Merge pull request #1184 from tubone24/owasp

[skip netlify] owaspzap

.dockerignore

@@ -0,0 +1 @@
+node_modules

.github/workflows/deploy.yml

@@ -28,8 +28,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -161,8 +159,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -224,8 +220,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}

.github/workflows/owaspzap.yml

@@ -1,27 +1,77 @@
 name: OWASP ZAP Actions
 on:
   workflow_dispatch:
-    inputs:
-      target_website:
-        default: "https://blog.tubone-project24.xyz"
-        type: string
+env:
+  cache-version: v1
 jobs:
   website-scan:
     runs-on: ubuntu-latest
     name: DAST (Dynamic Application Security Testing)
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
+      - name: Checkout source code
+        uses: actions/checkout@v3
+      - name: Setup Node
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+          registry-url: https://npm.pkg.github.com/
+          scope: '@tubone24'
+      - name: Get yarn cache directory path
+        id: yarn-cache-dir-path
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+      - name: Cache
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache
+            ${{ steps.yarn-cache-dir-path.outputs.dir }}
+            node_modules
+          key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
+            ${{ runner.os }}-build-
+            ${{ runner.os }}-
+      - name: yarn install
+        env:
+          GATSBY_GITHUB_CLIENT_SECRET: ${{secrets.GATSBY_GITHUB_CLIENT_SECRET}}
+          GATSBY_GITHUB_CLIENT_ID: ${{secrets.GATSBY_GITHUB_CLIENT_ID}}
+          GATSBY_ALGOLIA_SEARCH_API_KEY: ${{secrets.GATSBY_ALGOLIA_SEARCH_API_KEY}}
+          GATSBY_ALGOLIA_INDEX_NAME: ${{secrets.GATSBY_ALGOLIA_INDEX_NAME}}
+          GATSBY_ALGOLIA_APP_ID: ${{secrets.GATSBY_ALGOLIA_APP_ID}}
+          GATSBY_ALGOLIA_ADMIN_API_KEY: ${{secrets.GATSBY_ALGOLIA_ADMIN_API_KEY}}
+          GATSBY_GITHUB_SHA: ${{ github.sha }}
+          FAUNADB_SERVER_SECRET: ${{secrets.FAUNADB_SERVER_SECRET}}
+          NETLIFY_ENV: deploy-preview
+          NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+        run: yarn install --frozen-lockfile
+      - name: yarn build
+        env:
+          GATSBY_GITHUB_CLIENT_SECRET: ${{secrets.GATSBY_GITHUB_CLIENT_SECRET}}
+          GATSBY_GITHUB_CLIENT_ID: ${{secrets.GATSBY_GITHUB_CLIENT_ID}}
+          GATSBY_ALGOLIA_SEARCH_API_KEY: ${{secrets.GATSBY_ALGOLIA_SEARCH_API_KEY}}
+          GATSBY_ALGOLIA_INDEX_NAME: ${{secrets.GATSBY_ALGOLIA_INDEX_NAME}}
+          GATSBY_ALGOLIA_APP_ID: ${{secrets.GATSBY_ALGOLIA_APP_ID}}
+          GATSBY_ALGOLIA_ADMIN_API_KEY: ${{secrets.GATSBY_ALGOLIA_ADMIN_API_KEY}}
+          GATSBY_GITHUB_SHA: ${{ github.sha }}
+          FAUNADB_SERVER_SECRET: ${{secrets.FAUNADB_SERVER_SECRET}}
+          NETLIFY_ENV: deploy-preview
+        run: yarn build
       - name: Action Full Scan
-        uses: zaproxy/[email protected]
+        run: |
+          chmod 777 owasp/zap
+          docker-compose -f owasp/docker-compose-ci.yml up -d
+          docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -I -z "-config alert.maxInstances=0 -config view.locale=ja_JP"
+      - name: Deploy Report
+        uses: peaceiris/actions-gh-pages@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./owasp/zap/
+          destination_dir: owasp
+          keep_files: true
+          exclude_assets: '*.cer,*.key'
+      - name: push report
+        if: always()
+        uses: actions/upload-artifact@v3
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          docker_name: owasp/zap2docker-stable
-          target: ${{ inputs.target_website }}
-          cmd_options: >
-            -a
-            -j
-            -z "
-            -config alert.maxInstances=0
-            -config view.locale=ja_JP
-            "
+          name: owasp-report
+          path: owasp/zap/report.html

