angular-xss/.github/workflows/devsecops-pipeline.yml at main · Taofeeqib/angular-xss · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
name: DevSecOps Pipeline

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Required permissions for code scanning API and committing reports
permissions:
  security-events: write
  actions: read
  contents: write  # Upgraded from 'read' to 'write' to allow committing files

jobs:
  secrets-scanning:
    name: Secrets Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Create docs/reports directory if it doesn't exist
      - name: Ensure docs/reports directory exists
        run: mkdir -p ./docs/reports

      - name: TruffleHog OSS
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --debug --json

      # Generate TruffleHog report in docs/reports
      - name: Generate TruffleHog report
        run: |
          chmod +x ./.github/workflows/scripts/generate-trufflehog-report.sh
          ./.github/workflows/scripts/generate-trufflehog-report.sh

      # Upload TruffleHog results as artifact
      - name: Upload TruffleHog results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trufflehog-results
          path: ./docs/reports/trufflehog-results.json

  sast-scanning:
    name: Static Application Security Testing (CodeQL)
    runs-on: ubuntu-latest
    needs: secrets-scanning
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ github.token }}

      # Create docs/reports directory
      - name: Ensure docs/reports directory exists
        run: mkdir -p ./docs/reports

      # Initialize CodeQL
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
          queries: security-and-quality

      # Autobuild (attempts to automatically build any compiled languages)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # Run CodeQL Analysis - analyzes and produces SARIF file(s)
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "javascript-analysis"
          output: ./docs/reports

      # Copy and consolidate results to docs/reports directory
      - name: Process CodeQL SARIF results
        run: |
          chmod +x ./.github/workflows/scripts/process-codeql-results.sh
          ./.github/workflows/scripts/process-codeql-results.sh

      # Save SARIF as artifact
      - name: Upload SARIF as artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: codeql-results
          path: ./docs/reports/codeql-results.sarif

  sca-scanning:
    name: Software Composition Analysis
    runs-on: ubuntu-latest
    needs: sast-scanning
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ github.token }}

      - name: Create reports directory
        run: mkdir -p ./docs/reports

      - name: OWASP Dependency-Check Scan - Backend
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'Angular-XSS-Backend'
          path: './xss/api'
          format: 'SARIF'
          out: './docs/reports'
          args: >-
            --suppression ./dependency-check-suppressions.xml
            --failOnCVSS 11

      - name: OWASP Dependency-Check Scan - Frontend
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'Angular-XSS-Frontend'
          path: './xss/frontend'
          format: 'SARIF'
          out: './docs/reports'
          args: >-
            --suppression ./dependency-check-suppressions.xml
            --failOnCVSS 11

      - name: Check SARIF files
        run: |
          chmod +x ./.github/workflows/scripts/check-sca-results.sh
          ./.github/workflows/scripts/check-sca-results.sh

      - name: Find SARIF files
        id: find-sarif
        run: |
          chmod +x ./.github/workflows/scripts/find-sca-sarif.sh
          ./.github/workflows/scripts/find-sca-sarif.sh

      # Upload primary SARIF file
      - name: Upload primary SARIF file
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: ${{ steps.find-sarif.outputs.primary_sarif }}
          category: dependency-check

      # Upload any additional SARIF files individually
      - name: Upload additional SARIF files
        run: |
          # Skip the first file as it was already uploaded
          COUNT=0
          for sarif_file in $(find ./docs/reports -name "*.sarif" -type f); do
            if [ $COUNT -gt 0 ]; then
              echo "Uploading additional SARIF file: $sarif_file"
              # Use the GitHub API to upload the SARIF file
              UPLOAD_URL="https://api.github.com/repos/$GITHUB_REPOSITORY/code-scanning/sarifs"
              curl -X POST \
                -H "Authorization: Bearer ${{ github.token }}" \
                -H "Accept: application/vnd.github.v3+json" \
                -H "Content-Type: application/json" \
                -d "{\"commit_sha\":\"$GITHUB_SHA\",\"ref\":\"$GITHUB_REF\",\"sarif\":\"$(base64 -w 0 $sarif_file)\",\"tool_name\":\"OWASP Dependency-Check (Additional)\"}" \
                $UPLOAD_URL || echo "Failed to upload additional SARIF file: $sarif_file"
            fi
            COUNT=$((COUNT + 1))
          done
        continue-on-error: true

      # Copy SARIF to artifact directory for persistent storage
      - name: Upload SCA Results as Artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: sca-results
          path: ./docs/reports/

  sbom-generation:
    name: Software Bill of Materials
    runs-on: ubuntu-latest
    needs: sca-scanning
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Create docs/reports directory if it doesn't exist
      - name: Ensure docs/reports directory exists
        run: mkdir -p ./docs/reports

      # Generate SBOM using direct script
      - name: Generate XML BOMs using script
        run: |
          chmod +x ./.github/workflows/scripts/bom_generate.sh
          ./.github/workflows/scripts/bom_generate.sh

