Security scanner tests #577

Workflow file for this run

.github/workflows/security-tests.yml at 7525760

	name: Security scanner tests

	on:
	workflow_dispatch:
	workflow_run:
	workflows: ["Deploy to environment"]
	types:
	- completed

	env:
	ZAP_ADDRESS: localhost
	ZAP_PORT: 9876

	jobs:
	run-tests-with-zap:
	name: Run Cypress tests with OWASP ZAP
	environment: Dev
	runs-on: ubuntu-latest
	defaults:
	run:
	working-directory: Dfe.PrepareConversions/Dfe.PrepareConversions.CypressTests
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Create directory on runner
	run: \|
	mkdir -m 777 ${{ github.workspace }}/zapoutput

	- name: Get latest ZAP container version
	run: \|
	ZAP_VERSION="$(wget -q -O - "https://hub.docker.com/v2/repositories/softwaresecurityproject/zap-stable/tags?page_size=2" \| grep -o '"name": "[^"]' \| grep -o '[^"]*$' \| tail -n 1)"
	echo "ZAP_VERSION=${ZAP_VERSION}">> $GITHUB_ENV

	- name: Restore ZAP container from cache if exists
	id: cache-docker-zap
	uses: actions/cache@v4
	with:
	path: ~/ci/cache/docker/softwaresecurityproject
	key: cache-docker-zap-${{ env.ZAP_VERSION }}

	- name: Use cached image if hit
	if: steps.cache-docker-zap.outputs.cache-hit == 'true'
	run: docker image load --input ~/ci/cache/docker/softwaresecurityproject/zap-stable-${{ env.ZAP_VERSION }}.tar

	- name: Pull image if no cache hit
	if: steps.cache-docker-zap.outputs.cache-hit != 'true'
	run: docker pull softwaresecurityproject/zap-stable:latest && mkdir -p ~/ci/cache/docker/softwaresecurityproject && docker image save softwaresecurityproject/zap-stable:latest --output ~/ci/cache/docker/softwaresecurityproject/zap-stable-${{ env.ZAP_VERSION }}.tar

	- name: Start ZAP container
	run: docker run --name zap_container --rm -d -v ${{ github.workspace }}/zapoutput/:/zap/wrk:rw -u zap -p ${{ env.ZAP_PORT }}:${{ env.ZAP_PORT }} -i softwaresecurityproject/zap-stable zap.sh -daemon -port ${{ env.ZAP_PORT }} -host 0.0.0.0 -config api.key=${{ secrets.ZAP_API_KEY }} -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config network.localServers.mainProxy.alpn.enabled=false -config network.localServers.mainProxy.address=0.0.0.0

	- name: Set up NodeJS
	uses: actions/setup-node@v4
	with:
	node-version: 18

	- name: Install dependencies
	run: npm ci

	- name: Run tests with scanner
	env:
	API_KEY: ${{ secrets.CYPRESS_TEST_SECRET }}
	db: ${{ secrets.DB_CONNECTION_STRING }}
	HTTP_PROXY: http://${{ env.ZAP_ADDRESS }}:${{ env.ZAP_PORT }}
	NO_PROXY: "google-analytics.com,googletagmanager.com,microsoftonline.com,gvt1.com"
	URL: ${{ secrets.AZURE_ENDPOINT }}
	ZAP: true
	ZAP_API_KEY: ${{ secrets.ZAP_API_KEY }}
	ZAP_ADDRESS: ${{ env.ZAP_ADDRESS }}
	ZAP_PORT: ${{ env.ZAP_PORT }}
	run: npm run cy:run -- --env url=$URL,cypressTestSecret=$API_KEY

	- name: Get git sha
	if: '!cancelled()'
	run: \|
	CHECKED_OUT_SHA="$(git log -1 '--format=format:%H')"
	echo "checked_out_sha=${CHECKED_OUT_SHA}" >> $GITHUB_ENV

	- name: Azure login with SPN
	if: '!cancelled()'
	uses: azure/login@v2
	with:
	creds: ${{ secrets.OWASP_AZ_CREDENTIALS }}

	- name: Push report to blob storage
	if: '!cancelled()'
	uses: azure/CLI@v2
	id: azure
	with:
	azcliversion: 2.49.0
	inlineScript: \|
	az storage blob upload \
	--container-name ${{ secrets.OWASP_STORAGE_CONTAINER_NAME }} \
	--account-name ${{ secrets.OWASP_STORAGE_ACCOUNT_NAME }} \
	--file "${{ github.workspace }}/zapoutput/ZAP-Report.html" \
	--name "Dfe.PrepareConversions/${{ env.checked_out_sha }}/ZAP-Report.html" \
	--auth-mode login \
	--overwrite

	- name: Stop ZAP container
	if: always()
	run: docker stop zap_container

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security scanner tests #577

Workflow file

Security scanner tests #577

Jobs

Run details

Workflow file for this run