zap-publish-image-rdb.yml
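# CI workflow for the RDB (ooicgsn-roundabout) Django application.
#
# On every push to a release-* or automated_tests branch it runs an OWASP
# Dependency-Check and an OWASP ZAP baseline scan against the compose test
# deployment, then (release branches only) builds the production image and
# pushes it to GitHub Container Registry tagged with the version taken from
# the branch name.
name: Create and publish a package

on:
  push:
    branches:
      - 'release-**'
      - 'automated_tests'

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository. The publish job raises `packages` to write for the ghcr.io push.
permissions:
  contents: read

env:
  # NOTE(review): not referenced by any step below; IMAGE_ID is derived from
  # github.repository instead. Kept so nothing that reads it breaks.
  IMAGE_NAME: ooicgsn-roundabout

jobs:
  # OWASP Dependency Check & ZAP Scan
  depchecktest:
    runs-on: ubuntu-latest
    name: OWASP
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build RDB project
        # Placeholder: there is no dedicated build step yet -- the compose
        # build happens inside the ZAP step below. The comment line keeps the
        # script non-empty so the step is a well-formed no-op.
        run: |
          # no-op

      - name: OWASP Dependency Check
        # TODO(security): "@main" is a mutable ref. Pin to a tagged release or a
        # full commit SHA so a change to the upstream branch cannot silently
        # change what runs with this repository's token.
        uses: dependency-check/Dependency-Check_Action@main
        id: Depcheck
        with:
          project: 'ooicgsn-roundabout'
          path: '.'
          format: 'HTML'
          # Fail the job on any dependency scoring CVSS >= 7. The publish job
          # declares `needs: depchecktest`, so a failing check also blocks the
          # image push instead of running alongside it.
          args: >
            --failOnCVSS 7
            --enableRetired
            --enableExperimental

      - name: Upload Test results
        # Publish the report even when the CVSS gate fails -- that is exactly
        # when someone needs to read it.
        if: always()
        # Pinned to v4 (was @master, a mutable branch) to match the other
        # upload-artifact step in this file.
        uses: actions/upload-artifact@v4
        with:
          name: Dependency Check Report
          path: ${{ github.workspace }}/reports

      - name: OWASP ZAP Scan
        # Baseline scan: spiders the running test deployment and reports
        # passive findings. "-I" makes warnings non-fatal, so this step is
        # informational only; the result is rdb-zap-baseline-scan.html.
        # uses: zaproxy/[email protected]
        run: |
          # Build and run RDB from the example environment file.
          # NOTE(review): docker-compose (v1) is not shipped on current
          # ubuntu-latest images; if this fails with "command not found",
          # switch to `docker compose` (v2).
          mv .envs.example .envs
          docker-compose -f docker-compose-testing.yml build
          docker-compose -f docker-compose-testing.yml up --detach
          # Wait for the app to answer, but give up after ~10 minutes instead
          # of looping forever (an unbounded `until` only ends at the 6h job
          # limit, with no log output explaining why).
          for attempt in $(seq 1 60); do
            curl -Is http://localhost:8000 >/dev/null && break
            echo "waiting for http://localhost:8000 (attempt $attempt/60)"
            sleep 10
          done
          curl -Is http://localhost:8000 >/dev/null || {
            echo "::error::RDB did not become reachable on :8000"
            docker-compose -f docker-compose-testing.yml logs
            exit 1
          }
          # Pull the OWASP ZAP Docker Image.
          # TODO(security): pin by digest (zaproxy/zap-stable@sha256:...) so
          # the scanner version is reproducible rather than "whatever is
          # latest today".
          docker pull zaproxy/zap-stable
          # Run OWASP ZAP Scan
          pwd
          cp .github/zap/rdb.context .
          ls
          # Needed for ZAP: the container writes the report (-r) into the
          # workspace mounted at /zap/wrk, so it must be world-writable.
          chmod a+rw "$(pwd)"
          docker run --network roundabout-network \
            -v "/$(pwd):/zap/wrk/:rw" \
            -t zaproxy/zap-stable zap-baseline.py -j \
            -t http://django:8000 \
            -I \
            -d \
            -r rdb-zap-baseline-scan.html \
            -n rdb.context \
            -U admin
          # Alternatives tried:
          #   zap-baseline.py -j        -> no high alerts
          #   zap-full-scan.py          -> runs 6+ hrs and times out, includes high alerts
          #   zap-weekly zap-full-scan  -> runs 6+ hrs and times out

      - name: Archive production artifacts
        uses: actions/upload-artifact@v4
        with:
          name: Zap Report
          path: |
            ./rdb-zap-baseline-scan.html

      - name: Stopping RDB application
        # Tear down the compose stack even when an earlier step failed.
        if: always()
        run: docker-compose --file docker-compose-testing.yml down

  # RDB Automated Testing and Tagging
  setup-build-publish:
    name: RDB Setup, Build, and Publish
    runs-on: ubuntu-latest
    # Do not build or publish an image whose dependencies failed the CVSS
    # gate above; without this the two jobs ran independently and the push
    # happened regardless of the scan result.
    needs: depchecktest
    permissions:
      contents: read
      packages: write  # needed to push to ghcr.io with GITHUB_TOKEN
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Running Automated tests
        run: |
          # Build and run development version of Django
          # NOTE(review): see the docker-compose v1/v2 note in the OWASP job.
          mv .envs.example .envs
          docker-compose -f docker-compose-testing.yml build
          docker-compose -f docker-compose-testing.yml up --detach
          # Bounded readiness wait (same logic as the OWASP job).
          for attempt in $(seq 1 60); do
            curl -Is http://localhost:8000 >/dev/null && break
            echo "waiting for http://localhost:8000 (attempt $attempt/60)"
            sleep 10
          done
          curl -Is http://localhost:8000 >/dev/null || {
            echo "::error::RDB did not become reachable on :8000"
            docker-compose -f docker-compose-testing.yml logs
            exit 1
          }
          # Run automated tests
          docker-compose -f docker-compose-testing.yml run tests ./RunAllTests-Chrome-Linux.bat

      - name: Build, Tag & Push Production Image
        # Only release-* branches publish; automated_tests just runs the tests.
        # startsWith on the full ref is equivalent to the old contains() check
        # for every branch this workflow triggers on, but cannot match a ref
        # that merely has "release" somewhere in its name.
        if: startsWith(github.ref, 'refs/heads/release-')
        env:
          # Hand the token to the script through the environment instead of
          # interpolating ${{ }} into the shell text. The GITHUB_ACTOR,
          # GITHUB_REPOSITORY and GITHUB_REF defaults are used the same way
          # below: values expanded by ${{ }} become part of the script before
          # bash parses it, which is the classic Actions shell-injection path
          # (a branch name may legally contain $, backticks, ; and |).
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
          # ghcr.io requires a lowercase repository path.
          IMAGE_ID=$(echo "ghcr.io/$GITHUB_REPOSITORY" | tr '[:upper:]' '[:lower:]')
          # Last path component of the ref (refs/heads/release-1.2 -> release-1.2),
          # then everything after the last "-" becomes the image tag.
          BRANCH=$(echo "$GITHUB_REF" | sed -e 's,.*/\(.*\),\1,')
          VERSION=$(echo "$BRANCH" | sed -e 's/.*-//')
          echo "IMAGE_ID: $IMAGE_ID"
          echo "VERSION: $VERSION"
          # Build Production Django Container
          docker build -f compose/production/django/Dockerfile -t "$IMAGE_ID" .
          docker image ls
          docker tag "$IMAGE_ID" "$IMAGE_ID:$VERSION"
          docker push "$IMAGE_ID:$VERSION"

      - name: Stopping RDB application
        # Tear down the compose stack even when tests or the push failed.
        if: always()
        run: docker-compose --file docker-compose-testing.yml down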