
Security scanning with ZAP #14840

Open
Piedone opened this issue Dec 5, 2023 · 1 comment
Piedone (Member) commented Dec 5, 2023

Is your feature request related to a problem? Please describe.

Sometimes we are notified about security issues by a community member, and it also happens that people run security scans for an Orchard Core app. However, we don't have a planned and especially continuous way to ensure that we don't introduce security issues.

Describe the solution you'd like

While ultimately, only an in-depth and application-specific pentest can reveal all security issues, we could still utilize Zed Attack Proxy (ZAP) to run scans automatically. ZAP is the world's most widely used web app security scanner, and a fellow open-source project I can recommend.

Just now, we've released a feature for our UI Testing Toolbox to run ZAP scans from a UI test of an Orchard Core app, see the announcement here and docs here. A security scan can be executed with as little as this xUnit test:

[Fact]
public Task BasicSecurityScanShouldPass() => ExecuteTestAfterSetupAsync(context => context.RunAndAssertBaselineSecurityScanAsync());

We could use this feature to run a full security scan on Orchard Core before releases. For this, we could have a separate repository with an Orchard Core solution using the latest preview packages. We could even run this more frequently, even weekly, and then the package references can be kept up to date automatically. It could even create issues for any new findings.

Also, while we’re at it, it could run some smoke testing with Basic Orchard features tests and Monkey tests.

Related:

Describe alternatives you've considered

A bare-bones ZAP integration can be done with e.g. the ZAP Action Full Scan GitHub Actions action, which runs the Full Scan packaged scan of ZAP. However, this needs a running app, and fine-tuned configuration and assertions are not available.
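As an added illustration of the alternative described above (not part of the issue, and not Orchard Core's or Lombiq's own code), this is a GitHub Actions workflow that starts an Orchard Core app on the runner and then points the zaproxy/action-full-scan action at it, on the weekly schedule and with the automatic issue creation the issue suggests. The project path src/OrchardCore.Scan/OrchardCore.Scan.csproj, the port 5000, the rules file path .zap/rules.tsv, the .NET version and the action version tag are all assumptions; the workflow also assumes the ZAP container started by the action can reach the app on the runner's localhost.

```yaml
# Added example workflow, not from the issue and not Orchard Core's own CI.
# Assumed: a web project at src/OrchardCore.Scan/OrchardCore.Scan.csproj (placeholder
# name) that listens on http://localhost:5000, and a rules file at .zap/rules.tsv.
name: ZAP full scan

on:
  schedule:
    - cron: '0 3 * * 1'   # weekly, Monday 03:00 UTC
  workflow_dispatch:

permissions:
  contents: read
  issues: write           # required so the action can open/update an issue

jobs:
  zap-full-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'   # assumed target framework

      # The full scan needs a running app: build it, start it in the background
      # and wait until it answers before handing the URL to ZAP.
      - name: Build and start the app
        run: |
          dotnet build src/OrchardCore.Scan/OrchardCore.Scan.csproj -c Release
          nohup dotnet run --no-build -c Release \
            --project src/OrchardCore.Scan/OrchardCore.Scan.csproj \
            --urls http://localhost:5000 > app.log 2>&1 &
          for i in $(seq 1 60); do
            curl -fsS http://localhost:5000/ > /dev/null && break
            sleep 2
          done

      - name: ZAP full scan
        uses: zaproxy/action-full-scan@v0.10.0   # version tag is an assumption
        with:
          target: 'http://localhost:5000'
          rules_file_name: '.zap/rules.tsv'   # per-rule IGNORE/WARN/FAIL overrides
          cmd_options: '-a'                   # also run alpha passive-scan rules
          allow_issue_writing: true           # file the findings as a GitHub issue
          token: ${{ secrets.GITHUB_TOKEN }}
          fail_action: true                   # fail the job when ZAP reports alerts
```

The rules file is tab-separated, one rule per line in the form `ruleid<TAB>IGNORE|WARN|FAIL<TAB>comment`, so known false positives can be silenced without disabling the scan (for example a line starting with `10096` and `IGNORE` suppresses ZAP's Timestamp Disclosure rule). With `fail_action` set, the job turns red on new WARN/FAIL alerts, which is the closest a packaged scan gets to the per-test assertions the UI Testing Toolbox integration provides.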

Contributor

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.