.github/workflows/previewDeploy.yml

@@ -42,8 +42,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -126,8 +124,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -175,8 +171,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -262,8 +256,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -330,8 +322,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -360,10 +350,10 @@ jobs:
       - name: summarize
         run: |
           cat test/memlab/data/out/leaks.txt
-          sed -i '1s/^/## Memlab leaks report\\n\`\`\`\\n/g' test/memlab/data/out/leaks.txt
+          sed -i '1s/^/## Memlab leaks report\\n\<details\>\\n\\n\`\`\`\\n/g' test/memlab/data/out/leaks.txt
           sed -i -z 's/\n/\\n/g' test/memlab/data/out/leaks.txt
           sed -i -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?m//g" test/memlab/data/out/leaks.txt
-          echo -n "\\n \`\`\` \\n " >> test/memlab/data/out/leaks.txt
+          echo -n "\\n \`\`\` \\n</details>\\n " >> test/memlab/data/out/leaks.txt
       - name: Post Memlab Report Comment
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -394,8 +384,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -432,17 +420,28 @@ jobs:
           echo '# Snyk vulnerability report' >> summarize.txt
           echo '## OSS packages' >> summarize.txt
           echo '' >> summarize.txt
+          echo '' >> summarize.txt
+          echo '<details>' >> summarize.txt
           cat snyk.txt | sed -z 's/\n/\\n/g' >> summarize.txt
+          echo '</details>' >> summarize.txt
           echo '' >> summarize.txt
           echo '' >> summarize.txt
           echo '## Application' >> summarize.txt
           echo '' >> summarize.txt
+          echo '' >> summarize.txt
+          echo '<details>' >> summarize.txt
           cat snyk_code.txt | sed -z 's/\n/\\n/g' >> summarize.txt
+          echo '</details>' >> summarize.txt
           echo '' >> summarize.txt
           echo '' >> summarize.txt
           echo '## IaC' >> summarize.txt
           echo '' >> summarize.txt
+          echo '' >> summarize.txt
+          echo '<details>' >> summarize.txt
+          echo '' >> summarize.txt
           cat snyk_iac.txt | sed -z 's/\n/\\n/g' >> summarize.txt
+          echo '' >> summarize.txt
+          echo '</details>' >> summarize.txt
           sed -i -z 's/\n/\\n/g' summarize.txt
           sed -i 's/Testing \.\.\.\.//g' summarize.txt
           sed -i 's/Testing \. \.\.\.//g' summarize.txt
@@ -461,7 +460,7 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v3
       - name: "depcheck"
-        uses: tubone24/depcheck_action@v1.1.0
+        uses: tubone24/depcheck_action@v1.2.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_COMMENT_URL: ${{ github.event.pull_request.comments_url }}
@@ -485,8 +484,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -519,8 +516,6 @@ jobs:
             ~/.cache
             ${{ steps.yarn-cache-dir-path.outputs.dir }}
             node_modules
-            .cache
-            public
           key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
           restore-keys: |
             ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
@@ -577,3 +572,18 @@ jobs:
                -d "{\"body\": \"$(cat cli.txt)\"}" \
                ${URL}
 
+
+  webscreenshot:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - check-skip-flags
+    steps:
+      - uses: actions/checkout@v3
+      - name: Capture Webpage Screenshot
+        if: ${{ !contains(needs.check-skip-flags.outputs.head-commit-message, '[skip netlify]') }}
+        uses: saadmk11/[email protected]
+        with:
+          upload_to: github_branch
+          capture_changed_html_files: yes
+          capture_urls: ${{ needs.build.outputs.draftUrl }}

.gitignore

@@ -41,3 +41,7 @@ test/memlab/data
 
 # synk
 .dccache
+
+# OWASPZAP
+owasp/zap/*.key
+owasp/zap/*.cer

README.md

@@ -10,6 +10,7 @@
 [![storybook](https://raw.githubusercontent.com/storybookjs/brand/master/badge/badge-storybook.svg)](https://blog-storybook.netlify.app/)
 [![time tracker](https://wakatime.com/badge/github/tubone24/blog.svg)](https://wakatime.com/badge/github/tubone24/blog)
 <a href="https://validator.w3.org/feed/check.cgi?url=https%3A//blog.tubone-project24.xyz/rss.xml"><img src="https://validator.w3.org/feed/images/valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>
+![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-score&lastDay=184)
 [![websiteup](https://img.shields.io/website.svg?down_color=red&down_message=down&up_color=green&up_message=up&url=https%3A%2F%2Fblog.tubone-project24.xyz)](https://blog.tubone-project24.xyz)
 
