84a8191de9
* Add DocumentServer zap scanner * Fix zap target url from `http` to `https`
70 lines
2.7 KiB
YAML
70 lines
2.7 KiB
YAML
---
|
|
name: Scanning DocSpace with ZAP
|
|
|
|
run-name: >
|
|
ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Set DocSpace version that will be deployed'
|
|
type: string
|
|
required: true
|
|
branch:
|
|
description: 'The branch from which the scan will be performed'
|
|
type: string
|
|
required: true
|
|
jobs:
|
|
zap:
|
|
name: "Zap scanning DocumentServer"
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
issues: write
|
|
needs: build
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Run DS
|
|
id: run-ds
|
|
env:
|
|
TAG: ${{ github.event.inputs.version }}
|
|
run: |
|
|
# Create ssl certs
|
|
openssl genrsa -out tls.key 2048
|
|
openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
|
|
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
|
|
openssl dhparam -out dhparam.pem 2048
|
|
sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
|
|
sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
|
|
sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
|
|
sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
|
|
sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
|
|
rm ./tls.key ./tls.crt ./dhparam.pem
|
|
|
|
# Run Ds with enabled ssl
|
|
export CONTAINER_NAME="documentserver"
|
|
sudo docker run -itd \
|
|
--name ${CONTAINER_NAME} \
|
|
-p 80:80 \
|
|
-p 443:443 \
|
|
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
|
|
onlyoffice/4testing-documentserver:${TAG}
|
|
sleep 60
|
|
sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
|
|
LOCAL_IP=$(hostname -I | awk '{print $1}')
|
|
echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
|
|
|
|
# Scan DocumentServer with ZAP.
|
|
# NOTE: Full scan get a lot of time.
|
|
# If you want make scan more faster (but less accurate) remove `cmd options` field
|
|
# -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
|
|
# Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
|
|
- name: ZAP Scan
|
|
uses: zaproxy/action-full-scan@v0.8.0
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
|
|
target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
|
|
cmd_options: '-j'
|