Skip to content

feat: PoC - Pentest Pipeline with OWASP ZAP #15

feat: PoC - Pentest Pipeline with OWASP ZAP

feat: PoC - Pentest Pipeline with OWASP ZAP #15

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.
name: "Security C4PO Pentest Pipeline PoC"
on:
pull_request:
branches: [ "main" ]
#on:
# schedule:
# Runs every sunday at 00:00.
#- cron: '0 0 * * 0'
env:
ANGULAR_PATH: security-c4po-angular
API_PATH: security-c4po-api
REPORTING_PATH: security-c4po-reporting
CFG_PATH: security-c4po-cfg
ANGULAR_CLI_VERSION: 13
jobs:
zap_baseline_scan:
name: "ZAP Baseline Job"
runs-on: ubuntu-latest
steps:
- name: "ZAP Baseline Scan"
# Focuses on identifying common and high impact vulnerabilites.
# Designed to catch low hanging fruit & well-known security issues (XXS, SQL-Injection, ...)
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'https://security.c4po.dev'
rules_file_name: '.zap/rules.tsv'
artifact_name: zap_baseline_scan
cmd_options: '-a'
- name: "Upload baseline report"
uses: actions/upload-artifact@v3
with:
name: zap_baseline_scan.zip
path: zap_scan.zip
zap_api_scan:
name: "ZAP API Job"
runs-on: ubuntu-latest
steps:
- name: "ZAP API Scan"
# Focuses on scanning RESTful APIs
# Optional: The format of the defintion, openapi, soap, or graphql. (Default is openapi)
# Looks for a wide range of vulnerabilities (SQL-Injections, authentication issues, insecure direct object references, ...)
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
format: openapi
target: 'https://security.c4po.dev'
rules_file_name: '.zap/rules.tsv'
artifact_name: zap_api_scan
cmd_options: '-a'
- name: "Upload api report"
uses: actions/upload-artifact@v3
with:
name: zap_api_scan.zip
path: zap_scan.zip
# - name: "ZAP Full Scan"
# Focuses on comprehensive and thorough security assessment of web-application.
# Scan includes passive & active scanning, spidering and more in-depth checks for vulnerabilities.
# uses: zaproxy/[email protected]
# with:
# token: ${{ secrets.GITHUB_TOKEN }}
# docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
# target: 'https://security.c4po.dev'
# rules_file_name: '.zap/rules.tsv'
# cmd_options: '-a'