
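# Scheduled DAST run against the dev web app: temporarily flips the app's
# ServiceAccess__IsPublic setting to true, runs the ZAP full scan against the
# public hostname, then restores the setting.
name: ZAP Check - Dev

on:
  schedule:
    # Runs daily at 4am (the scheduler's clock, i.e. UTC)
    - cron: "0 4 * * *"

jobs:
  security-checks-dev:
    name: Run security checks against dev
    runs-on: ubuntu-22.04
    environment: development
    # Least privilege for the job token: id-token for OIDC login, contents
    # read for checkout. Nothing here writes to the repo, and issue creation
    # is disabled below (allow_issue_writing: false), so issues: write and
    # contents: write are not required; re-add issues: write if issue
    # writing is turned on.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      # Login to Azure using OIDC (federated credential; no stored client secret)
      - name: Login to Azure CLI
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Open the app for the scan. The repository variables are passed via env
      # and quoted in the shell so they are never interpreted as shell syntax.
      - name: Change the IsPublic flag
        env:
          RESOURCE_GROUP: ${{ vars.RESOURCE_NAME_PREFIX }}-rg
          WEBAPP_NAME: ${{ vars.WEBAPP_NAME }}
        run: |
          az webapp config appsettings set \
            --resource-group "$RESOURCE_GROUP" \
            --name "$WEBAPP_NAME" \
            --settings ServiceAccess__IsPublic=true

      # Run full ZAP scan
      - name: ZAP Scan
        # NOTE(review): the action reference below was mangled by the page
        # rendering; restore it from the repository and pin it to a full
        # commit SHA (zaproxy/action-full-scan@<commit-sha>) rather than a
        # mutable tag, as is done for nothing else in this job yet.
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          target: https://${{ vars.WEBAPP_NAME }}.azurewebsites.net
          allow_issue_writing: false
          artifact_name: full_scan_dev

      # Reset app setting following security scan. `if: always()` makes this
      # run even when the scan step fails or the job is cancelled; without it
      # a failed scan would leave the dev app publicly reachable until the
      # next run.
      - name: Reset the IsPublic flag
        if: always()
        env:
          RESOURCE_GROUP: ${{ vars.RESOURCE_NAME_PREFIX }}-rg
          WEBAPP_NAME: ${{ vars.WEBAPP_NAME }}
        run: |
          az webapp config appsettings set \
            --resource-group "$RESOURCE_GROUP" \
            --name "$WEBAPP_NAME" \
            --settings ServiceAccess__IsPublic=false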