DevSecOps test

Author: Taofeeqib

.github/workflows/devsecops-pipeline.yml

@@ -319,12 +319,35 @@ jobs:
       - name: Ensure docs/reports directory exists
         run: mkdir -p ./docs/reports
 
-      # Copy ZAP rules file to the workspace root for the scan
-      - name: Copy ZAP rules file to workspace root
+      # Create and verify ZAP rules file for scanning
+      - name: Set up ZAP rules file
         run: |
-          cp ./zap-rules.tsv ./
-          echo "Verifying ZAP rules file location:"
-          ls -la zap-rules.tsv || echo "ZAP rules file not found in root"
+          # Check if zap-rules.tsv exists in the repo
+          echo "Checking for ZAP rules files..."
+          echo "Current directory: $(pwd)"
+          ls -la
+          
+          if [ -f "zap-rules.tsv" ]; then
+            echo "ZAP rules file already exists in the root directory"
+          elif [ -f "./angular-xss/zap-rules.tsv" ]; then
+            echo "Found ZAP rules in angular-xss directory, copying to root"
+            cp ./angular-xss/zap-rules.tsv ./
+          else
+            echo "ZAP rules file not found, creating a basic one"
+            cat > zap-rules.tsv << 'EOL'
+10016	IGNORE	http://localhost:4200	(IGNORE: A technology has been identified)
+10020	IGNORE	http://localhost:4200	(IGNORE: X-Frame-Options Header Not Set)
+10021	IGNORE	http://localhost:4200	(IGNORE: X-Content-Type-Options Header Missing)
+10038	IGNORE	http://localhost:4200	(IGNORE: Content Security Policy (CSP) Header Not Set)
+10049	IGNORE	http://localhost:4200	(IGNORE: Non-Storable Content)
+40012	FAIL	http://localhost:4200	(FAIL: Cross Site Scripting (Reflected))
+EOL
+          fi
+          
+          # Verify the rules file exists and show content
+          echo "Verifying ZAP rules file location and content:"
+          ls -la zap-rules.tsv
+          cat zap-rules.tsv
 
       - name: ZAP Baseline Scan
         uses: zaproxy/action-baseline@v0.11.0