From f8c1a73d1d8a3430341e17e89db770cdfc1dfdb5 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Thu, 28 Sep 2023 15:31:39 -0700 Subject: [PATCH] feat: penetration tests in cronjob (#658) Co-authored-by: Chris Berg Co-authored-by: cberg-aot <93226309+cberg-aot@users.noreply.github.com> --- .github/workflows/deploy.yml | 12 ------------ .github/workflows/merge-main.yml | 2 -- .github/workflows/pentests.yml | 29 +++++++++++++++++++++++++++++ .github/workflows/pr-open.yml | 2 +- 4 files changed, 30 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/pentests.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1bbf12331..1a26c5036 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -14,11 +14,6 @@ on: default: 'test' required: true type: string - penetration_test: - description: 'If penetration test is required' - default: false - required: true - type: boolean vault_zone: description: 'Which vault zone to use' default: 'dev' @@ -46,11 +41,6 @@ on: default: 'test' required: true type: string - penetration_test: - description: 'If penetration test is required' - default: false - required: true - type: boolean vault_zone: description: 'Which vault zone to use' default: 'dev' @@ -168,5 +158,3 @@ jobs: -p MOTIPAY_MERCHANT_ID=${{steps.vault.outputs.VAULT_MOTIPAY_MERCHANT_ID}} -p MOTIPAY_BASE_URL=${{steps.vault.outputs.VAULT_MOTIPAY_BASE_URL}} ${{ matrix.parameters }} - penetration_test: ${{ github.event_name != 'pull_request'}} - penetration_test_issue: ${{ matrix.name }} diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml index 837405abc..53f65afc9 100644 --- a/.github/workflows/merge-main.yml +++ b/.github/workflows/merge-main.yml @@ -69,7 +69,6 @@ jobs: with: environment: 'test' imagetag: 'latest' # we promote AFTER successful deploy of candidate - penetration_test: true vault_zone: 'test' zone: 'test' secrets: inherit 
@@ -192,7 +191,6 @@ jobs: with: environment: 'prod' imagetag: 'test' - penetration_test: false vault_zone: 'prod' zone: 'prod' secrets: inherit diff --git a/.github/workflows/pentests.yml b/.github/workflows/pentests.yml new file mode 100644 index 000000000..521ed7a61 --- /dev/null +++ b/.github/workflows/pentests.yml @@ -0,0 +1,29 @@ +name: Penetration Tests + +on: + schedule: [cron: "0 11 * * 6"] # 3 AM PST = 12 PM UDT, Saturdays + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + zap_scan: + name: Penetration Tests + env: + DOMAIN: apps.silver.devops.gov.bc.ca + PREFIX: ${{ github.event.repository.name }}-test + runs-on: ubuntu-latest + strategy: + matrix: + name: [backend-dops, backend-vehicles, frontend] + steps: + - name: ZAP Scan + uses: zaproxy/action-full-scan@v0.7.0 + with: + allow_issue_writing: true + artifact_name: "zap_${{ matrix.name }}" + cmd_options: "-a" + issue_title: "ZAP: ${{ matrix.name }}" + target: https://${{ env.PREFIX }}-${{ matrix.name }}.${{ env.DOMAIN }} diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 657c5e604..8ce9f1aeb 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -33,6 +33,7 @@ jobs: Once merged, code will be promoted and handed off to following workflow run. [Main Merge Workflow](https://github.com/${{ github.repository }}/actions/workflows/merge-main.yml) + builds: name: Builds runs-on: ubuntu-22.04 @@ -66,7 +67,6 @@ jobs: with: environment: 'dev' imagetag: ${{ github.event.number }} - penetration_test: false vault_zone: 'dev' zone: ${{ github.event.number }} secrets: inherit
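Review bot: The new pentests.yml workflow declares no `permissions:` block, yet `allow_issue_writing: true` asks the ZAP action to open issues, so the job runs with whatever the repository's default GITHUB_TOKEN grants rather than the minimum it needs; add at the workflow top `permissions:` / `  contents: read` / `  issues: write` so the token is scoped to exactly that. The action is also referenced by a mutable tag (`uses: zaproxy/action-full-scan@v0.7.0`); pinning to the full commit SHA that tag resolves to (`zaproxy/action-full-scan@<commit-sha>  # v0.7.0`, SHA to be filled in) keeps a third-party action that runs against a deployed environment from changing underneath the job. The cron comment does not match the expression: `"0 11 * * 6"` fires at 11:00 UTC, which is 03:00 PST, so `# 11:00 UTC = 03:00 PST, Saturdays` would be accurate. A `timeout-minutes:` on the job is worth considering too, since a full active scan with `-a` has no upper bound here.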