From 85b81dddecfefb11d3651c6ab49e94c02e0b1bf7 Mon Sep 17 00:00:00 2001 From: Steve Breker Date: Thu, 28 Nov 2024 11:35:27 -0800 Subject: [PATCH] Add ZAP baseline scan to CI Dynamically scan AtoM for OWASP top ten issues. Limit reporting to WARN and above. --- .github/workflows/zap-baseline-local-atom.yml | 115 ++++++++++++++++++ .github/workflows/zap-baseline.yml | 52 ++++++++ 2 files changed, 167 insertions(+) create mode 100644 .github/workflows/zap-baseline-local-atom.yml create mode 100644 .github/workflows/zap-baseline.yml diff --git a/.github/workflows/zap-baseline-local-atom.yml b/.github/workflows/zap-baseline-local-atom.yml new file mode 100644 index 0000000000..23ad935171 --- /dev/null +++ b/.github/workflows/zap-baseline-local-atom.yml @@ -0,0 +1,115 @@ +name: DAST Scan - Local AtoM + +on: + pull_request: + push: + branches: + - qa/** + - stable/** + - dev/owasp-zap-ci + +jobs: + dynamic-analysis: + runs-on: ubuntu-20.04 + strategy: + fail-fast: false + name: ZAP Baseline Test - local AtoM + env: + COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml + steps: + - name: Check out code + uses: actions/checkout@v3 + - name: Start containerized services + run: | + sudo sysctl -w vm.max_map_count=262144 + docker compose up -d percona elasticsearch gearmand + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: 7.4 + coverage: none + extensions: apcu, opcache + - name: Setup PHP-FPM + run: | + sudo apt install php7.4-fpm + sudo service php7.4-fpm start + - name: Cache Composer dependencies + uses: actions/cache@v3 + with: + path: ~/.composer/cache/files + key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }} + - name: Install Composer dependencies + run: composer install + - name: Cache NPM dependencies + uses: actions/cache@v3 + with: + path: | + ~/.npm + ~/.cache/Cypress + key: npm-${{ hashFiles('package-lock.json') }} + - name: Install NPM dependencies + run: sudo npm install -g npm && npm ci + - name: Modify Gearman config + run: | + echo -e "all:\n servers:\n default: 127.0.0.1:63005" \ + > apps/qubit/config/gearman.yml + - name: Build themes + run: | + sudo npm install -g "less@<4.0.0" + make -C plugins/arDominionPlugin + make -C plugins/arArchivesCanadaPlugin + npm run build + - name: Run the installer + run: | + php symfony tools:install \ + --database-host=127.0.0.1 \ + --database-port=63003 \ + --database-name=atom \ + --database-user=atom \ + --database-password=atom_12345 \ + --search-host=127.0.0.1 \ + --search-port=63002 \ + --search-index=atom \ + --demo \ + --no-confirmation + - name: Change filesystem permissions + run: sudo chown -R www-data:www-data ${{ github.workspace }} + - name: Start application services + run: | + sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf + sudo rm /etc/php/7.4/fpm/pool.d/www.conf + sudo systemctl restart php7.4-fpm + sudo php-fpm7.4 --test + sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service + sudo systemctl daemon-reload + sudo systemctl start atom-worker + - name: Install and configure Nginx + run: | + sudo apt install nginx + sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom + sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled + sudo rm -f /etc/nginx/sites-enabled/default + sudo nginx -t + sudo systemctl restart nginx + + # # Allow write permissions to workspace so ZAP scan can map the files into its container. + # - name: Change filesystem permissions for ZAP + # run: sudo chmod -R a+w ${{ github.workspace }} + + # Run OWASP ZAP Baseline Scan using the Docker container + - name: Run OWASP ZAP Baseline Scan (Docker) + run: | + HOST_IP=$(hostname -I | awk '{print $1}') + echo "HOST_IP=$HOST_IP" >> $GITHUB_ENV + echo "Using HOST_IP: $HOST_IP" + + # Run OWASP ZAP Baseline Scan using the GitHub action with HOST_IP + - name: OWASP ZAP baseline scan + uses: zaproxy/action-baseline@v0.14.0 + run: + working-directory: /tmp/zap + with: + target: "http://${{ env.HOST_IP }}" + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + allow_issue_writing: false + cmd_options: '-a -r report_html.html -l WARN' diff --git a/.github/workflows/zap-baseline.yml b/.github/workflows/zap-baseline.yml new file mode 100644 index 0000000000..133469fdf0 --- /dev/null +++ b/.github/workflows/zap-baseline.yml @@ -0,0 +1,52 @@ +name: DAST Scan + +on: + pull_request: + push: + branches: + - qa/** + - stable/** + - dev/owasp-zap-ci + +jobs: + dynamic-analysis: + runs-on: ubuntu-22.04 + strategy: + fail-fast: false + name: ZAP Baseline Test - Docker AtoM + env: + COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Create Docker Network + run: | + docker network create zap_network + + - name: Build and Run AtoM Docker Containers + run: | + docker compose up -d + docker network connect zap_network $(docker compose ps -q atom) + docker network connect zap_network $(docker compose ps -q nginx) + + - name: Run Setup Commands in AtoM Container + run: | + docker exec $(docker compose ps -q atom) /bin/sh -c "npm install -g 'less@<4.0.0' && make -C plugins/arDominionPlugin && make -C plugins/arArchivesCanadaPlugin && npm run build" + + - name: Run tools:purge in AtoM Container + run: | + docker exec $(docker compose ps -q atom) php -d memory_limit=-1 symfony tools:purge --demo + + - name: OWASP ZAP baseline scan + uses: zaproxy/action-baseline@v0.14.0 + with: + target: 'http://localhost:63001' + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + allow_issue_writing: false + cmd_options: '-a -r report_html.html -l WARN' + + - name: Clean Up Docker Containers + run: | + docker compose down + docker network rm zap_network