From 6c58942b2e0aec419539b98050af8d4a42ba3f0f Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 12:17:52 +0300 Subject: [PATCH 01/15] add DAST --- .github/workflows/dast.yml | 49 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/dast.yml diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml new file mode 100644 index 000000000..c042e2734 --- /dev/null +++ b/.github/workflows/dast.yml @@ -0,0 +1,49 @@ +name: "DAST Scan with OWASP ZAP [Push & PR]" + +on: + push: + branches: + - main + pull_request: + branches: + - main + + +jobs: + zap_scan: + runs-on: ubuntu-latest + + services: + webapp: + image: ghcr.io/codbex/codbex-kronos:latest + ports: + - 80:80 + options: >- + --health-cmd "curl -f http://localhost:80/actuator/health || exit 1" + --health-interval 10s + --health-timeout 5s + --health-retries 10 + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Wait for Spring Boot App to Start + run: | + echo "Waiting for the Spring Boot app to be ready..." + sleep 30 # Adjust based on startup time + + - name: Run OWASP ZAP Full Scan + uses: zaproxy/action-full-scan@v0.12.0 + with: + target: 'http://localhost:80' + cmd_options: '-a -T 5 -j -r' # https://www.zaproxy.org/docs/docker/full-scan/ + artifact_name: zap-report + docker_name: 'owasp/zap2docker-stable' + allow_issue_writing: + + - name: Upload ZAP Report as artifact + uses: actions/upload-artifact@v4 + with: + name: zap-report + path: zap-report.html From eac96c414b2b85d9378be19d93a47c74757f0c7c Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 12:20:29 +0300 Subject: [PATCH 02/15] refactoring --- .github/workflows/dast.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index c042e2734..9e9c7abf5 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml 
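Review bot: The scan target is the published `ghcr.io/codbex/codbex-kronos:latest` image pulled as a service container, while the `actions/checkout@v4` step's output is never used afterwards, so a `push` or `pull_request` run reports findings for whatever is currently tagged `latest` rather than for the commit being tested, and the mutable tag makes two runs of the same workflow non-reproducible. Either pin the image by digest and record that in a comment, or build the image from the checkout before the scan; if the checkout is not needed, drop the step. The workflow also has no `permissions:` block, so the GITHUB_TOKEN gets the repository default; `permissions:` with `contents: read` (and `issues: write` only while issue writing is enabled) keeps it at least privilege — this applies equally to the `allow_issue_writing: true` hunk in PATCH 02/15. For the same supply-chain reason, `zaproxy/action-full-scan@v0.12.0` and `actions/upload-artifact@v4` would be better pinned to full commit SHAs with the version kept as a trailing comment.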
@@ -10,7 +10,7 @@ on: jobs: - zap_scan: + dast_zap_scan: runs-on: ubuntu-latest services: @@ -38,12 +38,12 @@ jobs: with: target: 'http://localhost:80' cmd_options: '-a -T 5 -j -r' # https://www.zaproxy.org/docs/docker/full-scan/ - artifact_name: zap-report + artifact_name: dast_zap_report docker_name: 'owasp/zap2docker-stable' - allow_issue_writing: + allow_issue_writing: true - name: Upload ZAP Report as artifact uses: actions/upload-artifact@v4 with: - name: zap-report - path: zap-report.html + name: dast_zap_report + path: dast_zap_report.html From b6a772e439bc1babf36fa9610c8b34c319012072 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 12:40:29 +0300 Subject: [PATCH 03/15] refactoring --- .github/workflows/dast.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 9e9c7abf5..d56a096f4 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -19,9 +19,9 @@ jobs: ports: - 80:80 options: >- - --health-cmd "curl -f http://localhost:80/actuator/health || exit 1" + --health-cmd "curl -f http://localhost:80/actuator/health/readiness || exit 1" --health-interval 10s - --health-timeout 5s + --health-timeout 60s --health-retries 10 steps: From 37aaa08f6f59c11456a53ab986e5fb67e8233ed2 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 12:50:37 +0300 Subject: [PATCH 04/15] refactoring --- .github/workflows/dast.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index d56a096f4..6ab59897d 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml 
@@ -14,23 +14,23 @@ jobs: runs-on: ubuntu-latest services: - webapp: + application: image: ghcr.io/codbex/codbex-kronos:latest ports: - 80:80 options: >- --health-cmd "curl -f http://localhost:80/actuator/health/readiness || exit 1" --health-interval 10s - --health-timeout 60s + --health-timeout 120s --health-retries 10 steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Wait for Spring Boot App to Start + - name: Wait for App to Start run: | - echo "Waiting for the Spring Boot app to be ready..." + echo "Waiting for the app to be ready..." sleep 30 # Adjust based on startup time - name: Run OWASP ZAP Full Scan From a43762c4b8e3ec767631459d871af06a4bc1e036 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 12:56:09 +0300 Subject: [PATCH 05/15] refactoring --- .github/workflows/dast.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 6ab59897d..026960627 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -21,8 +21,8 @@ jobs: options: >- --health-cmd "curl -f http://localhost:80/actuator/health/readiness || exit 1" --health-interval 10s - --health-timeout 120s - --health-retries 10 + --health-timeout 60s + --health-retries 30 steps: - name: Checkout repository From b87f56112402b1acde5a10be7c29d729f6aa6582 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:02:06 +0300 Subject: [PATCH 06/15] refactoring --- .github/workflows/dast.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 026960627..368a83697 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml 
@@ -20,8 +20,9 @@ jobs: - 80:80 options: >- --health-cmd "curl -f http://localhost:80/actuator/health/readiness || exit 1" - --health-interval 10s - --health-timeout 60s + --health-start-period 90s + --health-interval 5s + --health-timeout 10s --health-retries 30 steps: @@ -47,3 +48,7 @@ jobs: with: name: dast_zap_report path: dast_zap_report.html + + - name: Debug container logs + if: failure() + run: docker logs $(docker ps -qf "ancestor=ghcr.io/codbex/codbex-kronos:latest") From 47d7e397017efa366e99f68c57b78524e96d1a9d Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:04:41 +0300 Subject: [PATCH 07/15] change host in curl --- .github/workflows/dast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 368a83697..ebb96add3 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -19,7 +19,7 @@ jobs: ports: - 80:80 options: >- - --health-cmd "curl -f http://localhost:80/actuator/health/readiness || exit 1" + --health-cmd "curl -f http://application:80/actuator/health/readiness || exit 1" --health-start-period 90s --health-interval 5s --health-timeout 10s From 420e60abccf74016526881c3550bd1ba05b38563 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:11:55 +0300 Subject: [PATCH 08/15] refactoring --- .github/workflows/dast.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index ebb96add3..94b0e379a 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml 
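Review bot: The new `Debug container logs` step resolves the container with `docker ps -qf "ancestor=ghcr.io/codbex/codbex-kronos:latest"`, which returns every container started from that image (or nothing if the service container was already removed), and `docker logs` accepts a single id, so the step can itself fail in exactly the failure case it is meant to diagnose. The runner already exposes the service container id; `run: docker logs ${{ job.services.application.id }}` is stable regardless of how many containers match. Note that this dumps the application's full log into the workflow output, which is readable by anyone who can view the run on a public repository, so it is worth keeping the step limited to `if: failure()` as it is here.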
@@ -18,21 +18,21 @@ jobs: image: ghcr.io/codbex/codbex-kronos:latest ports: - 80:80 - options: >- - --health-cmd "curl -f http://application:80/actuator/health/readiness || exit 1" - --health-start-period 90s - --health-interval 5s - --health-timeout 10s - --health-retries 30 steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Wait for App to Start + - name: Wait for readiness run: | - echo "Waiting for the app to be ready..." - sleep 30 # Adjust based on startup time + for i in {1..30}; do + echo "Checking readiness... attempt $i" + if curl -f http://localhost:80/actuator/health/readiness; then + echo "Application is ready." + break + fi + sleep 5 + done - name: Run OWASP ZAP Full Scan uses: zaproxy/action-full-scan@v0.12.0 From 29b025624bf1ec9e94cc30ea1ea2d6f9fe97cbee Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:15:42 +0300 Subject: [PATCH 09/15] remove docker name --- .github/workflows/dast.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 94b0e379a..f9a9221a6 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -40,7 +40,6 @@ jobs: target: 'http://localhost:80' cmd_options: '-a -T 5 -j -r' # https://www.zaproxy.org/docs/docker/full-scan/ artifact_name: dast_zap_report - docker_name: 'owasp/zap2docker-stable' allow_issue_writing: true - name: Upload ZAP Report as artifact From 9515c4b414a788899883afc41835288890aa8fd3 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:21:12 +0300 Subject: [PATCH 10/15] refactoring --- .github/workflows/dast.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index f9a9221a6..dd71d7c4b 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml 
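Review bot: The readiness loop in `Wait for readiness` breaks on success but does nothing after 30 failed attempts, so when the application never becomes ready the step still exits 0 and the ZAP scan runs against a service that is not serving, producing an empty or misleading report; the same applies to the reworked loop in PATCH 10/15. Since this commit also removes the Docker `--health-*` options from the service, the loop is now the only readiness gate. A single `curl --fail --silent --show-error --retry 30 --retry-delay 5 --retry-all-errors http://localhost:80/actuator/health/readiness` (under the default `bash -e` run shell) both waits and fails the job when the endpoint never answers; alternatively keep the loop and add `exit 1` after it when no attempt succeeded.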
@@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest services: - application: + app: image: ghcr.io/codbex/codbex-kronos:latest ports: - 80:80 @@ -23,11 +23,13 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Wait for readiness + - name: Wait for app to start run: | + URL='http://localhost:80/actuator/health/readiness' for i in {1..30}; do - echo "Checking readiness... attempt $i" - if curl -f http://localhost:80/actuator/health/readiness; then + echo "Checking readiness at $URL... attempt $i" + if curl -f $URL; then + echo '----------------------' echo "Application is ready." break fi @@ -37,7 +39,7 @@ jobs: - name: Run OWASP ZAP Full Scan uses: zaproxy/action-full-scan@v0.12.0 with: - target: 'http://localhost:80' + target: 'http://app:80' cmd_options: '-a -T 5 -j -r' # https://www.zaproxy.org/docs/docker/full-scan/ artifact_name: dast_zap_report allow_issue_writing: true From af25b30804f772bb8b5b01fda3d193b046f3fff2 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:23:39 +0300 Subject: [PATCH 11/15] refactoring --- .github/workflows/dast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index dd71d7c4b..325cb0876 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -40,7 +40,7 @@ jobs: uses: zaproxy/action-full-scan@v0.12.0 with: target: 'http://app:80' - cmd_options: '-a -T 5 -j -r' # https://www.zaproxy.org/docs/docker/full-scan/ + cmd_options: '-a -T 10' # https://www.zaproxy.org/docs/docker/full-scan/ artifact_name: dast_zap_report allow_issue_writing: true From 0da40afa0e0c90950190246aa1c176a8dc574517 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:30:54 +0300 Subject: [PATCH 12/15] use localhost --- .github/workflows/dast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 325cb0876..1ea333d83 100644 
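Review bot: In the `Wait for app to start` step the expansion in `if curl -f $URL; then` is unquoted; the value has no whitespace today, but quoting is what keeps the line correct if the URL ever gains a query string or is moved into a workflow input, and `-sS` drops curl's progress meter from the log while keeping errors: `if curl -fsS "$URL"; then`. The `echo '----------------------'` banner before the success message carries no information; `echo "Application is ready after $i attempt(s)."` would tell the reader how long startup took.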
--- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -39,7 +39,7 @@ jobs: - name: Run OWASP ZAP Full Scan uses: zaproxy/action-full-scan@v0.12.0 with: - target: 'http://app:80' + target: 'http://localhost:80' cmd_options: '-a -T 10' # https://www.zaproxy.org/docs/docker/full-scan/ artifact_name: dast_zap_report allow_issue_writing: true From 2909ffc942268924d69ba229f5b4b93349016697 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:32:32 +0300 Subject: [PATCH 13/15] add issue_title --- .github/workflows/dast.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 1ea333d83..d885c1ce6 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -43,6 +43,7 @@ jobs: cmd_options: '-a -T 10' # https://www.zaproxy.org/docs/docker/full-scan/ artifact_name: dast_zap_report allow_issue_writing: true + issue_title: '[DAST] ZAP Full Scan Report' - name: Upload ZAP Report as artifact uses: actions/upload-artifact@v4 From 9ea1270d83d3dcb81cbbfad401626786ed883266 Mon Sep 17 00:00:00 2001 From: Iliyan Velichkov Date: Thu, 29 May 2025 13:36:25 +0300 Subject: [PATCH 14/15] remove -a --- .github/workflows/dast.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index d885c1ce6..56ec6af82 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -40,7 +40,7 @@ jobs: uses: zaproxy/action-full-scan@v0.12.0 with: target: 'http://localhost:80' - cmd_options: '-a -T 10' # https://www.zaproxy.org/docs/docker/full-scan/ + cmd_options: '-T 10' # https://www.zaproxy.org/docs/docker/full-scan/ artifact_name: dast_zap_report allow_issue_writing: true issue_title: '[DAST] ZAP Full Scan Report' From 6a774df72420418b95233d2db9ea307de36d0742 Mon Sep 17 00:00:00 2001 
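Review bot: Dropping `-a` from `cmd_options` turns off the AJAX spider, so any client-side-rendered part of the application will no longer be crawled by this scan, and the hunk does not record why. If the motivation is run time, a comment on the line keeps the trade-off visible, e.g. `cmd_options: '-T 10' # -T: max scan time in minutes; AJAX spider (-a) disabled to bound run time`. If the UI is server-rendered the coverage loss may be nil, but that is worth stating rather than leaving to the next reader to work out.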
From: Iliyan Velichkov Date: Thu, 29 May 2025 13:52:58 +0300 Subject: [PATCH 15/15] refactoring --- .github/workflows/dast.yml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/workflows/dast.yml b/.github/workflows/dast.yml index 56ec6af82..3a7c19f8d 100644 --- a/.github/workflows/dast.yml +++ b/.github/workflows/dast.yml @@ -41,16 +41,7 @@ jobs: with: target: 'http://localhost:80' cmd_options: '-T 10' # https://www.zaproxy.org/docs/docker/full-scan/ - artifact_name: dast_zap_report - allow_issue_writing: true + artifact_name: dast_zap_report # all results will be uploaded with an artifact with this name + allow_issue_writing: false # create an issue with the results issue_title: '[DAST] ZAP Full Scan Report' - - name: Upload ZAP Report as artifact - uses: actions/upload-artifact@v4 - with: - name: dast_zap_report - path: dast_zap_report.html - - - name: Debug container logs - if: failure() - run: docker logs $(docker ps -qf "ancestor=ghcr.io/codbex/codbex-kronos:latest")
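Review bot: The comment on `allow_issue_writing: false # create an issue with the results` says the opposite of what the value does — `false` disables issue creation — and it leaves the `issue_title` input as dead configuration. Suggest `allow_issue_writing: false # do not open a GitHub issue; the report is only published as the artifact above` and either removing `issue_title` or noting that it only applies once issue writing is re-enabled. With the separate upload step removed, the action's own artifact upload is the only output, and unless its `fail_action` input is set the job stays green regardless of findings; if an informational-only scan is the intent, a one-line comment saying so would save the next reader a check.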