Skip to content

ZAP Check - Dev

ZAP Check - Dev #135

name: ZAP Check - Dev
on:
schedule:
# Runs daily at 4am, Monday through Friday
- cron: "0 4 * * 1-5"
jobs:
security-checks-dev:
name: Run security checks against dev
runs-on: ubuntu-22.04
environment: development
# Permissions for OIDC authentication
permissions:
id-token: write
contents: write
issues: write
steps:
- name: Check out repository
uses: actions/checkout@v4
# Login to Azure using OIDC
- name: Login to Azure CLI
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Change app setting for security scan and restart
- name: Change the IsPublic flag
run: |
az webapp config appsettings set --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }} --settings ServiceAccess__IsPublic=true
az webapp restart --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }}
# Run full ZAP scan
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: https://${{ vars.WEBAPP_NAME }}.azurewebsites.net
allow_issue_writing: false
artifact_name: full_scan_dev
# Login to Azure (again) using OIDC
# ...the ZAP scan takes long enough that it is likely the Azure CLI login has expired by now
- name: Login to Azure CLI
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Reset app setting following security scan and restart
- name: Reset the IsPublic flag
run: |
az webapp config appsettings set --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }} --settings ServiceAccess__IsPublic=false
az webapp restart --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }}