From 04aa5eec61310b2b6616a0a0a9c96f4db4abb79d Mon Sep 17 00:00:00 2001
From: rugk
Date: Wed, 1 Nov 2023 23:38:20 +0100
Subject: [PATCH 1/5] Create OWASP security scan of Docker container
Based on https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/.github/workflows/owasp.yml Fixes the security part of https://github.com/Ravinou/borgwarehouse/issues/67 Note the results may include some false-positives. You can later ignore these via [creating a `rules.tsv` file](https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/.github/rules.tsv), but I've commented this for now. See https://github.com/zaproxy/action-full-scan
---
 .github/workflows/owasp.yml | 49 +++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 .github/workflows/owasp.yml
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
new file mode 100644
index 0000000..86dde7a
--- /dev/null
+++ b/.github/workflows/owasp.yml
@@ -0,0 +1,49 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Security-scan
+
+# Controls when the action will run.
+on:
+ schedule:
+ - cron: '0 3 * * *' # everyday at 03:00 UTC
+ pull_request:
+ branches: master
+ push:
+ branches: master
+ tags: '*'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: master
+
+ # Runs a single command using the runners shell
+ - name: Pull and start docker via docker-compose
+ run: docker-compose up -d
+
+ # Run OWASP scan
+ - name: OWASP ZAP Full Scan
+ uses: zaproxy/action-full-scan@v0.8.0
+ with:
+ # GitHub Token to create issues in the repository
+ #token: # optional, default is ${{ github.token }}
+ # Target URL
+ target: http://localhost:3000
+ # Relative path of the ZAP configuration file (e.g. for exclusions)
+ # rules_file_name: ".github/rules.tsv" # optional
+ # The Docker file to be executed
+ #docker_name: # default is owasp/zap2docker-stable
+ # Additional command line options
+ #cmd_options: # optional
+ # The title for the GitHub issue to be created
+ #issue_title: # optional, default is ZAP Full Scan Report
+ # The action status will be set to fail if ZAP identifies any alerts during the full scan
+ #fail_action: # optional
From 513e066b037cd79bac680504635ff448f5adc683 Mon Sep 17 00:00:00 2001
From: rugk
Date: Wed, 1 Nov 2023 23:38:59 +0100
Subject: [PATCH 2/5] Fix branch name
---
 .github/workflows/owasp.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
index 86dde7a..009b260 100644
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
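Review bot: The Checkout step pins `ref: master` (renamed to `main` later in this series), so on the `pull_request` trigger the scan checks out the base branch rather than the pull request's head and never exercises the change under review; removing the `with:`/`ref:` lines lets actions/checkout select the right commit for every event listed under `on:`. `docker-compose up -d` returns as soon as the containers are created, so the ZAP step can start before anything listens on port 3000 and report an unreachable target instead of findings; the readiness wait below closes that gap, and since the action runs ZAP in its own container it is worth confirming that `http://localhost:3000` is reachable from there at all. The probe path should be one that answers 2xx/3xx without a session; adjust it if `/` does not. Both third-party actions are referenced by a mutable tag; pinning them to a full commit SHA (tag kept in a comment) limits what a moved or compromised tag can run inside a job holding the repository token. The workflow also declares no `permissions:` block, so the token keeps the repository's default scope; an explicit `permissions: contents: read` (plus `issues: write` only if the action's issue creation is kept) is the least-privilege form.
```yaml
      - name: Pull and start docker via docker-compose
        run: docker-compose up -d

      - name: Wait for the application to accept connections
        run: |
          for _ in $(seq 1 30); do
            curl -fsS http://localhost:3000/ >/dev/null && exit 0
            sleep 2
          done
          docker-compose logs
          exit 1

      # … unchanged: OWASP ZAP Full Scan step …
```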
@@ -7,9 +7,9 @@ on: schedule: - cron: '0 3 * * *' # everyday at 03:00 UTC pull_request: - branches: master + branches: main push: - branches: master + branches: main tags: '*' # Allows you to run this workflow manually from the Actions tab
From 1c598b6ae4796d34be54b966bb7ac3a28ffa8d5d Mon Sep 17 00:00:00 2001
From: rugk
Date: Wed, 1 Nov 2023 23:39:58 +0100
Subject: [PATCH 3/5] Fix branch name again
---
 .github/workflows/owasp.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
index 009b260..c790c6c 100644
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
@@ -23,7 +23,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - ref: master + ref: main # Runs a single command using the runners shell - name: Pull and start docker via docker-compose
From 6e1e841778f9f06db8470f293a1b95d360a37158 Mon Sep 17 00:00:00 2001
From: rugk
Date: Fri, 3 Nov 2023 18:00:51 +0000
Subject: [PATCH 4/5] Adjust OWASP scanning to work with new Docker-Compose env variables
---
 .github/workflows/owasp.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
index c790c6c..0ade064 100644
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
@@ -24,10 +24,16 @@ jobs: uses: actions/checkout@v4 with: ref: main + + - name: Copy .env file + run: mv .env.sample .env # Runs a single command using the runners shell - name: Pull and start docker via docker-compose run: docker-compose up -d + env: + UID: $USER + GID: $USER # Run OWASP scan - name: OWASP ZAP Full Scan
From c0e59231ec6a3fffa80493ec941c76e56eed0fc9 Mon Sep 17 00:00:00 2001
From: rugk
Date: Fri, 3 Nov 2023 18:01:17 +0000
Subject: [PATCH 5/5] Refactor action to link instead of copy .env file
---
 .github/workflows/owasp.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
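Review bot: In the PATCH 4/5 hunk, `UID: $USER` and `GID: $USER` in the `env:` block of the docker-compose step do not produce numeric ids: GitHub Actions does not shell-expand `$USER` inside `env:` values, so both variables reach docker-compose as the literal string `$USER`, and even an expanded `$USER` would be the login name rather than the uid/gid the compose file presumably substitutes into its `user:` setting. The values have to come from the shell, and because `UID` is a read-only variable in bash a plain `UID=… docker-compose` prefix is rejected; `run: env UID="$(id -u)" GID="$(id -g)" docker-compose up -d` with the `env:` block removed passes real ids through. If `.env.sample` carries placeholder secrets, running the stack with them is acceptable only because the runner is ephemeral; a comment on the `.env` step saying so would spare the next reader the question. The `steps:` sequence continues outside the hunk.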
diff --git a/.github/workflows/owasp.yml b/.github/workflows/owasp.yml
index 0ade064..a75b9cf 100644
--- a/.github/workflows/owasp.yml
+++ b/.github/workflows/owasp.yml
@@ -25,8 +25,8 @@ jobs: with: ref: main - - name: Copy .env file - run: mv .env.sample .env + - name: Link .env file + run: ln -s .env.sample .env # Runs a single command using the runners shell - name: Pull and start docker via docker-compose
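Review bot: `ln -s .env.sample .env` exits non-zero if an `.env` already exists in the checkout (the `mv` it replaces silently overwrote one), which fails the job instead of reusing the sample; `run: ln -sf .env.sample .env` keeps the step idempotent. Because the result is a symlink rather than a copy, anything that writes to `.env` at runtime modifies the tracked `.env.sample`; if that is not intended, `cp .env.sample .env` states the intent more plainly. The `steps:` sequence continues outside the hunk.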