-directory: /tmp/zap
+      with:
+        target: "http://${{ env.HOST_IP }}"
+        docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+        allow_issue_writing: false
+        cmd_options: '-a -r report_html.html -l WARN'

.github/workflows/zap-baseline.yml

@@ -0,0 +1,52 @@
+name: DAST Scan
+
+on:
+  pull_request:
+  push:
+    branches:
+    - qa/**
+    - stable/**
+    - dev/owasp-zap-ci
+
+jobs:
+  dynamic-analysis:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+    name: ZAP Baseline Test - Docker AtoM
+    env:
+      COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Create Docker Network
+      run: |
+        docker network create zap_network
+
+    - name: Build and Run AtoM Docker Containers
+      run: |
+        docker compose up -d
+        docker network connect zap_network $(docker compose ps -q atom)
+        docker network connect zap_network $(docker compose ps -q nginx)
+
+    - name: Run Setup Commands in AtoM Container
+      run: |
+        docker exec $(docker compose ps -q atom) /bin/sh -c "npm install -g 'less@<4.0.0' && make -C plugins/arDominionPlugin && make -C plugins/arArchivesCanadaPlugin && npm run build"
+
+    - name: Run tools:purge in AtoM Container
+      run: |
+        docker exec $(docker compose ps -q atom) php -d memory_limit=-1 symfony tools:purge --demo
+
+    - name: OWASP ZAP baseline scan
+      uses: zaproxy/[email protected]
+      with:
+        target: 'http://localhost:63001'
+        docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+        allow_issue_writing: false
+        cmd_options: '-a -r report_html.html -l WARN'
+
+    - name: Clean Up Docker Containers
+      run: |
+        docker compose down
+        docker network rm zap_network