From 9b9081eaf4408cbeef42d0ff0a729eb7b5ae3997 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 18 Feb 2025 13:19:04 -0700 Subject: [PATCH 01/14] added a docker-compose file for ease --- docker-compose.yaml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docker-compose.yaml diff --git a/docker-compose.yaml b/docker-compose.yaml new file mode 100644 index 0000000000..0de6063340 --- /dev/null +++ b/docker-compose.yaml @@ -0,0 +1,42 @@ +version: '3.8' + +services: + bc-bciers-nx-app: + build: + context: . + dockerfile: ./bciers/Dockerfile + ports: + - "3000:3000" + environment: + - HOST_ADMINISTRATION=http://localhost:3000 + - HOST_COMPLIANCE=http://localhost:3001 + - HOST_REGISTRATION=http://localhost:3002 + - HOST_REPORTING=http://localhost:3003 + networks: + - bciers-network + + bc-obps-app: + build: + context: . + dockerfile: ./bc_obps/Dockerfile + ports: + - "8000:8000" + environment: + - DJANGO_SETTINGS_MODULE=bc_obps.settings.production + networks: + - bciers-network + + zap-scan: + image: owasp/zap2docker-stable + container_name: zap-scanner + ports: + - "8080:8080" # ZAP UI + volumes: + - ./zap-scan:/zap/wrk + command: ["zap.sh", "-daemon", "-host", "0.0.0.0", "-port", "8080", "-config", "api.disablekey=true"] + networks: + - bciers-network + +networks: + bciers-network: + driver: bridge From a98b6dafb6f7f01c2e0cd390b0efd422feb4751f Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 18 Feb 2025 16:28:34 -0700 Subject: [PATCH 02/14] updated docker compose --- docker-compose.yaml | 172 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 133 insertions(+), 39 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 0de6063340..b74e49c4dc 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
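Review bot: The `zap-scan` service starts the ZAP daemon with `-config api.disablekey=true` bound to `-host 0.0.0.0` and then publishes `8080:8080`, so the unauthenticated ZAP API is reachable from every interface of the host, not only from the other compose services; keep the API key (ZAP's `api.key` setting) and, if the UI must be published at all, bind it to loopback with `"127.0.0.1:8080:8080"`. `owasp/zap2docker-stable` is the legacy Docker Hub image; the workflow hunks later in this series already use `ghcr.io/zaproxy/zaproxy:stable`, which would be the consistent choice here too. `bc-obps-app` also sets `DJANGO_SETTINGS_MODULE=bc_obps.settings.production` in what the commit message calls a convenience file — if this is meant for local runs, confirm the production settings module is really the intended one.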
@@ -1,42 +1,136 @@ -version: '3.8' +version: "3.8" services: - bc-bciers-nx-app: - build: - context: . - dockerfile: ./bciers/Dockerfile - ports: - - "3000:3000" - environment: - - HOST_ADMINISTRATION=http://localhost:3000 - - HOST_COMPLIANCE=http://localhost:3001 - - HOST_REGISTRATION=http://localhost:3002 - - HOST_REPORTING=http://localhost:3003 - networks: - - bciers-network - - bc-obps-app: - build: - context: . - dockerfile: ./bc_obps/Dockerfile - ports: - - "8000:8000" - environment: - - DJANGO_SETTINGS_MODULE=bc_obps.settings.production - networks: - - bciers-network - - zap-scan: - image: owasp/zap2docker-stable - container_name: zap-scanner - ports: - - "8080:8080" # ZAP UI + db: + image: postgres:16 + restart: always + environment: + POSTGRES_DB: registration + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres volumes: - - ./zap-scan:/zap/wrk - command: ["zap.sh", "-daemon", "-host", "0.0.0.0", "-port", "8080", "-config", "api.disablekey=true"] - networks: - - bciers-network - -networks: - bciers-network: - driver: bridge + - db:/var/lib/postgresql/data + network_mode: host + + backend: + image: ghcr.io/bcgov/cas-reg-backend:${GITHUB_SHA} + environment: + DB_USER: postgres + DB_NAME: registration + DB_PASSWORD: postgres + DB_PORT: 5432 + DB_HOST: localhost + DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY} + ALLOWED_HOSTS: localhost,0.0.0.0,127.0.0.1 + ENVIRONMENT: dev + CI: true + depends_on: + - db + network_mode: host + healthcheck: + test: curl --fail http://127.0.0.1:8000/api || exit 1 + interval: 10s + timeout: 10s + retries: 20 + start_period: 60s + + dashboard: + image: ghcr.io/bcgov/cas-dash-e2e-frontend:${GITHUB_SHA} + environment: + CI: true + PORT: 3000 + HOSTNAME: localhost + NEXTAUTH_URL_INTERNAL: http://localhost:3000 + NEXTAUTH_URL: http://localhost:3000 + NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} + API_URL: http://127.0.0.1:8000/api/ + KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} + KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} + KEYCLOAK_CLIENT_ID: 
${KEYCLOAK_CLIENT_ID} + depends_on: + - backend + network_mode: host + + administration: + image: ghcr.io/bcgov/cas-admin-frontend:${GITHUB_SHA} + environment: + PORT: 4001 + HOSTNAME: localhost + NEXTAUTH_URL_INTERNAL: http://localhost:3000 + NEXTAUTH_URL: http://localhost:3000 + NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} + API_URL: http://127.0.0.1:8000/api/ + KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} + KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} + KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} + depends_on: + - backend + network_mode: host + + compliance: + image: ghcr.io/bcgov/cas-compliance-frontend:${GITHUB_SHA} + environment: + PORT: 7000 + HOSTNAME: localhost + NEXTAUTH_URL_INTERNAL: http://localhost:3000 + NEXTAUTH_URL: http://localhost:3000 + NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} + API_URL: http://127.0.0.1:8000/api/ + KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} + KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} + KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} + depends_on: + - backend + network_mode: host + + registration: + image: ghcr.io/bcgov/cas-reg-frontend:${GITHUB_SHA} + environment: + PORT: 4000 + HOSTNAME: localhost + NEXTAUTH_URL_INTERNAL: http://localhost:3000 + NEXTAUTH_URL: http://localhost:3000 + NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} + API_URL: http://127.0.0.1:8000/api/ + KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} + KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} + KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} + depends_on: + - backend + network_mode: host + + reporting: + image: ghcr.io/bcgov/cas-rep-frontend:${GITHUB_SHA} + environment: + PORT: 5000 + HOSTNAME: localhost + NEXTAUTH_URL_INTERNAL: http://localhost:3000 + NEXTAUTH_URL: http://localhost:3000 + NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} + API_URL: http://127.0.0.1:8000/api/ + KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} + KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} + KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} + depends_on: + - backend + network_mode: host + + nx-app: + image: 
${IMAGE_URL}:${GITHUB_SHA} + environment: + PORT: ${NX_APP_PORT} + HOSTNAME: localhost + NEXTAUTH_URL_INTERNAL: http://localhost:3000 + NEXTAUTH_URL: http://localhost:3000 + NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} + API_URL: http://127.0.0.1:8000/api/ + KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} + KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} + KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} + depends_on: + - backend + network_mode: host + +volumes: + db: + driver: local From ac81c56f6460dbdb4a609a811cc2f3552edf1a14 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Wed, 19 Feb 2025 11:27:47 -0700 Subject: [PATCH 03/14] updated docker compose --- docker-compose.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index b74e49c4dc..5b6cd3a986 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,7 +13,7 @@ services: network_mode: host backend: - image: ghcr.io/bcgov/cas-reg-backend:${GITHUB_SHA} + image: ghcr.io/bcgov/cas-reg-backend:latest environment: DB_USER: postgres DB_NAME: registration @@ -23,7 +23,7 @@ services: DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY} ALLOWED_HOSTS: localhost,0.0.0.0,127.0.0.1 ENVIRONMENT: dev - CI: true + CI: "true" depends_on: - db network_mode: host @@ -35,9 +35,9 @@ services: start_period: 60s dashboard: - image: ghcr.io/bcgov/cas-dash-e2e-frontend:${GITHUB_SHA} + image: ghcr.io/bcgov/cas-dash-e2e-frontend:latest environment: - CI: true + CI: "true" PORT: 3000 HOSTNAME: localhost NEXTAUTH_URL_INTERNAL: http://localhost:3000 @@ -52,7 +52,7 @@ services: network_mode: host administration: - image: ghcr.io/bcgov/cas-admin-frontend:${GITHUB_SHA} + image: ghcr.io/bcgov/cas-admin-frontend:latest environment: PORT: 4001 HOSTNAME: localhost @@ -68,7 +68,7 @@ services: network_mode: host compliance: - image: ghcr.io/bcgov/cas-compliance-frontend:${GITHUB_SHA} + image: ghcr.io/bcgov/cas-compliance-frontend:latest environment: PORT: 7000 HOSTNAME: localhost 
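Review bot: The `db` service combines `network_mode: host`, `restart: always` and the default credentials `POSTGRES_USER: postgres` / `POSTGRES_PASSWORD: postgres`, so Postgres listens on 5432 on every interface of whatever machine runs this file, with a well-known password, and is restarted automatically after a daemon restart; on an ephemeral CI runner that is tolerable, but the commit presents this as a general-purpose compose file. Host networking is clearly a design choice here (`DB_HOST: localhost`, every `API_URL` points at `127.0.0.1`), so the cheap hardening is to drop `restart: always` and read the password from `${POSTGRES_PASSWORD}` the same way `DJANGO_SECRET_KEY` and `NEXTAUTH_SECRET` are read. The backend healthcheck `test: curl --fail http://127.0.0.1:8000/api || exit 1` presumably relies on `curl` being present in the `cas-reg-backend` image — worth confirming, since a missing binary makes the check fail permanently and every `depends_on` waiter with it.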
@@ -84,7 +84,7 @@ services: network_mode: host registration: - image: ghcr.io/bcgov/cas-reg-frontend:${GITHUB_SHA} + image: ghcr.io/bcgov/cas-reg-frontend:$latest environment: PORT: 4000 HOSTNAME: localhost @@ -100,7 +100,7 @@ services: network_mode: host reporting: - image: ghcr.io/bcgov/cas-rep-frontend:${GITHUB_SHA} + image: ghcr.io/bcgov/cas-rep-frontend:$latest environment: PORT: 5000 HOSTNAME: localhost @@ -116,7 +116,7 @@ services: network_mode: host nx-app: - image: ${IMAGE_URL}:${GITHUB_SHA} + image: ${IMAGE_URL}:latest environment: PORT: ${NX_APP_PORT} HOSTNAME: localhost From 2ed54a809ecb9c6749b329796cff6efd503642a2 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Fri, 21 Feb 2025 09:38:04 -0700 Subject: [PATCH 04/14] Added git sha --- docker-compose.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 5b6cd3a986..4c4386c742 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,7 +13,7 @@ services: network_mode: host backend: - image: ghcr.io/bcgov/cas-reg-backend:latest + image: ghcr.io/bcgov/cas-reg-backend:${GITHUB_SHA} environment: DB_USER: postgres DB_NAME: registration @@ -35,7 +35,7 @@ services: start_period: 60s dashboard: - image: ghcr.io/bcgov/cas-dash-e2e-frontend:latest + image: ghcr.io/bcgov/cas-dash-e2e-frontend:${GITHUB_SHA} environment: CI: "true" PORT: 3000 @@ -52,7 +52,7 @@ services: network_mode: host administration: - image: ghcr.io/bcgov/cas-admin-frontend:latest + image: ghcr.io/bcgov/cas-admin-frontend:${GITHUB_SHA} environment: PORT: 4001 HOSTNAME: localhost @@ -68,7 +68,7 @@ services: network_mode: host compliance: - image: ghcr.io/bcgov/cas-compliance-frontend:latest + image: ghcr.io/bcgov/cas-compliance-frontend:${GITHUB_SHA} environment: PORT: 7000 HOSTNAME: localhost 
@@ -84,7 +84,7 @@ services: network_mode: host registration: - image: ghcr.io/bcgov/cas-reg-frontend:$latest + image: ghcr.io/bcgov/cas-reg-frontend:${GITHUB_SHA} environment: PORT: 4000 HOSTNAME: localhost @@ -100,7 +100,7 @@ services: network_mode: host reporting: - image: ghcr.io/bcgov/cas-rep-frontend:$latest + image: ghcr.io/bcgov/cas-rep-frontend:${GITHUB_SHA} environment: PORT: 5000 HOSTNAME: localhost @@ -116,7 +116,7 @@ services: network_mode: host nx-app: - image: ${IMAGE_URL}:latest + image: ghcr.io/bcgov/cas-nx-app:${GITHUB_SHA} environment: PORT: ${NX_APP_PORT} HOSTNAME: localhost From 2735afe0dabe14b38970d05ec760605fd0138877 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Mon, 24 Feb 2025 15:22:11 -0700 Subject: [PATCH 05/14] revert docker file --- docker-compose.yaml | 136 -------------------------------------------- 1 file changed, 136 deletions(-) delete mode 100644 docker-compose.yaml diff --git a/docker-compose.yaml b/docker-compose.yaml deleted file mode 100644 index 4c4386c742..0000000000 --- a/docker-compose.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -version: "3.8" - -services: - db: - image: postgres:16 - restart: always - environment: - POSTGRES_DB: registration - POSTGRES_USER: postgres - POSTGRES_PASSWORD: postgres - volumes: - - db:/var/lib/postgresql/data - network_mode: host - - backend: - image: ghcr.io/bcgov/cas-reg-backend:${GITHUB_SHA} - environment: - DB_USER: postgres - DB_NAME: registration - DB_PASSWORD: postgres - DB_PORT: 5432 - DB_HOST: localhost - DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY} - ALLOWED_HOSTS: localhost,0.0.0.0,127.0.0.1 - ENVIRONMENT: dev - CI: "true" - depends_on: - - db - network_mode: host - healthcheck: - test: curl --fail http://127.0.0.1:8000/api || exit 1 - interval: 10s - timeout: 10s - retries: 20 - start_period: 60s - - dashboard: - image: ghcr.io/bcgov/cas-dash-e2e-frontend:${GITHUB_SHA} - environment: - CI: "true" - PORT: 3000 - HOSTNAME: localhost - NEXTAUTH_URL_INTERNAL: http://localhost:3000 - NEXTAUTH_URL: http://localhost:3000 - NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} - API_URL: http://127.0.0.1:8000/api/ - KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} - KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} - depends_on: - - backend - network_mode: host - - administration: - image: ghcr.io/bcgov/cas-admin-frontend:${GITHUB_SHA} - environment: - PORT: 4001 - HOSTNAME: localhost - NEXTAUTH_URL_INTERNAL: http://localhost:3000 - NEXTAUTH_URL: http://localhost:3000 - NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} - API_URL: http://127.0.0.1:8000/api/ - KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} - KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} - depends_on: - - backend - network_mode: host - - compliance: - image: ghcr.io/bcgov/cas-compliance-frontend:${GITHUB_SHA} - environment: - PORT: 7000 - HOSTNAME: localhost - NEXTAUTH_URL_INTERNAL: http://localhost:3000 - NEXTAUTH_URL: http://localhost:3000 - NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} - API_URL: http://127.0.0.1:8000/api/ - 
KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} - KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} - depends_on: - - backend - network_mode: host - - registration: - image: ghcr.io/bcgov/cas-reg-frontend:${GITHUB_SHA} - environment: - PORT: 4000 - HOSTNAME: localhost - NEXTAUTH_URL_INTERNAL: http://localhost:3000 - NEXTAUTH_URL: http://localhost:3000 - NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} - API_URL: http://127.0.0.1:8000/api/ - KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} - KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} - depends_on: - - backend - network_mode: host - - reporting: - image: ghcr.io/bcgov/cas-rep-frontend:${GITHUB_SHA} - environment: - PORT: 5000 - HOSTNAME: localhost - NEXTAUTH_URL_INTERNAL: http://localhost:3000 - NEXTAUTH_URL: http://localhost:3000 - NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} - API_URL: http://127.0.0.1:8000/api/ - KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} - KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} - depends_on: - - backend - network_mode: host - - nx-app: - image: ghcr.io/bcgov/cas-nx-app:${GITHUB_SHA} - environment: - PORT: ${NX_APP_PORT} - HOSTNAME: localhost - NEXTAUTH_URL_INTERNAL: http://localhost:3000 - NEXTAUTH_URL: http://localhost:3000 - NEXTAUTH_SECRET: ${NEXTAUTH_SECRET} - API_URL: http://127.0.0.1:8000/api/ - KEYCLOAK_LOGIN_URL: ${KEYCLOAK_LOGIN_URL} - KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} - KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} - depends_on: - - backend - network_mode: host - -volumes: - db: - driver: local From b0e3c88f7f5872b2a8d15d2bddb16adc87ae0c29 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 09:45:23 -0700 Subject: [PATCH 06/14] zap-owasp.yaml changes --- .github/workflows/zap-owasp.yaml | 113 +++++++++++++++++++++++++------ 1 file changed, 92 insertions(+), 21 deletions(-) 
diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index 0e11cf604f..cf02bb6b85 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml 
@@ -1,56 +1,127 @@ name: ZAP OWASP Scan Code +# This workflow can be called from other workflows. on: workflow_call: env: + # Common environment variables for your app PGUSER: postgres DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }} + NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }} + KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }} + KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }} + KEYCLOAK_LOGIN_URL: ${{ secrets.KEYCLOAK_LOGIN_URL }} jobs: zap-scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: dev env setup - uses: ./.github/actions/dev-env-setup - - name: run app locally - uses: ./.github/actions/run-registration1-app + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Start Services with Docker Compose + run: | + echo "Starting services..." + docker-compose -f cas-registration/bciers/docker-compose-bciers-apps.yaml up -d + echo "Waiting for services to be ready..." + # Adjust sleep time if needed or implement a loop with health checks + sleep 60 + + # Scan the backend API (adjust the target path as needed) + - name: ZAP Scan - Backend API + uses: zaproxy/action-baseline@v0.14.0 with: - django_secret_key: ${{ env.DJANGO_SECRET_KEY }} - - name: ZAP Frontend Scan + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: "ghcr.io/zaproxy/zaproxy:stable" + target: "http://127.0.0.1:8000/api" + rules_file_name: ".zap/rules-backend.tsv" + cmd_options: "-a -d -T 5 -m 2" + issue_title: "OWASP Baseline - Backend API" + fail_action: false + allow_issue_writing: false + artifact_name: backend_zap_scan + + # Scan the dashboard (frontend) app + - name: ZAP Scan - Dashboard Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" - target: "http://localhost:3000/" + target: "http://127.0.0.1:3000" rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" - issue_title: OWASP Baseline - Frontend + issue_title: "OWASP Baseline - 
Dashboard Frontend" fail_action: false allow_issue_writing: false - artifact_name: frontend_zap_scan - - name: ZAP Backend Scan + artifact_name: dashboard_zap_scan + + # Scan the administration (frontend) app + - name: ZAP Scan - Administration Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" - target: "http://0.0.0.0:8000/" - rules_file_name: ".zap/rules-backend.tsv" + target: "http://127.0.0.1:4001" + rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" - issue_title: OWASP Baseline - Backend + issue_title: "OWASP Baseline - Administration Frontend" fail_action: false allow_issue_writing: false - artifact_name: backend_zap_scan + artifact_name: administration_zap_scan + + # Scan the registration (frontend) app + - name: ZAP Scan - Registration Frontend + uses: zaproxy/action-baseline@v0.14.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: "ghcr.io/zaproxy/zaproxy:stable" + target: "http://127.0.0.1:4000" + rules_file_name: ".zap/rules-frontend.tsv" + cmd_options: "-a -d -T 5 -m 2" + issue_title: "OWASP Baseline - Registration Frontend" + fail_action: false + allow_issue_writing: false + artifact_name: registration_zap_scan + + # Scan the compliance (frontend) app + - name: ZAP Scan - Compliance Frontend + uses: zaproxy/action-baseline@v0.14.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: "ghcr.io/zaproxy/zaproxy:stable" + target: "http://127.0.0.1:7000" + rules_file_name: ".zap/rules-frontend.tsv" + cmd_options: "-a -d -T 5 -m 2" + issue_title: "OWASP Baseline - Compliance Frontend" + fail_action: false + allow_issue_writing: false + artifact_name: compliance_zap_scan + + # Scan the reporting (frontend) app + - name: ZAP Scan - Reporting Frontend + uses: zaproxy/action-baseline@v0.14.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: "ghcr.io/zaproxy/zaproxy:stable" + target: "http://127.0.0.1:5000" + rules_file_name: 
".zap/rules-frontend.tsv" + cmd_options: "-a -d -T 5 -m 2" + issue_title: "OWASP Baseline - Reporting Frontend" + fail_action: false + allow_issue_writing: false + artifact_name: reporting_zap_scan + + - name: Tear Down Services + run: | + echo "Stopping services..." + docker-compose -f cas-registration/bciers/docker-compose-bciers-apps.yaml down - # Retry the workflow due to secondary rate limiting errors causing frequent failures + # This job will retry the workflow if ZAP scanning fails due to rate limiting or transient errors. retry-on-failure: needs: zap-scan - if: failure() || needs.zap-scan.result != 'success' && fromJSON(github.run_attempt) < 3 && !cancelled() + if: failure() || (needs.zap-scan.result != 'success' && fromJSON(github.run_attempt) < 3 && !cancelled()) runs-on: ubuntu-latest steps: - - env: - GH_REPO: ${{ github.repository }} - GH_TOKEN: ${{ github.token }} - GH_DEBUG: api + - name: Retry ZAP Scan run: gh workflow run retry-workflow.yaml -F run_id=${{ github.run_id }} From 03bf6281497abe9b7ac57944e7a407af233a4f9b Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 09:55:15 -0700 Subject: [PATCH 07/14] zap-owasp.yaml - install docker compose --- .github/workflows/zap-owasp.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index cf02bb6b85..683cb119c0 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml @@ -20,6 +20,12 @@ jobs: - name: Checkout Code uses: actions/checkout@v4 + #install docker compose + - name: Install Docker Compose + run: | + sudo apt-get update + sudo apt-get install -y docker-compose + - name: Start Services with Docker Compose run: | echo "Starting services..." From 62d2e2fb959918d6c6048d38f6005066477b2eb3 Mon Sep 17 00:00:00 2001 
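Review bot: The rewritten `retry-on-failure` step drops the `env:` block that set `GH_TOKEN: ${{ github.token }}` and `GH_REPO: ${{ github.repository }}`, but `gh workflow run retry-workflow.yaml` still needs both on a runner — the job performs no checkout, so `gh` cannot infer the repository, and without a token the call is unauthenticated; restore `env:` with `GH_TOKEN: ${{ github.token }}` and `GH_REPO: ${{ github.repository }}` on the `Retry ZAP Scan` step. Separately, `NEXTAUTH_SECRET`, `KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET` and `KEYCLOAK_LOGIN_URL` are added to the workflow-level `env:`, which hands them to every step including the six third-party `zaproxy/action-baseline` runs, while only the `docker-compose ... up -d` step consumes them — a step-level `env:` on that step is the least-privilege placement. Because this workflow is `workflow_call`-only and declares no `secrets:` inputs, those values are only populated when the caller uses `secrets: inherit`; confirm the calling workflow does. The added parentheses do not change the retry condition's meaning: `failure() ||` still short-circuits past the `fromJSON(github.run_attempt) < 3` bound, so unless `retry-workflow.yaml` enforces its own cap a persistently failing scan re-dispatches itself without limit; `needs.zap-scan.result == 'failure' && fromJSON(github.run_attempt) < 3 && !cancelled()` bounds it.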
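Review bot: `sudo apt-get install -y docker-compose` installs the Python-based Compose v1 from the Ubuntu archive, which reached end of life in 2023, while `ubuntu-latest` runners already ship Compose v2 as the `docker compose` plugin; the install step can be dropped and the `docker-compose -f ...` invocations in this workflow changed to `docker compose -f ...`. If v1 is being kept deliberately, record the reason in the `#install docker compose` comment so the next reader does not remove the step.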
From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 10:05:45 -0700 Subject: [PATCH 08/14] zap-owasp.yaml - updated docker-compose-bciers-apps.yaml file path --- .github/workflows/zap-owasp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index 683cb119c0..fc9db5e82d 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml @@ -29,7 +29,7 @@ jobs: - name: Start Services with Docker Compose run: | echo "Starting services..." - docker-compose -f cas-registration/bciers/docker-compose-bciers-apps.yaml up -d + docker-compose -f ./bciers/docker-compose-bciers-apps.yaml up -d echo "Waiting for services to be ready..." # Adjust sleep time if needed or implement a loop with health checks sleep 60 From e0ae78e8e7b42b482b65299132479872df68dbd1 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 10:14:18 -0700 Subject: [PATCH 09/14] changed type true to 'true' (string) --- bciers/docker-compose-bciers-apps.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bciers/docker-compose-bciers-apps.yaml b/bciers/docker-compose-bciers-apps.yaml index b90e9fcd43..dc77c0fe86 100644 --- a/bciers/docker-compose-bciers-apps.yaml +++ b/bciers/docker-compose-bciers-apps.yaml @@ -21,7 +21,7 @@ services: DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY} ALLOWED_HOSTS: localhost,0.0.0.0,127.0.0.1 ENVIRONMENT: dev - CI: true + CI: "true" depends_on: - db # Ensures the database is up before the backend starts network_mode: host @@ -37,7 +37,7 @@ services: # Use the dashboard-e2e image which has nextjs rewrite hosts built in image: ghcr.io/bcgov/cas-dash-e2e-frontend:${GITHUB_SHA} environment: - CI: true # This is used to disable secureCookie in the dashboard route.ts file + CI: "true" # This is used to disable secureCookie in the dashboard route.ts file PORT: 3000 HOSTNAME: localhost NEXTAUTH_URL_INTERNAL: http://localhost:3000 
From 4be35cb829f17c941c21f255e582073fda920b19 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 10:37:01 -0700 Subject: [PATCH 10/14] commented the rules for now, as they dont exist --- .github/workflows/zap-owasp.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index fc9db5e82d..d331696bdf 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml @@ -41,7 +41,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:8000/api" - rules_file_name: ".zap/rules-backend.tsv" + # rules_file_name: ".zap/rules-backend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Backend API" fail_action: false @@ -55,7 +55,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:3000" - rules_file_name: ".zap/rules-frontend.tsv" + # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Dashboard Frontend" fail_action: false @@ -69,7 +69,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:4001" - rules_file_name: ".zap/rules-frontend.tsv" + # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Administration Frontend" fail_action: false @@ -83,7 +83,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:4000" - rules_file_name: ".zap/rules-frontend.tsv" + # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Registration Frontend" fail_action: false 
@@ -97,7 +97,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:7000" - rules_file_name: ".zap/rules-frontend.tsv" + # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Compliance Frontend" fail_action: false @@ -111,7 +111,7 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:5000" - rules_file_name: ".zap/rules-frontend.tsv" + # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Reporting Frontend" fail_action: false From 65f1500e930b7d494e78aee04b44da8ba32726a3 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 14:00:48 -0700 Subject: [PATCH 11/14] updated access link --- .github/workflows/zap-owasp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index d331696bdf..c75bdb76ae 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml @@ -54,7 +54,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" - target: "http://127.0.0.1:3000" + target: "http://host.docker.internal:3000" # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Dashboard Frontend" From 390274d58c88b206d328a0aa40beaa6380ec94a7 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 14:12:54 -0700 Subject: [PATCH 12/14] revert updated access link --- .github/workflows/zap-owasp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index c75bdb76ae..d331696bdf 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml 
@@ -54,7 +54,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" - target: "http://host.docker.internal:3000" + target: "http://127.0.0.1:3000" # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Dashboard Frontend" From c148b03f354f35c612bac2727158752fe702fee4 Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 14:25:25 -0700 Subject: [PATCH 13/14] added health checks --- .github/workflows/zap-owasp.yaml | 37 ++++++++++++-------------- bciers/docker-compose-bciers-apps.yaml | 27 ++++++++++++------- 2 files changed, 35 insertions(+), 29 deletions(-) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index d331696bdf..b34b39ae20 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml @@ -1,11 +1,9 @@ name: ZAP OWASP Scan Code -# This workflow can be called from other workflows. on: workflow_call: env: - # Common environment variables for your app PGUSER: postgres DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }} NEXTAUTH_SECRET: ${{ secrets.NEXTAUTH_SECRET }} 
@@ -20,98 +18,97 @@ jobs: - name: Checkout Code uses: actions/checkout@v4 - #install docker compose + # Install Docker and Docker Compose - name: Install Docker Compose run: | sudo apt-get update sudo apt-get install -y docker-compose + # Start all services using Docker Compose - name: Start Services with Docker Compose run: | echo "Starting services..." - docker-compose -f ./bciers/docker-compose-bciers-apps.yaml up -d + docker-compose -f ./cas-registration/bciers/docker-compose-bciers-apps.yaml up -d echo "Waiting for services to be ready..." - # Adjust sleep time if needed or implement a loop with health checks - sleep 60 - # Scan the backend API (adjust the target path as needed) + # Wait for the backend API to be healthy + - name: Wait for Backend API Readiness + run: | + timeout 90s bash -c 'until curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:8000/api | grep -q "200"; do sleep 3; done' || { echo "Backend API is not ready"; exit 1; } + + # Wait for Frontend Readiness (Dashboard) + - name: Wait for Dashboard Readiness + run: | + timeout 90s bash -c 'until curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:3000 | grep -q "200"; do sleep 3; done' || { echo "Dashboard is not ready"; exit 1; } + + # Run ZAP Scan for Backend API - name: ZAP Scan - Backend API uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:8000/api" - # rules_file_name: ".zap/rules-backend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Backend API" fail_action: false allow_issue_writing: false artifact_name: backend_zap_scan - # Scan the dashboard (frontend) app + # Run ZAP Scan for Frontend Apps - name: ZAP Scan - Dashboard Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:3000" - # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" 
issue_title: "OWASP Baseline - Dashboard Frontend" fail_action: false allow_issue_writing: false artifact_name: dashboard_zap_scan - # Scan the administration (frontend) app - name: ZAP Scan - Administration Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:4001" - # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Administration Frontend" fail_action: false allow_issue_writing: false artifact_name: administration_zap_scan - # Scan the registration (frontend) app - name: ZAP Scan - Registration Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:4000" - # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Registration Frontend" fail_action: false allow_issue_writing: false artifact_name: registration_zap_scan - # Scan the compliance (frontend) app - name: ZAP Scan - Compliance Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:7000" - # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Compliance Frontend" fail_action: false allow_issue_writing: false artifact_name: compliance_zap_scan - # Scan the reporting (frontend) app - name: ZAP Scan - Reporting Frontend uses: zaproxy/action-baseline@v0.14.0 with: token: ${{ secrets.GITHUB_TOKEN }} docker_name: "ghcr.io/zaproxy/zaproxy:stable" target: "http://127.0.0.1:5000" - # rules_file_name: ".zap/rules-frontend.tsv" cmd_options: "-a -d -T 5 -m 2" issue_title: "OWASP Baseline - Reporting Frontend" fail_action: false 
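Review bot: The two readiness steps only poll `http://127.0.0.1:8000/api` and `http://127.0.0.1:3000`, yet the scans later in this hunk also target ports 4001, 4000, 7000 and 5000, so the administration, registration, compliance and reporting scans can still start before those apps listen and ZAP reports an unreachable target instead of findings. One loop covers all six: `for p in 8000 3000 4001 4000 7000 5000; do timeout 90s bash -c "until curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:$p | grep -q '^[23]'; do sleep 3; done" || { echo "port $p not ready"; exit 1; }; done`. Matching only `"200"` is also brittle if a frontend answers `/` with a redirect to its login page; accepting 2xx/3xx as above avoids a spurious 90s timeout. The `Tear Down Services` step lies outside this hunk.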
@@ -121,9 +118,9 @@ jobs: - name: Tear Down Services run: | echo "Stopping services..." - docker-compose -f cas-registration/bciers/docker-compose-bciers-apps.yaml down + docker-compose -f ./cas-registration/bciers/docker-compose-bciers-apps.yaml down - # This job will retry the workflow if ZAP scanning fails due to rate limiting or transient errors. + # Retry job in case of failure retry-on-failure: needs: zap-scan if: failure() || (needs.zap-scan.result != 'success' && fromJSON(github.run_attempt) < 3 && !cancelled()) diff --git a/bciers/docker-compose-bciers-apps.yaml b/bciers/docker-compose-bciers-apps.yaml index dc77c0fe86..7005bb7b13 100644 --- a/bciers/docker-compose-bciers-apps.yaml +++ b/bciers/docker-compose-bciers-apps.yaml @@ -23,9 +23,8 @@ services: ENVIRONMENT: dev CI: "true" depends_on: - - db # Ensures the database is up before the backend starts + - db network_mode: host - # Healthcheck to ensure the API is ready before reporting healthy healthcheck: test: curl --fail http://127.0.0.1:8000/api || exit 1 interval: 10s @@ -34,10 +33,9 @@ services: start_period: 60s dashboard: - # Use the dashboard-e2e image which has nextjs rewrite hosts built in image: ghcr.io/bcgov/cas-dash-e2e-frontend:${GITHUB_SHA} environment: - CI: "true" # This is used to disable secureCookie in the dashboard route.ts file + CI: "true" PORT: 3000 HOSTNAME: localhost NEXTAUTH_URL_INTERNAL: http://localhost:3000 @@ -48,8 +46,15 @@ services: KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} depends_on: - - backend + backend: + condition: service_healthy # Wait for backend health check network_mode: host + healthcheck: + test: curl --fail http://127.0.0.1:3000 || exit 1 + interval: 10s + timeout: 10s + retries: 20 + start_period: 60s administration: image: ghcr.io/bcgov/cas-admin-frontend:${GITHUB_SHA} 
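Review bot: `Tear Down Services` carries no `if: always()`, so whenever a readiness or scan step fails the job exits before `docker-compose ... down` ever runs; add `if: always()` to the step so the stack is stopped on every path. On a hosted runner the leak ends with the VM, but on a self-hosted runner the containers — Postgres with its default password on host networking among them — would keep running until some later job happens to tear them down.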
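Review bot: In the `-23,9` hunk the backend keeps the short-form `depends_on: - db`, which only waits for the Postgres container to be created, while the same commit moves every frontend to `condition: service_healthy`; `db` has no `healthcheck`, so the backend can still start before Postgres accepts connections and presumably only the `start_period: 60s` grace masks it. Give `db` a check such as `test: ["CMD-SHELL", "pg_isready -U postgres -d registration"]` with the same `interval`/`retries` as the backend, and change the backend's dependency to `db:` / `condition: service_healthy`. This hunk and the `-34,10` hunk below it also delete the explanatory comments; the one on `CI: "true"` recorded that the flag disables `secureCookie` in the dashboard, which is exactly the kind of switched-off control a reader needs to see, so keep `# disables secureCookie in the dashboard route.ts; CI only` next to it.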
@@ -64,7 +69,8 @@ services: KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} depends_on: - - backend + backend: + condition: service_healthy network_mode: host compliance: @@ -80,7 +86,8 @@ services: KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} depends_on: - - backend + backend: + condition: service_healthy network_mode: host registration: @@ -96,7 +103,8 @@ services: KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} depends_on: - - backend + backend: + condition: service_healthy network_mode: host reporting: @@ -112,7 +120,8 @@ services: KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET} KEYCLOAK_CLIENT_ID: ${KEYCLOAK_CLIENT_ID} depends_on: - - backend + backend: + condition: service_healthy network_mode: host volumes: From 331f98190c62991851483cd1005affa51b5f698f Mon Sep 17 00:00:00 2001 From: Vikram-Kumar-BCGov Date: Tue, 25 Feb 2025 14:36:33 -0700 Subject: [PATCH 14/14] fixed file path --- .github/workflows/zap-owasp.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zap-owasp.yaml b/.github/workflows/zap-owasp.yaml index b34b39ae20..b39873d057 100644 --- a/.github/workflows/zap-owasp.yaml +++ b/.github/workflows/zap-owasp.yaml @@ -28,7 +28,7 @@ jobs: - name: Start Services with Docker Compose run: | echo "Starting services..." - docker-compose -f ./cas-registration/bciers/docker-compose-bciers-apps.yaml up -d + docker-compose -f ./bciers/docker-compose-bciers-apps.yaml up -d echo "Waiting for services to be ready..." # Wait for the backend API to be healthy
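Review bot: `administration`, `compliance`, `registration` and `reporting` (this hunk and the `-80,7`, `-96,7` and `-112,7` hunks after it) now wait for the backend via `condition: service_healthy`, but none of the four declares a `healthcheck` of its own, so neither compose nor the workflow can tell when they are listening on 4001, 7000, 4000 and 5000; only `dashboard` received a check in this commit. Mirror the dashboard's block on each service with its own port, as shown below for `administration`; presumably the frontend images carry `curl`, since the dashboard check already depends on it — confirm.
```yaml
  administration:
    # … unchanged: image, environment, depends_on …
    network_mode: host
    healthcheck:
      test: curl --fail http://127.0.0.1:4001 || exit 1
      interval: 10s
      timeout: 10s
      retries: 20
      start_period: 60s
```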
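Review bot: Only the `up -d` line is corrected to `./bciers/docker-compose-bciers-apps.yaml`; the `Tear Down Services` step, outside this hunk, still references `./cas-registration/bciers/docker-compose-bciers-apps.yaml` from the previous commit, so teardown fails with a missing-file error on every run. Either change it to `docker-compose -f ./bciers/docker-compose-bciers-apps.yaml down`, or set `COMPOSE_FILE: ./bciers/docker-compose-bciers-apps.yaml` once in the job's `env:` and drop `-f` from both commands so the two paths cannot drift again.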