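---
# Scheduled OWASP ZAP baseline scans against a fixed list of public endpoints.
# Each domain is scanned in its own matrix job; the alerts from the ZAP JSON
# report are flattened, de-duplicated and forwarded to Sentinel.
name: Runs OWASP ZAP baseline scans

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  schedule:
    - cron: "23 16 * * 0"  # weekly, Sunday 16:23 UTC

# NOTE(review): no `permissions:` block is declared, so each job runs with the
# repository's default GITHUB_TOKEN permissions. Nothing below writes to the
# repo (`allow_issue_writing` is false), so `permissions: { contents: read }`
# would likely be sufficient — confirm against the Sentinel action before adding.

jobs:
  # https://github.com/marketplace/actions/zap-baseline-scan
  owasp-zap:
    runs-on: ubuntu-latest
    strategy:
      # A scan that fails or reports findings for one domain must not cancel
      # the scans still running for the other domains.
      fail-fast: false
      matrix:
        domain:
          - https://encrypted-message.cdssandbox.xyz
          - http://encrypted-message.cdssandbox.xyz
          - https://staging.notification.cdssandbox.xyz
          - http://staging.notification.cdssandbox.xyz
          - https://superset.cdssandbox.xyz/
          - https://login.alpha.canada.ca/
          - http://connexion.alpha.canada.ca/
          - https://app.login-connexion.alpha.canada.ca/
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

      # Strip the scheme and any path from the matrix URL so the bare host can
      # be used in the artifact name (e.g. "https://a.example/x" -> "a.example").
      - name: Extract domain name
        id: extract_domain
        env:
          # Passed through the environment rather than interpolated into the
          # script body, so the value is never re-parsed as shell syntax.
          DOMAIN: ${{ matrix.domain }}
        run: |
          STRIPPED_DOMAIN=$(echo "$DOMAIN" | sed -E 's|^https?://||; s|/.*||')
          echo "domain_name=$STRIPPED_DOMAIN" >> "$GITHUB_OUTPUT"

      - name: OWASP ZAP - Baseline Vulnerability Scan
        uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25 # v0.15.0
        with:
          # Findings are forwarded to Sentinel below; do not open GitHub issues.
          allow_issue_writing: false
          # -s short output format - dont show PASSes or example URLs
          # -j use the Ajax spider in addition to the traditional one
          cmd_options: "-s -j"
          target: "${{ matrix.domain }}"
          rules_file_name: "owasp_zap_rules.tsv"
          # Host + run id keeps artifact names unique across the matrix.
          artifact_name: "zap_scan_${{ steps.extract_domain.outputs.domain_name }}_${{ github.run_id }}"

      # Flatten the ZAP report (assumed to be written as report_json.json by the
      # step above — confirm against the action's report defaults) into one
      # alert per line, each tagged with the host it was found on.
      # For each site, bind its "@host" and emit that site's own alerts; the
      # previous `.site[] as $site | .site[]` form iterated every site for every
      # site, duplicating alerts and tagging them with the wrong host.
      - name: Extract alerts
        run: |
          jq -c '.site[] | ."@host" as $host | .alerts[] | .host = $host' report_json.json > output.jsonl
          sort -u output.jsonl > unique_output.jsonl

      # NOTE(review): unlike the steps above, this action is referenced by the
      # mutable `main` branch rather than a commit SHA, so its contents can
      # change between runs without a change to this file. Pin it to a reviewed
      # commit (`@<commit-sha>  # <version>`) to match the other steps.
      - name: Forward results to Sentinel
        uses: cds-snc/sentinel-forward-data-action@main
        with:
          file_name: unique_output.jsonl
          log_type: CDS_OWASPZap_Results
          log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}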