-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathgithub-ephemeral-app-blocking-mode.yaml
More file actions
192 lines (166 loc) · 6.26 KB
/
github-ephemeral-app-blocking-mode.yaml
File metadata and controls
192 lines (166 loc) · 6.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# Ephemeral App in blocking mode
name: CI
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
# Step 1
- name: Checkout code
uses: actions/checkout@v4
# Step 2: Set up Docker
- name: Set up Docker
uses: docker/setup-buildx-action@v2
# Step 3: Create a custom Docker network
- name: Create custom Docker network
run: docker network create custom-network
# Step 4: Build and run the Docker app container
- name: Build and run app container
run: |
# Build the Docker image
docker build -t test-app .
# Run the Docker container with a custom hostname
docker run --name test-app \
--hostname custom-web-app \
--network custom-network \
-p 8080:8080 \
-d test-app
# Step 5: Get container IP
- name: Get container IP address
run: |
CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' test-app)
echo "Container IP is $CONTAINER_IP"
# Add the custom hostname to the /etc/hosts file
echo "$CONTAINER_IP ${{ vars.TARGET_HOSTNAME }} ${{ vars.TARGET_HOSTNAME }}." | sudo tee -a /etc/hosts
cat /etc/hosts # confirm host is on /etc/hosts
# Step 6: Wait for the app to start
- name: Wait for app to start
run: |
# Wait until the container is ready
for i in {1..10}; do
if curl -s ${{ vars.TARGET_URL }} > /dev/null; then
echo "App is up!";
break;
fi
echo "Waiting for the app to be ready...";
sleep 2;
done
# Step 7: Test application with curl
- name: Test application with curl
run: |
# Make a request to the web app using the custom hostname
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" ${{ vars.TARGET_URL }})
if [ "$RESPONSE" -ne 200 ]; then
echo "App test failed with HTTP status $RESPONSE";
exit 1;
fi
curl -s -i ${{ vars.TARGET_URL }}
echo "App test passed with HTTP status $RESPONSE";
# Setp 8: Start scanning agent
- name: Start Scanning Agent
run: |
# Using docker agent
docker run -d --name probely-agent \
--cap-add NET_ADMIN \
--network custom-network \
-e FARCASTER_AGENT_TOKEN=${{ secrets.AGENT_TOKEN }} \
--device /dev/net/tun probely/farcaster-onprem-agent:v2
# Using userspace agent
# chmod +x scanning-agent/farcasterd-linux-amd64-0.4.3
# ./scanning-agent/farcasterd-linux-amd64-0.4.3 --token ${{ secrets.AGENT_TOKEN }} &
# Step 9: Wait for agent to stat
- name: Wait for agent to stat
run: |
# Wait until the probely-agent is ready
for i in {1..10}; do
echo "-----------------------------------"
AGENT_RUNNING=$(docker logs probely-agent | grep 'Running...' | wc -l)
if [ $AGENT_RUNNING == "1" ]; then
echo "Agent is running!";
echo "------------------------"
docker logs probely-agent
echo "------------------------"
sleep 10
break;
fi
sleep 2;
done
# Step 10: Install Probely CLI
- name: Install Probely CLI
run: |
# Install Probely CLI
pip install probely
# Test probely GET TARGETS
probely targets get --api-key ${{ secrets.PROBELY_API_KEY }}
# Step 11: Start Scan
- name: Start Scan
run: |
for i in {1..20}; do
echo "-----------------------------------"
SCAN_ID=$(probely targets start-scan ${{ vars.TARGET_ID }} -o IDS_ONLY --api-key ${{ secrets.PROBELY_API_KEY }})
echo ${SCAN_ID}
if [ -f ${SCAN_ID} ]; then
echo "Scan didn't start... Retry start-scan"
else
echo "Scan started with SCAN ID: ${SCAN_ID}";
echo "SCAN_ID=${SCAN_ID}" >> $GITHUB_ENV
break;
fi
sleep 5
done
if [ -f $SCAN_ID ]; then
echo "No Scan ID, aborting..."
docker stop test-app
docker stop probely-agent
docker rm test-app
docker rm probely-agent
docker network rm custom-network
exit 1
fi
# Step 12: Wait for scan to end
- name: Wait for scan to end
run: |
# Wait until scan ends
while true; do
echo "-----------------------------------"
SCAN_OUTPUT=$(probely scans get ${SCAN_ID} --api-key ${{ secrets.PROBELY_API_KEY }} | tail -1)
echo ${SCAN_OUTPUT}
echo "-----------------------------------"
SCAN_STATUS=$(probely scans get ${SCAN_ID} --api-key ${{ secrets.PROBELY_API_KEY }} -o JSON | jq -r '.status')
if [ $SCAN_STATUS == "started" ] || [ $SCAN_STATUS == "queued" ]; then
echo "Scan is running or queued!";
else
echo "Scan is not running... finishing"
break;
fi
sleep 30;
done
# Step 13: check high vulnerabities
- name: Check for high vulnerabilities
run: |
HIGH_VULNS=$(probely scans get ${SCAN_ID} --api-key ${{ secrets.PROBELY_API_KEY }} -o JSON | jq -r '.highs')
echo "HIGH vulnerabilities: ${HIGH_VULNS}"
if [ $HIGH_VULNS -gt 0 ]; then
echo "Scan has High vulnerabilities... aborting"
docker stop test-app
docker stop probely-agent
docker rm test-app
docker rm probely-agent
docker network rm custom-network
exit 1
else
echo "Scan doesn't have high vulnerabilities"
fi
# Step 14: Clean up
- name: Clean up Docker resources
run: |
docker stop test-app
docker stop probely-agent
docker rm test-app
docker rm probely-agent
docker network rm custom-network