meta csp

tubone24 · Dec 31, 2022 · 2161097 · 2161097
1 parent 73f724c
commit 2161097
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 9 deletions.
diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml
@@ -62,13 +62,11 @@ jobs:
           chmod 777 owasp/zap
           docker-compose -f owasp/docker-compose-ci.yml up -d
           docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -I -m 1 -z "-config alert.maxInstances=0 -config view.locale=ja_JP"
-      - name: cp report.html
-        run: mkdir public && cp report.html public
       - name: Deploy Report
         uses: peaceiris/actions-gh-pages@v3
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: ./public
+          publish_dir: ./owasp/zap/
           destination_dir: owasp
           keep_files: true
           exclude_assets: '*.cer,*.key'

diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@
 [![storybook](https://raw.githubusercontent.com/storybookjs/brand/master/badge/badge-storybook.svg)](https://blog-storybook.netlify.app/)
 [![time tracker](https://wakatime.com/badge/github/tubone24/blog.svg)](https://wakatime.com/badge/github/tubone24/blog)
 <a href="https://validator.w3.org/feed/check.cgi?url=https%3A//blog.tubone-project24.xyz/rss.xml"><img src="https://validator.w3.org/feed/images/valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>
+![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-score&lastDay=184)
 [![websiteup](https://img.shields.io/website.svg?down_color=red&down_message=down&up_color=green&up_message=up&url=https%3A%2F%2Fblog.tubone-project24.xyz)](https://blog.tubone-project24.xyz)
 
 ## What is this?
@@ -276,24 +277,39 @@ Use Terraform Cloud to change Netlify configuration values.
 
 [Workspace](https://app.terraform.io/app/tubone24-test/workspaces/blog)
 
-## Detect credentials leak
-
-[Gitguardian](https://www.gitguardian.com/)
-
 ## Alert monitoring
 
 Use [Sentry](https://sentry.io/organizations/tubone-project24/projects/)
 
-## Automatic security vulnerability
+## Automatic security and vulnerability check
+
+### Detect credentials leak
+
+There is a security risk of credentials getting into the code, but we use [Gitguardian](https://www.gitguardian.com/) to check each PR to make sure they are not mixed in.
+
+### API Based
 
 API request based security check is used by [Brightsec](https://brightsec.com/)
 
-Also, [Snyk](https://app.snyk.io/org/tubone24/project/f01f63e7-832e-45ca-a080-eb4d0da4b8e6), OSS Package check and code, IaC code check.
+### static code analysis for vulnerability
+
+We use [Snyk](https://app.snyk.io/org/tubone24/project/f01f63e7-832e-45ca-a080-eb4d0da4b8e6) for static code analysis.
+In addition to detecting vulnerabilities in the libraries used, we scan code and IaC tools.
 
 If you create PR, check security vulnerability for [snyk CLI](https://docs.snyk.io/snyk-cli) and push PR comment.
 
 ![snyk comments](https://i.imgur.com/fEL1cFj.png)
 
+### OWASP ZAP
+
+[OWASP ZAP](https://www.zaproxy.org/) [Full Scan](https://www.zaproxy.org/docs/docker/full-scan/) can be run securely against a locally built Docker container.
+
+The results can be viewed at the following URL
+
+<https://tubone24.github.io/blog/owasp/report.html>
+
+Full Scan of OWASP ZAP has a very long execution time, so manual execution with `workflow_dispatch` is recommended.
+
 # License
 
 - The source code under the MIT LICENSE.