Merge pull request #333 from DFE-Digital/owasp-zap-ci

Add security tests workflow
DFE-Digital · Jun 22, 2023 · 7753681 · 7753681
2 parents e8cb114 + 3b9b238
commit 7753681
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 6 deletions.
diff --git a/.github/workflows/build-and-push-image.yml b/.github/workflows/build-and-push-image.yml
@@ -156,7 +156,7 @@ jobs:
         run: npm install
 
       - name: Run cypress
-        run: npm run cy:run -- --env apiKey="${{ secrets.TRAMS_API_KEY }}",url="${{ secrets.TRAMS_API_BASE_URL }}",authKey="${{ secrets.ZAP_API_KEY }}"
+        run: npm run cy:run -- --env apiKey="${{ secrets.TRAMS_API_KEY }}",url="${{ secrets.TRAMS_API_BASE_URL }}"
 
       - name: Upload screenshots
         if: ${{ failure() }}

diff --git a/.github/workflows/security-tests.yml b/.github/workflows/security-tests.yml
@@ -0,0 +1,53 @@
+name: Security scanner tests
+
+on:
+  workflow_run:
+    workflows: ["Deploy to environment"]
+    types:
+      - completed
+
+jobs:
+  run-tests-with-zap:
+    name: Run Cypress tests with OWASP ZAP
+    environment: development
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run tests with scanner
+        env:
+          API_KEY: ${{ secrets.TRAMS_API_KEY }}
+          HTTP_PROXY: http://zap:8080
+          NO_PROXY: "*.google-analytics.com,*.googletagmanager.com,*.microsoftonline.com"
+          URL: ${{ secrets.TRAMS_API_BASE_URL }}
+          ZAP_API_KEY: ${{ secrets.ZAP_API_KEY }}
+        run: |
+          docker-compose -f CypressTests/docker-compose.yml up --exit-code-from cypress
+
+      - name: Get git sha
+        if: '!cancelled()'
+        run: |
+          CHECKED_OUT_SHA="$(git log -1 '--format=format:%H')"
+          echo "checked_out_sha=${CHECKED_OUT_SHA}" >> $GITHUB_ENV
+
+      - name: Azure login with SPN
+        if: '!cancelled()'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.OWASP_AZ_CREDENTIALS }}
+
+      - name: Push report to blob storage
+        if: '!cancelled()'
+        uses: azure/CLI@v1
+        id: azure
+        with:
+          azcliversion: 2.49.0
+          inlineScript: |
+            az storage blob upload \
+              --container-name ${{ secrets.OWASP_STORAGE_CONTAINER_NAME }} \
+              --account-name ${{ secrets.OWASP_STORAGE_ACCOUNT_NAME }} \
+              --file "CypressTests/reports/ZAP-Report.html" \
+              --name "TramsDataApi/${{ env.checked_out_sha }}/ZAP-Report.html" \
+              --auth-mode login \
+              --overwrite
diff --git a/CypressTests/docker-compose.yml b/CypressTests/docker-compose.yml
@@ -2,10 +2,8 @@ version: "3.8"
 services:
   zap:
     container_name: zap
-    image: owasp/zap2docker-stable:2.11.1 # pinned until alpn config issue is resolved - https://github.com/zaproxy/zaproxy/issues/7699
-    command: "zap.sh -daemon -port 8080 -host 0.0.0.0 -config api.key=${ZAP_API_KEY} -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true"
-    ports:
-      - 8080:8080
+    image: owasp/zap2docker-stable
+    command: "zap.sh -daemon -port 8080 -host 0.0.0.0 -config api.key=${ZAP_API_KEY} -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config network.localServers.mainProxy.alpn.enabled=false -config network.localServers.mainProxy.address=0.0.0.0"
     user: zap
   cypress:
     build:
@@ -15,5 +13,8 @@ services:
     depends_on:
       zap:
         condition: service_healthy
+    environment:
+      - HTTP_PROXY=${HTTP_PROXY}
+      - NO_PROXY="${NO_PROXY}"
     volumes:
-      - ./:/reports
+      - .reports/:/reports