reinit zaproxy PR

.github/workflows/zaproxy.yml

@@ -0,0 +1,50 @@
+name: Run ZAP Baseline Scan ⚙️
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: build and start containers using tests/test.env ⚙️
+      run: |
+        cp tests/test.env wis2box.env
+        python3 wis2box-ctl.py build
+        python3 wis2box-ctl.py start
+        python3 wis2box-ctl.py status -a
+        sleep 30
+        python3 wis2box-ctl.py status -a
+    - name: populate stations from CSV 📡
+      run: |
+        python3 wis2box-ctl.py execute wis2box metadata station publish-collection
+    - name: add Malawi synop data to the system 🇲🇼
+      env:
+        TOPIC_HIERARCHY: mw-mw_met_centre.data.core.weather.surface-based-observations.synop
+        CHANNEL: origin/a/wis2/mw-mw_met_centre/data/core/weather/surface-based-observations/synop
+        TERRITORY: MWI
+        DISCOVERY_METADATA: /data/wis2box/metadata/discovery/mw-surface-weather-observations.yml
+        DISCOVERY_METADATA_ID: urn:wmo:md:mw-mw_met_centre:surface-weather-observations
+      run: |
+        python3 wis2box-ctl.py execute wis2box dataset publish $DISCOVERY_METADATA
+        python3 wis2box-ctl.py execute wis2box metadata station add-topic --territory-name $TERRITORY  $CHANNEL
+        python3 wis2box-ctl.py execute wis2box data ingest -mdi $DISCOVERY_METADATA_ID -p $TEST_DATA
+        sleep 10
+    - name: ZAP baseline Scan on UI 🕵️‍♂️
+      uses: zaproxy/action-baseline@v0.12.0
+      with:
+        target: 'http://localhost'
+        rules_file_name: '.zap/rules.tsv'
+        allow_issue_writing: 'false'
+        fail_action: 'true'
+    - name: ZAP baseline Scan on wis2box-webapp 🕵️‍♂️
+      uses: zaproxy/action-baseline@v0.12.0
+      env:
+        ZAP_AUTH_HEADER_VALUE: "Basic d2lzMmJveC11c2VyOndpczJib3h0ZXN0MTIz"
+        ZAP_AUTH_HEADER: "Authorization"
+      with:
+        target: 'http://localhost/wis2box-webapp'
+        rules_file_name: '.zap/rules.tsv'
+        allow_issue_writing: 'false'
+        fail_action: 'true'

.zap/rules.tsv

@@ -0,0 +1,23 @@
+10202	IGNORE	Absence of Anti-CSRF Tokens	Medium
+10038	IGNORE	Content Security Policy (CSP) Header Not Set	Medium
+10098	IGNORE	Cross-Domain Misconfiguration	Medium
+10020	IGNORE	Missing Anti-clickjacking Header	Medium
+90003	IGNORE	Sub Resource Integrity Attribute Missing	Medium
+90022	IGNORE	Application Error Disclosure	Medium
+10054	IGNORE	Cookie with SameSite Attribute None	Low
+10017	IGNORE	Cross-Domain JavaScript Source File Inclusion	Low
+10023	IGNORE	Information Disclosure - Debug Error Messages	Low
+10063	IGNORE	Permissions Policy Header Not Set	Low
+10037	IGNORE	"Server Leaks Information via ""X-Powered-By"" HTTP Response Header Field(s)"	Low
+10096	IGNORE	Timestamp Disclosure - Unix	Low
+10021	IGNORE	X-Content-Type-Options Header Missing	Low
+10027	IGNORE	Information Disclosure - Suspicious Comments	Informational
+90033	IGNORE	Loosely Scoped Cookie	Informational
+10109	IGNORE	Modern Web Application	Informational
+10049	IGNORE	Non-Storable Content	Informational
+10112	IGNORE	Session Management Response Identified	Informational
+10049	IGNORE	Storable and Cacheable Content	Informational
+10009	IGNORE	In Page Banner Information Leak	Low
+10036	IGNORE	"Server Leaks Version Information via ""Server"" HTTP Response Header Field"	Low
+10110	IGNORE	Dangerous JS Functions	Low
+10105	IGNORE	Authentication Credentials Captured	Medium