Add DocumentServer zap scanner (#685)
* Add DocumentServer zap scanner * Fix zap target url from `http` to `https`
This commit is contained in:
parent
6e424a5541
commit
84a8191de9
1 changed files with 70 additions and 0 deletions
70
.github/workflows/zap-ds.yaml
vendored
Normal file
70
.github/workflows/zap-ds.yaml
vendored
Normal file
|
@ -0,0 +1,70 @@
|
|||
---
|
||||
name: Scanning DocSpace with ZAP
|
||||
|
||||
run-name: >
|
||||
ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
version:
|
||||
description: 'Set DocSpace version that will be deployed'
|
||||
type: string
|
||||
required: true
|
||||
branch:
|
||||
description: 'The branch from which the scan will be performed'
|
||||
type: string
|
||||
required: true
|
||||
jobs:
|
||||
zap:
|
||||
name: "Zap scanning DocumentServer"
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
issues: write
|
||||
needs: build
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run DS
|
||||
id: run-ds
|
||||
env:
|
||||
TAG: ${{ github.event.inputs.version }}
|
||||
run: |
|
||||
# Create ssl certs
|
||||
openssl genrsa -out tls.key 2048
|
||||
openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
|
||||
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
|
||||
openssl dhparam -out dhparam.pem 2048
|
||||
sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
|
||||
sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
|
||||
sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
|
||||
sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
|
||||
sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
|
||||
rm ./tls.key ./tls.crt ./dhparam.pem
|
||||
|
||||
# Run Ds with enabled ssl
|
||||
export CONTAINER_NAME="documentserver"
|
||||
sudo docker run -itd \
|
||||
--name ${CONTAINER_NAME} \
|
||||
-p 80:80 \
|
||||
-p 443:443 \
|
||||
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
|
||||
onlyoffice/4testing-documentserver:${TAG}
|
||||
sleep 60
|
||||
sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
|
||||
LOCAL_IP=$(hostname -I | awk '{print $1}')
|
||||
echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
|
||||
|
||||
# Scan DocumentServer with ZAP.
|
||||
# NOTE: Full scan get a lot of time.
|
||||
# If you want make scan more faster (but less accurate) remove `cmd options` field
|
||||
# -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
|
||||
# Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
|
||||
- name: ZAP Scan
|
||||
uses: zaproxy/action-full-scan@v0.8.0
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
|
||||
target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
|
||||
cmd_options: '-j'
|
Loading…
Reference in a new issue