rearrange Zap test in pull request pipeline

OWASP · Oct 4, 2024 · 47206b7 · 47206b7
2 parents c5168c4 + e67624c
commit 47206b7
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 61 deletions.
diff --git a/.trivyignore → .github/workflows/.trivyignore b/.trivyignore → .github/workflows/.trivyignore
diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  IMAGE_NAME: threatdragon/owasp-threat-dragon
+  IMAGE_NAME: threatdragon/owasp-threat-dragon:latest
 
 # for security reasons the github actions are pinned to specific release versions
 jobs:
@@ -65,12 +65,13 @@ jobs:
         with:
           ref: main
 
-      - name: Run vulnerability scanner
+      - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:
-          image-ref: '${{ env.IMAGE_NAME }}:latest'
+          image-ref: '${{ env.IMAGE_NAME }}'
           format: 'template'
           template: '@/contrib/sarif.tpl'
+          trivyignores: '.github/workflows/.trivyignore'
           output: 'trivy-results.sarif'
 
       - name: Upload scan results to GitHub Security tab

diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
@@ -13,8 +13,8 @@ env:
   ENCRYPTION_JWT_REFRESH_SIGNING_KEY: "${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}"
   ENCRYPTION_JWT_SIGNING_KEY: "${{ secrets.CI_JWT_SIGNING_KEY }}"
   ENCRYPTION_KEYS: "${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}"
-  NODE_ENV: 'development'
-  SERVER_API_PROTOCOL: 'http'
+  NODE_ENV: development
+  SERVER_API_PROTOCOL: http
 
 # for security reasons the github actions are pinned to specific release versions
 jobs:
@@ -150,7 +150,7 @@ jobs:
         uses: github/codeql-action/[email protected]
 
   e2e_smokes:
-    name: Site e2e smokes
+    name: Local site e2e smokes
     runs-on: ubuntu-24.04
     needs: [site_unit_tests, server_unit_tests]
 
@@ -191,7 +191,7 @@ jobs:
         if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
 
   e2e_tests:
-    name: Site e2e tests
+    name: Local site e2e tests
     runs-on: ubuntu-24.04
     needs: e2e_smokes
 
@@ -230,6 +230,45 @@ jobs:
           path: td.vue/tests/e2e/videos
         if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
 
+  zap_scan_web_app:
+    name: Local site zap scan
+    runs-on: ubuntu-24.04
+    needs: e2e_tests
+
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+
+      - name: Use node LTS 20.14.0
+        uses: actions/[email protected]
+        with:
+          node-version: '20.14.0'
+
+      - name: Cache NPM dir
+        uses: actions/[email protected]
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+      - name: Install packages
+        run: npm clean-install
+
+      - name: Build and run locally
+        run: npm start
+
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          target: 'http://localhost:8080'
+          rules_file_name: '.github/workflows/.zap-rules-web.tsv'
+          allow_issue_writing: false
+          fail_action: false
+          artifact_name: ${{ env.ZAP_FILE }}
+          cmd_options: '-a'
+
   build_docker_image:
     name: Build docker image
     runs-on: ubuntu-24.04
@@ -242,7 +281,7 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3.6.1
+        uses: docker/setup-buildx-action@v3.7.0
         with:
           install: true
 
