From 1bcd8ca886e97f7b08ae6ce361922951f516c247 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Fri, 30 Dec 2022 21:33:10 +0900 Subject: [PATCH 01/31] [skip netlify] owaspzap --- .dockerignore | 1 + .github/workflows/owaspzap.yml | 20 ++++------------- owasp/Dockerfile | 8 +++++++ owasp/docker-compose-ci.yml | 40 +++++++++++++++++++++++++++++++++ owasp/docker-compose.yml | 41 ++++++++++++++++++++++++++++++++++ 5 files changed, 94 insertions(+), 16 deletions(-) create mode 100644 .dockerignore create mode 100644 owasp/Dockerfile create mode 100644 owasp/docker-compose-ci.yml create mode 100644 owasp/docker-compose.yml diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000000..3c3629e647 --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +node_modules diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index 7d9bf70109..b8bd97e689 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -1,10 +1,7 @@ name: OWASP ZAP Actions on: workflow_dispatch: - inputs: - target_website: - default: "https://blog.tubone-project24.xyz" - type: string + push: jobs: website-scan: runs-on: ubuntu-latest @@ -13,15 +10,6 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Action Full Scan - uses: zaproxy/action-full-scan@v0.4.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} - docker_name: owasp/zap2docker-stable - target: ${{ inputs.target_website }} - cmd_options: > - -a - -j - -z " - -config alert.maxInstances=0 - -config view.locale=ja_JP - " + run: | + docker-compose -f owasp/docker-compose-ci.yml up -d + docker-compose -f owasp/docker-compose-ci.yml exec owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" diff --git a/owasp/Dockerfile b/owasp/Dockerfile new file mode 100644 index 0000000000..78144c2b72 --- /dev/null +++ b/owasp/Dockerfile 
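Review bot: The bare `push:` trigger that replaces the `target_website` input in .github/workflows/owaspzap.yml runs the full DAST job on every push to every branch, and PATCH 02 later in this series puts repository secrets into that same job's environment, so any branch push now builds with those secrets available. A branch filter keeps the scan where it is meant to run, e.g. `push: {branches: [<deploy-branch>]}`, or keep `workflow_dispatch` alone while the pipeline is still being tuned. The job also has no `permissions:` block, so the token it receives carries the repository default scope; `permissions: {contents: read}` on the job is enough for checkout and the compose run. Dropping the input hard-wires the target to the compose service, which is fine for CI but deserves a line of explanation, e.g. `# scans the local web-target container, see owasp/docker-compose-ci.yml`.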
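Review bot: In the new `Action Full Scan` step, `docker-compose ... up -d` returns as soon as the containers are started, so the `exec owasp zap-full-scan.py -t http://web:9000` that follows can begin before `serve` is listening and the spider then sees a refused connection instead of the site. A bounded readiness loop between `up -d` and the scan fixes that; the probe below runs inside the `web` container with `node -e`, because the slim base image is unlikely to ship curl or wget (hedged). Without a cap the loop would hang the job if the target never comes up, hence `seq 1 30`. The rest of the step is unchanged.
```yaml
      run: |
        docker-compose -f owasp/docker-compose-ci.yml up -d
        # wait (max ~60s) for serve to answer before the scan starts
        for i in $(seq 1 30); do
          docker-compose -f owasp/docker-compose-ci.yml exec -T web node -e "require('http').get('http://localhost:9000/',r=>process.exit(r.statusCode<500?0:1)).on('error',()=>process.exit(1))" && break
          sleep 2
        done
        # … unchanged: zap-full-scan.py exec …
```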
@@ -0,0 +1,8 @@ +FROM node:16.17.0-buster-slim + +ENV NODE_ENV production +WORKDIR /app +COPY ["package.json", "./"] +COPY ["public", "public"] +RUN npm install -g serve +CMD ["serve", "-s", "-l", "9000", "public"] \ No newline at end of file diff --git a/owasp/docker-compose-ci.yml b/owasp/docker-compose-ci.yml new file mode 100644 index 0000000000..bb94bd18fe --- /dev/null +++ b/owasp/docker-compose-ci.yml @@ -0,0 +1,40 @@ +version: '3' + +services: + web: + container_name: web-target + build: + context: ../ + dockerfile: owasp/Dockerfile + command: + - "npx" + - "serve" + - "-s" + - "-l" + - "9000" + - "public" + ports: + - "9000:9000" # yarn serve + - "8000:8000" # yarn dev + networks: + - myNW + tty: true + + owasp: + container_name: owasp + image: owasp/zap2docker-stable + volumes: + - ./zap:/zap/wrk/ + ports: + - "18081:8080" + - "18090:8090" + depends_on: + - web + networks: + - myNW + - default + tty: true + +networks: + myNW: + internal: true diff --git a/owasp/docker-compose.yml b/owasp/docker-compose.yml new file mode 100644 index 0000000000..c4239ac636 --- /dev/null +++ b/owasp/docker-compose.yml @@ -0,0 +1,41 @@ +version: '3' + +services: + web: + container_name: web-target + build: + context: ../ + dockerfile: owasp/Dockerfile + command: + - "npx" + - "serve" + - "-s" + - "-l" + - "9000" + - "public" + ports: + - "9000:9000" # yarn serve + - "8000:8000" # yarn dev + networks: + - myNW + tty: true + + owasp: + container_name: owasp-web-ui + image: owasp/zap2docker-stable + command: bash -c "zap.sh -cmd -addonuninstall hud && zap-webswing.sh" + volumes: + - ./zap:/zap/wrk/ + ports: + - "18081:8080" + - "18090:8090" + depends_on: + - web + networks: + - myNW + - default + tty: true + +networks: + myNW: + internal: true From f75b6a205e25c9ba865cfd35a68d86a8ee6f347a Mon Sep 17 00:00:00 2001 
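Review bot: `RUN npm install -g serve` in the new owasp/Dockerfile installs whatever `serve` version the registry returns at build time, so the scan target is not reproducible and a breaking or compromised release lands silently; pin it, `RUN npm install -g serve@<pinned-version>`, to match the already pinned `node:16.17.0-buster-slim` base. The container also runs `serve` as root because there is no `USER` line, although the official node images ship a `node` user; `USER node` before `CMD` is enough here since port 9000 is unprivileged. `COPY ["package.json", "./"]` is never followed by an install step, so it is either unused or meant as documentation — a comment should say which. The file ends without a trailing newline (`\ No newline at end of file`).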
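Review bot: Both new compose files publish the ZAP ports (`18081:8080`, `18090:8090`) and the target ports (`9000:9000`, `8000:8000`) on every host interface; in owasp/docker-compose.yml, which is the one meant for a workstation, 8080 carries the webswing desktop UI started by its `command:` line, and nothing shown here puts authentication in front of it. Bind the host side to loopback, `- "127.0.0.1:18081:8080"` and `- "127.0.0.1:18090:8090"`, and the same for 9000, in both files. The `- "8000:8000" # yarn dev` mapping has no listener behind it in this file (the `command:` serves only on 9000), so it should go or be explained. The `web` service is attached only to the `internal: true` network, so whether its published ports are reachable from the host at all is worth confirming — if they are not, the mapping is dead configuration.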
From: "yu.otsubo" Date: Fri, 30 Dec 2022 21:36:11 +0900 Subject: [PATCH 02/31] [skip netlify] owaspzap --- .github/workflows/owaspzap.yml | 52 ++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index b8bd97e689..9545b8d1d9 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml 
@@ -7,8 +7,56 @@ jobs: runs-on: ubuntu-latest name: DAST (Dynamic Application Security Testing) steps: - - name: Checkout - uses: actions/checkout@v2 + - name: Checkout source code + uses: actions/checkout@v3 + - name: Setup Node + uses: actions/setup-node@v3 + with: + node-version: 16.x + registry-url: https://npm.pkg.github.com/ + scope: '@tubone24' + - name: Get yarn cache directory path + id: yarn-cache-dir-path + run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT + - name: Cache + uses: actions/cache@v3 + with: + path: | + ~/.cache + ${{ steps.yarn-cache-dir-path.outputs.dir }} + node_modules + .cache + public + key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} + restore-keys: | + ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} + ${{ runner.os }}-build- + ${{ runner.os }}- + - name: yarn install + env: + GATSBY_GITHUB_CLIENT_SECRET: ${{secrets.GATSBY_GITHUB_CLIENT_SECRET}} + GATSBY_GITHUB_CLIENT_ID: ${{secrets.GATSBY_GITHUB_CLIENT_ID}} + GATSBY_ALGOLIA_SEARCH_API_KEY: ${{secrets.GATSBY_ALGOLIA_SEARCH_API_KEY}} + GATSBY_ALGOLIA_INDEX_NAME: ${{secrets.GATSBY_ALGOLIA_INDEX_NAME}} + GATSBY_ALGOLIA_APP_ID: ${{secrets.GATSBY_ALGOLIA_APP_ID}} + GATSBY_ALGOLIA_ADMIN_API_KEY: ${{secrets.GATSBY_ALGOLIA_ADMIN_API_KEY}} + GATSBY_GITHUB_SHA: ${{ github.sha }} + FAUNADB_SERVER_SECRET: ${{secrets.FAUNADB_SERVER_SECRET}} + NETLIFY_ENV: deploy-preview + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} + run: yarn install --frozen-lockfile + - name: yarn build + env: + GATSBY_GITHUB_CLIENT_SECRET: ${{secrets.GATSBY_GITHUB_CLIENT_SECRET}} + GATSBY_GITHUB_CLIENT_ID: ${{secrets.GATSBY_GITHUB_CLIENT_ID}} + GATSBY_ALGOLIA_SEARCH_API_KEY: ${{secrets.GATSBY_ALGOLIA_SEARCH_API_KEY}} + GATSBY_ALGOLIA_INDEX_NAME: ${{secrets.GATSBY_ALGOLIA_INDEX_NAME}} + GATSBY_ALGOLIA_APP_ID: ${{secrets.GATSBY_ALGOLIA_APP_ID}} + GATSBY_ALGOLIA_ADMIN_API_KEY: ${{secrets.GATSBY_ALGOLIA_ADMIN_API_KEY}} + GATSBY_GITHUB_SHA: ${{ github.sha }} + 
FAUNADB_SERVER_SECRET: ${{secrets.FAUNADB_SERVER_SECRET}} + NETLIFY_ENV: deploy-preview + run: yarn build - name: Action Full Scan run: | docker-compose -f owasp/docker-compose-ci.yml up -d From adcceaf52e9d97eb9a691ee2873233c7768869b0 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Fri, 30 Dec 2022 21:42:38 +0900 Subject: [PATCH 03/31] [skip netlify] not tty --- owasp/docker-compose-ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/owasp/docker-compose-ci.yml b/owasp/docker-compose-ci.yml index bb94bd18fe..b81996793e 100644 --- a/owasp/docker-compose-ci.yml +++ b/owasp/docker-compose-ci.yml @@ -18,7 +18,6 @@ services: - "8000:8000" # yarn dev networks: - myNW - tty: true owasp: container_name: owasp @@ -33,7 +32,6 @@ services: networks: - myNW - default - tty: true networks: myNW: From 41d72031c2488cbdd96b5fca488694d058ff7fd6 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Fri, 30 Dec 2022 21:54:12 +0900 Subject: [PATCH 04/31] [skip netlify] not tty --- owasp/docker-compose-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/owasp/docker-compose-ci.yml b/owasp/docker-compose-ci.yml index b81996793e..583b200eb8 100644 --- a/owasp/docker-compose-ci.yml +++ b/owasp/docker-compose-ci.yml @@ -22,6 +22,7 @@ services: owasp: container_name: owasp image: owasp/zap2docker-stable + command: bash -c "zap.sh -cmd -addonuninstall hud && zap-webswing.sh" volumes: - ./zap:/zap/wrk/ ports: From ff30a138fa7073b0ac2eb02b9faa9ad8bd50b985 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Fri, 30 Dec 2022 22:00:24 +0900 Subject: [PATCH 05/31] [skip netlify] not tty --- owasp/docker-compose-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/owasp/docker-compose-ci.yml b/owasp/docker-compose-ci.yml index 583b200eb8..40cc16b52b 100644 --- a/owasp/docker-compose-ci.yml +++ b/owasp/docker-compose-ci.yml @@ -33,6 +33,7 @@ services: networks: - myNW - default + tty: true networks: myNW: From 6cce14f98536a38339dd58d08362a1b1dbae1545 Mon Sep 17 00:00:00 2001 
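Review bot: The new `yarn install` step in .github/workflows/owaspzap.yml exports `GATSBY_ALGOLIA_ADMIN_API_KEY`, `FAUNADB_SERVER_SECRET` and the other build secrets into the environment of dependency installation, where every package's install or postinstall script can read them; only `NODE_AUTH_TOKEN` is needed to install, so the step's `env:` should be reduced to `NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}` and the rest left on `yarn build`. Combined with the bare `push:` trigger from PATCH 01, a lockfile change on any branch runs with those secrets in scope; `--ignore-scripts` on the install would narrow that further if the build tolerates it (hedged). The cache key uses `env.cache-version`, and no `env:` block is visible in the parts of this file shown in the series, so the key presumably collapses to `<os>-build--<hash>` — harmless, but not the versioned key it looks like. The `run:` block of the last step continues outside the hunk.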
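Review bot: The `command:` added to the `owasp` service in owasp/docker-compose-ci.yml starts `zap-webswing.sh`, a browser-accessible ZAP desktop, inside a CI container whose only role in the workflow is to host the `zap-full-scan.py` exec; presumably this replaces `tty: true` as a way to keep the container alive, but it brings up a second ZAP instance and a UI on the published 8080 port for nothing. A plain keepalive does the same with less surface, e.g. `command: ["tail", "-f", "/dev/null"]`, assuming the image's userland has it (hedged). A comment distinguishing this file from owasp/docker-compose.yml, where the UI is the point, would stop the two from drifting: `# CI only: the container just hosts zap-full-scan.py via exec, no UI needed`.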
From: "tubone(Yu Otsubo)" Date: Fri, 30 Dec 2022 22:11:43 +0900 Subject: [PATCH 06/31] Update docker-compose-ci.yml --- owasp/docker-compose-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/owasp/docker-compose-ci.yml b/owasp/docker-compose-ci.yml index 40cc16b52b..583b200eb8 100644 --- a/owasp/docker-compose-ci.yml +++ b/owasp/docker-compose-ci.yml @@ -33,7 +33,6 @@ services: networks: - myNW - default - tty: true networks: myNW: From 7f72678be35ccbb2b415fdb3973ce643de38fce2 Mon Sep 17 00:00:00 2001 From: "tubone(Yu Otsubo)" Date: Fri, 30 Dec 2022 22:12:27 +0900 Subject: [PATCH 07/31] Update owaspzap.yml --- .github/workflows/owaspzap.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index 9545b8d1d9..5d6bb5a19f 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -60,4 +60,4 @@ jobs: - name: Action Full Scan run: | docker-compose -f owasp/docker-compose-ci.yml up -d - docker-compose -f owasp/docker-compose-ci.yml exec owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" + docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" From 34f9c3a8893e1416399842dc30c2488303b03fff Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Fri, 30 Dec 2022 23:54:08 +0900 Subject: [PATCH 08/31] gitkeep --- owasp/zap/.gitkeep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 owasp/zap/.gitkeep diff --git a/owasp/zap/.gitkeep b/owasp/zap/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 From 212eee3d36ad12fcfc8edbb7ab5ac5b17a180c31 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 10:18:42 +0900 Subject: [PATCH 09/31] [skip netlify] not tty --- .github/workflows/owaspzap.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index 5d6bb5a19f..a42e1f24d6 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -59,5 +59,6 @@ jobs: run: yarn build - name: Action Full Scan run: | + chmod 777 zap docker-compose -f owasp/docker-compose-ci.yml up -d docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" From 64ad96634a3ca3a469d23205642a1ceb2d4001ac Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 10:26:31 +0900 Subject: [PATCH 10/31] [skip netlify] not tty --- .github/workflows/owaspzap.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index a42e1f24d6..36a985a32c 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -59,6 +59,11 @@ jobs: run: yarn build - name: Action Full Scan run: | - chmod 777 zap + chmod 777 owasp/zap docker-compose -f owasp/docker-compose-ci.yml up -d docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" + - name: push report + uses: actions/upload-artifact@v3 + with: + name: owasp-report + path: owasp/zap/report.html From f61b0e6262e27af1ca5735468628e50ac593a5e8 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 10:52:15 +0900 Subject: [PATCH 11/31] [skip netlify] not tty --- .github/workflows/owaspzap.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index 36a985a32c..65c30d7b01 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml 
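Review bot: `chmod 777 zap` in the `Action Full Scan` step makes the report directory world-writable and executable; if the intent is to let the container's non-root user write `report.html` into the `./zap:/zap/wrk/` bind mount, `chmod o+w owasp/zap` grants exactly that and nothing more (PATCH 10 corrects the path to `owasp/zap` but keeps 777). On an ephemeral runner the practical exposure is small, but the grant should still be the narrowest that works, and the line needs a why-comment, e.g. `# the ZAP container runs as a non-root uid that must write report.html into this bind mount` — confirm the uid rather than assume it. The `run:` block starts outside the hunk.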
@@ -62,6 +62,14 @@ jobs: chmod 777 owasp/zap docker-compose -f owasp/docker-compose-ci.yml up -d docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" + - name: Capture Webpage Screenshot + uses: saadmk11/comment-website-screenshot@v0.5 + with: + upload_to: github_branch + capture_changed_html_files: yes + # Comma separated paths to any other HTML File + capture_html_file_paths: "owasp/zap/report.html" + - name: push report uses: actions/upload-artifact@v3 with: From 7bf326dc2d88a62d409ca34ea613539c21af87fc Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 11:40:02 +0900 Subject: [PATCH 12/31] [skip netlify] not tty --- .github/workflows/owaspzap.yml | 3 ++- .github/workflows/previewDeploy.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index 65c30d7b01..d28e07fcc3 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -63,14 +63,15 @@ jobs: docker-compose -f owasp/docker-compose-ci.yml up -d docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" - name: Capture Webpage Screenshot + if: always() uses: saadmk11/comment-website-screenshot@v0.5 with: upload_to: github_branch capture_changed_html_files: yes - # Comma separated paths to any other HTML File capture_html_file_paths: "owasp/zap/report.html" - name: push report + if: always() uses: actions/upload-artifact@v3 with: name: owasp-report diff --git a/.github/workflows/previewDeploy.yml b/.github/workflows/previewDeploy.yml index 110137267d..24055682d2 100644 --- a/.github/workflows/previewDeploy.yml +++ b/.github/workflows/previewDeploy.yml 
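Review bot: `saadmk11/comment-website-screenshot@v0.5` is a third-party action referenced by a mutable tag and, with `upload_to: github_branch`, it pushes to this repository using the job's token; a tag can be moved after review, so pin to a full commit SHA and keep the tag as a comment, `uses: saadmk11/comment-website-screenshot@<full-commit-sha> # v0.5`, and do the same for `peaceiris/actions-gh-pages@v3` added in PATCH 17. `capture_changed_html_files: yes` is a YAML 1.1 boolean-looking scalar; write `true`, or `"yes"` if the action documents the literal word, so the value does not depend on the parser. The job header is outside this hunk and no `permissions:` block appears anywhere in this file in the series, so the token is broader than the `contents: write` this push needs.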
@@ -461,7 +461,7 @@ jobs: - name: Checkout source code uses: actions/checkout@v3 - name: "depcheck" - uses: tubone24/depcheck_action@v1.1.0 + uses: tubone24/depcheck_action@main with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_COMMENT_URL: ${{ github.event.pull_request.comments_url }} From 0a280d11803b1a37597141dd214e0239fa0f8790 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 11:59:06 +0900 Subject: [PATCH 13/31] [skip netlify] snyk --- .github/workflows/previewDeploy.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/previewDeploy.yml b/.github/workflows/previewDeploy.yml index 24055682d2..80cbf9008f 100644 --- a/.github/workflows/previewDeploy.yml +++ b/.github/workflows/previewDeploy.yml @@ -432,17 +432,28 @@ jobs: echo '# Snyk vulnerability report' >> summarize.txt echo '## OSS packages' >> summarize.txt echo '' >> summarize.txt + echo '' >> summarize.txt + echo '
' >> summarize.txt cat snyk.txt | sed -z 's/\n/\\n/g' >> summarize.txt + echo '
' >> summarize.txt echo '' >> summarize.txt echo '' >> summarize.txt echo '## Application' >> summarize.txt echo '' >> summarize.txt + echo '' >> summarize.txt + echo '
' >> summarize.txt cat snyk_code.txt | sed -z 's/\n/\\n/g' >> summarize.txt + echo '
' >> summarize.txt echo '' >> summarize.txt echo '' >> summarize.txt echo '## IaC' >> summarize.txt echo '' >> summarize.txt + echo '' >> summarize.txt + echo '
' >> summarize.txt + echo '' >> summarize.txt cat snyk_iac.txt | sed -z 's/\n/\\n/g' >> summarize.txt + echo '' >> summarize.txt + echo '
' >> summarize.txt sed -i -z 's/\n/\\n/g' summarize.txt sed -i 's/Testing \.\.\.\.//g' summarize.txt sed -i 's/Testing \. \.\.\.//g' summarize.txt @@ -461,7 +472,7 @@ jobs: - name: Checkout source code uses: actions/checkout@v3 - name: "depcheck" - uses: tubone24/depcheck_action@main + uses: tubone24/depcheck_action@v1.2.0 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PR_COMMENT_URL: ${{ github.event.pull_request.comments_url }} From 0bf35c0bcc4ea905f1fd000379b393326d63546e Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 12:09:29 +0900 Subject: [PATCH 14/31] [skip netlify] snyk --- .github/workflows/previewDeploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/previewDeploy.yml b/.github/workflows/previewDeploy.yml index 80cbf9008f..0ebe3ab91a 100644 --- a/.github/workflows/previewDeploy.yml +++ b/.github/workflows/previewDeploy.yml @@ -360,10 +360,10 @@ jobs: - name: summarize run: | cat test/memlab/data/out/leaks.txt - sed -i '1s/^/## Memlab leaks report\\n\`\`\`\\n/g' test/memlab/data/out/leaks.txt + sed -i '1s/^/## Memlab leaks report\\n\`\`\`\\n\\\n/g' test/memlab/data/out/leaks.txt sed -i -z 's/\n/\\n/g' test/memlab/data/out/leaks.txt sed -i -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?m//g" test/memlab/data/out/leaks.txt - echo -n "\\n \`\`\` \\n " >> test/memlab/data/out/leaks.txt + echo -n "\\n \`\`\` \\n\\n " >> test/memlab/data/out/leaks.txt - name: Post Memlab Report Comment env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 167f06066c03a1dd540143aac0151515dc22576e Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 13:23:19 +0900 Subject: [PATCH 15/31] [skip netlify] snyk --- .github/workflows/previewDeploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/previewDeploy.yml b/.github/workflows/previewDeploy.yml index 0ebe3ab91a..8e90085511 100644 --- a/.github/workflows/previewDeploy.yml +++ b/.github/workflows/previewDeploy.yml 
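Review bot: The new `cat snyk.txt | sed -z 's/\n/\\n/g'` lines in the summarize step of .github/workflows/previewDeploy.yml escape only newlines; if summarize.txt is later embedded in a JSON request body (its consumer is outside this hunk), double quotes and backslashes in the Snyk output pass through unescaped and will break or alter the comment. `jq -Rs . snyk.txt` produces a fully escaped JSON string in one step and also removes the `cat … |` pipes (`sed -z … snyk.txt` reads the file directly otherwise). The memlab summarize step changed in PATCH 14 and PATCH 15 builds its string the same way and has the same gap. The `run:` block starts outside the hunk.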
@@ -360,7 +360,7 @@ jobs: - name: summarize run: | cat test/memlab/data/out/leaks.txt - sed -i '1s/^/## Memlab leaks report\\n\`\`\`\\n\\\n/g' test/memlab/data/out/leaks.txt + sed -i '1s/^/## Memlab leaks report\\n\\\n\\n\`\`\`\\n/g' test/memlab/data/out/leaks.txt sed -i -z 's/\n/\\n/g' test/memlab/data/out/leaks.txt sed -i -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?m//g" test/memlab/data/out/leaks.txt echo -n "\\n \`\`\` \\n\\n " >> test/memlab/data/out/leaks.txt From 1edf994b96353b84c73194ffffc9c0cfad80eed5 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 13:41:05 +0900 Subject: [PATCH 16/31] [skip netlify] snyk --- .github/workflows/deploy.yml | 6 ------ .github/workflows/owaspzap.yml | 4 +--- .github/workflows/previewDeploy.yml | 16 ---------------- 3 files changed, 1 insertion(+), 25 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a315066c41..3fb2af0003 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -28,8 +28,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -161,8 +159,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -224,8 +220,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index d28e07fcc3..429396fe92 100644 
--- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -25,8 +25,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -61,7 +59,7 @@ jobs: run: | chmod 777 owasp/zap docker-compose -f owasp/docker-compose-ci.yml up -d - docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -z "-config alert.maxInstances=0 -config view.locale=ja_JP" + docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -I -m 1 -z "-config alert.maxInstances=0 -config view.locale=ja_JP" - name: Capture Webpage Screenshot if: always() uses: saadmk11/comment-website-screenshot@v0.5 diff --git a/.github/workflows/previewDeploy.yml b/.github/workflows/previewDeploy.yml index 8e90085511..ba63724548 100644 --- a/.github/workflows/previewDeploy.yml +++ b/.github/workflows/previewDeploy.yml @@ -42,8 +42,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -126,8 +124,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} 
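Review bot: Adding `-I` to the `zap-full-scan.py` line means the step now exits 0 whatever the scan finds, so from this commit on the DAST job can no longer fail a build and only the published report carries the result; if report-only is the intent, say so on the line, e.g. `# -I: report-only, findings never fail the job; -m 1: cap the spider at one minute`, otherwise drop `-I` and tune severities with a rules file (`-c`). `-m 1` also limits the spider to one minute, which on a site of any size leaves most pages uncrawled, so a clean report should not be read as coverage. The `run:` block starts outside the hunk.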
@@ -175,8 +171,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -262,8 +256,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -330,8 +322,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -394,8 +384,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -496,8 +484,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} @@ -530,8 +516,6 @@ jobs: ~/.cache ${{ steps.yarn-cache-dir-path.outputs.dir }} node_modules - .cache - public key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} restore-keys: | ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }} From 51bd6011a360ce29f9b69c160c1be84610163c02 Mon Sep 17 00:00:00 2001 
From: "yu.otsubo" Date: Sat, 31 Dec 2022 14:13:13 +0900 Subject: [PATCH 17/31] [skip netlify] deploy report --- .github/workflows/owaspzap.yml | 9 ++++++++- owasp/docker-compose-ci.yml | 1 - 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index 429396fe92..cf62378623 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml @@ -67,7 +67,14 @@ jobs: upload_to: github_branch capture_changed_html_files: yes capture_html_file_paths: "owasp/zap/report.html" - + - name: Deploy Report + uses: peaceiris/actions-gh-pages@v3 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + publish_dir: ./public + destination_dir: owasp + keep_files: true + exclude_assets: '*.cer,*.key' - name: push report if: always() uses: actions/upload-artifact@v3 diff --git a/owasp/docker-compose-ci.yml b/owasp/docker-compose-ci.yml index 583b200eb8..dcf2f1cbdc 100644 --- a/owasp/docker-compose-ci.yml +++ b/owasp/docker-compose-ci.yml @@ -32,7 +32,6 @@ services: - web networks: - myNW - - default networks: myNW: From 16c1b785f66e5fab10a597ef2d23e14015e7da03 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 14:34:53 +0900 Subject: [PATCH 18/31] [skip netlify] deploy report --- .github/workflows/owaspzap.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/owaspzap.yml b/.github/workflows/owaspzap.yml index cf62378623..978f669fa7 100644 --- a/.github/workflows/owaspzap.yml +++ b/.github/workflows/owaspzap.yml 
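Review bot: The new `Deploy Report` step publishes `publish_dir: ./public` — the Gatsby build output — under `destination_dir: owasp` on the pages branch, while the ZAP report is written to `owasp/zap/report.html` through the `./zap:/zap/wrk/` mount, so the step name and what it publishes disagree; presumably `publish_dir: ./owasp/zap` was meant. Publishing the full-scan report at all makes a list of unpatched findings about the site public, and with the bare `push:` trigger every branch push republishes it; restrict this to the deploy branch and consider the existing `push report` artifact upload as the only copy. `keep_files: true` means old reports accumulate with no pruning, and `exclude_assets: '*.cer,*.key'` suggests such files can appear in the published tree — if so they should never reach the build output in the first place (hedged, not visible here). Unlike its neighbours the step has no `if: always()`; with `-I` already on the scan that rarely matters, but it is inconsistent.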
@@ -60,13 +60,6 @@ jobs: chmod 777 owasp/zap docker-compose -f owasp/docker-compose-ci.yml up -d docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -I -m 1 -z "-config alert.maxInstances=0 -config view.locale=ja_JP" - - name: Capture Webpage Screenshot - if: always() - uses: saadmk11/comment-website-screenshot@v0.5 - with: - upload_to: github_branch - capture_changed_html_files: yes - capture_html_file_paths: "owasp/zap/report.html" - name: Deploy Report uses: peaceiris/actions-gh-pages@v3 with: From e1258315883dd4355ebcde8ab7f0b2128feb75a8 Mon Sep 17 00:00:00 2001 From: "yu.otsubo" Date: Sat, 31 Dec 2022 14:54:54 +0900 Subject: [PATCH 19/31] Add CSP --- src/html.tsx | 5 ++++- static/_headers | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) create mode 100644 static/_headers diff --git a/src/html.tsx b/src/html.tsx index 4002dc3826..06b433b273 100644 --- a/src/html.tsx +++ b/src/html.tsx @@ -32,7 +32,10 @@ const HTML = ({ {preBodyComponents}