From 24ccf44ce07c83ebf08298e88bbc6d5e1c81d2d5 Mon Sep 17 00:00:00 2001
From: Audiosutras <37882933+Audiosutras@users.noreply.github.com>
Date: Tue, 31 Oct 2023 07:57:15 -0400
Subject: [PATCH] Adds Github Action to Perform Weekly Security Audit with ZAProxy (#196)

* Adds Github Action to Perform Weekly Security Audit with ZAProxy

--------

Co-authored-by: Jeremy Kahn
---
 .github/workflows/security.yml | 34 ++++++++++++++++++++++++++++++++++
 .zap/rules.tsv | 8 ++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 .github/workflows/security.yml
 create mode 100644 .zap/rules.tsv

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..cc458cb
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,34 @@
+name: Perform Weekly Security Audit with ZAProxy
+# Use ZAP Proxy to perform a full scan of the production site.
+# Scan automatically opens an issue after completion
+# with results of the audit.
+
+on:
+  schedule:
+    # 00:00 UTC Midnight on Mondays
+    - cron: '0 0 * * 1'
+
+  # manually trigger workflow
+  workflow_dispatch:
+
+jobs:
+  zap_scan: # https://github.com/zaproxy/action-full-scan
+    runs-on: ubuntu-latest
+    name: Scan Production Site
+    steps:
+      - name: Set Date (NOW) as Env Var
+        run: |
+          echo "::set-env name=NOW::$(date +'%Y-%m-%d')"
+
+      - name: Checkout Main Branch for .zap/rules.tsv
+        uses: actions/checkout@v4
+        with:
+          ref: 'main'
+
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.7.0
+        with:
+          target: 'https://chitchatter.im/'
+          rules_file_name: '.zap/rules.tsv'
+          issue_title: 'Security Report - ${{ env.NOW }}'
+          artifact_name: 'zap_scan_${{ env.NOW }}'
diff --git a/.zap/rules.tsv b/.zap/rules.tsv
new file mode 100644
index 0000000..a4406f6
--- /dev/null
+++ b/.zap/rules.tsv
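Review bot: The `Set Date (NOW) as Env Var` step uses the `::set-env` workflow command, which GitHub disabled on its runners in 2020 as the fix for CVE-2020-15228 (environment injection through process output); on a current runner that step errors out, so the job never reaches the ZAP scan, and even if it ran `${{ env.NOW }}` in `issue_title` and `artifact_name` would expand to nothing. Write to the environment file instead: `echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"`. The job also declares no `permissions:` block; action-full-scan files the report as an issue using the repository `GITHUB_TOKEN`, so it needs `issues: write` (issue creation fails if the repository default token is read-only), and scoping the token explicitly to that plus `contents: read` keeps a compromised scanner step from doing anything else with it. Both third-party actions are pinned to mutable tags (`actions/checkout@v4`, `zaproxy/action-full-scan@v0.7.0`); for a job that holds a write-capable token the usual supply-chain hardening is pinning to the full commit SHA with the tag kept in a trailing comment.
```yaml
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout of .zap/rules.tsv
      issues: write   # action-full-scan files the report as an issue
    # … unchanged: name, steps header, Set Date step name …
        run: |
          echo "NOW=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"
    # … unchanged: checkout and ZAP Scan steps …
```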
@@ -0,0 +1,8 @@
+10020 IGNORE (Missing Anti-clickjacking Header)
+10021 IGNORE (X-Content-Type-Options Header Missing)
+10035 IGNORE (Strict-Transport-Security Header Not Set)
+10038 IGNORE (Content Security Policy (CSP) Header Not Set)
+10063 IGNORE (Permissions Policy Header Not Set)
+10096 IGNORE (Timestamp Disclosure - Unix)
+10098 IGNORE (Cross-Domain Misconfiguration)
+40040 IGNORE (CORS Misconfiguration)
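Review bot: Every hardening-header alert ZAP raises (anti-clickjacking, X-Content-Type-Options, HSTS, CSP, Permissions-Policy) and both cross-origin checks (10098, 40040) are set to `IGNORE`, which drops them from the report entirely rather than recording them as accepted findings, so a later regression in the host's headers or CORS policy would never show up in the weekly issue. For a production chat site those are precisely the findings this audit is most likely to catch; `WARN` keeps them visible without failing the scan, e.g. `10038	WARN	(Content Security Policy (CSP) Header Not Set)`, and since the scan script skips lines starting with `#`, a one-line justification comment above each suppressed id (reason or ticket) would let a reader tell deliberate acceptance from triage noise — 10096 (Unix timestamp disclosure) is the one entry here that is plausibly pure noise. The ZAP scan script parses this file as tab-separated (id, level, optional note); the columns render as single spaces in this view, which may be an extraction artifact, but if the committed file really uses spaces none of these rules will match and nothing is suppressed — worth confirming against the raw file.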