feat: penetration tests in cronjob (#658)

Co-authored-by: Chris Berg <[email protected]> Co-authored-by: cberg-aot <[email protected]>
bcgov · Sep 28, 2023 · f8c1a73 · f8c1a73
1 parent 9efb05a
commit f8c1a73
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 15 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -14,11 +14,6 @@ on:
         default: 'test'
         required: true
         type: string
-      penetration_test:
-        description: 'If penetration test is required'
-        default: false
-        required: true
-        type: boolean
       vault_zone:
         description: 'Which vault zone to use'
         default: 'dev'
@@ -46,11 +41,6 @@ on:
         default: 'test'
         required: true
         type: string
-      penetration_test:
-        description: 'If penetration test is required'
-        default: false
-        required: true
-        type: boolean
       vault_zone:
         description: 'Which vault zone to use'
         default: 'dev'
@@ -168,5 +158,3 @@ jobs:
             -p MOTIPAY_MERCHANT_ID=${{steps.vault.outputs.VAULT_MOTIPAY_MERCHANT_ID}}
             -p MOTIPAY_BASE_URL=${{steps.vault.outputs.VAULT_MOTIPAY_BASE_URL}}
             ${{ matrix.parameters }}
-          penetration_test: ${{ github.event_name != 'pull_request'}}
-          penetration_test_issue: ${{ matrix.name }}
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -69,7 +69,6 @@ jobs:
     with:
       environment: 'test'
       imagetag: 'latest'  # we promote AFTER successful deploy of candidate
-      penetration_test: true
       vault_zone: 'test'
       zone: 'test'
     secrets: inherit
@@ -192,7 +191,6 @@ jobs:
     with:
       environment: 'prod'
       imagetag: 'test'
-      penetration_test: false
       vault_zone: 'prod'
       zone: 'prod'
     secrets: inherit

diff --git a/.github/workflows/pentests.yml b/.github/workflows/pentests.yml
@@ -0,0 +1,29 @@
+name: Penetration Tests
+
+on:
+  schedule: [cron: "0 11 * * 6"] # 3 AM PST = 12 PM UDT, Saturdays
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zap_scan:
+    name: Penetration Tests
+    env:
+      DOMAIN: apps.silver.devops.gov.bc.ca
+      PREFIX: ${{ github.event.repository.name }}-test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        name: [backend-dops, backend-vehicles, frontend]
+    steps:
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          allow_issue_writing: true
+          artifact_name: "zap_${{ matrix.name }}"
+          cmd_options: "-a"
+          issue_title: "ZAP: ${{ matrix.name }}"
+          target: https://${{ env.PREFIX }}-${{ matrix.name }}.${{ env.DOMAIN }}
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -33,6 +33,7 @@ jobs:
 
             Once merged, code will be promoted and handed off to following workflow run.
             [Main Merge Workflow](https://github.com/${{ github.repository }}/actions/workflows/merge-main.yml)
+
   builds:
     name: Builds
     runs-on: ubuntu-22.04
@@ -66,7 +67,6 @@ jobs:
     with:
       environment: 'dev'
       imagetag: ${{ github.event.number }}
-      penetration_test: false
       vault_zone: 'dev'
       zone: ${{ github.event.number }}
     secrets: inherit