zap-scan #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: zap-scan | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '0 0 1,15 * *' | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| zap_scan: | |
| runs-on: ubuntu-latest | |
| name: Scan the web application | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v2 | |
| with: | |
| ref: develop | |
| - name: ZAP Scan | |
| id: zap_scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| target: ${{ secrets.WEB_TARGET_URL }} | |
| rules_file_name: '.zap/rules.tsv' | |
| cmd_options: '-a -r report_html.html' | |
| - name: Upload ZAP Report to S3 | |
| if: always() | |
| run: | | |
| if [ -f report_html.html ]; then | |
| aws s3 cp report_html.html s3://${{ secrets.ZAP_REPORT_BUCKET }}/zap-reports/zap-report-$(TZ='Asia/Kolkata' date +%Y-%m-%d_%H-%M-%S).html | |
| else | |
| echo "ZAP report not found!" >&2 | |
| exit 1 | |
| fi | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ secrets.REGION }} | |
| - name: Check ZAP Scan Result | |
| id: check_zap_result | |
| run: | | |
| if grep -q "High" report_html.html || grep -q "Medium" report_html.html; then | |
| echo "failures=1" >> $GITHUB_ENV | |
| else | |
| echo "failures=0" >> $GITHUB_ENV | |
| fi | |
| - name: Create Jira Issue | |
| id: create_ticket | |
| if: env.failures == '1' | |
| run: | | |
| current_time=$(TZ='Asia/Kolkata' date +"%m/%d/%Y-%I:%M %p") | |
| response=$(curl -X POST -u ${{ secrets.JIRA_USERNAME }}:${{ secrets.JIRA_API_TOKEN }} \ | |
| -H "Content-Type: application/json" \ | |
| --data '{ | |
| "fields": { | |
| "project": { | |
| "key": "'${{ secrets.JIRA_PROJECT_KEY }}'" | |
| }, | |
| "summary": "ZAP Scan detected issues in '${{ github.repository }}' at '"${current_time}"'", | |
| "description": "ZAP Scan found issues in the scan. Please review the attached report.", | |
| "issuetype": { | |
| "name": "Task" | |
| } | |
| } | |
| }' ${{ secrets.JIRA_BASE_URL }}/rest/api/2/issue/) | |
| issue_id=$(echo $response | jq -r '.id') | |
| if [[ "$issue_id" != "null" ]]; then | |
| curl -X POST -u ${{ secrets.JIRA_USERNAME }}:${{ secrets.JIRA_API_TOKEN }} \ | |
| -H "X-Atlassian-Token: no-check" \ | |
| -H "Content-Type: multipart/form-data" \ | |
| -F "file=@report_html.html" \ | |
| ${{ secrets.JIRA_BASE_URL }}/rest/api/2/issue/$issue_id/attachments | |
| echo "issue_id=$issue_id" >> $GITHUB_ENV | |
| echo "A new Jira ticket has been created with ID: $issue_id" | |
| else | |
| echo "Failed to create Jira issue" | |
| exit 1 | |
| fi | |
| - name: Notify team about new Jira ticket | |
| if: env.failures == '1' | |
| uses: SimonScholz/[email protected] | |
| with: | |
| webhookUrl: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }} | |
| title: "New Jira ticket created" | |
| subtitle: "ZAP Scan detected issues" | |
| createDefaultSection: true | |
| collapsibleDefaultSection: true | |
| uncollapsibleWidgetsCount: 4 | |
| additionalSections: '[{ | |
| "header": "Repository", | |
| "widgets": [{ | |
| "decoratedText": { | |
| "text": "Repository: ${{ github.repository }}" | |
| } | |
| }, { | |
| "decoratedText": { | |
| "text": "Branch: ${{ github.ref }}" | |
| } | |
| }] | |
| }]' | |
| env: | |
| GOOGLE_CHAT_WEBHOOK_URL: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }} | |
| notify_team: | |
| runs-on: ubuntu-latest | |
| name: Notify relevant team about scan failure | |
| needs: zap_scan | |
| if: failure() | |
| steps: | |
| - name: Send Google Chat Notification | |
| uses: SimonScholz/[email protected] | |
| with: | |
| webhookUrl: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }} | |
| title: "ZAP Scan Failure" | |
| subtitle: "The ZAP scan failed in ${{ github.repository }}" | |
| createDefaultSection: true | |
| collapsibleDefaultSection: true | |
| uncollapsibleWidgetsCount: 4 | |
| additionalSections: '[{ | |
| "header": "Details", | |
| "widgets": [{ | |
| "decoratedText": { | |
| "text": "Branch: ${{ github.ref }}" | |
| } | |
| }, { | |
| "decoratedText": { | |
| "text": "Commit: ${{ github.sha }}" | |
| } | |
| }] | |
| }]' | |
| env: | |
| GOOGLE_CHAT_WEBHOOK_URL: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }} |