From d2887acf371508b7795ef2853490f66f71da6a87 Mon Sep 17 00:00:00 2001
From: Calin Lupas
Date: Mon, 21 Apr 2025 10:54:58 -0400
Subject: [PATCH 1/2] Add DAST ZAP full scan workflow configuration
---
 .../DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
diff --git a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
new file mode 100644
index 0000000..760b3bd
--- /dev/null
+++ b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
@@ -0,0 +1,51 @@
+# https://www.zaproxy.org/
+# https://www.zaproxy.org/docs/
+# https://github.com/zaproxy/
+# https://www.zaproxy.org/docs/automate/
+# https://github.com/zaproxy/action-full-scan
+
+name: DAST - Zed Attack Proxy (ZAP) Full Scan
+
+on:
+ push:
+ branches: [main]
+ schedule:
+ - cron: 0 1 * * 0
+
+env:
+ ZAP_TARGET: "http://127.0.0.1:8080/" # Change this to your target URL
+ buildAndStart: "true" # Change to "true" to build and start the application if not running
+ imageName: "webapp01"
+ tag: ${{ github.sha }}
+ HOST_PORT: "8080"
+ CONTAINER_PORT: "8000"
+
+jobs:
+ zap_scan:
+ name: ZAP Full Scan
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ issues: write # to create issues for alerts
+
+ steps:
+ - uses: actions/checkout@v4
+ # build and start your application here
+ # conditionally run the build step
+ # assuming the application is a Docker container
+ - name: Check if application is running, if not, build and start it
+ if: env.buildAndStart == 'true'
+ run: |
+ if ! curl -s --head --request GET ${{ env.ZAP_TARGET }} | grep "200 OK" > /dev/null; then
+ echo "Application is not running. Building and starting the application..."
+ docker build ./src/webapp01 --file ./src/webapp01/Dockerfile -t ${{ env.imageName }}:${{ env.tag }}
+ docker run -d --rm -p ${{ env.HOST_PORT }}:${{ env.CONTAINER_PORT }} ${{ env.imageName }}:${{ env.tag }}
+ else
+ echo "Application is already running."
+ fi
+ - name: Run ZAP Scan
+ uses: zaproxy/action-full-scan@v0.12.0
+ id: zap
+ with:
+ target: "${{ env.ZAP_TARGET }}"
From ea23dece65fa9f9c40323a66cda41ec68845e600 Mon Sep 17 00:00:00 2001
From: Calin Lupas
Date: Mon, 21 Apr 2025 11:09:18 -0400
Subject: [PATCH 2/2] Refactor permissions in DAST ZAP workflow to streamline configuration
---
 .../workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
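Review bot: The ZAP step can start before the freshly launched container is listening, because `docker run -d` returns as soon as the container is created and nothing in the "Check if application is running" step waits for `${{ env.ZAP_TARGET }}` to answer, so on a cold runner the scan hits a connection-refused target. The readiness test itself is fragile: `curl --head --request GET` mixes two options curl's documentation advises against combining, and `grep "200 OK"` misses any response that is not an HTTP/1.x 200 status line (a redirect, an HTTP/2 reply), so the sketch below keys on `curl -f`'s exit status and polls with a bounded loop; it also reads the target from the `$ZAP_TARGET` environment variable rather than splicing `${{ env.ZAP_TARGET }}` into the shell text, the safer pattern should that value ever come from a workflow input. Separately, `zaproxy/action-full-scan@v0.12.0` and `actions/checkout@v4` are mutable tags; pinning each to a commit SHA (e.g. `zaproxy/action-full-scan@<sha> # v0.12.0`) is the usual supply-chain hardening for a job that holds `issues: write`.

```yaml
        run: |
          if ! curl -sf -o /dev/null "$ZAP_TARGET"; then
            echo "Application is not running. Building and starting the application..."
            # … unchanged: docker build / docker run …
            # Wait for the app to answer before ZAP starts; fail the step if it never does.
            for _ in $(seq 1 30); do
              curl -sf -o /dev/null "$ZAP_TARGET" && exit 0
              sleep 2
            done
            echo "Application did not become ready on $ZAP_TARGET" >&2
            exit 1
          else
            echo "Application is already running."
          fi
```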
diff --git a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
index 760b3bd..521bdc8 100644
--- a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
+++ b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
@@ -20,15 +20,14 @@ env:
 HOST_PORT: "8080"
 CONTAINER_PORT: "8000"
 
+permissions:
+ contents: read
+
 jobs:
 zap_scan:
 name: ZAP Full Scan
 runs-on: ubuntu-latest
-
- permissions:
- contents: read
- issues: write # to create issues for alerts
-
+ 
 steps:
 - uses: actions/checkout@v4
 # build and start your application here
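Review bot: Dropping `issues: write` from the job without touching the ZAP step looks like it will break the run: `zaproxy/action-full-scan` files its findings as a GitHub issue by default (its `allow_issue_writing` input defaults to `true`, as far as I recall), and with a token that now carries only `contents: read` that API call should be rejected. Either keep the job-level `issues: write` that the first patch had, or tell the action not to file issues with `allow_issue_writing: false` under the step's `with:` and rely on the uploaded report artifact instead; the "Run ZAP Scan" step itself lies outside this hunk. The line that replaces the blank between `runs-on` and `steps` also appears to carry trailing whitespace (it shows as an added line for no other visible reason), which yamllint's `trailing-spaces` rule will flag.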