From 9da00300d1468fad2a4e8da1e7573841f0cefbbb Mon Sep 17 00:00:00 2001 From: --show-origin Date: Sat, 17 Feb 2024 01:58:48 -0800 Subject: [PATCH 1/3] ci(owasp-dast): added workflow for DAST --- .github/workflows/owasp-dast.yaml | 111 ++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 .github/workflows/owasp-dast.yaml diff --git a/.github/workflows/owasp-dast.yaml b/.github/workflows/owasp-dast.yaml new file mode 100644 index 00000000..b3efc4ad --- /dev/null +++ b/.github/workflows/owasp-dast.yaml @@ -0,0 +1,111 @@ +# +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Apache License, Version 2.0 which is available at +# https://www.apache.org/licenses/LICENSE-2.0. +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# +name: ZAP_ALL + +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + zap_scan1: + runs-on: ubuntu-latest + name: OWASP ZAP API Scan + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 + with: + ref: main + fetch-depth: 0 + + - name: MAD Test + id: mad_test + run: | + # Perform API Test 1 and capture the response + response=$(curl -w "%{http_code}" -v GET https://puris-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ secrets.API_KEY }}") + echo "Response: $response" + + - name: Stock View Test + id: stock_view_test + run: | + # Perform API Test 3 and capture the response + response=$(curl -X GET https://puris-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ secrets.API_KEY }}") + echo "Response: $response" + + - name: Generating report skeletons + if: success() || failure() + run: | + touch API_report.html + chmod a+w API_report.html + ls -lrt + + - name: Run ZAP API scan + run: | + set +e + + echo "Pulling ZAP image..." + docker pull ghcr.io/zaproxy/zaproxy:stable -q + echo "Starting ZAP Docker container..." + docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py -t https://puris-customer.int.demo.catena-x.net -f openapi -r API_report.html -T 1 + + echo "... done." + + - name: Upload HTML report + if: success() || failure() + uses: actions/upload-artifact@v3 + with: + name: ZAP_API scan report + path: ./API_report.html + retention-days: 1 + + zap_scan2: + runs-on: ubuntu-latest + name: OWASP ZAP FULL Scan + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 + with: + ref: main + + - name: Generating report skeletons + if: success() || failure() + run: | + touch fullscan_report.html + chmod a+w fullscan_report.html + ls -lrt + + - name: Perform ZAP FULL scan + run: | + set +e + + echo "Pulling ZAP image..." + docker pull ghcr.io/zaproxy/zaproxy:stable -q + echo "Starting ZAP Docker container..." + docker run -v ${GITHUB_WORKSPACE}:/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://knowledge.dev.demo.catena-x.net -r fullscan_report.html -T 1 + + echo "... done." + + - name: Upload HTML report + if: success() || failure() + uses: actions/upload-artifact@v3 + with: + name: ZAP_FULL scan report + path: ./fullscan_report.html + retention-days: 1 From c16a08eeee3886a854ac7569001c3107ef377da6 Mon Sep 17 00:00:00 2001 From: --show-origin Date: Thu, 22 Feb 2024 03:07:34 -0800 Subject: [PATCH 2/3] fix(owasp-dast): updated backend addresses accordingly --- .github/workflows/owasp-dast.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/owasp-dast.yaml b/.github/workflows/owasp-dast.yaml index b3efc4ad..75ff7296 100644 --- a/.github/workflows/owasp-dast.yaml +++ b/.github/workflows/owasp-dast.yaml @@ -39,14 +39,14 @@ jobs: id: mad_test run: | # Perform API Test 1 and capture the response - response=$(curl -w "%{http_code}" -v GET https://puris-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ secrets.API_KEY }}") + response=$(curl -w "%{http_code}" -v GET https://puris-backend-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ secrets.API_KEY }}") echo "Response: $response" - name: Stock View Test id: stock_view_test run: | # Perform API Test 3 and capture the response - response=$(curl -X GET https://puris-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ secrets.API_KEY }}") + response=$(curl -X GET https://puris-backend-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ secrets.API_KEY }}") echo "Response: $response" - name: Generating report skeletons From c5dc4d23e40971a44d290041891181851f9c365e Mon Sep 17 00:00:00 2001 From: --show-origin Date: Fri, 23 Feb 2024 02:53:33 -0800 Subject: [PATCH 3/3] ci(oswasp): replaced secret by environemnt --- .github/workflows/owasp-dast.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/owasp-dast.yaml b/.github/workflows/owasp-dast.yaml index 75ff7296..44921105 100644 --- a/.github/workflows/owasp-dast.yaml +++ b/.github/workflows/owasp-dast.yaml @@ -39,14 +39,14 @@ jobs: id: mad_test run: | # Perform API Test 1 and capture the response - response=$(curl -w "%{http_code}" -v GET https://puris-backend-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ secrets.API_KEY }}") + response=$(curl -w "%{http_code}" -v GET https://puris-backend-customer.int.demo.catena-x.net/catena/materials --header "X-Api-Key: ${{ API_KEY }}") echo "Response: $response" - name: Stock View Test id: stock_view_test run: | # Perform API Test 3 and capture the response - response=$(curl -X GET https://puris-backend-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ secrets.API_KEY }}") + response=$(curl -X GET https://puris-backend-customer.int.demo.catena-x.net/catena/stockView/product-stocks --header "X-Api-Key: ${{ API_KEY }}") echo "Response: $response" - name: Generating report skeletons