@@ -287,60 +326,15 @@ jobs:
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
-  zap_scan_web_app:
-    name: Local site zap scan
-    runs-on: ubuntu-24.04
-    needs: build_docker_image
-
-    steps:
-      - name: Download docker local image
-        uses: actions/[email protected]
-        with:
-          name: ${{ env.IMAGE_NAME }}
-          path: /tmp
-
-      - name: Load docker local image
-        run: |
-          docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
-
-      - name: Run Threat Dragon
-        run: |
-          docker run -d \
-            -p 3000:3000 \
-            -e GITHUB_CLIENT_ID='${{ env.GITHUB_CLIENT_ID }}' \
-            -e GITHUB_CLIENT_SECRET='${{ env.GITHUB_CLIENT_SECRET }}' \
-            -e ENCRYPTION_JWT_REFRESH_SIGNING_KEY='${{ env.ENCRYPTION_JWT_REFRESH_SIGNING_KEY }}' \
-            -e ENCRYPTION_JWT_SIGNING_KEY='${{ env.ENCRYPTION_JWT_SIGNING_KEY }}' \
-            -e ENCRYPTION_KEYS='${{ env.ENCRYPTION_KEYS }}' \
-            -e NODE_ENV='development' \
-            -e SERVER_API_PROTOCOL='http' \
-            ${{ env.IMAGE_NAME }}
-
-      - name: Checkout
-        uses: actions/[email protected]
-
-      - name: ZAP Scan
-        uses: zaproxy/[email protected]
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          target: 'http://localhost:3000'
-          rules_file_name: '.github/workflows/.zap-rules-web.tsv'
-          allow_issue_writing: false
-          fail_action: true
-          artifact_name: ${{ env.ZAP_FILE }}
-          cmd_options: '-a'
-
   scan_image_with_trivy:
     name: Scan with trivy
     runs-on: ubuntu-24.04
     needs: build_docker_image
     permissions:
       contents: write
-      security-events: write
     if: ${{ ! always() }}
 
     steps:
-      # Need .trivyignore
       - name: Checkout
         uses: actions/[email protected]
 
@@ -359,4 +353,5 @@ jobs:
         with:
           image-ref: '${{ env.IMAGE_NAME }}'
           format: 'table'
+          trivyignores: '.github/workflows/.trivyignore'
           exit-code: 1
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -12,7 +12,7 @@ env:
   # threatdragon is the working area on docker hub so use this area
   # owasp/threat-dragon is the final release area so DO NOT use that
   IMAGE_NAME: threatdragon/owasp-threat-dragon:latest
-  ZAP_FILE: "zap-scan-pr-${{ github.event.number }}"
+  ZAP_FILE: zap-scan-push
 
 # for security reasons the github actions are pinned to specific release versions
 jobs:
@@ -172,7 +172,7 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3.6.1
+        uses: docker/setup-buildx-action@v3.7.0
         with:
           install: true
 
@@ -441,16 +441,22 @@ jobs:
     if: ${{ ! always() }}
 
     steps:
-      # Need .trivyignore
       - name: Checkout
         uses: actions/[email protected]
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:
           image-ref: '${{ env.IMAGE_NAME }}'
-          format: 'table'
-          exit-code: 1
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          trivyignores: '.github/workflows/.trivyignore'
+          output: 'trivy-results.sarif'
+
+      - name: Upload scan results to GitHub Security tab
+        uses: github/codeql-action/[email protected]
+        with:
+          sarif_file: 'trivy-results.sarif'
 
   desktop_windows_test:
     name: Windows desktop build test

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -358,7 +358,7 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3.6.1
+        uses: docker/setup-buildx-action@v3.7.0
         with:
           install: true
 

diff --git a/td.vue/package.json b/td.vue/package.json
@@ -27,8 +27,8 @@
     "test:e2e:local": "vue-cli-service test:e2e -C e2e.local.config.js --url http://localhost:8080/",
     "test:e2e-ci": "vue-cli-service test:e2e  -C e2e.ci.config.js --browser chromium --headless --url http://localhost:3000/",
     "test:e2e-ci-smokes": "vue-cli-service test:e2e -C e2e.smokes.ci.config.js --browser chromium --headless --url http://localhost:3000/",
-    "test:e2e-pr": "vue-cli-service test:e2e  -C e2e.ci.config.js --browser chrome --headless --url http://localhost:8080/",
-    "test:e2e-pr-smokes": "vue-cli-service test:e2e -C e2e.smokes.ci.config.js --browser chrome --headless --url http://localhost:8080/",
+    "test:e2e-pr": "vue-cli-service test:e2e  -C e2e.ci.config.js --browser chromium --headless --url http://localhost:8080/",
+    "test:e2e-pr-smokes": "vue-cli-service test:e2e -C e2e.smokes.ci.config.js --browser chromium --headless --url http://localhost:8080/",
     "test:e2e-smokes": "browserstack-cypress run --cf browserstack.smokes.json --sync",
     "test:e2e-smokes:local": "vue-cli-service test:e2e -C e2e.smokes.local.config.js --url http://localhost:8080/",
     "test:e2e-nightly": "browserstack-cypress run --cf browserstack.nightly.json --sync",