ZAP Scan CD updation (AOT-Technologies#1777)

auslin-aot · Nov 24, 2023 · 71c7a84 · 71c7a84
1 parent 7beda8e
commit 71c7a84
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/.github/workflows/forms-flow-bpm-cd.yml b/.github/workflows/forms-flow-bpm-cd.yml
@@ -74,7 +74,6 @@ jobs:
           key: ${{ runner.os }}-buildx-${{ matrix.name }}-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-${{ matrix.name }}
-
       - name: Build and push Docker image - amd64
         if: ${{ github.ref != 'refs/heads/master' }}
         uses: docker/build-push-action@v4
@@ -133,4 +132,21 @@ jobs:
       - name: Deploy to eks
         run: |
           kubectl -n app2 patch deployment forms-flow-bpm -p '{"spec":{"template":{"spec":{"containers":[{"name":"forms-flow-bpm","image":"docker.io/formsflow/forms-flow-bpm:${{ env.VERSION }}"}]}}}}'
-          kubectl -n app2 rollout restart deployment forms-flow-bpm
+          kubectl -n app2 rollout restart deployment forms-flow-bpm
+
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the webapplication
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          ref: master
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          target: 'https://bpm2.aot-technologies.com/camunda'
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
diff --git a/.github/workflows/forms-flow-web-cd.yml b/.github/workflows/forms-flow-web-cd.yml
@@ -55,4 +55,21 @@ jobs:
         env:
           BUCKET: ${{ secrets.BUCKET}}
           VERSION: ${{ env.VERSION }}
-        working-directory: ./forms-flow-web/scripts
+        working-directory: ./forms-flow-web/scripts
+
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the webapplication
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          ref: master
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          target: 'https://forms-flow-web-app2.aot-technologies.com/form'
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
@@ -0,0 +1,19 @@
+10109	IGNORE	(Modern Web Application)
+10035	IGNORE	(Strict-Transport-Security Header Not Set)
+10098	IGNORE	(Cross-Domain Misconfiguration)
+10017	IGNORE	(Cross-Domain JavaScript Source File Inclusion)
+10096	IGNORE	(Timestamp Disclosure - Unix)
+10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+10038	IGNORE	(Content Security Policy (CSP) Header Not Set)
+10099	IGNORE	(Source Code Disclosure - Java)
+10027	IGNORE	(Information Disclosure - Suspicious Comments)
+10094	IGNORE	(Base64 Disclosure)
+10063	IGNORE	(Feature Policy Header Not Set)
+10049	IGNORE	(Storable but Non-Cacheable Content)
+10049	IGNORE	(Non-Storable Content)
+10110	IGNORE	(Dangerous JS Functions)
+90004	IGNORE	(Insufficient Site Isolation Against Spectre Vulnerability)
+90005	IGNORE	(Sec-Fetch-Dest Header is Missing)
+90005	IGNORE	(Sec-Fetch-Mode Header is Missing)
+90005	IGNORE	(Sec-Fetch-Site Header is Missing)
+90005	IGNORE	(Sec-Fetch-User Header is Missing)