0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2024-12-16 21:56:37 -05:00
zot/.github/workflows/web-scan.yaml
Ramkumar Chinchani a31842bd7e
chore: fix dependabot alerts (#2684)
* chore: fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci: fix clustering test by creating separate local dirs

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci: free up disk space in cluster tests

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci: revert to stacker v1.0.0-rc16

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

* ci: fix revert to stacker v1.0.0-rc16

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Co-authored-by: Andrei Aaron <aaaron@luxoft.com>
2024-10-01 11:11:27 +03:00

67 lines
1.9 KiB
YAML

name: 'Security web scan for zot'
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- published
permissions:
contents: read
jobs:
zap_scan:
runs-on: ubuntu-latest
name: Scan ZOT using ZAP
strategy:
matrix:
flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
steps:
- name: Install go
uses: actions/setup-go@v5
with:
cache: false
go-version: 1.22.x
- name: Checkout
uses: actions/checkout@v4
- name: Build zot
run: |
echo "Building $FLAVOR"
cd $GITHUB_WORKSPACE
if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
make binary-minimal
else
make binary
fi
ls -l bin/
env:
FLAVOR: ${{ matrix.flavor }}
- name: Bringup zot server
run: |
# upload images, zot can serve OCI image layouts directly like so
mkdir /tmp/zot
skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
# start zot
if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
./bin/${{ matrix.flavor }} serve examples/config-conformance.json &
else
./bin/${{ matrix.flavor }} serve examples/config-ui.json &
fi
# wait until service is up
while true; do x=0; curl -f http://localhost:8080/v2/ || x=1; if [ $x -eq 0 ]; then break; fi; sleep 1; done
env:
FLAVOR: ${{ matrix.flavor }}
- name: ZAP Scan Rest API
uses: zaproxy/action-baseline@v0.13.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'http://localhost:8080/v2/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a -j'
allow_issue_writing: false
fail_action: true