Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security pipeline #41

Open
wants to merge 30 commits into
base: main
Choose a base branch
from
Open

Security pipeline #41

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
7fec802
Add in workflow for sec
TawneeOwl Sep 19, 2024
c8911fe
WIP update workflow
TawneeOwl Sep 19, 2024
6375bbc
Change to run on dev
TawneeOwl Sep 19, 2024
c2184d9
Update permissions
TawneeOwl Sep 19, 2024
e219d4b
Amend layout
TawneeOwl Sep 19, 2024
2678450
Add upload location
TawneeOwl Sep 19, 2024
4857f9a
Change to artifcat name
TawneeOwl Sep 19, 2024
830aaad
Remove upload
TawneeOwl Sep 19, 2024
1ad03c1
remove rules
TawneeOwl Sep 19, 2024
38fcfe2
Add cmd options
TawneeOwl Sep 20, 2024
e122377
Upload full report
TawneeOwl Sep 20, 2024
6ed84b2
Remove env variable
TawneeOwl Sep 20, 2024
4d6a9bb
change upload
TawneeOwl Sep 20, 2024
4c11fc3
Change to report html
TawneeOwl Sep 20, 2024
cef3de0
Add in comma
TawneeOwl Sep 20, 2024
ce6397b
add artifact name
TawneeOwl Sep 20, 2024
b1f84bf
Bump to v4
TawneeOwl Sep 20, 2024
79cd846
Use hostname env
TawneeOwl Sep 20, 2024
8aedb2f
try with cleanded branch name
TawneeOwl Sep 20, 2024
7ead8fe
export hostname
TawneeOwl Sep 20, 2024
a3f97e1
Use outputs
TawneeOwl Sep 20, 2024
04202d2
Change env format
TawneeOwl Sep 20, 2024
0b7ba16
Change to artifact
TawneeOwl Sep 20, 2024
8e74f87
Add in read step
TawneeOwl Sep 20, 2024
fc3ef6d
add http
TawneeOwl Sep 20, 2024
8d1a768
Add self hosted
TawneeOwl Sep 27, 2024
0d3d456
Self hosted
TawneeOwl Sep 27, 2024
9471762
Use legal aid runner
TawneeOwl Sep 27, 2024
f08e23b
Add self hosted back
TawneeOwl Sep 27, 2024
1091ca3
Revert to ubuntu latest
TawneeOwl Sep 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .github/workflows/deploy-dev.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ jobs:
name: Deploy
environment: ${{ inputs.environment }}
runs-on: ubuntu-latest
outputs:
hostname: ${{ steps.export-hostname.outputs.hostname }}
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
Expand Down Expand Up @@ -70,6 +72,8 @@ jobs:
export CLEANED_BRANCH_NAME=$(echo ${BRANCH_NAME} | sed 's/^feature[-/]//' | sed 's:^\w*\/::' | tr -s ' _/[]().' '-' | tr '[:upper:]' '[:lower:]' | cut -c1-28 | sed 's/-$//')
export HOST_NAME=${CLEANED_BRANCH_NAME}-${DEV_HOST}

echo "${HOST_NAME}" > hostname.txt

helm upgrade ${CLEANED_BRANCH_NAME} \
${HELM_DIR} \
--namespace=${{ secrets.KUBE_NAMESPACE }} \
Expand All @@ -82,3 +86,9 @@ jobs:
--set sharedIPRangesLAA=$SHARED_IP_RANGES_LAA \
--force \
--install

- name: Upload HOST_NAME as artifact
uses: actions/upload-artifact@v4
with:
name: host-name
path: hostname.txt
5 changes: 5 additions & 0 deletions .github/workflows/feature-branch.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,11 @@ jobs:
secrets:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

security:
name: Security
needs: deploy-dev
uses: ./.github/workflows/security.yml

build-and-push:
name: Build
uses: ./.github/workflows/build.yml
Expand Down
35 changes: 35 additions & 0 deletions .github/workflows/security.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: Security

on: workflow_call

jobs:
zap_scan:
runs-on: ubuntu-latest
name: Scan the web application
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Download HOST_NAME artifact
uses: actions/download-artifact@v4
with:
name: host-name

- name: Read HOST_NAME from file
id: read-hostname
run: |
HOST_NAME=$(cat hostname.txt)
echo "HOST_NAME=${HOST_NAME}" >> $GITHUB_ENV

- name: ZAP Full Scan
uses: zaproxy/[email protected]
with:
target: "http://${{ env.HOST_NAME }}"
artifact_name: 'zap_report'
continue-on-error: true

- name: Upload ZAP Report
uses: actions/upload-artifact@v4
with:
name: zap_report
path: 'report_html.html'
Loading