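# GitHub Actions workflow: build zot, start it locally, and run an OWASP ZAP
# scan against its OCI distribution endpoint (/v2/) on every push / PR to main
# and on published releases. One job per build flavor (minimal vs full).
name: 'Security web scan for zot'
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published
# Least privilege for the default GITHUB_TOKEN: the job only needs to read the
# repository. Issue writing by the ZAP action is disabled below, so no
# `issues: write` grant is required.
permissions:
  contents: read
jobs:
  zap_scan:
    runs-on: ubuntu-latest-4-cores
    name: Scan ZOT using ZAP
    strategy:
      matrix:
        flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
    steps:
      # NOTE(review): the action references below (@v5, @v4, @v0.7.0) and the
      # `stable` image tag are mutable; for a stronger supply-chain posture,
      # pin each action to a full commit SHA and the image to a digest.
      - name: Install go
        uses: actions/setup-go@v5
        with:
          cache: false
          # Quoted so the version is always read as a string.
          go-version: '1.20.x'
      - name: Checkout
        uses: actions/checkout@v4
      - name: Build zot
        run: |
          echo "Building $FLAVOR"
          cd "$GITHUB_WORKSPACE"
          if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
            make binary-minimal
          else
            make binary
          fi
          ls -l bin/
        env:
          FLAVOR: ${{ matrix.flavor }}
      - name: Bringup zot server
        run: |
          # upload images, zot can serve OCI image layouts directly like so
          mkdir -p /tmp/zot
          skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
          # start zot in the background; the binary name comes from the FLAVOR
          # env var rather than an inline ${{ }} expression so the shell script
          # never contains expression-expanded text.
          if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
            ./bin/"$FLAVOR" serve examples/config-conformance.json &
          else
            ./bin/"$FLAVOR" serve examples/config-ui.json &
          fi
          # wait until service is up, but give up after a bounded number of
          # attempts so a zot that never starts fails the job instead of
          # hanging the runner until the workflow timeout.
          max_attempts=60
          attempt=1
          until curl -sf http://localhost:8080/v2/ > /dev/null; do
            if [ "$attempt" -ge "$max_attempts" ]; then
              echo "zot did not become ready after ${max_attempts}s" >&2
              exit 1
            fi
            attempt=$((attempt + 1))
            sleep 1
          done
        env:
          FLAVOR: ${{ matrix.flavor }}
      - name: ZAP Scan Rest API
        uses: zaproxy/[email protected]
        with:
          # The token is only used by the action for issue management, which
          # is disabled via allow_issue_writing below.
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://localhost:8080/v2/'
          rules_file_name: '.zap/rules.tsv'
          # -a: include alpha passive rules; -j: use the AJAX spider as well.
          cmd_options: '-a -j'
          allow_issue_writing: false
          # Fail the workflow when ZAP reports findings not ignored in rules.tsv.
          fail_action: true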