feat: move pen tests to cronjob (#24)

* Remove penetration tests from main merge * Cronjob for penentration tests
bcgov · Sep 22, 2023 · 0e66926 · 0e66926
1 parent 773c5bc
commit 0e66926
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 8 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, ready_for_review]
   schedule:
-    - cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, runs sundays
+    - cron: "0 11 * * 0" # 3 AM PST = 12 PM UDT, Sundays
   workflow_dispatch:
 
 concurrency:

diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
@@ -24,7 +24,7 @@ jobs:
           - name: backend
             file: backend/openshift.deploy.yml
             overwrite: true
-            verification_path: /api
+            verification_path: /health
           - name: frontend
             file: frontend/openshift.deploy.yml
             overwrite: true
@@ -39,10 +39,6 @@ jobs:
           parameters:
             -p ZONE=test -p PROMOTE=${{ github.repository }}/${{ matrix.name }}:test
             -p NAME=${{ github.event.repository.name }} ${{ matrix.parameters }}
-          penetration_test: true
-          penetration_test_artifact: ${{ matrix.name }}
-          penetration_test_issue: ${{ matrix.name }}
-          penetration_test_token: ${{ secrets.GITHUB_TOKEN }}
           verification_path: ${{ matrix.verification_path }}
 
   deploys-prod:
@@ -57,7 +53,7 @@ jobs:
           - name: backend
             file: backend/openshift.deploy.yml
             overwrite: true
-            verification_path: /api
+            verification_path: /health
           - name: frontend
             file: frontend/openshift.deploy.yml
             overwrite: true
@@ -72,7 +68,6 @@ jobs:
           parameters:
             -p ZONE=prod -p PROMOTE=${{ github.repository }}/${{ matrix.name }}:test
             -p NAME=${{ github.event.repository.name }} ${{ matrix.parameters }}
-          penetration_test: false
           verification_path: ${{ matrix.verification_path }}
 
   image-promotions:

diff --git a/.github/workflows/pentests.yml b/.github/workflows/pentests.yml
@@ -0,0 +1,29 @@
+name: Penetration Tests
+
+on:
+  schedule: [cron: "0 11 * * 6"] # 3 AM PST = 12 PM UDT, Saturdays
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Penetration Tests
+    env:
+      DOMAIN: apps.silver.devops.gov.bc.ca
+      PREFIX: ${{ github.event.repository.name }}-test
+    strategy:
+      matrix:
+        name: [backend, frontend]
+    steps:
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          allow_issue_writing: true
+          artifact_name: "zap_${{ matrix.name }}"
+          cmd_options: "-a"
+          issue_title: "ZAP: ${{ matrix.name }}"
+          target: https://${{ env.PREFIX }}-${{ matrix.name }}.${{ env.DOMAIN }}