Generate Scan Policies from Policy Tags #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Generate Scan Policies from Policy Tags | |
| on: | |
| schedule: # The start of every Friday | |
| - cron: '0 0 * * 5' | |
| workflow_dispatch: | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| update-policies: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| path: zap-extensions | |
| fetch-depth: 0 | |
| - name: Create Policies | |
| run: | | |
| # Run the ZAP script | |
| docker run -v $(pwd):/zap/wrk/:rw --user root -t ghcr.io/zaproxy/zaproxy:nightly ./zap.sh -addoninstall ascanrulesAlpha -silent -script /zap/wrk/zap-extensions/.github/scripts/generateScanPolicies.js -cmd | |
| - name: Attach Policies | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: Policies | |
| path: 'zap-extensions/addOns/scanpolicies/src/main/zapHomeFiles/policies/*.policy' | |
| - name: Update Scan Policies | |
| run: | | |
| export BASE=$(pwd) | |
| # Setup git details | |
| export GITHUB_USER=zapbot | |
| git config --global user.email "[email protected]" | |
| git config --global user.name $GITHUB_USER | |
| BRANCH=scan-policies-updt | |
| cd zap-extensions | |
| git remote add upstream https://github.com/zaproxy/zap-extensions.git | |
| SRC_BASE="zaproxy/zap-extensions@"$(git log -1 --format=format:%h) | |
| export GITHUB_TOKEN=${{ secrets.ZAPBOT_TOKEN }} | |
| git checkout -b $BRANCH | |
| # Update the index to be sure git is aware of changes | |
| git update-index -q --refresh | |
| git add . | |
| ## If there are changes: comment, commit, PR | |
| if ! git diff-index --quiet HEAD --; then | |
| ./gradlew :addOns:scanpolicies:updateChangelog --change="- Updated based on Rules' Policy Tag assignments." | |
| git remote set-url origin https://$GITHUB_USER:[email protected]/$GITHUB_USER/zap-extensions.git | |
| git add . | |
| git commit -m "Update scan policies based on Tags" -m "Updates based on $SRC_BASE" --signoff | |
| git push --set-upstream origin $BRANCH --force | |
| gh pr create -R zaproxy/zap-extensions --fill | |
| fi |