Skip to content

Commit 0df8e96

Browse files
committed
DevSecOps test
1 parent 0c6244b commit 0df8e96

2 files changed

Lines changed: 159 additions & 5 deletions

File tree

.github/workflows/devsecops-pipeline.yml

Lines changed: 95 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -427,30 +427,89 @@ jobs:
427427
echo "Created writable directory for ZAP reports at /tmp/zap-output"
428428
ls -la /tmp/zap-output
429429
430+
# Verify application is running and accessible
431+
- name: Verify application is running
432+
run: |
433+
# Use curl to verify application is accessible
434+
echo "Checking if application is running..."
435+
curl -v http://localhost:4200 || echo "Warning: Application may not be accessible via localhost"
436+
437+
# Check docker containers and network information
438+
echo "Docker container status:"
439+
docker ps
440+
echo "Docker network information:"
441+
docker network ls
442+
docker network inspect bridge
443+
430444
- name: ZAP Baseline Scan
431445
uses: zaproxy/action-baseline@v0.11.0
432446
continue-on-error: true
433447
with:
434448
target: 'http://localhost:4200'
435449
allow_issue_writing: true
436-
# Generate both XML and JSON format reports
437-
cmd_options: '-a -j -T 10 -x /tmp/zap-output/zap-baseline-report.xml -J /tmp/zap-output/zap-baseline-report.json'
450+
# Generate reports and adjust options for better detection
451+
cmd_options: '-a -j -T 60 -z "-config globalexcludeurl.url_list.url\(0\)=.*/favicon.ico$" -x /tmp/zap-output/zap-baseline-report.xml -J /tmp/zap-output/zap-baseline-report.json'
438452
rules_file_name: 'zap-rules.tsv'
439453
issue_title: 'ZAP Baseline Scan Report'
440454
artifact_name: 'zap-baseline-report'
441455
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
456+
docker_args: '--network="host"'
457+
458+
# Copy ZAP config file to workspace
459+
- name: Copy ZAP configuration files
460+
run: |
461+
# Ensure ZAP config file is accessible
462+
if [ -f "zap-advanced-config.conf" ]; then
463+
cp zap-advanced-config.conf /tmp/zap-advanced-config.conf
464+
chmod 644 /tmp/zap-advanced-config.conf
465+
echo "ZAP advanced config file copied to /tmp"
466+
else
467+
echo "Warning: ZAP advanced config file not found"
468+
fi
442469
443470
- name: ZAP Full Scan
444471
uses: zaproxy/action-full-scan@v0.8.0
445472
continue-on-error: true
446473
with:
447474
target: 'http://localhost:4200'
448475
allow_issue_writing: true
449-
# Generate both XML and JSON format reports
450-
cmd_options: '-a -j -T 10 -x /tmp/zap-output/zap-full-scan-report.xml -J /tmp/zap-output/zap-full-scan-report.json'
476+
# Use the advanced config and specify additional APIs to test
477+
cmd_options: '-a -j -T 90 -c /tmp/zap-advanced-config.conf -z "-configfile /tmp/zap-advanced-config.conf" -x /tmp/zap-output/zap-full-scan-report.xml -J /tmp/zap-output/zap-full-scan-report.json'
451478
rules_file_name: 'zap-rules.tsv'
452479
issue_title: 'ZAP Full Scan Report'
453480
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
481+
docker_args: '--network="host"'
482+
cmd_progress_timeout: 120
483+
484+
# Attempt to scan specific paths known to be vulnerable
485+
- name: ZAP Targeted Scan
486+
if: always() # Run even if full scan succeeds to ensure we test specific paths
487+
uses: zaproxy/action-full-scan@v0.8.0
488+
continue-on-error: true
489+
with:
490+
target: 'http://localhost:4200'
491+
allow_issue_writing: true
492+
# Focus specifically on XSS and other critical tests with known target URLs
493+
cmd_options: '-a -j -T 60 -c /tmp/zap-advanced-config.conf -z "-configfile /tmp/zap-advanced-config.conf -config scanner.attackStrength=INSANE -config rules.ascanrules.xss.strength=INSANE" -x /tmp/zap-output/zap-targeted-report.xml -J /tmp/zap-output/zap-targeted-report.json'
494+
rules_file_name: 'zap-rules.tsv'
495+
issue_title: 'ZAP Targeted Scan Report'
496+
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
497+
docker_args: '--network="host"'
498+
cmd_progress_timeout: 120
499+
500+
# Try scanning the API directly as a separate test
501+
- name: ZAP API Scan
502+
if: always() # Run regardless of other scan results
503+
continue-on-error: true
504+
run: |
505+
echo "Running direct API scan..."
506+
# Try to access API endpoints directly with ZAP
507+
docker run --rm --network="host" -v /tmp:/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t http://localhost:8000 -J /zap/wrk/zap-api-scan-report.json -x /zap/wrk/zap-api-scan-report.xml -r /zap/wrk/zap-api-scan-report.html -a -d -T 60 -j --hook=/zap/auth_hook.py || echo "API scan failed but continuing"
508+
509+
# Check if reports were generated
510+
if [ -f "/tmp/zap-api-scan-report.json" ]; then
511+
cp /tmp/zap-api-scan-report.* ./docs/reports/ 2>/dev/null || echo "Could not copy API scan reports"
512+
fi
454513
455514
# Copy ZAP reports to docs/reports directory
456515
- name: Copy ZAP reports to docs/reports
@@ -471,22 +530,53 @@ jobs:
471530
cp -v /tmp/zap-output/*.* ./docs/reports/ 2>/dev/null || echo "No files to copy from /tmp/zap-output"
472531
fi
473532
533+
# Copy all ZAP reports from various directories
534+
echo "Using find to locate all ZAP report files across multiple locations..."
535+
find /tmp -name "*report*.json" -o -name "*report*.xml" -o -name "*report*.html" 2>/dev/null | while read report; do
536+
echo "Found report via find: $report"
537+
cp -v "$report" ./docs/reports/ 2>/dev/null || echo "Failed to copy $report"
538+
done
539+
474540
# Then try multiple possible filenames and locations for the reports
475541
for report in \
476542
./zap-baseline-report.xml \
477543
./zap-baseline-report.json \
478544
./zap-full-scan-report.xml \
479545
./zap-full-scan-report.json \
546+
./zap-targeted-report.xml \
547+
./zap-targeted-report.json \
548+
./zap-api-scan-report.xml \
549+
./zap-api-scan-report.json \
550+
./zap-api-scan-report.html \
480551
./report_json.json \
481552
./report_xml.xml \
553+
/tmp/zap-output/zap-baseline-report.xml \
554+
/tmp/zap-output/zap-baseline-report.json \
555+
/tmp/zap-output/zap-full-scan-report.xml \
556+
/tmp/zap-output/zap-full-scan-report.json \
557+
/tmp/zap-output/zap-targeted-report.xml \
558+
/tmp/zap-output/zap-targeted-report.json \
559+
/tmp/zap-api-scan-report.xml \
560+
/tmp/zap-api-scan-report.json \
561+
/tmp/zap-api-scan-report.html \
482562
/tmp/zap-baseline-report.xml \
483563
/tmp/zap-baseline-report.json \
484564
/tmp/zap-full-scan-report.xml \
485565
/tmp/zap-full-scan-report.json \
566+
/tmp/zap-targeted-report.xml \
567+
/tmp/zap-targeted-report.json \
568+
/tmp/zap-api-scan-report.xml \
569+
/tmp/zap-api-scan-report.json \
570+
/tmp/zap-api-scan-report.html \
486571
/zap/wrk/zap-baseline-report.xml \
487572
/zap/wrk/zap-baseline-report.json \
488573
/zap/wrk/zap-full-scan-report.xml \
489-
/zap/wrk/zap-full-scan-report.json; do
574+
/zap/wrk/zap-full-scan-report.json \
575+
/zap/wrk/zap-targeted-report.xml \
576+
/zap/wrk/zap-targeted-report.json \
577+
/zap/wrk/zap-api-scan-report.xml \
578+
/zap/wrk/zap-api-scan-report.json \
579+
/zap/wrk/zap-api-scan-report.html; do
490580
if [ -f "$report" ]; then
491581
echo "Found report: $report"
492582
cp -v "$report" ./docs/reports/

