From 942c7e85d754b94bdce9bcbcbf2715c362c23ceb Mon Sep 17 00:00:00 2001 From: Steve Breker Date: Thu, 28 Nov 2024 11:35:27 -0800 Subject: [PATCH] Add ZAP baseline scan to CI Dynamically scan AtoM for OWASP top ten issues. Limit reporting to WARN and above.
---
 .github/workflows/zap-baseline.yml | 120 +++++++++++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 .github/workflows/zap-baseline.yml
diff --git a/.github/workflows/zap-baseline.yml b/.github/workflows/zap-baseline.yml new file mode 100644
index 0000000000..ca0887e73b
--- /dev/null
+++ b/.github/workflows/zap-baseline.yml
@@ -0,0 +1,120 @@
+name: DAST Scan
+
+on:
+ pull_request:
+ push:
+ branches:
+ - qa/**
+ - stable/**
+ - dev/owasp-zap-ci
+
+jobs:
+ dynamic-analysis:
+ runs-on: ubuntu-20.04
+ strategy:
+ fail-fast: false
+ name: ZAP Baseline Test
+ env:
+ COMPOSE_FILE: ${{ github.workspace }}/docker/docker-compose.dev.yml
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3
+
+ - name: Create Docker Network
+ run: |
+ docker network create zap_network
+
+ - name: Start containerized services
+ run: |
+ sudo sysctl -w vm.max_map_count=262144
+ docker compose up -d percona elasticsearch gearmand
+ - name: Setup PHP
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: 7.4
+ coverage: none
+ extensions: apcu, opcache
+ - name: Setup PHP-FPM
+ run: |
+ sudo apt install php7.4-fpm
+ sudo service php7.4-fpm start
+ - name: Cache Composer dependencies
+ uses: actions/cache@v3
+ with:
+ path: ~/.composer/cache/files
+ key: 20.04-7.4-composer-${{ hashFiles('composer.lock') }}
+ - name: Install Composer dependencies
+ run: composer install
+ - name: Cache NPM dependencies
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/.npm
+ ~/.cache/Cypress
+ key: npm-${{ hashFiles('package-lock.json') }}
+ - name: Install NPM dependencies
+ run: sudo npm install -g npm && npm ci
+ - name: Modify Gearman config
+ run: |
+ echo -e "all:\n servers:\n default: 127.0.0.1:63005" \
+ > apps/qubit/config/gearman.yml
+ - name: Build themes
+ run: |
+ sudo npm install -g "less@<4.0.0"
+ make -C plugins/arDominionPlugin
+ make -C plugins/arArchivesCanadaPlugin
+ npm run build
+ - name: Run the installer
+ run: |
+ php symfony tools:install \
+ --database-host=127.0.0.1 \
+ --database-port=63003 \
+ --database-name=atom \
+ --database-user=atom \
+ --database-password=atom_12345 \
+ --search-host=127.0.0.1 \
+ --search-port=63002 \
+ --search-index=atom \
+ --demo \
+ --no-confirmation
+ - name: Change filesystem permissions
+ run: sudo chown -R www-data:www-data ${{ github.workspace }}
+ - name: Start application services
+ run: |
+ sudo cp test/etc/fpm_conf /etc/php/7.4/fpm/pool.d/atom.conf
+ sudo rm /etc/php/7.4/fpm/pool.d/www.conf
+ sudo systemctl restart php7.4-fpm
+ sudo php-fpm7.4 --test
+ sudo cp test/etc/worker_conf /usr/lib/systemd/system/atom-worker.service
+ sudo systemctl daemon-reload
+ sudo systemctl start atom-worker
+ - name: Install and configure Nginx
+ run: |
+ sudo apt install nginx
+ sudo cp test/etc/nginx_conf /etc/nginx/sites-available/atom
+ sudo ln -s /etc/nginx/sites-available/atom /etc/nginx/sites-enabled
+ sudo rm -f /etc/nginx/sites-enabled/default
+ sudo nginx -t
+ sudo systemctl restart nginx
+
+ # Create a temporary directory for ZAP report to avoid permission issues
+ - name: Create temp dir for ZAP report
+ run: |
+ mkdir -p /tmp/zap
+
+ # Run OWASP ZAP Baseline Scan
+ - name: Run OWASP ZAP Baseline Scan
+ run: |
+ docker run --network zap_network -v /tmp/zap:/zap/wrk:rw --rm ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://localhost:63001 -r /zap/wrk/zap_report.html -l WARN
+
+ # Upload the ZAP report as an artifact for analysis
+ - name: Upload ZAP report
+ uses: actions/upload-artifact@v4
+ with:
+ name: zap_report
+ path: /tmp/zap/zap_report.html
+
+ - name: Clean Up Docker Containers
+ run: |
+ docker compose down
+ docker network rm zap_network
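Review bot: The target `http://localhost:63001` in the `Run OWASP ZAP Baseline Scan` step is resolved inside the ZAP container, and on a user-defined bridge network (`--network zap_network`) `localhost` is the container's own loopback rather than the runner where Nginx and PHP-FPM were just installed, so the scan will most likely have nothing to connect to. Assuming the runner's Nginx is what serves the application on 63001 (the port comes from `test/etc/nginx_conf`, outside this patch), run the container with `docker run --network host -v /tmp/zap:/zap/wrk:rw --rm ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t http://localhost:63001 -r /zap/wrk/zap_report.html -l WARN` and drop the `zap_network` create/rm steps, since nothing else in the hunk attaches to that network. Separately, `-l WARN` only filters what is printed: `zap-baseline.py` still exits non-zero when any WARN alert is recorded, and the `Upload ZAP report` and `Clean Up Docker Containers` steps carry no `if: always()`, so the report is skipped exactly when there is a finding to read; add `if: always()` to both. The third-party actions (`shivammathur/setup-php@v2`, `actions/cache@v3`, `actions/checkout@v3`) are pinned by mutable tag; pinning them to a commit SHA closes a supply-chain path into a job that runs `sudo` freely.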