Merge pull request #232 from cerberauth/fix-broken-authentication-fal… #132
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scans | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| GO_VERSION: "1.23" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| packages: read | |
| jobs: | |
| run-jwt-scans: | |
| name: JWT Scans | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| challenge: | |
| [ | |
| "jwt-alg-none-bypass", | |
| "jwt-blank-secret", | |
| "jwt-not-verified", | |
| "jwt-null-signature", | |
| "jwt-weak-hmac-secret", | |
| ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest | |
| - name: Get JWT | |
| id: get-jwt | |
| run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> $GITHUB_OUTPUT | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}" --sqa-opt-out | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest) | |
| run-header-strong-api-key-scan: | |
| name: Strong API Key Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/strong-api-key:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| run: | | |
| go run main.go scan curl http://localhost:8080 -H "X-API-Key: abcdef1234" --sqa-opt-out | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/strong-api-key:latest) | |
| run-header-api-key-scan: | |
| name: API Key in header Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan curl http://localhost:8080 -H "X-API-Key: abcdef1234" --sqa-opt-out | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest) | |
| run-bearer-api-key-scan: | |
| name: Bearer API Key Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer abcdef1234" --sqa-opt-out | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest) | |
| run-http-misconfigurations-scans: | |
| name: HTTP Misconfigurations Scans | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - challenge: "misconfiguration.http_headers" | |
| url: "http://localhost:8080" | |
| - challenge: "misconfiguration.http_headers" | |
| url: "http://localhost:8080/headers/cors-wildcard" | |
| - challenge: "misconfiguration.http_headers" | |
| url: "http://localhost:8080/headers/csp-frame-ancestors" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/unsecure" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/not-httponly" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/samesite-none" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/no-expiration" | |
| - challenge: "misconfiguration.http_method_override" | |
| url: "http://localhost:8080/cookies/http-method-override" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan curl ${{ matrix.url }} --scans "${{ matrix.challenge }}" --sqa-opt-out | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest) | |
| run-graphql-scans: | |
| name: GraphQL Scans | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - challenge: "graphql.introspection_enabled" | |
| url: "http://localhost:4000/graphql" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 4000:4000 ghcr.io/cerberauth/api-vulns-challenges/apollo:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan graphql ${{ matrix.url }} --scans "${{ matrix.challenge }}" --sqa-opt-out | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/apollo:latest) | |
| run-openapi-scans: | |
| name: OpenAPI Scans | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| openapi: | |
| [ | |
| "simple_api_key.openapi.json", | |
| "simple_http_bearer_jwt.openapi.json", | |
| "simple_http_bearer.openapi.json", | |
| "complex.openapi.json", | |
| ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan openapi ./test/stub/${{ matrix.openapi }} --sqa-opt-out | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest) |