Update full-security-scan.yml #28
name: Baseline Security Scans | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- suyash-kumar2-patch-1 | |
jobs: | |
owasp-zap-scan: | |
name: OWASP ZAP Scan | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: suyash-kumar2-patch-1 | |
- name: Installing node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 18 | |
- name: Install dependencies | |
run: npm i | |
- name: Create frontend hosting script | |
run: | | |
touch hosting.sh | |
echo "npm run dev" >> hosting.sh | |
chmod u+x hosting.sh | |
- name: Start hosting frontend | |
run: nohup ./hosting.sh & | |
- name: Run ZAP Baseline | |
run: docker run -v $(pwd):/zap/wrk/:rw -p 8080:3000 -t owasp/zap2docker-stable zap-baseline.py -t http://localhost:3000 -x report_xml | |
# - name: Pulling Docker Image | |
# run: docker pull owasp/zap2docker-stable | |
# - name: Create ZAP hosting script | |
# run: | | |
# touch zaphosting.sh | |
# echo "docker run -p 8080:3000 -i owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080" >> zaphosting.sh | |
# chmod u+x zaphosting.sh | |
# - name: start hosting zap | |
# run: nohup ./zaphosting.sh & | |
# -p 8090:8090 means that port 8090 on the host machine is mapped to port 8090 inside the container. | |
# This allows you to access the service running inside the container on port 8090 from your host machine. | |
# - name: OWASP ZAP | |
# uses: zaproxy/action-baseline@v0.7.0 | |
# with: | |
# target: "http://localhost:3000" | |
# fail_action: false | |
# cmd_options: "-x report_as_xml" | |
checkov-scan: | |
name: Checkov Scan | |
runs-on: ubuntu-latest | |
needs: owasp-zap-scan | |
steps: | |
- name: Install Python | |
uses: actions/setup-python@v2 | |
with: | |
python-version: '3.x' | |
- name: Install Checkov | |
run: pip install checkov | |
- name: Run Checkov Scan | |
run: checkov --directory ${{ github.workspace }}/ --soft-fail --output json --output-file-path checkov_report.json | |
- name: Upload Checkov Report | |
uses: actions/upload-artifact@v3 | |
with: | |
name: checkov-report | |
path: checkov_report.json | |
import-ZAP-scan-to-defectDojo: | |
name: Import ZAP Scan to DefectDojo | |
runs-on: ubuntu-latest | |
needs: owasp-zap-scan | |
steps: | |
- name: Download ZAP artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: zap_scan | |
path: /home/runner/work/winter-pressures-frontend/winter-pressures-frontend/zap_scan_files | |
- name: Import Scan to DefectDojo | |
run: | | |
curl -v -X POST "https://ec2-3-10-56-49.eu-west-2.compute.amazonaws.com/api/v2/import-scan/" \ | |
-H "Authorization: Token 8a5949ed4351bae231680ab5193e80de0aa3babb" -H "accept: application/json" -H "Content-Type: multipart/form-data" \ | |
-F 'file=@zap_scan_files/report_json.json' \ | |
-F 'scan_type=ZAP Scan' \ | |
-F 'product_name=Winter Pressures Frontend' \ | |
-F 'engagement_name=Winter Pressures Security PoC' \ | |
-k # ignore SSL errors (endpoint does not have valid SSL cert) | |
# Cannot use this as the PoC endpoint has no SSL cert | |
# - name: Import Scan to DefectDojo | |
# uses: ivanamat/defectdojo-import-scan@v1 | |
# with: | |
# defectdojo_url: 'https://ec2-3-10-56-49.eu-west-2.compute.amazonaws.com' | |
# token: '8a5949ed4351bae231680ab5193e80de0aa3babb' | |
# scan_type: 'ZAP Scan' | |
# file: 'zap_scan_files/report_json.json' # relative path |
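Review bot: The DefectDojo API token is committed in clear text in the `Authorization` header of the "Import Scan to DefectDojo" step (and a second copy survives in the commented-out block at the end of the file), so anyone with read access to the repository or its history holds a live credential; it should be read from a repository secret, `-H "Authorization: Token ${{ secrets.DEFECTDOJO_TOKEN }}"`, and the value that is already in the history revoked on the DefectDojo side, since removing it from the file does not remove it from git. `curl -v` also echoes the request headers, token included, into the job log, so `-v` should become `-sS --fail` before the credential is moved. `-k` then sends that token over an unverified TLS connection; if the PoC endpoint's certificate cannot be fixed, pinning it with `--cacert` is preferable to disabling verification outright. Separately, the import job downloads an artifact named `zap_scan` and posts `zap_scan_files/report_json.json`, but the ZAP job never runs `actions/upload-artifact` and its scan writes `report_xml`, so as written the download step has nothing to fetch and the curl step has no file to send; an upload step in `owasp-zap-scan` with a matching artifact name and file format is needed for this pipeline to work end to end.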