Merged
54 commits
06b4802
initial
jonas0b1011001 Sep 21, 2024
64db9f9
fix anonymize ip
jonas0b1011001 Sep 21, 2024
b0a9540
1.6 compatibility
jonas0b1011001 Mar 8, 2025
f2ef5e4
fix: multipart parsing for HTTP/2 support in ClamAV plugin
rayshoo Jun 23, 2025
b8f5d54
plugin generator for creating a new plugin structure
Michal-Koeckeis-Fresel Jun 25, 2025
c9de31d
fixed errors in generate_readme function
Michal-Koeckeis-Fresel Jun 25, 2025
7481b60
Create README.md
Michal-Koeckeis-Fresel Jun 25, 2025
b3ff4c4
adopt CSS
Michal-Koeckeis-Fresel Jun 25, 2025
a75a2eb
errors during start of test-plugin
Michal-Koeckeis-Fresel Jun 25, 2025
a2a281c
disable modsec template - needs fix
Michal-Koeckeis-Fresel Jun 25, 2025
51133f4
fix plugin format
Michal-Koeckeis-Fresel Jun 25, 2025
79b9065
restore modsecurity content
Michal-Koeckeis-Fresel Jun 25, 2025
4ebd4da
Update create_bunkerweb_plugin.sh
Michal-Koeckeis-Fresel Jun 25, 2025
04fb46a
rename env var
Michal-Koeckeis-Fresel Jun 25, 2025
29f9f90
Update create_bunkerweb_plugin.sh
Michal-Koeckeis-Fresel Jun 26, 2025
c5f5674
feat: add initial configuration for CodeRabbit integration
TheophileDiot Apr 13, 2026
ec0a592
feat: add CLAUDE.md for plugin development guidance
TheophileDiot Apr 13, 2026
45fcc23
created basic plugin
Jun 7, 2026
a21c596
improved readme
Jun 7, 2026
16ed8f0
added the option to forward identity headers
Jun 7, 2026
1b33b02
fixed some issues that coderabbit found
Jun 7, 2026
bed5ef3
deps/gha: bump github/codeql-action from 3.28.11 to 4.36.2
dependabot[bot] Jun 25, 2026
7935fa3
deps/gha: bump docker/login-action from 3.3.0 to 4.2.0
dependabot[bot] Jun 25, 2026
9c4b02c
deps/gha: bump actions/checkout from 4.2.2 to 7.0.0
dependabot[bot] Jun 25, 2026
08b4b11
Merge pull request #197 from bunkerity/dependabot/github_actions/dev/…
TheophileDiot Jun 25, 2026
0eddf47
Merge pull request #190 from bunkerity/dependabot/github_actions/dev/…
TheophileDiot Jun 25, 2026
da3d025
Merge pull request #194 from bunkerity/dependabot/github_actions/dev/…
TheophileDiot Jun 25, 2026
d83fee6
Potential fix for pull request finding
daemon-byte Jun 25, 2026
b1e45fc
fix(authentik): harden identity-header handling, docs, and tests
TheophileDiot Jun 25, 2026
8e5a54c
Merge pull request #200 from daemon-byte/main
TheophileDiot Jun 25, 2026
152fe33
Merge pull request #202 from bunkerity/authentik-pr200-fixes
TheophileDiot Jun 25, 2026
02af274
fix(templates): make plugin generator produce loadable, BW-conformant…
TheophileDiot Jun 25, 2026
a24b3a2
Merge pull request #150 from Michal-Koeckeis-Fresel/template_generator
TheophileDiot Jun 25, 2026
7de8ced
test: parallelize CI into a matrix, cover notifier plugins, add unit …
TheophileDiot Jun 25, 2026
19a9c17
Merge pull request #203 from bunkerity/improve-tests-matrix
TheophileDiot Jun 25, 2026
7536321
fix(tests): add Lua toolchain installation for pre-commit hook
TheophileDiot Jun 25, 2026
33a18cb
fix(matrix): harden plugin before merge
TheophileDiot Jun 25, 2026
790b97c
Merge pull request #106 from jonas0b1011001/matrix
TheophileDiot Jun 25, 2026
336ef63
Merge pull request #147 from rayshoo/main
TheophileDiot Jun 25, 2026
a861776
test: harden notifier/virustotal tests, add coraza go edge cases
TheophileDiot Jun 25, 2026
2900f53
fix(clamav): revert HTTP/2 rewrite, harden multipart filename detecti…
TheophileDiot Jun 25, 2026
e1b26b8
test: add matrix coverage and deepen plugin test suites
TheophileDiot Jun 25, 2026
67f2fa3
ci: test against latest stable BunkerWeb, add release workflow, bump …
TheophileDiot Jun 25, 2026
34cba8f
fix(notifiers): redact credential headers, harden http error paths
TheophileDiot Jun 25, 2026
0e8dc0b
chore(coraza): bump coraza to v3.7.0, go 1.25, CRS v4.25.0
TheophileDiot Jun 25, 2026
3a234a9
deps/gha: bump actions/setup-go from 5.2.0 to 6.5.0
dependabot[bot] Jun 26, 2026
4a58828
docs: replace plugin diagrams with inline Mermaid
TheophileDiot Jun 26, 2026
28814b9
feat(cloudflare): add Cloudflare plugin (real IP, origin CA, mTLS, ed…
TheophileDiot Jun 26, 2026
880d1ae
chore(ci): modernize pre-commit hooks, bump Python to 3.11
TheophileDiot Jun 26, 2026
4718f3e
deps/gha: bump actions/setup-python from 5.3.0 to 6.3.0
dependabot[bot] Jun 26, 2026
8a1a11d
fix(tests): stop cloudflare e2e pinning host-colliding subnets
TheophileDiot Jun 26, 2026
0a0a957
docs(plugins): bring every plugin README to authentik parity
TheophileDiot Jun 26, 2026
e770ae1
Merge pull request #205 from bunkerity/dependabot/github_actions/dev/…
TheophileDiot Jun 26, 2026
f2a2a8c
Merge pull request #204 from bunkerity/dependabot/github_actions/dev/…
TheophileDiot Jun 26, 2026
10 changes: 10 additions & 0 deletions .busted
@@ -0,0 +1,10 @@
return {
default = {
-- Run from the repo root so `require("authentik/authentik_helpers")`
-- resolves authentik/authentik_helpers.lua, mirroring how BunkerWeb
-- requires plugins ("<id>/<id>").
lpath = "./?.lua",
ROOT = { "spec" },
pattern = "_spec",
},
}
333 changes: 333 additions & 0 deletions .coderabbit.yaml

Large diffs are not rendered by default.

15 changes: 15 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -16,6 +16,21 @@ updates:
prefix: "deps/gha"
target-branch: "dev"

# npm (Prettier tooling)
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
time: "09:00"
timezone: "Europe/Paris"
assignees:
- "TheophileDiot"
reviewers:
- "TheophileDiot"
commit-message:
prefix: "deps/npm"
target-branch: "dev"

# Coraza
- package-ecosystem: "docker"
directory: "/coraza/api"
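Review bot: the new npm entry inherits the daily schedule used for the other ecosystems, but the only npm dependency it covers is Prettier tooling (see the "npm (Prettier tooling)" comment), so every patch release of Prettier opens its own PR against `dev`. Consider adding a `groups:` block to this entry so tooling bumps arrive as a single PR, or relaxing `interval: "daily"` to weekly for this ecosystem only.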
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yml
Expand Up @@ -19,13 +19,13 @@ jobs:
language: ["python", "go"]
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Initialize CodeQL
uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
category: "/language:${{matrix.language}}"
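Review bot: the three bumps move `github/codeql-action` across a major version (v3.28.11 to v4.36.2) and `actions/checkout` from v4.2.2 to v7.0.0 while keeping the SHA pins, which is the right shape, but the trailing `# v7.0.0` / `# v4.36.2` comments are not verified by the runner. Before merging, confirm each SHA actually resolves to the tag named in its comment, and note that `init` and `analyze` are pinned to the same SHA (`8aad20d1…`), as they must be, since mixing versions between the two steps is not supported.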
81 changes: 81 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,81 @@
name: Release

# Cut a GitHub release once per plugin version bump. Mirrors the release-creation
# step of bunkerity/bunkerweb (softprops/action-gh-release, pinned SHA, draft for
# human review) without the heavy build matrix the plugins repo does not need.
#
# Fires only after the "Tests" workflow succeeds on main, and only when the
# version in plugin.json does not already have a release — so a normal push to
# main that does not bump the version is a no-op.

on:
workflow_run:
workflows: [Tests]
types: [completed]
branches: [main]

permissions:
contents: read

jobs:
release:
if: github.event.workflow_run.conclusion == 'success'
runs-on: ubuntu-latest
permissions:
contents: write # create the tag + release
steps:
- name: Checkout the tested commit
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ github.event.workflow_run.head_sha }}
fetch-depth: 0 # full history so generated release notes are complete

- name: Resolve plugin version
id: version
run: |
# All plugin.json carry the same version (kept in lockstep by
# misc/update_version.sh), so any one of them is the source of truth.
version="$(jq -r .version clamav/plugin.json)"
case "$version" in
"" | null | *[!0-9.]*)
echo "::error::unexpected plugin version '$version'"
exit 1
;;
esac
echo "version=$version" >> "$GITHUB_OUTPUT"
echo "tag=v$version" >> "$GITHUB_OUTPUT"

- name: Skip if this version is already released
id: guard
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ steps.version.outputs.tag }}
run: |
# Match on tag_name across ALL releases, drafts included. A draft has
# no git tag until it is published, so `gh release view <tag>` would
# miss an unpublished draft and we'd create a duplicate on every push.
# The assignment aborts the step if `gh api` fails (no fail-open to
# "create" on an auth/network error).
tags="$(gh api "repos/$GITHUB_REPOSITORY/releases" --paginate --jq '.[].tag_name')"
if grep -Fxq "$TAG" <<<"$tags"; then
echo "exists=true" >> "$GITHUB_OUTPUT"
echo "Release $TAG already exists (including drafts) — nothing to do."
else
echo "exists=false" >> "$GITHUB_OUTPUT"
echo "No release for $TAG yet — creating a draft."
fi

- name: Create draft release
if: steps.guard.outputs.exists == 'false'
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
tag_name: ${{ steps.version.outputs.tag }}
target_commitish: ${{ github.event.workflow_run.head_sha }}
name: ${{ steps.version.outputs.tag }}
draft: true # published by a maintainer after a quick review
generate_release_notes: true # auto-changelog from merged PRs/commits
body: |
BunkerWeb external plugins **${{ steps.version.outputs.tag }}**.

Install a plugin by mounting its directory into the scheduler's `/data/plugins`
(see the README). Coraza ships its WAF API as `bunkerity/bunkerweb-coraza`.
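Review bot: the "Resolve plugin version" step trusts the lockstep assumption in its own comment without checking it: `version="$(jq -r .version clamav/plugin.json)"` reads a single file, so if one plugin.json drifts (a hand edit that bypasses misc/update_version.sh), the release is tagged with whichever version clamav happens to carry and nothing fails. Suggest asserting agreement in the same step, for example `versions="$(jq -r .version */plugin.json | sort -u)"` followed by `[ "$(wc -l <<<"$versions")" -eq 1 ] || { echo "::error::plugin.json versions differ"; exit 1; }`, before taking the first line as `$version`. Separately, the `*[!0-9.]*` branch of the `case` rejects any pre-release suffix (e.g. `1.7.0-beta`), so a pre-release bump never gets a draft; if that is intended, a comment saying so would save the next reader a trip through the pattern.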
155 changes: 131 additions & 24 deletions .github/workflows/tests.yml
Expand Up @@ -4,6 +4,10 @@ on:
push:
branches: [dev, main]

concurrency:
group: tests-${{ github.ref }}
cancel-in-progress: true

jobs:
codeql:
uses: ./.github/workflows/codeql.yml
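Review bot: `cancel-in-progress: true` under `group: tests-${{ github.ref }}` applies to main as well as dev, so two pushes to main in quick succession cancel the first Tests run. Because the new Release workflow is triggered by `workflow_run` on Tests completing successfully, the cancelled commit produces no release (the next run covers it only if the version is unchanged). Consider `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` so main runs always complete while dev keeps the fast-cancel behaviour.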
Expand All @@ -12,40 +16,143 @@ jobs:
contents: read
security-events: write

setup:
tag:
runs-on: ubuntu-latest
outputs:
bw_tag: ${{ steps.tag.outputs.bw_tag }}
steps:
- name: Resolve latest stable BunkerWeb tag
id: tag
env:
GH_TOKEN: ${{ github.token }}
run: |
# Always test against the latest STABLE BunkerWeb release, resolved at
# runtime so it never goes stale. GitHub's releases/latest endpoint
# excludes drafts and pre-releases (rc/beta), giving us "stable".
# Same tag on every branch (dev and main) — there is no pinned version.
# `|| true`: a 404 (no stable release yet) or rate-limit makes gh exit
# non-zero, which under `bash -e` would abort the step here with a raw
# error. Swallow it so the empty tag falls through to the case below
# and reports our own diagnostic.
tag="$(gh api repos/bunkerity/bunkerweb/releases/latest --jq .tag_name || true)"
tag="${tag#v}" # release tag may be "v1.6.1"; Docker tags have no "v"
case "$tag" in
"" | *-*)
echo "::error::could not resolve a stable BunkerWeb tag (got '${tag:-<empty>}')"
exit 1
;;
esac
echo "Resolved latest stable BunkerWeb tag: $tag"
echo "bw_tag=$tag" >> "$GITHUB_OUTPUT"

lint:
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Python
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.11"
- name: Install pre-commit
run: pip install pre-commit
- name: Install Lua toolchain
# The luacheck pre-commit hook is language:lua and needs luarocks on the
# runner to bootstrap its environment.
run: |
sudo apt-get update
sudo apt-get install -y lua5.4 liblua5.4-dev luarocks
- name: Set up Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: "22"
cache: "npm"
- name: Install Prettier
# The prettier hook is language:system and resolves prettier from the
# repo's pinned package-lock.json via npx.
run: npm ci
- name: Run pre-commit
run: pre-commit run --all-files

unit:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
lang: [go, python, lua]
steps:
- name: Checkout source code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

# --- Go : coraza API service ---
- name: Set up Go
if: matrix.lang == 'go'
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: "1.25"
- name: Run Go unit tests
if: matrix.lang == 'go'
working-directory: coraza/api
run: |
# No go.sum is committed (the Dockerfile resolves deps at build time),
# so populate it before testing. Build tag must match the binary.
go mod tidy
go test -tags=coraza.rule.multiphase_evaluation ./...

# --- Python : ui/actions.py ---
- name: Set up Python
if: matrix.lang == 'python'
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.11"
- name: Run Python unit tests
if: matrix.lang == 'python'
run: |
pip install pytest
pytest tests/ -q

- name: Get BW tag
# --- Lua : busted specs ---
- name: Run Lua unit tests
if: matrix.lang == 'lua'
run: |
if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
echo "BW_TAG=1.6.1" >> $GITHUB_ENV
else
echo "BW_TAG=dev" >> $GITHUB_ENV
fi
sudo apt-get update
# liblua5.4-dev provides headers for busted's C deps; pin the luarocks
# tree to 5.4 so the busted CLI runs against the lua5.4 we installed.
sudo apt-get install -y lua5.4 liblua5.4-dev luarocks
sudo luarocks --lua-version=5.4 install busted
busted

integration:
needs: [tag, lint, unit]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
plugin: [clamav, cloudflare, coraza, virustotal, authentik, notifier]
steps:
- name: Checkout source code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}

- name: Pull and build BW
run: ./.tests/bw.sh "${{ env.BW_TAG }}"

- name: Run ClamAV tests
run: ./.tests/clamav.sh

- name: Run Coraza tests
run: ./.tests/coraza.sh

- name: Run VirusTotal tests
run: ./.tests/virustotal.sh
env:
VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}
run: bash .tests/bw.sh "${{ needs.tag.outputs.bw_tag }}"
- name: Run ${{ matrix.plugin }} tests
run: bash .tests/${{ matrix.plugin }}.sh

build-push:
needs: [tag, integration]
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Login to Docker Hub
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and push APIs
if: env.BW_TAG == '1.6.1'
run: ./.tests/build-push.sh "${{ env.BW_TAG }}"
run: bash .tests/build-push.sh "${{ needs.tag.outputs.bw_tag }}"
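Review bot: the actions are SHA-pinned, but the tools installed inside the steps are not: `pip install pre-commit`, `pip install pytest`, `sudo luarocks --lua-version=5.4 install busted` and the `go mod tidy` before `go test` all resolve to whatever is latest at run time, so a failure on this matrix may not reproduce locally and an upstream tooling release can break CI with no change in this repo. Suggest pinning them to explicit versions (`pip install pytest==<pinned-version>`, `luarocks install busted <pinned-version>`) and letting Dependabot or a scheduled bump move them, the same way the actions are handled.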
9 changes: 9 additions & 0 deletions .gitignore
Expand Up @@ -4,3 +4,12 @@
env
node_modules
style.css
.idea

# Python test artifacts
__pycache__/
*.pyc
.pytest_cache/

# Go: deps are resolved at build time; go.sum is regenerated, not committed
coraza/api/go.sum
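Review bot: ignoring `coraza/api/go.sum` gives up the repository's own record of module checksums. With no go.sum committed, both the Dockerfile and the CI `go mod tidy` step re-resolve the dependency graph on every build, so the set of module versions that a given commit was tested against is not recorded anywhere in git, and a reviewer cannot diff a dependency change in a PR. The Go checksum database still verifies what the proxy serves, but reproducibility and reviewability are lost. Suggest committing go.sum (and dropping this ignore line) and replacing `go mod tidy` in CI with `go mod verify`, so the build fails if the resolved modules differ from what was reviewed.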