Adds Github Action to Perform Weekly Security Audit with ZAProxy (#196)

* Adds Github Action to Perform Weekly Security Audit with ZAProxy --------- Co-authored-by: Jeremy Kahn <me@jeremyckahn.com>
2023-10-31 07:57:15 -04:00 · 2023-10-31 07:57:15 -04:00 · 24ccf44ce0
commit 24ccf44ce0
parent 4607562b7e
2 changed files with 42 additions and 0 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -0,0 +1,34 @@
+name: Perform Weekly Security Audit with ZAProxy
+# Use ZAP Proxy to perform a full scan of the production site.
+# Scan automatically opens an issue after completion
+# with results of the audit.
+
+on:
+  schedule:
+    # 00:00 UTC Midnight on Mondays
+    - cron: '0 0 * * 1'
+
+  # manually trigger workflow
+  workflow_dispatch:
+
+jobs:
+  zap_scan: # https://github.com/zaproxy/action-full-scan
+    runs-on: ubuntu-latest
+    name: Scan Production Site
+    steps:
+      - name: Set Date (NOW) as Env Var
+        run: |
+          echo "::set-env name=NOW::$(date +'%Y-%m-%d')"
+
+      - name: Checkout Main Branch for .zap/rules.tsv
+        uses: actions/checkout@v4
+        with:
+          ref: 'main'
+
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.7.0
+        with:
+          target: 'https://chitchatter.im/'
+          rules_file_name: '.zap/rules.tsv'
+          issue_title: 'Security Report - ${{ env.NOW }}'
+          artifact_name: 'zap_scan_${{ env.NOW }}'
--- a/.zap/rules.tsv
+++ b/.zap/rules.tsv
@ -0,0 +1,8 @@
+10020 IGNORE (Missing Anti-clickjacking Header)
+10021 IGNORE (X-Content-Type-Options Header Missing)
+10035 IGNORE (Strict-Transport-Security Header Not Set)
+10038 IGNORE (Content Security Policy (CSP) Header Not Set)
+10063 IGNORE (Permissions Policy Header Not Set)
+10096 IGNORE (Timestamp Disclosure - Unix)
+10098 IGNORE (Cross-Domain Misconfiguration)
+40040 IGNORE (CORS Misconfiguration)