Docker-DocumentServer/.github/workflows/zap-ds.yaml

71 lines
2.8 KiB
YAML
Raw Normal View History

---
2023-12-21 13:22:02 +03:00
name: Scanning DocumentServer with ZAP
run-name: >
ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
on:
workflow_dispatch:
inputs:
version:
2023-12-21 13:22:02 +03:00
description: 'Set DocumentServer version that will be deployed'
type: string
required: true
branch:
description: 'The branch from which the scan will be performed'
type: string
required: true
jobs:
zap:
name: "Zap scanning DocumentServer"
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run DS
id: run-ds
env:
TAG: ${{ github.event.inputs.version }}
run: |
# Create ssl certs
openssl genrsa -out tls.key 2048
openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
openssl dhparam -out dhparam.pem 2048
sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
rm ./tls.key ./tls.crt ./dhparam.pem
# Run Ds with enabled ssl
export CONTAINER_NAME="documentserver"
sudo docker run -itd \
--name ${CONTAINER_NAME} \
-p 80:80 \
-p 443:443 \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
onlyoffice/4testing-documentserver:${TAG}
sleep 60
sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
LOCAL_IP=$(hostname -I | awk '{print $1}')
echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
# Scan DocumentServer with ZAP.
# NOTE: Full scan get a lot of time.
# If you want make scan more faster (but less accurate) remove `cmd options` field
# -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
# Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
- name: ZAP Scan
uses: zaproxy/action-full-scan@v0.8.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
allow_issue_writing: false
cmd_options: '-j'