      # Generate JSON SBOM for Backend (API)
      - name: Generate API SBOM with CycloneDX
        uses: CycloneDX/gh-node-module-generatebom@master
        with:
          path: './xss/api'
          output: './docs/reports/angular-xss-api-sbom.json'

      # Generate JSON SBOM for Frontend
      - name: Generate Frontend SBOM with CycloneDX
        uses: CycloneDX/gh-node-module-generatebom@master
        with:
          path: './xss/frontend'
          output: './docs/reports/angular-xss-frontend-sbom.json'

      # Combine SBOMs or keep them separate for artifact upload
      - name: Combine SBOMs
        run: |
          # Create a directory for all SBOM files
          mkdir -p ./docs/reports/sbom
          # Copy the generated JSON SBOMs to this directory
          cp ./docs/reports/angular-xss-api-sbom.json ./docs/reports/sbom/
          cp ./docs/reports/angular-xss-frontend-sbom.json ./docs/reports/sbom/
          # Copy the generated XML SBOMs to this directory if they exist
          [ -f ./docs/reports/api-bom.xml ] && cp ./docs/reports/api-bom.xml ./docs/reports/sbom/
          [ -f ./docs/reports/frontend-bom.xml ] && cp ./docs/reports/frontend-bom.xml ./docs/reports/sbom/

      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: angular-xss-sbom
          path: './docs/reports/sbom/'

  dast-scanning:
    name: Dynamic Application Security Testing
    runs-on: ubuntu-latest
    needs: sbom-generation
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Install necessary dependencies for ZAP scanning
      - name: Install dependencies for ZAP
        run: |
          # Check if curl is installed
          if ! command -v curl &> /dev/null; then
            echo "Installing curl"
            apt-get update && apt-get install -y curl
          fi

      # Install Docker Compose plugin if needed
      - name: Set up Docker Compose
        run: |
          chmod +x ./.github/workflows/scripts/setup-docker.sh
          ./.github/workflows/scripts/setup-docker.sh

      - name: Start Angular XSS application with Docker Compose
        run: |
          chmod +x ./.github/workflows/scripts/start-app.sh
          ./.github/workflows/scripts/start-app.sh

      # Create docs/reports directory if it doesn't exist
      - name: Ensure docs/reports directory exists
        run: mkdir -p ./docs/reports

      # Create and verify ZAP rules file for scanning
      - name: Set up ZAP rules file
        run: |
          chmod +x ./.github/workflows/scripts/setup-zap-rules.sh
          ./.github/workflows/scripts/setup-zap-rules.sh

      # Create a temporary directory with proper permissions for ZAP to write reports
      - name: Create writable temp directory for ZAP
        run: |
          mkdir -p /tmp/zap-output
          chmod 777 /tmp/zap-output
          echo "Created writable directory for ZAP reports at /tmp/zap-output"
          ls -la /tmp/zap-output

      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.11.0
        continue-on-error: true
        with:
          target: 'http://localhost:4200'
          allow_issue_writing: true
          # Use default report formats (report_json.json, report_xml.xml, report_html.html, report_md.md)
          cmd_options: '-a -j -T 60 -z "-config globalexcludeurl.url_list.url\(0\)=.*/favicon.ico$"'
          rules_file_name: 'zap-rules.tsv'
          issue_title: 'ZAP Baseline Scan Report'
          artifact_name: 'zap-baseline-report'
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          docker_args: '--network="host"'

      # Copy ZAP reports to docs/reports directory
      - name: Copy ZAP Baseline Scan reports
        run: |
          chmod +x ./.github/workflows/scripts/copy-zap-reports.sh
          ./.github/workflows/scripts/copy-zap-reports.sh

      - name: Upload ZAP Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-reports
          path: ./docs/reports/

      - name: Stop Docker Containers
        if: always()
        run: |
          chmod +x ./.github/workflows/scripts/stop-app.sh
          ./.github/workflows/scripts/stop-app.sh

  save-reports:
    name: Save Scan Reports
    runs-on: ubuntu-latest
    needs: [secrets-scanning, sast-scanning, sca-scanning, sbom-generation, dast-scanning]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          token: ${{ github.token }}  # Use GitHub token for authentication
          fetch-depth: 0  # Full history for proper commits

      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: ./artifacts

      - name: Ensure reports directory exists
        run: mkdir -p ./docs/reports

      - name: Save all scan reports to docs/reports
        run: |
          chmod +x ./.github/workflows/scripts/save-reports.sh
          ./.github/workflows/scripts/save-reports.sh

      # Commit and push the reports to the repository
      - name: Commit and push reports to the repository
        run: |
          chmod +x ./.github/workflows/scripts/commit-reports.sh
          ./.github/workflows/scripts/commit-reports.sh
        continue-on-error: true  # Continue workflow even if push fails

  defectdojo-import:
    name: Import Results to DefectDojo
    runs-on: ubuntu-latest
    needs: [save-reports]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: ./artifacts

      # Copy artifacts to docs/reports for local usage
      - name: Copy artifacts to docs/reports
        run: |
          chmod +x ./.github/workflows/scripts/copy-artifacts.sh
          ./.github/workflows/scripts/copy-artifacts.sh