Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: add automated DAST scanning (courtesy of @RoKrish14). #90

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 128 additions & 0 deletions .github/workflows/DAST.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
---
#
# Copyright (c) 2024 ZF Friedrichshafen AG
# Copyright (c) 2024 T-Systems International GmbH
# Copyright (c) 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
#
name: ZAP_ALL

on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:

jobs:
zap_scan1:
runs-on: ubuntu-latest
name: OWASP ZAP API Scan

steps:
- name: Checkout
uses: actions/checkout@v2
with:
ref: main
fetch-depth: 0

- name: API Test 1
id: api_test_1
run: |
# Perform API Test 1 and capture the response
response=$(curl -w "%{http_code}" -v GET https://knowledge.int.demo.catena-x.net/oem-provider-agent3/sparql?query=SELECT%20%3Fs%20WHERE%20%7B%20%3Fs%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23type%3E%20%3Chttps%3A%2F%2Fw3id.org%2Fcatenax%2Fontology%2Fvehicle%23Part%3E.%20%7D%20LIMIT%2010 --user "${{ secrets.BASIC_AUTH_USER }}:${{ secrets.BASIC_AUTH_PASSWORD }}")
echo "Response: $response"

- name: API Test 2
id: api_test_2
run: |
# Perform API Test 2 and capture the response
response=$(curl -w "%{http_code}" -X GET https://knowledge.int.demo.catena-x.net/oem-provider-agent3/sparql?query=SELECT%20%3Fs%20WHERE%20%7B%20%3Fs%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23type%3E%20%3Chttps%3A%2F%2Fw3id.org%2Fcatenax%2Fontology%2Fvehicle%23Part%3E.%20%7D%20LIMIT%2010 --header "Authorization: Basic ${{ secrets.BASIC_AUTH_TOKEN }}")
echo "Response: $response"

- name: API Test 3
id: api_test_3
run: |
# Perform API Test 3 and capture the response
response=$(curl -X POST https://knowledge.int.demo.catena-x.net/oem-edc-control/BPNL00000003COJN/management/v2/assets/request --header "X-Api-Key: ${{ secrets.API_KEY }}")
echo "Response: $response"

- name: API Test 4
id: api_test_4
run: |
# Perform API Test 4 and capture the response
response=$(curl -X GET https://knowledge.int.demo.catena-x.net/tiera-edc-data/BPNL00000003CPIY/api/agent?query=SELECT%20%3Fs%20%3Fp%20%3Fo%20WHERE%20%7B%20%3Fs%20%3Fp%20%3Fo.%7D%20LIMIT%2010 --header "Authorization: Bearer ${{ secrets.OAUTH2 }}")
echo "Response: $response"

- name: Generating report skeletons
if: success() || failure()
run: |
touch API_report.html
chmod a+w API_report.html
ls -lrt

- name: Run ZAP API scan
run: |
set +e

echo "Pulling ZAP image..."
docker pull ghcr.io/zaproxy/zaproxy:stable -q
echo "Starting ZAP Docker container..."
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t docs/openapi.json -f openapi -r API_report.html -T 1

echo "... done."

- name: Upload HTML report
if: success() || failure()
uses: actions/upload-artifact@v3
with:
name: ZAP_API scan report
path: ./API_report.html
retention-days: 1

zap_scan2:
runs-on: ubuntu-latest
name: OWASP ZAP FULL Scan
steps:
- name: Checkout
uses: actions/checkout@v2
with:
ref: main

- name: Generating report skeletons
if: success() || failure()
run: |
touch fullscan_report.html
chmod a+w fullscan_report.html
ls -lrt

- name: Perform ZAP FULL scan
run: |
set +e

echo "Pulling ZAP image..."
docker pull ghcr.io/zaproxy/zaproxy:stable -q
echo "Starting ZAP Docker container..."
docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://knowledge.int.demo.catena-x.net -r fullscan_report.html -T 1

echo "... done."

- name: Upload HTML report
if: success() || failure()
uses: actions/upload-artifact@v3
with:
name: ZAP_FULL scan report
path: ./fullscan_report.html
retention-days: 1
6 changes: 2 additions & 4 deletions .github/workflows/kics.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
#
# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation
# Copyright (c) 2021, 2024 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
Expand Down Expand Up @@ -32,9 +32,7 @@ on:

workflow_dispatch:

# Since rules may change should run regularily
schedule:
- cron: "0 0 * * *"


jobs:
analyze:
Expand Down
4 changes: 2 additions & 2 deletions docs/README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
<!--
* Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
* Copyright (c) 2022,2024 Contributors to the Eclipse Foundation
*
* See the NOTICE file(s) distributed with this work for additional
* information regarding copyright ownership.
Expand All @@ -20,7 +20,7 @@

# Tractus-X Knowledge Agents Reference Implementation (KA-RI) Documentation

In the Knowledge Agent Architecture, an Agent is any component which speaks and/or enacts a Semantic Web protocol, such as SPARQL.
In the Knowledge Agent Architecture, an Agent is any component which speaks and/or enacts a Semantic Web protocol, such as SPARQL. So agents share a common [Open Api Specifaction](openapi.json) of which they implement a particular profile, i.e., a sub-protocol.

Binding Agents are the intermediate layer between the dataspace (represented by the Matchmaking Agent that is connected to any Agent-Enabled Application and/or the Agent-Enabled Connector) and your business data & functions.

Expand Down
Loading
Loading