zap-advanced-config.conf

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# ZAP Advanced Configuration for Angular XSS Application
2+
3+
# Scanner settings
4+
scanner.attackStrength=HIGH
5+
scanner.maxRuleDurationInMins=5
6+
scanner.level=ATTACK
7+
8+
# AJAX Spider settings (for SPA applications like Angular)
9+
ajax.browserid=chrome-headless
10+
ajax.maxDuration=5
11+
ajax.timeout=60
12+
ajax.maxCrawlDepth=10
13+
ajax.clickDefaultElems=true
14+
ajax.clickElemsOnce=true
15+
ajax.eventWait=2000
16+
17+
# Spider settings
18+
spider.maxDepth=10
19+
spider.maxDuration=5
20+
spider.maxParseSizeBytes=2621440
21+
spider.postForm=true
22+
spider.processForm=true
23+
spider.threadCount=10
24+
spider.sendRefererHeader=true
25+
26+
# Authentication settings
27+
authentication.loginUrl=http://localhost:4200/login
28+
authentication.loginRequestData=username=admin@test.com&password=Password123
29+
authentication.loggedInIndicator=\\Q"authenticated":true\\E
30+
31+
# Attack settings
32+
rules.ascanrules.xss.strength=INSANE
33+
rules.ascanrules.sqlinjection.strength=INSANE
34+
rules.ascanrules.xss.threshold=LOW
35+
rules.ascanrules.sqlinjection.threshold=LOW
36+
37+
# Include form-based authentication
38+
spider.formFillMode=SPECIFY_FORM_FIELD_NAMES
39+
spider.formFillNames=username,password,email
40+
spider.formFillValues=admin@test.com,Password123,admin@test.com
41+
42+
# API configuration
43+
api.disablekey=true
44+
api.addrs.addr.name=.*
45+
api.addrs.addr.regex=true
46+
47+
# Exclude URLs to improve performance
48+
globalexcludeurl.url_list.url.1=.*\\.js$
49+
globalexcludeurl.url_list.url.2=.*\\.css$
50+
globalexcludeurl.url_list.url.3=.*\\.png$
51+
globalexcludeurl.url_list.url.4=.*\\.jpg$
52+
globalexcludeurl.url_list.url.5=.*\\.gif$
53+
globalexcludeurl.url_list.url.6=.*\\.svg$
54+
globalexcludeurl.url_list.url.7=.*favicon\\.ico$
55+
56+
# Include specifically vulnerable pages
57+
includeInScope.url_list.url.1=http://localhost:4200/login
58+
includeInScope.url_list.url.2=http://localhost:4200/signup
59+
includeInScope.url_list.url.3=http://localhost:4200/profile
60+
includeInScope.url_list.url.4=http://localhost:4200/user
61+
includeInScope.url_list.url.5=http://localhost:4200/search
62+
includeInScope.url_list.url.6=http://localhost:8000/api/
63+
includeInScope.url_list.url.7=http://localhost:8000/login
64+
includeInScope.url_list.url.8=http://localhost:8000/user

0 commit comments

Comments
 (0)