|
| 1 | +name: ZAP API Active Scan (nightly) |
| 2 | + |
| 3 | +on: |
| 4 | + # schedule: |
| 5 | + # - cron: "0 3 * * *" # nightly 3am |
| 6 | + workflow_dispatch: |
| 7 | + inputs: |
| 8 | + target_env_oas: |
| 9 | + description: "Target proxygen environment OAS" |
| 10 | + required: true |
| 11 | + default: "internal-dev" |
| 12 | + # kid_name: |
| 13 | + # description: "KID name for JWT authentication" |
| 14 | + # required: true |
| 15 | + # default: "int-dev-1" |
| 16 | + |
| 17 | +jobs: |
| 18 | + metadata: |
| 19 | + name: "Set CI/CD metadata" |
| 20 | + runs-on: ubuntu-latest |
| 21 | + timeout-minutes: 1 |
| 22 | + outputs: |
| 23 | + build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }} |
| 24 | + build_datetime: ${{ steps.variables.outputs.build_datetime }} |
| 25 | + build_timestamp: ${{ steps.variables.outputs.build_timestamp }} |
| 26 | + build_epoch: ${{ steps.variables.outputs.build_epoch }} |
| 27 | + nodejs_version: ${{ steps.variables.outputs.nodejs_version }} |
| 28 | + python_version: ${{ steps.variables.outputs.python_version }} |
| 29 | + terraform_version: ${{ steps.variables.outputs.terraform_version }} |
| 30 | + version: ${{ steps.variables.outputs.version }} |
| 31 | + is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }} |
| 32 | + steps: |
| 33 | + - name: "Checkout code" |
| 34 | + uses: actions/checkout@v5 |
| 35 | + - name: "Set CI/CD variables" |
| 36 | + id: variables |
| 37 | + run: | |
| 38 | + datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') |
| 39 | + version=$(head -n 1 .version 2> /dev/null || echo unknown) |
| 40 | + echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT |
| 41 | + echo "build_datetime=$datetime" >> $GITHUB_OUTPUT |
| 42 | + echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT |
| 43 | + echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT |
| 44 | + echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT |
| 45 | + echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT |
| 46 | + echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT |
| 47 | + echo "version=$(echo $version)" >> $GITHUB_OUTPUT |
| 48 | + echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT |
| 49 | + - name: "List variables" |
| 50 | + run: | |
| 51 | + export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}" |
| 52 | + export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}" |
| 53 | + export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}" |
| 54 | + export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}" |
| 55 | + export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}" |
| 56 | + export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}" |
| 57 | + export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}" |
| 58 | + export VERSION="${{ steps.variables.outputs.version }}" |
| 59 | + export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}" |
| 60 | + make list-variables |
| 61 | +
|
| 62 | + - name: "Build OAS spec" |
| 63 | + uses: ./.github/actions/build-oas-spec |
| 64 | + with: |
| 65 | + version: "${{ inputs.version }}" |
| 66 | + apimEnv: "${{ matrix.apimEnv }}" |
| 67 | + buildSandbox: false |
| 68 | + nodejs_version: ${{ inputs.nodejs_version }} |
| 69 | + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 70 | + |
| 71 | + zap-api-scan: |
| 72 | + runs-on: ubuntu-latest |
| 73 | + steps: |
| 74 | + - name: Checkout |
| 75 | + uses: actions/checkout@v4 |
| 76 | + |
| 77 | + - name: Setup Node |
| 78 | + uses: actions/setup-node@v4 |
| 79 | + with: |
| 80 | + node-version: ${{ inputs.nodejs_version }} |
| 81 | + registry-url: "https://npm.pkg.github.com" |
| 82 | + |
| 83 | + - name: Npm install |
| 84 | + working-directory: . |
| 85 | + env: |
| 86 | + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 87 | + run: npm ci |
