.github/workflows/zap-scan.yml

name: zap-scan

on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 1,15 * *'

defaults:
  run:
    shell: bash

jobs:

  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: develop

      - name: ZAP Scan
        id: zap_scan
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          target: ${{ secrets.WEB_TARGET_URL }}
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a -r report_html.html'

      - name: Upload ZAP Report to S3
        if: always()
        run: |
          if [ -f report_html.html ]; then
            aws s3 cp report_html.html s3://${{ secrets.ZAP_REPORT_BUCKET }}/zap-reports/zap-report-$(TZ='Asia/Kolkata' date +%Y-%m-%d_%H-%M-%S).html
          else
            echo "ZAP report not found!" >&2
            exit 1
          fi
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.REGION }}

      - name: Check ZAP Scan Result
        id: check_zap_result
        run: |
          if grep -q "High" report_html.html || grep -q "Medium" report_html.html; then
            echo "failures=1" >> $GITHUB_ENV
          else
            echo "failures=0" >> $GITHUB_ENV
          fi
      - name: Create Jira Issue
        id: create_ticket
        if: env.failures == '1'
        run: |
          current_time=$(TZ='Asia/Kolkata' date +"%m/%d/%Y-%I:%M %p")

          response=$(curl -X POST -u ${{ secrets.JIRA_USERNAME }}:${{ secrets.JIRA_API_TOKEN }} \
          -H "Content-Type: application/json" \
          --data '{
            "fields": {
              "project": {
                "key": "'${{ secrets.JIRA_PROJECT_KEY }}'"
              },
              "summary": "ZAP Scan detected issues in '${{ github.repository }}' at '"${current_time}"'",
              "description": "ZAP Scan found issues in the scan. Please review the attached report.",
              "issuetype": {
                "name": "Task"
              }
            }
          }' ${{ secrets.JIRA_BASE_URL }}/rest/api/2/issue/)
          issue_id=$(echo $response | jq -r '.id')
          if [[ "$issue_id" != "null" ]]; then
            curl -X POST -u ${{ secrets.JIRA_USERNAME }}:${{ secrets.JIRA_API_TOKEN }} \
            -H "X-Atlassian-Token: no-check" \
            -H "Content-Type: multipart/form-data" \
            -F "file=@report_html.html" \
            ${{ secrets.JIRA_BASE_URL }}/rest/api/2/issue/$issue_id/attachments
            
            echo "issue_id=$issue_id" >> $GITHUB_ENV
            echo "A new Jira ticket has been created with ID: $issue_id"
          else
            echo "Failed to create Jira issue"
            exit 1
          fi
      - name: Notify team about new Jira ticket
        if: env.failures == '1'
        uses: SimonScholz/google-chat-action@v1.1.0
        with:
          webhookUrl: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}
          
          title: "New Jira ticket created"
          subtitle: "ZAP Scan detected issues"
          createDefaultSection: true
          collapsibleDefaultSection: true
          uncollapsibleWidgetsCount: 4
          additionalSections: '[{
            "header": "Repository",
            "widgets": [{
              "decoratedText": {
                "text": "Repository: ${{ github.repository }}"
              }
            }, {
              "decoratedText": {
                "text": "Branch: ${{ github.ref }}"
              }
            }]
          }]'
        env:
          GOOGLE_CHAT_WEBHOOK_URL: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}

  notify_team:
    runs-on: ubuntu-latest
    name: Notify relevant team about scan failure
    needs: zap_scan
    if: failure()
    steps:
      - name: Send Google Chat Notification
        uses: SimonScholz/google-chat-action@v1.1.0
        with:
          webhookUrl: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}
          title: "ZAP Scan Failure"
          subtitle: "The ZAP scan failed in ${{ github.repository }}"
          createDefaultSection: true
          collapsibleDefaultSection: true
          uncollapsibleWidgetsCount: 4
          additionalSections: '[{
            "header": "Details",
            "widgets": [{
              "decoratedText": {
                "text": "Branch: ${{ github.ref }}"
              }
            }, {
              "decoratedText": {
                "text": "Commit: ${{ github.sha }}"
              }
            }]
          }]'
        env:
          GOOGLE_CHAT_WEBHOOK_URL: ${{ secrets.GOOGLE_CHAT_WEBHOOK_URL }}