
Tomcat Webapp Boilerplate

Proof of concept for a Tomcat webapp boilerplate with automated testing and security checks.

Many features are ported from https://github.com/gipo999/smispi; refer to that repository for additional notes and documentation. Other features from that repo, such as pitest (mutation testing), can be added to this one.

Features

  • gradle tasks,
  • docker standalone image with tomcat,
  • docker-compose for development,
  • pre-commit, post-commit and pre-push git hooks to protect against secret exposure and other issues,
  • github actions (health, security, static code analysis and Dynamic Application Security Testing (DAST), release, publish),
  • code coverage with codecov,
  • semantic-release: more info on Release

Basics

Development

  • Live environment with a tomcat docker image
  • Auto-restart on code change with npm run dev utilizing docker-compose and nodemon
  • Linting with npm run lint (runs buildWar)
  • Fixing linting issues with npm run fix (runs spotless and rewrite)

Git Hooks

  • pre-commit
  • post-commit
  • pre-push
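The secret-exposure check the hooks are meant to provide, as an added example. This is illustrative code, not the hook scripts shipped in this repo: it scans the staged content of each file for a few well-known credential patterns and returns the exit code a pre-commit hook would use. The patterns, the allowlist marker and the sample staged files are all constructed for the example.

```javascript
// Added example (not the project's hook scripts): a minimal pre-commit secret
// scanner. It reads staged file contents, matches a few well-known credential
// patterns and reports file and line so the commit can be blocked.
// The patterns and the sample files below are constructed for illustration.

const SECRET_PATTERNS = [
  { id: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { id: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
  // Generic assignment of a password/secret/token to a literal that is not an
  // env-var reference ("${X}", "$(x)") or a "<placeholder>".
  { id: "hardcoded-credential", re: /\b(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["']?(?!\$\{|\$\(|<|\s*$)[^\s"']{8,}/i },
];

// Lines a developer has explicitly marked as a false positive are skipped.
const ALLOW_MARKER = "pragma: allowlist secret";

// Scan one file's text. Returns one finding per matching line.
function scanText(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    if (line.includes(ALLOW_MARKER)) return;
    for (const { id, re } of SECRET_PATTERNS) {
      if (re.test(line)) {
        findings.push({ path, line: idx + 1, rule: id });
        break; // one finding per line is enough to block the commit
      }
    }
  });
  return findings;
}

// Hook entry point: `staged` maps path -> content of the staged blob (in a
// real hook obtained from `git diff --cached --name-only` and `git show :<path>`).
// Returns the exit code the hook should use: 0 = allow commit, 1 = block it.
function preCommit(staged) {
  const all = Object.entries(staged).flatMap(([p, t]) => scanText(p, t));
  for (const f of all) console.error(`${f.path}:${f.line}: possible secret (${f.rule})`);
  return all.length === 0 ? 0 : 1;
}

// Constructed sample staged files (no real credentials; the AWS key is the
// documented example key and the PEM body is a truncated placeholder).
const SAMPLE_STAGED = {
  "src/main/resources/app.properties": [
    "db.url=jdbc:postgresql://db:5432/app",
    "db.password=${DB_PASSWORD}",
    "smtp.password=hunter2hunter2",
    "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE",
    "test.token=0123456789abcdef # pragma: allowlist secret",
  ].join("\n"),
  "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIB(truncated)\n",
  "README.md": "Set DOCKERHUB_TOKEN in the repository secrets.",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(`pre-commit would exit with code ${preCommit(SAMPLE_STAGED)}`);
}
```

The env-var reference on line 2 of the properties file and the allowlisted line 5 are not reported; the literal SMTP password, the AWS key id and the PEM header are, so the hook returns 1 and the commit is refused.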

Github Actions

The project must build and pass all checks with gradlew buildWar.

The workflow then verifies that the WAR is runnable by sending a health-check HTTP request to the running container.

Vulnerability assessment actions:

Reports from tools that cannot produce a SARIF file are published to GitHub Pages or surfaced in issues through custom actions.

note: issues, PR comments and GitHub Pages are themselves treated as an exposure risk, since the reports they carry describe the application's weaknesses and are readable by anyone who can see the repository.

Please check gh pages

Read more at Sarif Reports

Release

  • Automatic release with semantic-release and commitizen

Uses commitizen for commit messages and automatically creates GitHub tags and releases, attaching the WAR, javadoc and source code as they were at that point in time.

Please check releases

  • automatic image publishing to dockerhub and github packages

Requires commits to follow the commitizen format (lowercase type, as in conventional commits):

  • fix: bump patch version
  • feat: bump minor version
  • BREAKING CHANGE: bump major version
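The release rule above written out as an added example. This is illustrative code, not semantic-release's commit analyzer or the repo's configuration: it parses the "type(scope)!: subject" header and the "BREAKING CHANGE:" footer of each commit since the last tag, takes the highest release type and computes the next tag. The commit log is constructed.

```javascript
// Added example (not semantic-release's own implementation): decide which part
// of the version to bump from the commit messages since the last tag. Parsing
// follows the commitizen / conventional-commits header "type(scope)!: subject"
// plus an optional "BREAKING CHANGE:" footer. Types are matched lowercase, as
// the convention writes them. The commit messages below are constructed.

const HEADER_RE = /^(\w+)(?:\([^)]*\))?(!)?:\s/;

// Classify one commit message as "major", "minor", "patch" or null (no release).
function releaseType(message) {
  const header = message.split(/\r?\n/)[0];
  const m = HEADER_RE.exec(header);
  if (!m) return null;                                   // not a conventional commit
  const type = m[1];
  const bang = m[2] === "!";
  if (bang || /^BREAKING[ -]CHANGE:/m.test(message)) return "major";
  if (type === "feat") return "minor";
  if (type === "fix") return "patch";
  return null;                                           // docs, chore, ci, ... release nothing
}

const RANK = { major: 3, minor: 2, patch: 1 };

// Highest release type across all commits, or null if nothing is releasable.
function highestRelease(messages) {
  return messages.reduce((best, msg) => {
    const t = releaseType(msg);
    return t && (!best || RANK[t] > RANK[best]) ? t : best;
  }, null);
}

// Apply the bump to a "vX.Y.Z" or "X.Y.Z" tag; returns null when no release is due.
function nextVersion(current, messages) {
  const bump = highestRelease(messages);
  if (!bump) return null;
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(current);
  if (!m) throw new Error(`not a semver tag: ${current}`);
  let [major, minor, patch] = m.slice(1).map(Number);
  if (bump === "major") { major += 1; minor = 0; patch = 0; }
  else if (bump === "minor") { minor += 1; patch = 0; }
  else { patch += 1; }
  return `v${major}.${minor}.${patch}`;
}

// Constructed commit log since the last tag.
const SAMPLE_COMMITS = [
  "docs: describe the DAST workflow",
  "fix(build): pin tomcat image tag",
  "feat(api): add /health endpoint\n\nReturns 200 once the webapp is ready.",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(nextVersion("v1.4.2", SAMPLE_COMMITS)); // v1.5.0
}
```

A "feat" commit outranks the "fix" in the same log, so v1.4.2 becomes v1.5.0; a "!" after the type or a "BREAKING CHANGE:" footer on any commit forces a major bump, and a log of only docs/chore commits releases nothing.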

Static code analyzers

  • semgrep
  • sonarqube
  • codeql
  • dependency review
  • dependabot security alerts
  • snyk open source
  • snyk container
  • snyk code

Dynamic Application Security Testing (DAST)

  • OWASP ZAP (Zed Attack Proxy)
  • nmap
  • load tester with wrk
  • wapiti
  • others can be added with custom actions or by extending the nmap CLI tool created for this repo

Please check Alternative/Additions

Sarif Reports

SARIF reports can be uploaded to GitHub with the upload-sarif action.

SARIF is a standard output format for static analysis tools; uploaded reports appear in the GitHub Security tab, which gives a single overview of the findings and shows which tool generated each one.

Custom actions are required to handle buggy or missing SARIF reports (zap, nmap, wapiti, snyk container).

Please check the attack action for more info
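What such a custom action has to do, as an added example (illustrative code, not the repo's own actions): build a minimal SARIF 2.1.0 document from a tool that only emits its own finding format, and normalise a report that is missing top-level fields or a results array so downstream code can treat every run uniformly. The findings and the broken report are constructed; the field names follow the SARIF 2.1.0 schema.

```javascript
// Added example (not the repo's custom actions): produce a minimal SARIF 2.1.0
// report from a tool that does not emit one, and repair a report that is
// missing fields. The finding list and the broken report below are constructed.

const SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json";

// Map a tool's own severity to the SARIF result level.
function toLevel(severity) {
  switch (String(severity).toLowerCase()) {
    case "high": case "critical": return "error";
    case "medium": return "warning";
    default: return "note";
  }
}

// findings: [{ ruleId, title, severity, uri, line? }] -> SARIF document object.
// Each distinct ruleId becomes one rule in the driver so the Security tab can
// group results by rule; the line is optional (e.g. a finding against a file).
function toSarif(toolName, findings) {
  const rules = new Map();
  const results = findings.map((f) => {
    if (!rules.has(f.ruleId)) {
      rules.set(f.ruleId, { id: f.ruleId, shortDescription: { text: f.title } });
    }
    return {
      ruleId: f.ruleId,
      level: toLevel(f.severity),
      message: { text: f.title },
      locations: [{
        physicalLocation: {
          artifactLocation: { uri: f.uri },
          ...(f.line ? { region: { startLine: f.line } } : {}),
        },
      }],
    };
  });
  return {
    $schema: SARIF_SCHEMA,
    version: "2.1.0",
    runs: [{ tool: { driver: { name: toolName, rules: [...rules.values()] } }, results }],
  };
}

// Normalise a report another tool produced: add $schema/version if absent,
// guarantee at least one run, and give every run a driver name and a results
// array. A well-formed report passes through with its content unchanged.
function repairSarif(doc, fallbackTool) {
  const out = { $schema: SARIF_SCHEMA, version: "2.1.0", ...doc };
  if (!Array.isArray(out.runs) || out.runs.length === 0) {
    out.runs = [{ tool: { driver: { name: fallbackTool } }, results: [] }];
  }
  out.runs = out.runs.map((run) => ({
    ...run,
    tool: { driver: { name: fallbackTool, ...(run.tool && run.tool.driver) } },
    results: Array.isArray(run.results) ? run.results : [],
  }));
  return out;
}

// Constructed nmap-style findings against the container's compose/Docker files.
const SAMPLE_FINDINGS = [
  { ruleId: "open-port-8080", title: "8080/tcp open http", severity: "medium", uri: "docker-compose.yml", line: 12 },
  { ruleId: "open-port-8009", title: "8009/tcp open ajp13", severity: "high", uri: "docker-compose.yml", line: 13 },
  { ruleId: "open-port-8080", title: "8080/tcp open http", severity: "low", uri: "Dockerfile" },
];

// Constructed "bugged" report: no $schema and a run without a results array.
const BROKEN_REPORT = { version: "2.1.0", runs: [{ tool: { driver: { name: "zap" } } }] };

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(toSarif("nmap", SAMPLE_FINDINGS), null, 2));
  console.log(JSON.stringify(repairSarif(BROKEN_REPORT, "zap"), null, 2));
}
```

The generated document carries one run with two rules and three results; the repaired one keeps the original driver name and gains an empty results array, while an empty object passed to repairSarif yields a single placeholder run named after the fallback tool.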

Auto upload images

After a successful release, the Docker image is uploaded to Docker Hub and GitHub Packages with the tags latest, vX.Y.Z and the commit sha. latest is a moving tag, so deployments should pin vX.Y.Z or the image digest.

Env vars needed in github secrets

  • SEMGREP_APP_TOKEN
  • DOCKERHUB_TOKEN
  • DOCKERHUB_USERNAME
  • SNYK_TOKEN
  • PAT
  • CODECOV_TOKEN

Additional Tools and references

References

https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools

Alternatives/Additions

Considered Strongest, but paid

Others

https://owasp.org/www-community/api_security_tools

https://nordicapis.com/api-vulnerability-scanners/

https://github.com/arainho/awesome-api-security

https://github.com/sbilly/awesome-security

https://github.com/okhosting/awesome-cyber-security

Free

https://github.com/topics/vulnerability-assessment

Other static analysis tools

https://github.com/eclipse/steady

Find out more

Check more notes and TODOs in the GitHub project board and issues.

You can take a look at other branches (.bak, etc) for older versions or different approaches.

Every file has comments with implementation details

Github actions interesting links

Artifacts

https://github.com/actions/upload-artifact

Expressions

https://docs.github.com/en/actions/learn-github-actions/expressions

Summaries

https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/