
Update report-summary.json #44

Update report-summary.json


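# SecureCodeBox penetration-test workflow.
#
# Flow: spin up a kind cluster, install the SecureCodeBox operator, deploy the
# Juice-Shop demo target and the ZAP-Advanced scanner, run the scan declared in
# scan.yaml, then pull the findings from the operator's MinIO bucket and
# compare the per-category counts against the committed baseline
# (report-summary.json at the repository root). The refreshed report is
# committed back; the run fails only when a new category or a higher count
# than the baseline is detected.
#
# Notes for maintainers:
#   - Indentation had been lost in the copy this was rebuilt from; it is now
#     the standard 2-space layout.
#   - Fixes over the previous revision: the current summary no longer
#     overwrites the committed baseline before it is read; category names are
#     iterated by key (not by count value) and read line-by-line because ZAP
#     category names contain spaces; the zero-findings early exit now skips
#     the comparison/commit steps instead of leaving SUMMARY_FILE unset; the
#     scan-polling loop is bounded; downloads fail loudly on HTTP errors; the
#     final step fails only when new issues were actually found.
name: SecureCodeBox Penetration Tests

on:
  push:
    branches:
      - main
  workflow_dispatch:

# The job commits the refreshed baseline back with GITHUB_TOKEN, so it needs
# write access to repository contents and nothing else.
permissions:
  contents: write

jobs:
  penetration-tests:
    runs-on: ubuntu-latest
    # Hard upper bound for the whole job; the polling step below has its own.
    timeout-minutes: 120
    steps:
      # Check out first so the committed report-summary.json (the baseline) and
      # later working-tree writes are both relative to the triggering commit.
      - name: Checkout repository
        uses: actions/checkout@v3

      # Step 1: Set up Kubernetes Kind cluster
      - name: Set up kind cluster
        uses: engineerd/setup-kind@v0.5.0
        with:
          version: "v0.17.0"

      # Step 2: Configure kubectl
      - name: Set up kubectl
        uses: azure/setup-kubectl@v3
        with:
          version: "v1.27.1"

      # Step 3: Install Helm for SecureCodeBox operator installation
      - name: Install Helm
        uses: azure/setup-helm@v1
        with:
          version: "v3.8.0"

      # Step 4: Deploy SecureCodeBox Operator using Helm from the OCI registry
      - name: Deploy SecureCodeBox
        run: |
          helm --namespace securecodebox-system upgrade --install --create-namespace securecodebox-operator oci://ghcr.io/securecodebox/helm/operator

      # Step 5: Deploy Juice-Shop demo target
      - name: Deploy Juice-Shop Demo Target
        run: |
          helm upgrade --install juice-shop oci://ghcr.io/securecodebox/helm/juice-shop

      # Step 6: Deploy ZAP-Advanced scanner
      - name: Deploy ZAP-Advanced Scanner
        run: |
          helm upgrade --install zap-advanced oci://ghcr.io/securecodebox/helm/zap-advanced

      # Step 7: Initiate ZAP Scan on the Juice-Shop target
      - name: Download scan.yaml
        # -f makes curl fail on an HTTP error instead of saving the error page as
        # scan.yaml and applying it.
        # NOTE(review): this always fetches `main`, not the triggering commit; if
        # scan.yaml is tracked in this repository, apply the checked-out copy instead.
        run: |
          curl -fsSL -o scan.yaml https://raw.githubusercontent.com/GHARBIyasmine/SecureCodeBox-Penetration-testing/main/scan.yaml

      - name: Apply scan.yaml
        run: kubectl apply -f scan.yaml

      # Step 8: Wait for ZAP Scan Completion
      - name: Wait for ZAP Scan Results
        run: |
          # Poll the scan state until it reaches "Done". Give up on "Errored" or
          # once the attempt budget is spent, so a stuck scan cannot hold the
          # runner until the job-level timeout.
          scan=zap-authenticated-full-scan-juiceshop
          max_attempts=100   # 100 * 30s = 50 minutes
          attempt=0
          while true; do
            scan_state=$(kubectl get scan "$scan" -o=jsonpath='{.status.state}')
            echo "Current scan state: $scan_state"
            if [[ "$scan_state" == "Done" ]]; then
              echo "Scan completed!"
              break
            fi
            if [[ "$scan_state" == "Errored" ]]; then
              echo "::error::Scan '$scan' entered state Errored."
              kubectl describe scan "$scan" || true
              exit 1
            fi
            attempt=$((attempt + 1))
            if [[ "$attempt" -ge "$max_attempts" ]]; then
              echo "::error::Timed out waiting for scan '$scan' (last state: '$scan_state')."
              exit 1
            fi
            sleep 30
          done

      - name: Install jq
        run: sudo apt-get install -y jq

      # Step 9: Retrieve and save the ZAP scan results
      - name: Retrieve ZAP Scan Results
        run: |
          kubectl port-forward -n securecodebox-system service/securecodebox-operator-minio 9000:9000 &
          sleep 5
          # NOTE(review): unpinned binary fetched over the network and executed
          # without checksum verification; pin a release and verify its digest.
          curl -fsSL -o mc https://dl.min.io/client/mc/release/linux-amd64/mc
          chmod +x mc
          sudo mv mc /usr/local/bin
          # NOTE(review): hard-coded MinIO credentials; move them to repository
          # secrets rather than keeping them in the workflow file.
          mc alias set local http://localhost:9000 admin password

          scan=zap-authenticated-full-scan-juiceshop
          scan_uid=$(kubectl get scan "$scan" -o=jsonpath='{.metadata.uid}')
          scan_name=$(kubectl get scan "$scan" -o=jsonpath='{.metadata.name}')
          scan_findings_categories=$(kubectl get scan "$scan" -o=jsonpath='{.status.findings.categories}' | tr -d '\n')
          scan_findings_count=$(kubectl get scan "$scan" -o=jsonpath='{.status.findings.count}' | tr -d '\n')
          echo "Categories: ${scan_findings_categories}"
          echo "Count: ${scan_findings_count}"

          # Zero findings: nothing to compare or commit. `exit 0` only ends this
          # step, so the later steps are skipped via the NO_ISSUES flag.
          if [[ "${scan_findings_count:-0}" -eq 0 ]]; then
            echo "No issues found. Pipeline passes."
            echo "NO_ISSUES=true" >> "$GITHUB_ENV"
            exit 0
          fi

          # Write the current summary outside the checkout so it does not
          # overwrite the committed baseline before the next step reads it.
          summary_file="$RUNNER_TEMP/report-summary.json"
          echo "SUMMARY_FILE=${summary_file}" >> "$GITHUB_ENV"
          # Build the summary with jq so the embedded categories object is
          # validated as JSON rather than string-interpolated.
          jq -n \
            --arg name "$scan_name" \
            --arg uid "$scan_uid" \
            --argjson count "$scan_findings_count" \
            --argjson categories "$scan_findings_categories" \
            '{scan_name: $name, scan_uid: $uid, findings: {count: $count, categories: $categories}}' \
            > "$summary_file"
          mc cp "local/securecodebox/scan-${scan_uid}/findings.json" "$GITHUB_WORKSPACE/findings.json"
          echo "Reports saved locally."

      - name: Configure Git
        run: |
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"

      # Step 10: Retrieve the Baseline Report
      - name: Retrieve Baseline Report
        if: env.NO_ISSUES != 'true'
        run: |
          BASELINE_DIR="$GITHUB_WORKSPACE/baseline"
          mkdir -p "$BASELINE_DIR"
          BASELINE_REPORT="$BASELINE_DIR/report-summary.json"
          # Read the committed baseline from HEAD, not from the working tree.
          if ! git show HEAD:report-summary.json > "$BASELINE_REPORT" 2>/dev/null; then
            rm -f "$BASELINE_REPORT"
            echo "::warning::No baseline report found. Skipping comparison. Treating as new issues."
            # Commit the first report at the repository root, where later runs
            # look for it.
            cp "$SUMMARY_FILE" "$GITHUB_WORKSPACE/report-summary.json"
            git add report-summary.json findings.json
            git commit -m "Set initial baseline report"
            git push
            exit 1
          fi
          echo "Baseline report located at: $BASELINE_REPORT"

      # Step 11: Compare the current report against the baseline
      - name: Check Baseline and Compare
        if: env.NO_ISSUES != 'true'
        run: |
          BASELINE_REPORT="$GITHUB_WORKSPACE/baseline/report-summary.json"
          CURRENT_REPORT="$SUMMARY_FILE"
          BASELINE_CATEGORIES=$(jq -c '.findings.categories' "$BASELINE_REPORT")
          CURRENT_CATEGORIES=$(jq -c '.findings.categories' "$CURRENT_REPORT")
          echo "Baseline found. Proceeding with comparison."
          echo "Comparing $CURRENT_REPORT with $BASELINE_REPORT"
          echo "Baseline Categories: $BASELINE_CATEGORIES"
          echo "Current Categories: $CURRENT_CATEGORIES"

          new_issues=false
          # Iterate over category names (object keys), not their counts, and read
          # one name per line: ZAP category names contain spaces, so a plain
          # `for x in $(...)` would split them.
          while IFS= read -r category; do
            BASELINE_COUNT=$(jq -r --arg c "$category" '.[$c] // empty' <<< "$BASELINE_CATEGORIES")
            CURRENT_COUNT=$(jq -r --arg c "$category" '.[$c]' <<< "$CURRENT_CATEGORIES")
            if [[ -z "$BASELINE_COUNT" ]]; then
              echo "::warning::New category detected: $category"
              new_issues=true
            elif [[ "$CURRENT_COUNT" -gt "$BASELINE_COUNT" ]]; then
              echo "::warning::Category '$category' count increased from $BASELINE_COUNT to $CURRENT_COUNT."
              new_issues=true
            elif [[ "$CURRENT_COUNT" -lt "$BASELINE_COUNT" ]]; then
              echo "Category '$category' count decreased from $BASELINE_COUNT to $CURRENT_COUNT. Improvement noted."
            else
              echo "Category '$category' count remains the same: $CURRENT_COUNT. Persistent issue."
            fi
          done < <(jq -r 'keys[]' <<< "$CURRENT_CATEGORIES")

          while IFS= read -r baseline_category; do
            if [[ "$(jq --arg c "$baseline_category" 'has($c)' <<< "$CURRENT_CATEGORIES")" == "false" ]]; then
              echo "Category '$baseline_category' is no longer present. Improvement noted."
            fi
          done < <(jq -r 'keys[]' <<< "$BASELINE_CATEGORIES")

          # Hand the verdict to the final step; it decides whether to fail.
          echo "NEW_ISSUES=${new_issues}" >> "$GITHUB_ENV"

      - name: Debug file paths
        run: ls -al "$GITHUB_WORKSPACE/"

      # Step 12: Commit the refreshed report; fail only when new issues were found
      - name: Save Reports and Fail Pipeline
        if: env.NO_ISSUES != 'true'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          CURRENT_REPORT="$SUMMARY_FILE"
          # The report lives at the repository root, which is where the next
          # run reads its baseline from (git show HEAD:report-summary.json).
          cp "$CURRENT_REPORT" "$GITHUB_WORKSPACE/report-summary.json"
          git add report-summary.json findings.json
          git commit -m "Update findings and report summaries [skip ci]" || echo "No changes to commit"
          git push
          if [[ "$NEW_ISSUES" == "true" ]]; then
            echo "::error::Pipeline failed due to new issues."
            exit 1
          fi
          echo "No new issues compared to the baseline."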