Add DocumentServer zap scanner (#685)

* Add DocumentServer zap scanner * Fix zap target url from `http` to `https`
2023-12-19 11:24:58 +03:00 · 2023-12-19 11:24:58 +03:00 · 84a8191de9
commit 84a8191de9
parent 6e424a5541
1 changed files with 70 additions and 0 deletions
--- a/.github/workflows/zap-ds.yaml
+++ b/.github/workflows/zap-ds.yaml
@ -0,0 +1,70 @@
+---
+name: Scanning DocSpace with ZAP
+
+run-name: > 
+      ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Set DocSpace version that will be deployed'
+        type: string
+        required: true
+      branch:
+        description: 'The branch from which the scan will be performed'
+        type: string
+        required: true
+jobs:
+  zap:
+    name: "Zap scanning DocumentServer"
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    needs: build
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run DS
+        id: run-ds
+        env:
+          TAG: ${{ github.event.inputs.version }}
+        run: |
+           # Create ssl certs
+           openssl genrsa -out tls.key 2048
+           openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
+           openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
+           openssl dhparam -out dhparam.pem 2048
+           sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
+           sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
+           sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
+           sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
+           sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
+           rm ./tls.key ./tls.crt ./dhparam.pem
+
+           # Run Ds with enabled ssl
+           export CONTAINER_NAME="documentserver"
+           sudo docker run -itd \
+                           --name ${CONTAINER_NAME} \
+                           -p 80:80 \
+                           -p 443:443 \
+                           -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
+                           onlyoffice/4testing-documentserver:${TAG}
+           sleep 60
+           sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
+           LOCAL_IP=$(hostname -I | awk '{print $1}')
+           echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
+
+      # Scan DocumentServer with ZAP.
+      # NOTE: Full scan get a lot of time.
+      # If you want make scan more faster (but less accurate) remove `cmd options` field
+      # -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
+      # Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.8.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
+          cmd_options: '-j'