Update main.yml #42
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: SecureCodeBox Penetration Tests | |
on: | |
push: | |
branches: | |
- main | |
workflow_dispatch: | |
jobs: | |
penetration-tests: | |
runs-on: ubuntu-latest | |
steps: | |
# Step 1: Set up Kubernetes Kind cluster | |
- name: Set up kind cluster | |
uses: engineerd/setup-kind@v0.5.0 | |
with: | |
version: "v0.17.0" | |
# Step 2: Configure kubectl | |
- name: Set up kubectl | |
uses: azure/setup-kubectl@v3 | |
with: | |
version: v1.27.1 | |
# Step 3: Install Helm for SecureCodeBox operator installation | |
- name: Install Helm | |
uses: azure/setup-helm@v1 | |
with: | |
version: v3.8.0 | |
# Step 4: Deploy SecureCodeBox Operator using Helm from the OCI registry | |
- name: Deploy SecureCodeBox | |
run: | | |
helm --namespace securecodebox-system upgrade --install --create-namespace securecodebox-operator oci://ghcr.io/securecodebox/helm/operator | |
# Step 5: Deploy Juice-Shop demo target | |
- name: Deploy Juice-Shop Demo Target | |
run: | | |
helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop | |
# Step 6: Deploy ZAP-Advanced scanner | |
- name: Deploy ZAP-Advanced Scanner | |
run: | | |
helm upgrade --install zap-advanced oci://ghcr.io/securecodebox/helm/zap-advanced | |
# Step 7: Initiate ZAP Scan on the Juice-Shop target | |
- name: Download scan.yaml | |
run: | | |
curl -O https://raw.githubusercontent.com/GHARBIyasmine/SecureCodeBox-Penetration-testing/main/scan.yaml | |
- name: Apply scan.yaml | |
run: kubectl apply -f scan.yaml | |
# Step 8: Wait for ZAP Scan Completion | |
- name: Wait for ZAP Scan Results | |
run: | | |
# Start watch mode for kubectl get scan | |
#kubectl get scan zap-authenticated-full-scan-juiceshop -o wide --watch & | |
#kubectl wait --for=condition=Done scan/zap-authenticated-full-scan-juiceshop --timeout=1800s | |
# Continuously check scan status and print it | |
# Poll for the scan state to become "Done" | |
while true; do | |
# Fetch the scan status and check for "Done" state | |
scan_state=$(kubectl get scan zap-authenticated-full-scan-juiceshop -o=jsonpath='{.status.state}') | |
# Print the current scan state for debugging | |
echo "Current scan state: $scan_state" | |
# Break out of loop if scan is done | |
if [[ "$scan_state" == "Done" ]]; then | |
echo "Scan completed!" | |
break | |
fi | |
# Wait 30 seconds before checking again | |
sleep 30 | |
done | |
- name: Install jq | |
run: sudo apt-get install -y jq | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
# Step 9: Retrieve and save the ZAP scan results | |
- name: Retrieve ZAP Scan Results | |
run: | | |
kubectl port-forward -n securecodebox-system service/securecodebox-operator-minio 9000:9000 & | |
sleep 5 | |
curl -O https://dl.min.io/client/mc/release/linux-amd64/mc | |
chmod +x mc | |
sudo mv mc /usr/local/bin | |
mc alias set local http://localhost:9000 admin password | |
scan_uid=$(kubectl get scan zap-authenticated-full-scan-juiceshop -o=jsonpath='{.metadata.uid}') | |
# echo "SCAN_UID=${scan_uid}" >> $GITHUB_ENV | |
scan_name=$(kubectl get scan zap-authenticated-full-scan-juiceshop -o=jsonpath='{.metadata.name}') | |
scan_findings_categories=$(kubectl get scan zap-authenticated-full-scan-juiceshop -o=jsonpath='{.status.findings.categories}') | |
scan_findings_categories=$(echo "$scan_findings_categories" | tr -d '\n') | |
scan_findings_count=$(kubectl get scan zap-authenticated-full-scan-juiceshop -o=jsonpath='{.status.findings.count}') | |
scan_findings_count=$(echo "$scan_findings_count" | tr -d '\n') | |
echo "Categories: ${scan_findings_categories}" | |
echo "Count: ${scan_findings_count}" | |
# Check if findings count is zero | |
if [[ "$scan_findings_count" -eq 0 ]]; then | |
echo "No issues found. Pipeline passes." | |
exit 0 | |
fi | |
