From 84a8191de9105d7dd2f7bfb6c8a15aec3d4f9898 Mon Sep 17 00:00:00 2001 From: Danil Titarenko <77471369+danilapog@users.noreply.github.com> Date: Tue, 19 Dec 2023 11:24:58 +0300 Subject: [PATCH] Add DocumentServer zap scanner (#685) * Add DocumentServer zap scanner * Fix zap target url from `http` to `https` --- .github/workflows/zap-ds.yaml | 70 +++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/zap-ds.yaml diff --git a/.github/workflows/zap-ds.yaml b/.github/workflows/zap-ds.yaml new file mode 100644 index 0000000..9f8a76b --- /dev/null +++ b/.github/workflows/zap-ds.yaml @@ -0,0 +1,70 @@ +--- +name: Scanning DocSpace with ZAP + +run-name: > + ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }} + +on: + workflow_dispatch: + inputs: + version: + description: 'Set DocSpace version that will be deployed' + type: string + required: true + branch: + description: 'The branch from which the scan will be performed' + type: string + required: true +jobs: + zap: + name: "Zap scanning DocumentServer" + runs-on: ubuntu-latest + permissions: + issues: write + needs: build + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run DS + id: run-ds + env: + TAG: ${{ github.event.inputs.version }} + run: | + # Create ssl certs + openssl genrsa -out tls.key 2048 + openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName" + openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt + openssl dhparam -out dhparam.pem 2048 + sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs + sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/ + sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/ + sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/ + sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key + rm ./tls.key ./tls.crt ./dhparam.pem + + # Run Ds with enabled ssl + export CONTAINER_NAME="documentserver" + sudo docker run -itd \ + --name ${CONTAINER_NAME} \ + -p 80:80 \ + -p 443:443 \ + -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \ + onlyoffice/4testing-documentserver:${TAG} + sleep 60 + sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example + LOCAL_IP=$(hostname -I | awk '{print $1}') + echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT" + + # Scan DocumentServer with ZAP. + # NOTE: Full scan get a lot of time. + # If you want make scan more faster (but less accurate) remove `cmd options` field + # -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour + # Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes + - name: ZAP Scan + uses: zaproxy/action-full-scan@v0.8.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + target: 'https://${{ steps.run-ds.outputs.local-ip }}/' + cmd_options: '-j'