Merge pull request #252 from FraunhoferISST/ci/owasp

ci(owasp-dast): added workflow for DAST

.github/workflows/owasp-dast.yaml

@@ -0,0 +1,111 @@
+#
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Apache License, Version 2.0 which is available at
+# https://www.apache.org/licenses/LICENSE-2.0.
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+name: ZAP_ALL
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
+
+jobs:
+  zap_scan1:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP API Scan
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: MAD Test
+        id: mad_test
+        run: |
+          # Perform API Test 1 and capture the response
+          response=$(curl -w "%{http_code}" -v GET https://puris-backend-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ API_KEY }}")
+          echo "Response: $response"
+
+      - name: Stock View Test
+        id: stock_view_test
+        run: |
+          # Perform API Test 3 and capture the response
+          response=$(curl -X GET https://puris-backend-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ API_KEY }}")
+          echo "Response: $response"
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch API_report.html
+          chmod a+w API_report.html
+          ls -lrt
+
+      - name: Run ZAP API scan
+        run: |
+          set +e
+          
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t https://puris-customer.int.demo.catena-x.net -f openapi -r API_report.html -T 1
+          
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ZAP_API scan report
+          path: ./API_report.html
+          retention-days: 1
+
+  zap_scan2:
+    runs-on: ubuntu-latest
+    name: OWASP ZAP FULL Scan
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+        with:
+          ref: main
+
+      - name: Generating report skeletons
+        if: success() || failure()
+        run: |
+          touch fullscan_report.html
+          chmod a+w fullscan_report.html
+          ls -lrt
+
+      - name: Perform ZAP FULL scan
+        run: |
+          set +e
+          
+          echo "Pulling ZAP image..."
+          docker pull ghcr.io/zaproxy/zaproxy:stable -q
+          echo "Starting ZAP Docker container..."
+          docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://knowledge.dev.demo.catena-x.net -r fullscan_report.html -T 1
+          
+          echo "... done."
+
+      - name: Upload HTML report
+        if: success() || failure()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ZAP_FULL scan report
+          path: ./fullscan_report.html
+          retention-days: 1