DevSecOps test

Author: Taofeeqib

.github/workflows/devsecops-pipeline.yml

@@ -187,6 +187,8 @@ jobs:
       - name: Ensure docs/reports directory exists
         run: mkdir -p ./docs/reports
 
+      - run: npm install
+      
       - name: Generate SBOM with CycloneDX
         uses: CycloneDX/gh-node-module-generatebom@master
         with:
@@ -251,8 +253,8 @@ jobs:
         with:
           target: 'http://localhost:4200'
           allow_issue_writing: true
-          # Generate reports and adjust options for better detection
-          cmd_options: '-a -j -T 60 -z "-config globalexcludeurl.url_list.url\(0\)=.*/favicon.ico$" -x /tmp/zap-output/zap-baseline-report.xml -J /tmp/zap-output/zap-baseline-report.json'
+          # Use default report formats (report_json.json, report_xml.xml, report_html.html, report_md.md)
+          cmd_options: '-a -j -T 60 -z "-config globalexcludeurl.url_list.url\(0\)=.*/favicon.ico$"'
           rules_file_name: 'zap-rules.tsv'
           issue_title: 'ZAP Baseline Scan Report'
           artifact_name: 'zap-baseline-report'

.github/workflows/scripts/copy-zap-reports.sh

@@ -1,26 +1,38 @@
 #!/bin/bash
 
-# Function to create ZAP XML placeholder
-function create_zap_xml_placeholder() {
-  echo '<?xml version="1.0" encoding="UTF-8"?>' > ./docs/reports/zap-baseline-report.xml
-  echo '<OWASPZAPReport version="2.11.0" generated="2025-09-07T12:00:00">' >> ./docs/reports/zap-baseline-report.xml
-  echo '  <site name="http://localhost:4200">' >> ./docs/reports/zap-baseline-report.xml
-  echo '    <alerts></alerts>' >> ./docs/reports/zap-baseline-report.xml
-  echo '  </site>' >> ./docs/reports/zap-baseline-report.xml
-  echo '</OWASPZAPReport>' >> ./docs/reports/zap-baseline-report.xml
+# Function to create ZAP default report placeholders
+function create_zap_default_placeholders() {
+  # Create JSON placeholder
+  echo '{' > ./docs/reports/report_json.json
+  echo '  "site": "http://localhost:4200",' >> ./docs/reports/report_json.json
+  echo '  "generated": "2025-09-07T12:00:00",' >> ./docs/reports/report_json.json
+  echo '  "version": "2.11.0",' >> ./docs/reports/report_json.json
+  echo '  "alerts": []' >> ./docs/reports/report_json.json
+  echo '}' >> ./docs/reports/report_json.json
+  
+  # Create XML placeholder
+  echo '<?xml version="1.0" encoding="UTF-8"?>' > ./docs/reports/report_xml.xml
+  echo '<OWASPZAPReport version="2.11.0" generated="2025-09-07T12:00:00">' >> ./docs/reports/report_xml.xml
+  echo '  <site name="http://localhost:4200">' >> ./docs/reports/report_xml.xml
+  echo '    <alerts></alerts>' >> ./docs/reports/report_xml.xml
+  echo '  </site>' >> ./docs/reports/report_xml.xml
+  echo '</OWASPZAPReport>' >> ./docs/reports/report_xml.xml
+  
+  # Create HTML placeholder
+  echo '<!DOCTYPE html>' > ./docs/reports/report_html.html
+  echo '<html><head><title>ZAP Scanning Report</title></head>' >> ./docs/reports/report_html.html
+  echo '<body><h1>ZAP Scanning Report</h1>' >> ./docs/reports/report_html.html
+  echo '<p>This is a placeholder for ZAP HTML report.</p>' >> ./docs/reports/report_html.html
+  echo '</body></html>' >> ./docs/reports/report_html.html
+  
+  # Create Markdown placeholder
+  echo '# ZAP Scanning Report' > ./docs/reports/report_md.md
+  echo 'Generated: 2025-09-07T12:00:00' >> ./docs/reports/report_md.md
+  echo '' >> ./docs/reports/report_md.md
+  echo 'This is a placeholder for ZAP Markdown report.' >> ./docs/reports/report_md.md
 }
 
-# Function to create ZAP JSON placeholder
-function create_zap_json_placeholder() {
-  echo '{' > ./docs/reports/zap-baseline-report.json
-  echo '  "site": "http://localhost:4200",' >> ./docs/reports/zap-baseline-report.json
-  echo '  "generated": "2025-09-07T12:00:00",' >> ./docs/reports/zap-baseline-report.json
-  echo '  "version": "2.11.0",' >> ./docs/reports/zap-baseline-report.json
-  echo '  "alerts": []' >> ./docs/reports/zap-baseline-report.json
-  echo '}' >> ./docs/reports/zap-baseline-report.json
-}
-
-echo "Looking for ZAP Baseline Scan report files..."
+echo "Looking for ZAP report files..."
 
