Adds Github Action to Perform Weekly Security Audit with ZAProxy (#196)
* Adds Github Action to Perform Weekly Security Audit with ZAProxy --------- Co-authored-by: Jeremy Kahn <me@jeremyckahn.com>
This commit is contained in:
		
							parent
							
								
									4607562b7e
								
							
						
					
					
						commit
						24ccf44ce0
					
				
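--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,34 @@
+name: Perform Weekly Security Audit with ZAProxy
+# Use ZAP Proxy to perform a full scan of the production site.
+# Scan automatically opens an issue after completion
+# with results of the audit.
+
+on:
+  schedule:
+    # 00:00 UTC Midnight on Mondays
+    - cron: '0 0 * * 1'
+
+  # manually trigger workflow
+  workflow_dispatch:
+
+jobs:
+  zap_scan: # https://github.com/zaproxy/action-full-scan
+    runs-on: ubuntu-latest
+    name: Scan Production Site
+    steps:
+      - name: Set Date (NOW) as Env Var
+        run: |
+          echo "::set-env name=NOW::$(date +'%Y-%m-%d')"
+
+      - name: Checkout Main Branch for .zap/rules.tsv
+        uses: actions/checkout@v4
+        with:
+          ref: 'main'
+
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.7.0
+        with:
+          target: 'https://chitchatter.im/'
+          rules_file_name: '.zap/rules.tsv'
+          issue_title: 'Security Report - ${{ env.NOW }}'
+          artifact_name: 'zap_scan_${{ env.NOW }}'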
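Review bot: The `::set-env` workflow command in the "Set Date (NOW) as Env Var" step has been disabled on GitHub-hosted runners since late 2020, so on current runners the step is rejected and `NOW` is never exported, leaving `${{ env.NOW }}` in `issue_title` and `artifact_name` to expand to an empty string; write the value to the environment file instead: `run: echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"`. The job also declares no `permissions:` block even though the scan step files an issue with the default `GITHUB_TOKEN`; to follow least privilege, and to keep working in repositories whose default token is read-only, add a job-level `permissions:` with `contents: read` and `issues: write`. Both actions are referenced by mutable tags (`actions/checkout@v4`, `zaproxy/action-full-scan@v0.7.0`); pinning each `uses:` to a full commit SHA with the tag noted in a trailing comment would keep a moved tag from silently changing what runs against the production site.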
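--- /dev/null
+++ b/.zap/rules.tsv
@@ -0,0 +1,8 @@
+10020 IGNORE (Missing Anti-clickjacking Header)
+10021 IGNORE (X-Content-Type-Options Header Missing)
+10035 IGNORE (Strict-Transport-Security Header Not Set)
+10038 IGNORE (Content Security Policy (CSP) Header Not Set)
+10063 IGNORE (Permissions Policy Header Not Set)
+10096 IGNORE (Timestamp Disclosure - Unix)
+10098 IGNORE (Cross-Domain Misconfiguration)
+40040 IGNORE (CORS Misconfiguration)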
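Review bot: Every entry in this file downgrades a finding to IGNORE, and several of them (10035 HSTS, 10038 CSP, 10020 anti-clickjacking, 10021 X-Content-Type-Options, 40040 CORS) describe missing hardening on the production site rather than scanner false positives, yet no rationale is recorded alongside them. If these headers are outside the project's control (for example, set by the hosting provider), consider WARN instead of IGNORE so the weekly report still lists them without failing the scan, and record the justification for each suppression in the pull request or a README next to this file, since a rule ignored here never appears in the generated issue. The rendered view does not show whether the columns are tab-separated as ZAP expects; a quick check that the file is a real TSV would confirm the action parses it.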