diff --git a/.github/workflows/owasp-dast.yaml b/.github/workflows/owasp-dast.yaml new file mode 100644 index 00000000..b3efc4ad --- /dev/null +++ b/.github/workflows/owasp-dast.yaml @@ -0,0 +1,111 @@ +# +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# +name: ZAP_ALL + +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + zap_scan1: + runs-on: ubuntu-latest + name: OWASP ZAP API Scan + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 + with: + ref: main + fetch-depth: 0 + + - name: MAD Test + id: mad_test + run: | + # Perform API Test 1 and capture the response + response=$(curl -w "%{http_code}" -v GET https://puris-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ secrets.API_KEY }}") + echo "Response: $response" + + - name: Stock View Test + id: stock_view_test + run: | + # Perform API Test 3 and capture the response + response=$(curl -X GET https://puris-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ secrets.API_KEY }}") + echo "Response: $response" + + - name: Generating report skeletons + if: success() || failure() + run: | + touch API_report.html + chmod a+w API_report.html + ls -lrt + + - name: Run ZAP API scan + run: | + set +e + + echo "Pulling ZAP image..." + docker pull ghcr.io/zaproxy/zaproxy:stable -q + echo "Starting ZAP Docker container..." + docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t https://puris-customer.int.demo.catena-x.net -f openapi -r API_report.html -T 1 + + echo "... done." + + - name: Upload HTML report + if: success() || failure() + uses: actions/upload-artifact@v3 + with: + name: ZAP_API scan report + path: ./API_report.html + retention-days: 1 + + zap_scan2: + runs-on: ubuntu-latest + name: OWASP ZAP FULL Scan + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 + with: + ref: main + + - name: Generating report skeletons + if: success() || failure() + run: | + touch fullscan_report.html + chmod a+w fullscan_report.html + ls -lrt + + - name: Perform ZAP FULL scan + run: | + set +e + + echo "Pulling ZAP image..." + docker pull ghcr.io/zaproxy/zaproxy:stable -q + echo "Starting ZAP Docker container..." + docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://knowledge.dev.demo.catena-x.net -r fullscan_report.html -T 1 + + echo "... done." + + - name: Upload HTML report + if: success() || failure() + uses: actions/upload-artifact@v3 + with: + name: ZAP_FULL scan report + path: ./fullscan_report.html + retention-days: 1