 # Check in /tmp/zap-output where we directed ZAP to write reports
 echo "Checking in /tmp/zap-output:"
@@ -32,33 +44,33 @@ if [ -d "/tmp/zap-output" ]; then
   cp -v /tmp/zap-output/*.* ./docs/reports/ 2>/dev/null || echo "No files to copy from /tmp/zap-output"
 fi
 
-# Look for baseline scan reports only
+# Look for default ZAP report formats
 for report in \
-  ./zap-baseline-report.xml \
-  ./zap-baseline-report.json \
   ./report_json.json \
   ./report_xml.xml \
   ./report_html.html \
   ./report_md.md \
-  /tmp/zap-output/zap-baseline-report.xml \
-  /tmp/zap-output/zap-baseline-report.json \
-  /tmp/zap-baseline-report.xml \
-  /tmp/zap-baseline-report.json \
-  /zap/wrk/zap-baseline-report.xml \
-  /zap/wrk/zap-baseline-report.json; do
+  /tmp/zap-output/report_json.json \
+  /tmp/zap-output/report_xml.xml \
+  /tmp/zap-output/report_html.html \
+  /tmp/zap-output/report_md.md \
+  /zap/wrk/report_json.json \
+  /zap/wrk/report_xml.xml \
+  /zap/wrk/report_html.html \
+  /zap/wrk/report_md.md; do
   if [ -f "$report" ]; then
     echo "Found report: $report"
     cp -v "$report" ./docs/reports/
   fi
 done
 
-# If no reports were found, create placeholders
-if [ ! -f "./docs/reports/zap-baseline-report.xml" ] && [ ! -f "./docs/reports/zap-baseline-report.json" ]; then
-  echo "Creating placeholder for ZAP baseline reports (XML and JSON)"
-  create_zap_xml_placeholder
-  create_zap_json_placeholder
+# Check if we found any of the default ZAP reports
+if [ ! -f "./docs/reports/report_json.json" ] && [ ! -f "./docs/reports/report_xml.xml" ] && 
+   [ ! -f "./docs/reports/report_html.html" ] && [ ! -f "./docs/reports/report_md.md" ]; then
+  echo "No default ZAP reports found. Creating placeholders."
+  create_zap_default_placeholders
 fi
 
 # Check if any reports were copied or created
 echo "Contents of docs/reports directory:"
-ls -la ./docs/reports/
+ls -la ./docs/reports/

.gitignore

@@ -38,3 +38,7 @@ testem.log
 .DS_Store
 Thumbs.db
 .vscode/extensions.json
+
+# DefectDojo
+/django-DefectDojo
+django-DefectDojo/

README.md

@@ -7,7 +7,7 @@ This project implements a comprehensive DevSecOps pipeline for a deliberately vu
 The pipeline includes the following security stages:
 
 1. **Secrets Scanning** - Using TruffleHog OSS to detect exposed credentials
-2. **Static Application Security Testing (SAST)** - Using Semgrep with JavaScript, Angular, and Node.js rulesets
+2. **Static Application Security Testing (SAST)** - Using CodeQL with JavaScript, Angular, and Node.js rulesets
 3. **Software Composition Analysis (SCA)** - Using OWASP Dependency-Check to identify vulnerable dependencies
 4. **Software Bill of Materials (SBOM)** - Using CycloneDX to generate a comprehensive inventory of components
 5. **Dynamic Application Security Testing (DAST)** - Using OWASP ZAP to perform runtime security testing
@@ -46,7 +46,6 @@ The pipeline is designed to detect:
 1. Secrets and credentials exposed in code
 2. XSS vulnerabilities in Angular code
 3. Vulnerable dependencies in both frontend and backend
-4. Other security issues defined in Semgrep rules
 
 ## Integration with DefectDojo
 
@@ -57,7 +56,7 @@ Scan results from all security tools are aggregated in DefectDojo for:
 - Historical security trend analysis
 
 ### Note on ZAP Reports
-When importing ZAP scan results into DefectDojo, use the XML format (`zap-baseline-report.xml`) which is specifically formatted for DefectDojo compatibility. The XML report requires properly formatted URLs with fully qualified domain names to be parsed correctly by DefectDojo's ZAP parser.
+When importing ZAP scan results into DefectDojo, use the XML format (`report_xml.xml`) which is specifically formatted for DefectDojo compatibility. The XML report requires properly formatted URLs with fully qualified domain names to be parsed correctly by DefectDojo's ZAP parser.
 
 ## Screenshots
 
@@ -75,21 +74,12 @@ All security scan results are stored in the `docs/reports` directory for easy ac
 - **OWASP Dependency-Check Results** - `dependency-check-*.sarif`
 - **CycloneDX SBOM** - `angular-xss-sbom.json`
 - **ZAP DAST Reports** - Multiple formats available:
-  - XML format: `zap-baseline-report.xml` (DefectDojo compatible format)
-  - JSON format: `zap-baseline-report.json` and `report_json.json`
-  - Markdown format: `zap-baseline-report.md` and `report_md.md`
-  - HTML format: `report_html.html` (contains detailed findings with risk levels)
+  - JSON format: `report_json.json`
+  - Markdown format: `report_md.md`
+  - HTML format: `report_html.html` 
 
-A comprehensive report index is available at `docs/reports/README.md`.
 
 To view SARIF files, you can use:
 - GitHub Security Code Scanning dashboard
 - [SARIF Viewer VSCode Extension](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer)
 - [SARIF Web Viewer](https://microsoft.github.io/sarif-web-component/)
-
-## Future Enhancements
-
-- Implement container scanning
-- Add automated security regression testing
-- Enhance Semgrep rules for custom vulnerabilities
-- Add GitHub Pages to host scan reports

docs/screenshots/DefectDojo_SAST.png

@@ -114,7 +114,7 @@ else
 fi
 
 # Import ZAP report
-for zap_file in "$REPORTS_DIR/zap-baseline-report.xml" "$REPORTS_DIR/report_html.html" "$REPORTS_DIR/zap-baseline-report.json"; do
+for zap_file in "$REPORTS_DIR/report_xml.xml" "$REPORTS_DIR/report_html.html" "$REPORTS_DIR/report_json.json"; do
   if [ -f "$zap_file" ] && [ -s "$zap_file" ]; then
     echo "Importing ZAP report: $zap_file"
     IMPORT_RESPONSE=$(curl -s -X POST \