From 5411f0cc3aced1a44acb1a73f707440b461186bd Mon Sep 17 00:00:00 2001
From: Daniele Iasella <2861984+overbit@users.noreply.github.com>
Date: Tue, 16 Apr 2024 17:14:11 +0100
Subject: [PATCH] chore: add pen-testing-api.yml

---
 .github/workflows/pen-testing-api.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 .github/workflows/pen-testing-api.yml

diff --git a/.github/workflows/pen-testing-api.yml b/.github/workflows/pen-testing-api.yml
new file mode 100644
index 0000000..a1c383f
--- /dev/null
+++ b/.github/workflows/pen-testing-api.yml
@@ -0,0 +1,27 @@
+name: API Penetration testing
+on:
+  # schedule:
+  #   - cron: '0 0 1 * *'
+  workflow_dispatch:
+    inputs:
+      target:
+        description: 'URL target of the pen testing'
+        required: true
+        default: 'https://server.amplication-sandbox.com/graphql'
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the webapplication
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: ZAP Scan
+        uses: zaproxy/action-api-scan@v0.7.0
+        with:
+          target: ${{ github.event.inputs.target }}
+          format: openapi
+          cmd_options: '-m 30 -a'
+        env:
+          ZAP_AUTH_HEADER_VALUE: ${{ secrets.AMPLICATION_BOT_TOKEN }}
+          ZAP_AUTH_HEADER_SITE: ".amplication.com"
\ No newline at end of file
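Review bot: The default `target` is a GraphQL endpoint (`/graphql`) but the ZAP step declares `format: openapi`, so on a default run ZAP will try to import the URL as an OpenAPI definition and the scan will most likely import nothing; the action accepts `format: graphql`, which matches the endpoint. The `ZAP_AUTH_HEADER_SITE: ".amplication.com"` filter also does not match the default host `server.amplication-sandbox.com` (the filter is a site/substring match as far as I understand ZAP's documentation), so with the default input the bot token is never attached and the scan runs unauthenticated — either widen the filter or point the default at a host it covers, and confirm both against the real environment. Because `target` is a free-form dispatch input that decides where an authenticated scan carrying `AMPLICATION_BOT_TOKEN` is aimed, consider adding a step before the scan that rejects any value not on an allow-list of hosts the team owns, rather than relying on the header filter alone. Finally, `uses: zaproxy/action-api-scan@v0.7.0` is pinned to a mutable tag; since this job handles a secret, pin to the tag's commit, e.g. `uses: zaproxy/action-api-scan@<commit-sha-of-v0.7.0> # v0.7.0`, so a retargeted tag cannot change what runs.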