# Create summary file and findings file | |
summary_file="$GITHUB_WORKSPACE/report-summary.json" | |
echo "SUMMARY_FILE=${summary_file}" >> $GITHUB_ENV | |
echo "{ | |
\"scan_name\": \"${scan_name}\", | |
\"scan_uid\": \"${scan_uid}\", | |
\"findings\": { | |
\"count\": ${scan_findings_count}, | |
\"categories\": ${scan_findings_categories} | |
} | |
}" > ${summary_file} | |
mc cp local/securecodebox/scan-${scan_uid}/findings.json $GITHUB_WORKSPACE/findings.json | |
echo "Reports saved locally." | |
- name: Configure Git | |
run: | | |
git config --global user.name "github-actions[bot]" | |
git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
# Step 2: Retrieve the Baseline Report | |
- name: Retrieve Baseline Report | |
run: | | |
BASELINE_DIR="$GITHUB_WORKSPACE/baseline" | |
mkdir -p "$BASELINE_DIR" | |
# Copy the baseline report from the repository to the temporary directory | |
git ls-files | grep '^report-summary\.json$' | xargs -I{} cp {} "$BASELINE_DIR/" | |
BASELINE_REPORT="$BASELINE_DIR/report-summary.json" | |
if [[ ! -f "$BASELINE_REPORT" ]]; then | |
echo "::warning::No baseline report found. Skipping comparison. Treating as new issues." | |
mv "$SUMMARY_FILE" "$BASELINE_DIR/report-summary.json" | |
git add "$BASELINE_DIR/report-summary.json" findings.json | |
git commit -m "Set initial baseline report" | |
git push | |
exit 1 | |
fi | |
echo "Baseline report located at: $BASELINE_REPORT" | |
# Step 3: Check for Baseline and Compare Reports | |
- name: Check Baseline and Compare | |
run: | | |
BASELINE_REPORT="$GITHUB_WORKSPACE/baseline/report-summary.json" | |
CURRENT_REPORT="$SUMMARY_FILE" | |
BASELINE_CATEGORIES=$(jq -r '.findings.categories' "$BASELINE_REPORT") | |
CURRENT_CATEGORIES=$(jq -r '.findings.categories' "$CURRENT_REPORT") | |
echo "Baseline found. Proceeding with comparison." | |
echo "Comparing $CURRENT_REPORT with $BASELINE_REPORT" | |
echo "Baseline Categories: $BASELINE_CATEGORIES" | |
echo "Current Categories: $CURRENT_CATEGORIES" | |
for category in $(echo "$CURRENT_CATEGORIES" | jq -r '.[]'); do | |
if [[ ! $(echo "$BASELINE_CATEGORIES" | jq -r ".[]" | grep -w "$category") ]]; then | |
echo "::warning::New category detected: $category" | |
else | |
BASELINE_COUNT=$(jq -r ".findings.categories | .[\"$category\"]" "$BASELINE_REPORT") | |
CURRENT_COUNT=$(jq -r ".findings.categories | .[\"$category\"]" "$CURRENT_REPORT") | |
if [[ "$CURRENT_COUNT" -gt "$BASELINE_COUNT" ]]; then | |
echo "::warning::Category '$category' count increased from $BASELINE_COUNT to $CURRENT_COUNT." | |
elif [[ "$CURRENT_COUNT" -lt "$BASELINE_COUNT" ]]; then | |
echo "Category '$category' count decreased from $BASELINE_COUNT to $CURRENT_COUNT. Improvement noted." | |
else | |
echo "Category '$category' count remains the same: $CURRENT_COUNT. Persistent issue." | |
fi | |
fi | |
done | |
for baseline_category in $(echo "$BASELINE_CATEGORIES" | jq -r '.[]'); do | |
if [[ ! $(echo "$CURRENT_CATEGORIES" | jq -r ".[]" | grep -w "$baseline_category") ]]; then | |
echo "Category '$baseline_category' is no longer present. Improvement noted." | |
fi | |
done | |
# - name: Move files to repo root | |
# run: | | |
# mv findings.json $GITHUB_WORKSPACE/ | |
# mv report-summary-*.json $GITHUB_WORKSPACE/ | |
- name: Debug file paths | |
run: ls -al $GITHUB_WORKSPACE/ | |
- name: Save Reports and Fail Pipeline | |
run: | | |
BASELINE_REPORT="$GITHUB_WORKSPACE/baseline/report-summary.json" | |
CURRENT_REPORT="$SUMMARY_FILE" | |
mv "$CURRENT_REPORT" "$BASELINE_REPORT" | |
git add "$BASELINE_REPORT" findings.json | |
git commit -m "Update findings and report summaries [skip ci]" || echo "No changes to commit" | |
git push | |
echo "::error::Pipeline failed due to new issues." | |
exit 1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |