-
Notifications
You must be signed in to change notification settings - Fork 0
60 lines (52 loc) · 2.22 KB
/
dev-security-check.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: ZAP Check - Dev
on:
schedule:
# Runs daily at 4am, Monday through Friday
- cron: "0 4 * * 1-5"
jobs:
security-checks-dev:
name: Run security checks against dev
runs-on: ubuntu-22.04
environment: development
# Permissions for OIDC authentication
permissions:
id-token: write
contents: write
issues: write
steps:
- name: Check out repository
uses: actions/checkout@v4
# Login to Azure using OIDC
- name: Login to Azure CLI
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Change app setting for security scan and restart
- name: Change the IsPublic flag
run: |
az webapp config appsettings set --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }} --settings ServiceAccess__IsPublic=true
az webapp restart --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }}
# Run full ZAP scan
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: https://${{ vars.WEBAPP_NAME }}.azurewebsites.net
allow_issue_writing: false
artifact_name: full_scan_dev
# Login to Azure (again) using OIDC
# ...the ZAP scan takes long enough that it is likely the Azure CLI login has expired by now
- name: Login to Azure CLI
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# Reset app setting following security scan and restart
- name: Reset the IsPublic flag
run: |
az webapp config appsettings set --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }} --settings ServiceAccess__IsPublic=false
az webapp restart --resource-group ${{ vars.RESOURCE_NAME_PREFIX }}-rg --name ${{ vars.WEBAPP_NAME }}