| 88 | + shell: bash |
| 89 | + |
| 90 | + - name: Build OAS File |
| 91 | + working-directory: . |
| 92 | + shell: bash |
| 93 | + run: | |
| 94 | + echo "Building env specific JSON OAS spec" |
| 95 | + make build-json-oas-spec APIM_ENV=${{ inputs.target_env_oas }} |
| 96 | +
|
| 97 | + # - name: "Setup ASDF" |
| 98 | + # uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 |
| 99 | + |
| 100 | + # - name: Install python |
| 101 | + # run: | |
| 102 | + # asdf install python || true |
| 103 | + # echo "Installed python version:" |
| 104 | + # python --version |
| 105 | + |
| 106 | + # - name: Configure AWS Credentials |
| 107 | + # uses: aws-actions/configure-aws-credentials@v5 |
| 108 | + # with: |
| 109 | + # role-to-assume: arn:aws:iam::${{ secrets.SUPPLIERS_DEV_AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }} |
| 110 | + # role-session-name: ${{ github.run_id }} |
| 111 | + # aws-region: eu-west-2 |
| 112 | + # role-skip-session-tagging: true |
| 113 | + |
| 114 | + # - name: Fetch private key from SSM (parameter store) and save to file |
| 115 | + # id: fetch_key |
| 116 | + # run: | |
| 117 | + # aws ssm get-parameter --name "/jwt/kids/${KID_NAME}" --with-decryption --query "Parameter.Value" --output text > "${KID_NAME}.pem" |
| 118 | + # chmod 600 "${KID_NAME}.pem" |
| 119 | + # env: |
| 120 | + # KID_NAME: ${{ env.KID_NAME }} |
| 121 | + |
| 122 | + # - name: Get JWT bearer token (run your Python script) |
| 123 | + # id: get_token |
| 124 | + # run: | |
| 125 | + # python ./scripts/JWT/get_bearer_token.py --kid "${KID_NAME}.pem" --env "int" --appid "${{ secrets.APIGEE_APPKEY }}" > jwt_output.json |
| 126 | + |
| 127 | + # ACCESS_TOKEN=$(jq -r '.access_token // empty' jwt_output.json || true) |
| 128 | + |
| 129 | + # echo "token=$ACCESS_TOKEN" >> $GITHUB_OUTPUT |
| 130 | + # env: |
| 131 | + # KID_NAME: ${{ env.KID_NAME }} |
| 132 | + # APIGEE_APPKEY: ${{ secrets.APIGEE_APPKEY }} |
| 133 | + |
| 134 | + # - name: Install Proxygen client |
| 135 | + # shell: bash |
| 136 | + # run: | |
| 137 | + # # Install proxygen cli |
| 138 | + # pip install pipx |
| 139 | + # pipx install proxygen-cli |
| 140 | + |
| 141 | + # # Setup proxygen auth and settings |
| 142 | + # mkdir -p ${HOME}/.proxygen |
| 143 | + # echo -n $PROXYGEN_PRIVATE_KEY | base64 --decode > ${HOME}/.proxygen/key |
| 144 | + # envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml |
| 145 | + # envsubst < ./.github/proxygen-credentials-template.yaml | cat |
| 146 | + # envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml |
| 147 | + # envsubst < ./.github/proxygen-settings.yaml | cat |
| 148 | + |
| 149 | + # - name: Obtain OAS from target via Proxygen |
| 150 | + # run: | |
| 151 | + # proxygen instance get ${{ env.TARGET_ENV }} nhs-notify-supplier |
| 152 | + |
| 153 | + - name: Run ZAP API Scan (active) |
| 154 | + uses: zaproxy/action-api-scan@v0.10.0 |
| 155 | + env: |
| 156 | + # Set the Authorization header value for ZAP |
| 157 | + ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.TEMP_ACCESS_TOKEN }}" |
| 158 | + with: |
| 159 | + target: "./build/notify-supplier.json" |
| 160 | + format: openapi |
| 161 | + fail_action: true |
| 162 | + cmd_options: > |
| 163 | + -a |
| 164 | + -J zap-report.json |
| 165 | + -r zap-report.html |
| 166 | + --max-active-scan-threads 2 |
| 167 | + --scan-policy default |
| 168 | +
|
| 169 | + - name: Upload ZAP HTML report |
| 170 | + if: always() |
| 171 | + uses: actions/upload-artifact@v4 |
| 172 | + with: |
| 173 | + name: zap-report |
| 174 | + path: zap-report.html |
| 175 | + |
| 176 | + - name: Upload ZAP JSON report |
| 177 | + if: always() |
| 178 | + uses: actions/upload-artifact@v4 |
| 179 | + with: |
| 180 | + name: zap-report-json |
| 181 | + path: zap-report.json |
0 commit comments