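---
# Scheduled OWASP ZAP scan. Runs the autorun plan in .zap/autorun.yml with a
# Firefox binary, uploads the report directory as an artifact, publishes the
# HTML report to GitHub Pages, writes the report link to the job summary and
# notifies Slack when any medium or high risk alerts were found.
name: Security

on:
  schedule:
    - cron: "30 5 * * MON-FRI" # Every weekday at 05:30 UTC
  workflow_dispatch:
  # TODO testing: remove once verified. While present, every push to every
  # branch runs the full scan, the Pages deployment and the Slack message.
  push:

jobs:
  zap:
    runs-on: moj-cloud-platform
    # Explicit least-privilege token for the job: `contents: write` is what the
    # Pages deploy step needs to push the report to the gh-pages branch; no
    # other step in this job uses the GITHUB_TOKEN.
    permissions:
      contents: write
    env:
      CONFIG_FILE: ${{ github.workspace }}/.zap/autorun.yml
      REPORT_DIR: ${{ github.workspace }}/.zap/zap-report
      # Single source of truth for the published report location; referenced
      # by the job summary step and the Slack "Report" button below.
      REPORT_URL: https://ministryofjustice.github.io/hmpps-manage-a-supervision-ui/zap-report
    steps:
      - uses: actions/checkout@v4

      - name: Setup ZAP
        uses: ./.github/actions/setup-zap

      - name: Setup Firefox
        id: firefox
        uses: browser-actions/setup-firefox@233224b712fc07910ded8c15fb95a555c86da76f # v1
        with:
          firefox-version: latest-esr

      # envsubst substitutes every $VAR visible to the step (the job-level
      # CONFIG_FILE/REPORT_DIR as well as the two credentials set here). The
      # rendered file is deliberately not echoed to the log: after this step it
      # contains the ZAP password.
      - name: Replace variables in config file
        run: envsubst < "$CONFIG_FILE" > "$CONFIG_FILE.tmp" && mv "$CONFIG_FILE.tmp" "$CONFIG_FILE"
        env:
          ZAP_USERNAME: ${{ secrets.ZAP_USERNAME }}
          ZAP_PASSWORD: ${{ secrets.ZAP_PASSWORD }}
        shell: bash

      - name: Run scan
        run: owasp-zap -cmd -autorun "$CONFIG_FILE" -config selenium.firefoxBinary="$FIREFOX_BINARY"
        env:
          FIREFOX_BINARY: ${{ steps.firefox.outputs.firefox-path }}
        shell: bash

      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: zap-report
          path: ${{ env.REPORT_DIR }}

      - name: Publish HTML report
        uses: JamesIves/github-pages-deploy-action@65b5dfd4f5bcd3a7403bbc2959c144256167464e # v4.5.0
        with:
          folder: ${{ env.REPORT_DIR }}
          target-folder: zap-report

      - name: Add HTML report URL to the job summary
        run: echo "[🛡️ OWASP ZAP Report]($REPORT_URL)" | tee -a "$GITHUB_STEP_SUMMARY"
        shell: bash

      # Counts alerts per ZAP risk code (0 info, 1 low, 2 medium, 3 high) and
      # exposes each count as a step output. A report with no alerts yields
      # null from `add`, which `// 0` turns into 0 for every level.
      - name: Parse JSON report
        id: json
        run: |
          risk_counts=$(jq -r '[.site[].alerts[]] | group_by(.riskcode) | map({ (.[0].riskcode): length }) | add' "$JSON_FILE")
          echo "info=$(echo "$risk_counts" | jq '."0" // 0')" | tee -a "$GITHUB_OUTPUT"
          echo "low=$(echo "$risk_counts" | jq '."1" // 0')" | tee -a "$GITHUB_OUTPUT"
          echo "medium=$(echo "$risk_counts" | jq '."2" // 0')" | tee -a "$GITHUB_OUTPUT"
          echo "high=$(echo "$risk_counts" | jq '."3" // 0')" | tee -a "$GITHUB_OUTPUT"
        env:
          JSON_FILE: ${{ env.REPORT_DIR }}/report.json
        shell: bash

      # Only notifies when there is something to act on; info/low counts are
      # still included in the message text for context.
      - name: Send message to Slack
        uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
        if: steps.json.outputs.high != '0' || steps.json.outputs.medium != '0'
        with:
          channel-id: probation-integration-notifications
          payload: |
            {
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "🛡️ *Manage a Supervision* ZAP report"
                  }
                },
                {
                  "type": "context",
                  "elements": [
                    {
                      "type": "mrkdwn",
                      "text": ">${{ steps.json.outputs.high }} high risk, ${{ steps.json.outputs.medium }} medium risk, and ${{ steps.json.outputs.low }} low risk issues were found."
                    }
                  ]
                },
                {
                  "type": "actions",
                  "elements": [
                    {
                      "type": "button",
                      "text": {
                        "type": "plain_text",
                        "text": "📈 Report"
                      },
                      "url": "${{ env.REPORT_URL }}"
                    },
                    {
                      "type": "button",
                      "text": {
                        "type": "plain_text",
                        "text": "📝 Logs"
                      },
                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                    }
                  ]
                }
              ]
            }
        env:
          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}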