
feat: PoC - Pentest Pipeline with OWASP ZAP #18

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# GitHub recommends pinning actions to a commit SHA.
# To get a newer version, you will need to update the SHA.
# You can also reference a tag or branch, but the action may change without warning.
name: "Security C4PO Pentest Pipeline PoC"

on:
  push:  # the trigger key did not survive extraction; push is assumed here
    branches: [ "main" ]
  # schedule:
  #   # Runs every Sunday at 00:00.
  #   - cron: '0 0 * * 0'

env:
  ANGULAR_PATH: security-c4po-angular
  API_PATH: security-c4po-api
  REPORTING_PATH: security-c4po-reporting
  CFG_PATH: security-c4po-cfg

jobs:
  zap_baseline_scan:  # job id not shown on the page; taken from the artifact name
    name: "ZAP Baseline Job"
    runs-on: ubuntu-latest
    steps:
      - name: "ZAP Baseline Scan"
        # Focuses on identifying common and high-impact vulnerabilities.
        # Designed to catch low-hanging fruit & well-known security issues (XSS, SQL injection, ...)
        # Action name restored from the step inputs; the pinned version was lost in extraction.
        uses: zaproxy/action-baseline@<VERSION>
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: ''
          target: ''  # left empty in this PoC; the scan needs a reachable URL here
          rules_file_name: '.zap/rules.tsv'
          artifact_name: zap_baseline_scan
          cmd_options: '-a'  # also run the alpha passive-scan rules

  zap_api_scan:  # job id not shown on the page; taken from the artifact name
    name: "ZAP API Job"
    runs-on: ubuntu-latest
    steps:
      - name: "ZAP API Scan"
        # Focuses on scanning RESTful APIs.
        # Optional: the format of the definition, openapi, soap, or graphql. (Default is openapi)
        # Looks for a wide range of vulnerabilities (SQL injection, authentication issues, insecure direct object references, ...)
        # Action name restored from the step inputs; the pinned version was lost in extraction.
        uses: zaproxy/action-api-scan@<VERSION>
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: ''
          format: openapi
          target: ''  # left empty in this PoC; the scan needs a reachable API definition here
          rules_file_name: '.zap/rules.tsv'
          artifact_name: zap_api_scan
          cmd_options: '-a'  # also run the alpha passive-scan rules

  # zap_full_scan:
  #   name: "ZAP Full Scan"
  #   runs-on: ubuntu-latest
  #   steps:
  #     - name: "ZAP Full Scan"
  #       # Focuses on a comprehensive and thorough security assessment of the web application.
  #       # Scan includes passive & active scanning, spidering and more in-depth checks for vulnerabilities.
  #       # Action name restored from the step inputs; the pinned version was lost in extraction.
  #       uses: zaproxy/action-full-scan@<VERSION>
  #       with:
  #         token: ${{ secrets.GITHUB_TOKEN }}
  #         docker_name: ''
  #         target: ''
  #         rules_file_name: '.zap/rules.tsv'
  #         artifact_name: zap_full_scan
  #         cmd_options: '-a'
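Both jobs point `rules_file_name` at `.zap/rules.tsv`, which is the only place the pipeline decides which ZAP findings are ignored, reported, or allowed to fail the run. The script below is an added example, not code from the security-c4po repository or from the ZAP project. It parses the tab-separated rules format that ZAP's packaged baseline and API scans read (`<plugin id><TAB><IGNORE|WARN|FAIL><TAB><name>`, with `#` comment lines), rejects malformed lines instead of silently falling back to the default, and classifies a set of alert plugin ids the way the scan scripts do. The sample rules file and the alert ids are constructed for illustration.

```python
"""Parse a ZAP rules.tsv and show how fired alerts would gate the pipeline.

Added example; not code from the security-c4po repository or the ZAP project.
The rules file and alert ids used here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

ACTIONS = ("IGNORE", "WARN", "FAIL")

# Constructed sample of a .zap/rules.tsv. Plugin ids follow ZAP's numeric
# convention; the third column is free text that the scan scripts ignore.
SAMPLE_RULES_TSV = (
    "# plugin id\taction\tname\n"
    "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n"
    "10038\tWARN\t(Content Security Policy (CSP) Header Not Set)\n"
    "40012\tFAIL\t(Cross Site Scripting (Reflected))\n"
)


@dataclass(frozen=True)
class Rule:
    plugin_id: str
    action: str
    name: str


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse rules.tsv strictly: a typo like 'FAL' raises instead of silently
    leaving the rule at the default action."""
    rules: Dict[str, Rule] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        parts = raw.split("\t")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected <id><TAB><action>[<TAB><name>]")
        plugin_id, action = parts[0].strip(), parts[1].strip().upper()
        name = parts[2].strip() if len(parts) > 2 else ""
        if not plugin_id.isdigit():
            raise ValueError(f"line {lineno}: plugin id must be numeric, got {plugin_id!r}")
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: action must be one of {ACTIONS}, got {action!r}")
        if plugin_id in rules:
            raise ValueError(f"line {lineno}: duplicate rule for plugin id {plugin_id}")
        rules[plugin_id] = Rule(plugin_id, action, name)
    return rules


def classify(rules: Dict[str, Rule], alert_ids: Iterable[str],
             default_action: str = "WARN") -> Dict[str, List[str]]:
    """Bucket fired alert ids by action. Plugin ids not listed in the rules
    file get default_action, which is WARN in ZAP's packaged scans: a finding
    never fails the run unless the rules file explicitly says FAIL."""
    buckets: Dict[str, List[str]] = {action: [] for action in ACTIONS}
    for alert_id in alert_ids:
        action = rules[alert_id].action if alert_id in rules else default_action
        buckets[action].append(alert_id)
    return buckets


def exit_code(buckets: Dict[str, List[str]]) -> int:
    """Mirror the packaged scans' exit status: 1 if any FAIL fired,
    2 if only WARNs fired, 0 otherwise."""
    if buckets["FAIL"]:
        return 1
    if buckets["WARN"]:
        return 2
    return 0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES_TSV)
    # Constructed alert ids: the three listed rules plus one (90022) not in the file.
    buckets = classify(rules, ["10021", "10038", "40012", "90022"])
    for action in ACTIONS:
        print(f"{action}: {buckets[action]}")
    print("exit code:", exit_code(buckets))
```

With the sample file, the unlisted alert `90022` lands in WARN and the reflected-XSS rule drives exit code 1. In the ZAP GitHub actions a FAIL result only breaks the workflow when the action's `fail_action` input is enabled, so the rules file and that input have to be reviewed together when turning this PoC into a gate.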