ALCS-2533: Reconfigure OWASP ZAP scans

bcgov · Feb 27, 2025 · 692ce81 · 692ce81
1 parent cf0fde4
commit 692ce81
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 28 deletions.
diff --git a/.github/workflows/zap-scan.yml b/.github/workflows/zap-scan.yml
@@ -0,0 +1,50 @@
+name: Weekly OWASP ZAP Baseline Scan on DEV Site
+
+on:
+  schedule:
+    # Runs every week at 01:00 Sunday Morning.
+    - cron:  '0 1 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  zap-scan-api:
+    name: OWASP ZAP API Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: API Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: 'https://alcs-dev-api.apps.silver.devops.gov.bc.ca/docs'
+          issue_title: OWASP ZAP API Scan Results
+
+  zap-scan-frontend:
+    name: OWASP ZAP Frontend Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Frontend Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: "https://alcs-dev.apps.silver.devops.gov.bc.ca"
+          issue_title: OWASP ZAP Frontend Scan Results
+          rules_file_name: .zap/frontend.tsv
+
+  zap-scan-portal:
+    name: OWASP ZAP Portal Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Portal Scan
+        uses: zaproxy/[email protected]
+        with:
+          target: "https://alcs-dev-portal.apps.silver.devops.gov.bc.ca"
+          issue_title: OWASP ZAP Portal Scan Results
+          rules_file_name: .zap/portal.tsv
diff --git a/.github/workflows/zap_api.yml b/.github/workflows/zap_api.yml
diff --git a/.github/workflows/zap_frontend.yml b/.github/workflows/zap_frontend.yml
diff --git a/.zap/portal.tsv b/.zap/portal.tsv
@@ -0,0 +1,3 @@
+10055	IGNORE	(CSP: style-src unsafe-inline)
+10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+10110	IGNORE	(Dangerous JS Functions)