 ## What is this?
@@ -67,6 +68,8 @@ Special, thanks!
 - unused dependencies check by [depcheck](https://www.npmjs.com/package/depcheck) in [depcheck_action](https://github.com/tubone24/depcheck_action)
 - Update dependencies by [Renovate](https://www.whitesourcesoftware.com/free-developer-tools/renovate/)
 - Detect browser's memory leaks by [memlab](https://github.com/facebookincubator/memlab)
+- Detect vulnerability by [Snyk](https://app.snyk.io/)
+- Detect vulnerability by [OWASP ZAP](https://www.zaproxy.org/)
 
 ### For contributor of articles
 
@@ -214,7 +217,7 @@ cp .env.example .env
 | STORYBOOK_ALGOLIA_INDEX_NAME     | Algolia search's APP ID                                  | posts   | 
 | STORYBOOK_ALGOLIA_SEARCH_API_KEY | Algolia search's index name                              | -       | 
 | GATSBY_GITHUB_CLIENT_ID          | GitHub oAuth Client ID, use Gitalk                       | -       | 
-| GATSBY_GITHUB_CLIENT_SECRET      | GitHub oAuth Client Secret, use Gitalk                   | -       | 
+| GATSBY_GITHUB_CLIENT_SECRET      | GitHub oAuth Client Secret, use Gitalk                   | -       |
 | FAUNADB_SERVER_SECRET            | FaunaDB's Secret, use FaunaDB                            | -       | 
 
 ## CI/CD
@@ -270,30 +273,63 @@ I use [textlint](https://textlint.github.io/) to proofread my blog text.
 yarn textlint
 ```
 
-## Change Netlify Config
+## Infrastructure
+
+### Change Netlify Config
 
 Use Terraform Cloud to change Netlify configuration values.
 
 [Workspace](https://app.terraform.io/app/tubone24-test/workspaces/blog)
 
-## Detect credentials leak
-
-[Gitguardian](https://www.gitguardian.com/)
-
 ## Alert monitoring
 
 Use [Sentry](https://sentry.io/organizations/tubone-project24/projects/)
 
-## Automatic security vulnerability
+## Automatic security and vulnerability check
+
+### Detect credentials leak
+
+There is a security risk of credentials getting into the code, but we use [Gitguardian](https://www.gitguardian.com/) to check each PR to make sure they are not mixed in.
+
+### API Based
 
 API request based security check is used by [Brightsec](https://brightsec.com/)
 
-Also, [Snyk](https://app.snyk.io/org/tubone24/project/f01f63e7-832e-45ca-a080-eb4d0da4b8e6), OSS Package check and code, IaC code check.
+### static code analysis for vulnerability
+
+We use [Snyk](https://app.snyk.io/org/tubone24/project/f01f63e7-832e-45ca-a080-eb4d0da4b8e6) for static code analysis.
+In addition to detecting vulnerabilities in the libraries used, we scan code and IaC tools.
 
 If you create PR, check security vulnerability for [snyk CLI](https://docs.snyk.io/snyk-cli) and push PR comment.
 
 ![snyk comments](https://i.imgur.com/fEL1cFj.png)
 
+### OWASP ZAP
+
+[OWASP ZAP](https://www.zaproxy.org/) [Full Scan](https://www.zaproxy.org/docs/docker/full-scan/) can be run securely against a locally built Docker container.
+
+The results can be viewed at the following URL
+
+<https://tubone24.github.io/blog/owasp/report.html>
+
+Full Scan of OWASP ZAP has a very long execution time, so manual execution with [workflow_dispatch](https://github.com/tubone24/blog/actions/workflows/owaspzap.yml) is recommended.
+
+## CI Healthy
+
+Last 14 days, CI Score by [meercode.io](https://meercode.io)
+
+### CI Score
+
+![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-score&lastDay=14)
+
+### CI Count
+
+![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-count&lastDay=14)
+
+### CI Success Rate
+
+![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-success-rate&lastDay=14)
+
 # License
 
 - The source code under the MIT LICENSE.

owasp/Dockerfile

@@ -0,0 +1,8 @@
+FROM node:16.17.0-buster-slim
+
+ENV NODE_ENV production
+WORKDIR /app
+COPY ["package.json", "./"]
+COPY ["public", "public"]
+RUN npm install -g serve
+CMD ["serve", "-s", "-l", "9000", "public"]