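name: Perform Weekly Security Audit with ZAProxy

# Use ZAP Proxy to perform a full scan of the production site.
# Scan automatically opens an issue after completion
# with results of the audit.

on:
  schedule:
    # 00:00 UTC Midnight on Mondays
    - cron: '0 0 * * 1'
  # manually trigger workflow
  workflow_dispatch:

# Restrict GITHUB_TOKEN to what the steps below use: checkout reads the
# repository and the scan step opens/updates the report issue.
# NOTE(review): `actions: read` is included on the assumption that the scan
# action looks up artifacts from earlier runs - confirm against the action's
# documentation and drop it if unused.
permissions:
  contents: read
  issues: write
  actions: read

jobs:
  zap_scan:
    # https://github.com/zaproxy/action-full-scan
    runs-on: ubuntu-latest
    name: Scan Production Site
    steps:
      - name: Set Date (NOW) as Env Var
        # The `::set-env` workflow command is disabled on current runners
        # because anything printed to the log could inject environment
        # variables; appending to the $GITHUB_ENV file is the supported
        # replacement and makes NOW available to the following steps.
        run: |
          echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"

      # Version tags are mutable; pinning each `uses:` to a full commit SHA
      # protects the workflow from a retagged or compromised release.
      - name: Checkout Main Branch for .zap/rules.tsv
        uses: actions/checkout@v4
        with:
          ref: 'main'
          # Only the rules file is needed from the checkout, so do not leave
          # the token in .git/config where later steps could read it.
          persist-credentials: false

      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.7.0
        with:
          target: 'https://chitchatter.im/'
          # Alert rule overrides, read from the checked-out main branch.
          rules_file_name: '.zap/rules.tsv'
          issue_title: 'Security Report - ${{ env.NOW }}'
          artifact_name: 'zap_scan_${{ env.NOW }}'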