Skip to content

Security scanner tests #365

Security scanner tests

Security scanner tests #365

name: Security scanner tests
on:
workflow_dispatch:
workflow_run:
workflows: ["Deploy to environment"]
types:
- completed
env:
ZAP_ADDRESS: localhost
ZAP_PORT: 9876
jobs:
run-tests-with-zap:
name: Run Cypress tests with OWASP ZAP
environment: development
runs-on: ubuntu-latest
defaults:
run:
working-directory: Dfe.Academies.External.Web/CypressTests
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Create directory on runner
run: |
mkdir -m 777 ${{ github.workspace }}/zapoutput
- name: Get latest ZAP container version
run: |
ZAP_VERSION="$(wget -q -O - "https://hub.docker.com/v2/repositories/softwaresecurityproject/zap-stable/tags?page_size=2" | grep -o '"name": *"[^"]*' | grep -o '[^"]*$' | tail -n 1)"
echo "ZAP_VERSION=${ZAP_VERSION}">> $GITHUB_ENV
- name: Restore ZAP container from cache if exists
id: cache-docker-zap
uses: actions/cache@v4
with:
path: ~/ci/cache/docker/softwaresecurityproject
key: cache-docker-zap-${{ env.ZAP_VERSION }}
- name: Use cached image if hit
if: steps.cache-docker-zap.outputs.cache-hit == 'true'
run: docker image load --input ~/ci/cache/docker/softwaresecurityproject/zap-stable-${{ env.ZAP_VERSION }}.tar
- name: Pull image if no cache hit
if: steps.cache-docker-zap.outputs.cache-hit != 'true'
run: docker pull softwaresecurityproject/zap-stable:latest && mkdir -p ~/ci/cache/docker/softwaresecurityproject && docker image save softwaresecurityproject/zap-stable:latest --output ~/ci/cache/docker/softwaresecurityproject/zap-stable-${{ env.ZAP_VERSION }}.tar
- name: Start ZAP container
run: docker run --name zap_container --rm -d -v ${{ github.workspace }}/zapoutput/:/zap/wrk:rw -u zap -p ${{ env.ZAP_PORT }}:${{ env.ZAP_PORT }} -i softwaresecurityproject/zap-stable zap.sh -daemon -port ${{ env.ZAP_PORT }} -host 0.0.0.0 -config api.key=${{ secrets.ZAP_API_KEY }} -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config network.localServers.mainProxy.alpn.enabled=false -config network.localServers.mainProxy.address=0.0.0.0
- name: Set up NodeJS
uses: actions/setup-node@v4
with:
node-version: 18
- name: Install dependencies
run: npm ci
- name: Run Cypress tests through scanner
env:
HTTP_PROXY: "http://${{ env.ZAP_ADDRESS }}:${{ env.ZAP_PORT }}"
NO_PROXY: "google-analytics.com,googletagmanager.com,microsoftonline.com,gvt1.com"
LOGIN_USERNAME: ${{ secrets.LOGIN_USERNAME }}
LOGIN_PASSWORD: ${{ secrets.LOGIN_PASSWORD }}
URL: ${{ secrets.URL }}
SIGNIN_URL: ${{ secrets.SIGNIN_URL }}
ZAP: true
ZAP_API_KEY: ${{ secrets.ZAP_API_KEY }}
ZAP_ADDRESS: ${{ env.ZAP_ADDRESS }}
ZAP_PORT: ${{ env.ZAP_PORT }}
run: npm run cy:run -- --env URL='${{ secrets.URL }}',LOGIN_USERNAME=${{ secrets.LOGIN_USERNAME }},LOGIN_PASSWORD=${{ secrets.LOGIN_PASSWORD }},SIGNIN_URL=${{ secrets.SIGNIN_URL }}
- name: Get git sha
if: '!cancelled()'
run: |
CHECKED_OUT_SHA="$(git log -1 '--format=format:%H')"
echo "checked_out_sha=${CHECKED_OUT_SHA}" >> $GITHUB_ENV
- name: Azure login with SPN
if: '!cancelled()'
uses: azure/login@v2
with:
creds: ${{ secrets.OWASP_AZ_CREDENTIALS }}
- name: Push report to blob storage
if: '!cancelled()'
uses: azure/cli@v2
id: azure
with:
azcliversion: 2.49.0
inlineScript: |
az storage blob upload \
--container-name ${{ secrets.OWASP_STORAGE_CONTAINER_NAME }} \
--account-name ${{ secrets.OWASP_STORAGE_ACCOUNT_NAME }} \
--file "${{ github.workspace }}/zapoutput/ZAP-Report.html" \
--name "Dfe.Academies.External.Web/${{ env.checked_out_sha }}/ZAP-Report.html" \
--auth-mode login \
--overwrite
- name: Stop ZAP container
if: always()
run: docker stop zap_container