chore: add pen-testing-api.yml

.github/workflows/pen-testing-api.yml

@@ -0,0 +1,27 @@
+name: API Penetration testing
+on: 
+  # schedule:
+  #   - cron: '0 0 1 * *'
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'URL target of the pen testing'
+        required: true
+        default: 'https://server.amplication-sandbox.com/graphql'
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the webapplication
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: ${{ github.event.inputs.target }}
+          format: openapi
+          cmd_options: '-m 30 -a'
+        env:
+          ZAP_AUTH_HEADER_VALUE: ${{ secrets.AMPLICATION_BOT_TOKEN }}
+          ZAP_AUTH_HEADER_SITE: ".amplication.com"