From 6d03ce5f2db73e43343637b3af7e2ab3d5a1ed79 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani
Date: Tue, 7 Feb 2023 01:48:25 +0000
Subject: [PATCH] test(ui): add owasp zap scanner in ci/cd
Signed-off-by: Ramkumar Chinchani
---
 .github/workflows/web-scan.yml | 48 ++++++++++++++++++++++++++++++++++
 .zap/rules.tlv | 1 +
 2 files changed, 49 insertions(+)
 create mode 100644 .github/workflows/web-scan.yml
 create mode 100644 .zap/rules.tlv
diff --git a/.github/workflows/web-scan.yml b/.github/workflows/web-scan.yml
new file mode 100644
index 00000000..54da7c50
--- /dev/null
+++ b/.github/workflows/web-scan.yml
@@ -0,0 +1,48 @@
+name: 'Security web scan for zot'
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+ release:
+ types:
+ - published
+
+permissions:
+ contents: read
+ issues: write
+
+jobs:
+ zap_scan:
+ runs-on: ubuntu-latest
+ name: Scan the webapplication
+ strategy:
+ matrix:
+ flavor: [zot-minimal-linux-amd64, zot-linux-amd64]
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ ref: main
+ - name: Setup
+ run: |
+ # upload images, zot can serve OCI image layouts directly like so
+ mkdir /tmp/zot
+ skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
+ # start zot
+ docker pull ghcr.io/project-zot/zot-minimal-linux-amd64:latest
+ docker run -d --name zot -v /tmp/zot:/var/lib/registry -p 8000:5000 ghcr.io/project-zot/${{ matrix.flavor }}:latest
+ # wait until service is up
+ while true; do x=0; curl -f http://$REGISTRY_HOST/v2/ || x=1; if [ $x -eq 0 ]; then break; fi; sleep 1; done
+ env:
+ REGISTRY_HOST: localhost:8000
+ - name: ZAP Scan
+ uses: zaproxy/action-baseline@v0.7.0
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ docker_name: 'owasp/zap2docker-stable'
+ target: 'http://localhost:8000'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a'
diff --git a/.zap/rules.tlv b/.zap/rules.tlv
new file mode 100644
index 00000000..1a51ea30
--- /dev/null
+++ b/.zap/rules.tlv
@@ -0,0 +1 @@
+10049 IGNORE (Storable and Cacheable Content)
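Review bot: The ZAP Scan step sets `rules_file_name: '.zap/rules.tsv'`, but the file this commit creates is `.zap/rules.tlv` (second hunk), so the `10049 IGNORE` rule will presumably never be loaded and the baseline scan runs on ZAP's defaults; either rename the file to `.zap/rules.tsv` or change the `rules_file_name` value to match. The readiness loop in the Setup step has no upper bound, so if zot fails to start the job hangs until the runner timeout instead of failing; a bounded form such as `for i in $(seq 1 60); do curl -sf "http://$REGISTRY_HOST/v2/" && break; sleep 1; done` followed by a final `curl -sf "http://$REGISTRY_HOST/v2/"` fails fast and makes the cause visible in the log. The Checkout step pins `ref: main`, so on a `pull_request` run the rules file is taken from main rather than from the PR, which means a PR cannot change or test the scan rules; dropping `ref` (the default checks out the PR merge ref) is the usual form. Both third-party actions (`actions/checkout@v2`, `zaproxy/action-baseline@v0.7.0`) are referenced by mutable tags; pinning each to a full commit SHA with the tag in a trailing comment keeps the scanner toolchain reproducible and protects the workflow from a retagged upstream.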