[skip netlify] owaspzap #1184

Merged
merged 31 commits into from
Dec 31, 2022
1 change: 1 addition & 0 deletions .dockerignore
@@ -0,0 +1 @@
node_modules
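Review bot: only `node_modules` is excluded, while the `owasp/Dockerfile` added in this PR copies just `package.json` and `public`; everything else in the build context (`.git`, `.cache`, and the `owasp/zap` work directory that `.gitignore` now marks as holding `*.key`/`*.cer` files) is still sent to the Docker daemon on every build. Add `.git`, `.cache` and `owasp/zap` here; note this file only applies if the compose build context is the repository root, and if the context is `owasp/` it needs its own `.dockerignore`.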
6 changes: 0 additions & 6 deletions .github/workflows/deploy.yml
Expand Up @@ -28,8 +28,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
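Review bot: dropping `.cache` and `public` from the cache `path` does not stop older cache entries from restoring them, because the key (`${{ runner.os }}-build-${{ env.cache-version }}-…`) is unchanged and actions/cache restores the whole archive stored under a matching key, not only the paths now listed. Bump `cache-version` (currently `v1`) together with this change so stale Gatsby build output is not restored into a fresh build; the same applies to the other two hunks in this file.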
Expand Down Expand Up @@ -161,8 +159,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -224,8 +220,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
84 changes: 67 additions & 17 deletions .github/workflows/owaspzap.yml
@@ -1,27 +1,77 @@
name: OWASP ZAP Actions
on:
workflow_dispatch:
inputs:
target_website:
default: "https://blog.tubone-project24.xyz"
type: string
env:
cache-version: v1
jobs:
website-scan:
runs-on: ubuntu-latest
name: DAST (Dynamic Application Security Testing)
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Checkout source code
uses: actions/checkout@v3
- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: 16.x
registry-url: https://npm.pkg.github.com/
scope: '@tubone24'
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
- name: Cache
uses: actions/cache@v3
with:
path: |
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
${{ runner.os }}-build-
${{ runner.os }}-
- name: yarn install
env:
GATSBY_GITHUB_CLIENT_SECRET: ${{secrets.GATSBY_GITHUB_CLIENT_SECRET}}
GATSBY_GITHUB_CLIENT_ID: ${{secrets.GATSBY_GITHUB_CLIENT_ID}}
GATSBY_ALGOLIA_SEARCH_API_KEY: ${{secrets.GATSBY_ALGOLIA_SEARCH_API_KEY}}
GATSBY_ALGOLIA_INDEX_NAME: ${{secrets.GATSBY_ALGOLIA_INDEX_NAME}}
GATSBY_ALGOLIA_APP_ID: ${{secrets.GATSBY_ALGOLIA_APP_ID}}
GATSBY_ALGOLIA_ADMIN_API_KEY: ${{secrets.GATSBY_ALGOLIA_ADMIN_API_KEY}}
GATSBY_GITHUB_SHA: ${{ github.sha }}
FAUNADB_SERVER_SECRET: ${{secrets.FAUNADB_SERVER_SECRET}}
NETLIFY_ENV: deploy-preview
NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}}
run: yarn install --frozen-lockfile
- name: yarn build
env:
GATSBY_GITHUB_CLIENT_SECRET: ${{secrets.GATSBY_GITHUB_CLIENT_SECRET}}
GATSBY_GITHUB_CLIENT_ID: ${{secrets.GATSBY_GITHUB_CLIENT_ID}}
GATSBY_ALGOLIA_SEARCH_API_KEY: ${{secrets.GATSBY_ALGOLIA_SEARCH_API_KEY}}
GATSBY_ALGOLIA_INDEX_NAME: ${{secrets.GATSBY_ALGOLIA_INDEX_NAME}}
GATSBY_ALGOLIA_APP_ID: ${{secrets.GATSBY_ALGOLIA_APP_ID}}
GATSBY_ALGOLIA_ADMIN_API_KEY: ${{secrets.GATSBY_ALGOLIA_ADMIN_API_KEY}}
GATSBY_GITHUB_SHA: ${{ github.sha }}
FAUNADB_SERVER_SECRET: ${{secrets.FAUNADB_SERVER_SECRET}}
NETLIFY_ENV: deploy-preview
run: yarn build
- name: Action Full Scan
uses: zaproxy/[email protected]
run: |
chmod 777 owasp/zap
docker-compose -f owasp/docker-compose-ci.yml up -d
docker-compose -f owasp/docker-compose-ci.yml exec -T owasp zap-full-scan.py -t http://web:9000 -r report.html -a -d -j -I -z "-config alert.maxInstances=0 -config view.locale=ja_JP"
- name: Deploy Report
uses: peaceiris/actions-gh-pages@v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./owasp/zap/
destination_dir: owasp
keep_files: true
exclude_assets: '*.cer,*.key'
- name: push report
if: always()
uses: actions/upload-artifact@v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: owasp/zap2docker-stable
target: ${{ inputs.target_website }}
cmd_options: >
-a
-j
-z "
-config alert.maxInstances=0
-config view.locale=ja_JP
"
name: owasp-report
path: owasp/zap/report.html
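Review bot: `docker-compose ... up -d` is followed immediately by the `exec` that launches `zap-full-scan.py`, so the spider can hit `http://web:9000` before `serve` is listening and the scan then reports an unreachable or empty target; poll the web service until it answers (or give it a compose healthcheck) before starting the scan. The `yarn install` step is handed every `GATSBY_*` secret and `FAUNADB_SERVER_SECRET` although `yarn install --frozen-lockfile` only needs `NODE_AUTH_TOKEN`; trim that env block to the token so install-time scripts never see the other secrets. `-I` makes `zap-full-scan.py` exit 0 regardless of alerts, so this job never fails on findings and the published report is the only signal; fine for a report-only job, but worth a comment in the workflow. `publish_dir: ./owasp/zap/` with `keep_files: true` publishes everything ZAP writes into that directory, relying on `exclude_assets: '*.cer,*.key'` to keep key material off the public branch; writing the report to its own directory and publishing only that is the safer shape. Finally, unless `docker-compose-ci.yml` reads it, `inputs.target_website` is no longer used by any step (the scan targets `http://web:9000`), so either drop the input or pass it through to the compose file.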
48 changes: 29 additions & 19 deletions .github/workflows/previewDeploy.yml
Expand Up @@ -42,8 +42,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
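Review bot: as in deploy.yml, removing `.cache` and `public` from `path` without changing the cache key means existing entries under `${{ runner.os }}-build-${{ env.cache-version }}-…` still restore those directories; bump `cache-version` in this workflow too. This applies to each of the cache hunks in this file.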
Expand Down Expand Up @@ -126,8 +124,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -175,8 +171,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -262,8 +256,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -330,8 +322,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -360,10 +350,10 @@ jobs:
- name: summarize
run: |
cat test/memlab/data/out/leaks.txt
sed -i '1s/^/## Memlab leaks report\\n\`\`\`\\n/g' test/memlab/data/out/leaks.txt
sed -i '1s/^/## Memlab leaks report\\n\<details\>\\n\\n\`\`\`\\n/g' test/memlab/data/out/leaks.txt
sed -i -z 's/\n/\\n/g' test/memlab/data/out/leaks.txt
sed -i -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?m//g" test/memlab/data/out/leaks.txt
echo -n "\\n \`\`\` \\n " >> test/memlab/data/out/leaks.txt
echo -n "\\n \`\`\` \\n</details>\\n " >> test/memlab/data/out/leaks.txt
- name: Post Memlab Report Comment
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
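Review bot: the `<details>` block is opened without a `<summary>`, so the comment renders with a bare "Details" toggle; add `<summary>Memlab leaks</summary>` right after `<details>` (it can go into the same `sed -i '1s/^/…/'` prefix). Also, the only escaping applied here is newline to `\n` (`sed -i -z 's/\n/\\n/g'`) plus ANSI stripping; if this text is later interpolated into a JSON body the way `cli.txt` is further down (`-d "{\"body\": \"$(cat cli.txt)\"}"`), any `"` or `\` in the memlab output will break or alter the request body.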
Expand Down Expand Up @@ -394,8 +384,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -432,17 +420,28 @@ jobs:
echo '# Snyk vulnerability report' >> summarize.txt
echo '## OSS packages' >> summarize.txt
echo '' >> summarize.txt
echo '' >> summarize.txt
echo '<details>' >> summarize.txt
cat snyk.txt | sed -z 's/\n/\\n/g' >> summarize.txt
echo '</details>' >> summarize.txt
echo '' >> summarize.txt
echo '' >> summarize.txt
echo '## Application' >> summarize.txt
echo '' >> summarize.txt
echo '' >> summarize.txt
echo '<details>' >> summarize.txt
cat snyk_code.txt | sed -z 's/\n/\\n/g' >> summarize.txt
echo '</details>' >> summarize.txt
echo '' >> summarize.txt
echo '' >> summarize.txt
echo '## IaC' >> summarize.txt
echo '' >> summarize.txt
echo '' >> summarize.txt
echo '<details>' >> summarize.txt
echo '' >> summarize.txt
cat snyk_iac.txt | sed -z 's/\n/\\n/g' >> summarize.txt
echo '' >> summarize.txt
echo '</details>' >> summarize.txt
sed -i -z 's/\n/\\n/g' summarize.txt
sed -i 's/Testing \.\.\.\.//g' summarize.txt
sed -i 's/Testing \. \.\.\.//g' summarize.txt
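Review bot: the per-file `cat snyk.txt | sed -z 's/\n/\\n/g' >> summarize.txt` pipelines are redundant, because `sed -i -z 's/\n/\\n/g' summarize.txt` at the end of the block converts every remaining newline anyway; plain `cat snyk.txt >> summarize.txt` (and likewise for `snyk_code.txt` and `snyk_iac.txt`) gives the same result with less to get wrong. Each `<details>` also lacks a `<summary>`, so the OSS, Application and IaC sections all collapse to identical "Details" toggles; put the section name in a `<summary>` so the headings and toggles match.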
Expand All @@ -461,7 +460,7 @@ jobs:
- name: Checkout source code
uses: actions/checkout@v3
- name: "depcheck"
uses: tubone24/depcheck_action@v1.1.0
uses: tubone24/depcheck_action@v1.2.0
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_COMMENT_URL: ${{ github.event.pull_request.comments_url }}
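Review bot: `tubone24/depcheck_action@v1.2.0` is pinned to a tag, which can be moved after the fact; for an action that receives `GITHUB_TOKEN` and posts to the PR (even your own), pin the full commit SHA and keep the tag as a comment (`uses: tubone24/depcheck_action@<sha> # v1.2.0`) so a retagged release cannot change what runs in this workflow.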
Expand All @@ -485,8 +484,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -519,8 +516,6 @@ jobs:
~/.cache
${{ steps.yarn-cache-dir-path.outputs.dir }}
node_modules
.cache
public
key: ${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-version }}-${{ hashFiles('**/yarn.lock') }}
Expand Down Expand Up @@ -577,3 +572,18 @@ jobs:
-d "{\"body\": \"$(cat cli.txt)\"}" \
${URL}


webscreenshot:
runs-on: ubuntu-latest
needs:
- build
- check-skip-flags
steps:
- uses: actions/checkout@v3
- name: Capture Webpage Screenshot
if: ${{ !contains(needs.check-skip-flags.outputs.head-commit-message, '[skip netlify]') }}
uses: saadmk11/[email protected]
with:
upload_to: github_branch
capture_changed_html_files: yes
capture_urls: ${{ needs.build.outputs.draftUrl }}
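Review bot: the `[skip netlify]` guard sits on the "Capture Webpage Screenshot" step rather than the `webscreenshot` job, so the job still waits on `build` and `check-skip-flags` and starts a runner only to skip its single step; move the `if:` to the job level, where `needs.check-skip-flags.outputs.head-commit-message` is equally available. `saadmk11/[email protected]` with `upload_to: github_branch` pushes into the repository using the default token; pin it by commit SHA and give the job an explicit `permissions:` block limited to what the push needs. In the preceding context, `-d "{\"body\": \"$(cat cli.txt)\"}"` builds the comment JSON by string interpolation, so a `"` in `cli.txt` breaks the request; `jq -n --rawfile body cli.txt '{body: $body}'` produces a correctly escaped body.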
4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -41,3 +41,7 @@ test/memlab/data

# synk
.dccache

# OWASPZAP
owasp/zap/*.key
owasp/zap/*.cer
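Review bot: `owasp/zap/*.key` and `owasp/zap/*.cer` confirm that ZAP writes key material into the mounted work directory, which is also the `publish_dir` of the "Deploy Report" step in owaspzap.yml; ignoring them in git is right, but the public branch then depends solely on `exclude_assets` to keep them out. Consider ignoring the directory wholesale and whitelisting the report (`owasp/zap/*` followed by `!owasp/zap/report.html`), or pointing the publish step at a report-only directory. Context nit: the comment above reads `# synk`; the tool is `snyk`.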
52 changes: 44 additions & 8 deletions README.md
Expand Up @@ -10,6 +10,7 @@
[![storybook](https://raw.githubusercontent.com/storybookjs/brand/master/badge/badge-storybook.svg)](https://blog-storybook.netlify.app/)
[![time tracker](https://wakatime.com/badge/github/tubone24/blog.svg)](https://wakatime.com/badge/github/tubone24/blog)
<a href="https://validator.w3.org/feed/check.cgi?url=https%3A//blog.tubone-project24.xyz/rss.xml"><img src="https://validator.w3.org/feed/images/valid-rss-rogers.png" alt="[Valid RSS]" title="Validate my RSS feed" /></a>
![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-score&lastDay=184)
[![websiteup](https://img.shields.io/website.svg?down_color=red&down_message=down&up_color=green&up_message=up&url=https%3A%2F%2Fblog.tubone-project24.xyz)](https://blog.tubone-project24.xyz)

## What is this?
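Review bot: the new header badge uses `lastDay=184`, while the "CI Healthy" section added further down says "Last 14 days" and its badges use `lastDay=14`; pick one window, or label this badge as the roughly six-month score, so the two do not disagree.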
Expand Down Expand Up @@ -67,6 +68,8 @@ Special, thanks!
- unused dependencies check by [depcheck](https://www.npmjs.com/package/depcheck) in [depcheck_action](https://github.com/tubone24/depcheck_action)
- Update dependencies by [Renovate](https://www.whitesourcesoftware.com/free-developer-tools/renovate/)
- Detect browser's memory leaks by [memlab](https://github.com/facebookincubator/memlab)
- Detect vulnerability by [Snyk](https://app.snyk.io/)
- Detect vulnerability by [OWASP ZAP](https://www.zaproxy.org/)

### For contributor of articles

Expand Down Expand Up @@ -214,7 +217,7 @@ cp .env.example .env
| STORYBOOK_ALGOLIA_INDEX_NAME | Algolia search's APP ID | posts |
| STORYBOOK_ALGOLIA_SEARCH_API_KEY | Algolia search's index name | - |
| GATSBY_GITHUB_CLIENT_ID | GitHub oAuth Client ID, use Gitalk | - |
| GATSBY_GITHUB_CLIENT_SECRET | GitHub oAuth Client Secret, use Gitalk | - |
| GATSBY_GITHUB_CLIENT_SECRET | GitHub oAuth Client Secret, use Gitalk | - |
| FAUNADB_SERVER_SECRET | FaunaDB's Secret, use FaunaDB | - |

## CI/CD
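Review bot: the changed `GATSBY_GITHUB_CLIENT_SECRET` row is whitespace-only (the before and after text is identical), so this is trailing-space noise that can be dropped from the PR. While in this table: the context rows `STORYBOOK_ALGOLIA_INDEX_NAME | Algolia search's APP ID | posts` and `STORYBOOK_ALGOLIA_SEARCH_API_KEY | Algolia search's index name | -` appear to have their descriptions mismatched; the index-name row should describe the index name (its default `posts` fits that) and the search-key row the search-only API key.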
Expand Down Expand Up @@ -270,30 +273,63 @@ I use [textlint](https://textlint.github.io/) to proofread my blog text.
yarn textlint
```

## Change Netlify Config
## Infrastructure

### Change Netlify Config

Use Terraform Cloud to change Netlify configuration values.

[Workspace](https://app.terraform.io/app/tubone24-test/workspaces/blog)

## Detect credentials leak

[Gitguardian](https://www.gitguardian.com/)

## Alert monitoring

Use [Sentry](https://sentry.io/organizations/tubone-project24/projects/)

## Automatic security vulnerability
## Automatic security and vulnerability check

### Detect credentials leak

There is a security risk of credentials getting into the code, but we use [Gitguardian](https://www.gitguardian.com/) to check each PR to make sure they are not mixed in.

### API Based

API request based security check is used by [Brightsec](https://brightsec.com/)

Also, [Snyk](https://app.snyk.io/org/tubone24/project/f01f63e7-832e-45ca-a080-eb4d0da4b8e6), OSS Package check and code, IaC code check.
### static code analysis for vulnerability

We use [Snyk](https://app.snyk.io/org/tubone24/project/f01f63e7-832e-45ca-a080-eb4d0da4b8e6) for static code analysis.
In addition to detecting vulnerabilities in the libraries used, we scan code and IaC tools.

If you create PR, check security vulnerability for [snyk CLI](https://docs.snyk.io/snyk-cli) and push PR comment.

![snyk comments](https://i.imgur.com/fEL1cFj.png)

### OWASP ZAP

[OWASP ZAP](https://www.zaproxy.org/) [Full Scan](https://www.zaproxy.org/docs/docker/full-scan/) can be run securely against a locally built Docker container.

The results can be viewed at the following URL

<https://tubone24.github.io/blog/owasp/report.html>

Full Scan of OWASP ZAP has a very long execution time, so manual execution with [workflow_dispatch](https://github.com/tubone24/blog/actions/workflows/owaspzap.yml) is recommended.

## CI Healthy

Last 14 days, CI Score by [meercode.io](https://meercode.io)

### CI Score

![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-score&lastDay=14)

### CI Count

![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-count&lastDay=14)

### CI Success Rate

![blog Actions](https://api.meercode.io/badge/tubone24/blog?type=ci-success-rate&lastDay=14)

# License

- The source code under the MIT LICENSE.
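Review bot: "The results can be viewed at the following URL" publishes the full-scan alert list at `https://tubone24.github.io/blog/owasp/report.html`; a DAST report enumerates unfixed weaknesses of the live site, so say explicitly that this is intended, or keep it to the workflow artifact that the "push report" step already uploads. Wording: "can be run securely against a locally built Docker container" should spell out what "securely" means here, namely that the scan hits a throwaway container built from `public/` rather than the production site; "API request based security check is used by Brightsec" reads better as "API request based security checks are run by Brightsec"; the heading "static code analysis for vulnerability" should be "Static code analysis for vulnerabilities" to match the case of the other headings; and "If you create PR, check security vulnerability for snyk CLI and push PR comment" is clearer as "On each PR, the snyk CLI checks for vulnerabilities and posts the result as a PR comment".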
8 changes: 8 additions & 0 deletions owasp/Dockerfile
@@ -0,0 +1,8 @@
FROM node:16.17.0-buster-slim

ENV NODE_ENV production
WORKDIR /app
COPY ["package.json", "./"]
COPY ["public", "public"]
RUN npm install -g serve
CMD ["serve", "-s", "-l", "9000", "public"]
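Review bot: `RUN npm install -g serve` is unpinned, so the image picks up whatever `serve` is latest at build time while the base is pinned to `node:16.17.0-buster-slim`; pin it (`npm install -g serve@<version>`) so the scan target is reproducible. `COPY ["package.json", "./"]` is unused, nothing runs `npm install` against it and it only copies the project manifest into the scan target; drop it. The container runs as root, and the node image ships a `node` user, so add `USER node` before `CMD` (port 9000 is unprivileged). `ENV NODE_ENV production` is the legacy space-separated form; use `ENV NODE_ENV=production`.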