Add act workflow

Author: francisco-videira-nhs

.github/workflows/zap-active-scan-act.yml

@@ -0,0 +1,43 @@
+name: ZAP API Active Scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_env_oas:
+        description: "Target proxygen environment OAS"
+        required: true
+        default: "internal-dev"
+
+jobs:
+  zap-api-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run ZAP API Scan (active)
+        id: scan
+        uses: zaproxy/action-api-scan@v0.10.0
+        env:
+          # Set the Authorization header value for ZAP
+          ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.TEMP_ACCESS_TOKEN }}"
+        with:
+          target: "build/notify-supplier-int.json"
+          format: openapi
+          fail_action: true
+          cmd_options: "-a"
+          allow_issue_writing: false
+
+      - name: Upload ZAP HTML report
+        if: steps.scan.outcome == 'success'
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-report
+          path: report_html.html
+
+      - name: Upload ZAP JSON report
+        if: steps.scan.outcome == 'success'
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-report-json
+          path: report_json.json

.github/workflows/zap-active-scan.yml

@@ -0,0 +1,189 @@
+# name: ZAP API Active Scan
+
+# on:
+#   # schedule:
+#   #   - cron: "0 3 * * *" # nightly 3am
+#   workflow_dispatch:
+#     inputs:
+#       target_env_oas:
+#         description: "Target proxygen environment OAS"
+#         required: true
+#         default: "internal-dev"
+#     # kid_name:
+#     #   description: "KID name for JWT authentication"
+#     #   required: true
+#     #   default: "int-dev-1"
+
+# jobs:
+#   metadata:
+#     name: "Set CI/CD metadata"
+#     runs-on: ubuntu-latest
+#     timeout-minutes: 1
+#     outputs:
+#       build_datetime_london: ${{ steps.variables.outputs.build_datetime_london }}
+#       build_datetime: ${{ steps.variables.outputs.build_datetime }}
+#       build_timestamp: ${{ steps.variables.outputs.build_timestamp }}
+#       build_epoch: ${{ steps.variables.outputs.build_epoch }}
+#       nodejs_version: ${{ steps.variables.outputs.nodejs_version }}
+#       python_version: ${{ steps.variables.outputs.python_version }}
+#       terraform_version: ${{ steps.variables.outputs.terraform_version }}
+#       version: ${{ steps.variables.outputs.version }}
+#       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
+#     steps:
+#       - name: "Checkout code"
+#         uses: actions/checkout@v5
+#       - name: "Set CI/CD variables"
+#         id: variables
+#         run: |
+#           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
+#           version=$(head -n 1 .version 2> /dev/null || echo unknown)
+#           echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
+#           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
+#           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+#           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
+#           echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+#           echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+#           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+#           echo "version=$(echo $version)" >> $GITHUB_OUTPUT
+#           echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
+#       - name: "List variables"
+#         run: |
+#           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
+#           export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}"
+#           export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}"
+#           export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}"
+#           export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}"
+#           export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}"
+#           export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
+#           export VERSION="${{ steps.variables.outputs.version }}"
+#           export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}"
+#           make list-variables
+
+#       # - name: "Build OAS spec"
+#       #   uses: ./.github/actions/build-oas-spec
+#       #   with:
+#       #     version: "${{ inputs.version }}"
+#       #     apimEnv: "${{ matrix.apimEnv }}"
+#       #     buildSandbox: false
+#       #     nodejs_version: ${{ inputs.nodejs_version }}
+#       #     NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+
+#   zap-api-scan:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@v4
+
+#       - name: Setup Node
+#         uses: actions/setup-node@v4
+#         with:
+#           node-version: 22
+#           registry-url: "https://npm.pkg.github.com"
+#           scope: "@nhsdigital"
+#           always-auth: true
+
+#       - name: Npm install
+#         working-directory: .
+#         env:
+#           NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+#         run: npm ci
+#         shell: bash
+
+#       - name: Set up dependencies
+#         working-directory: .
+#         shell: bash
+#         run: |
+#           apt-get update && apt-get -y install gettext-base
+
+#       - name: Build OAS File
+#         working-directory: .
+#         shell: bash
+#         run: |
+#           echo "Building env specific JSON OAS spec"
+#           make build-json-oas-spec APIM_ENV=${{ inputs.target_env_oas }}
+#         # jq 'del(.servers[] | select(.url == "http://127.0.0.1:9000")) | .servers += [{ "url": "https://internal-dev.api.service.nhs.uk/nhs-notify-supplier"}]' build/notify-supplier.json > build/notify-supplier.json
+
+#       # - name: "Setup ASDF"
+#       #   uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
+
+#       # - name: Install python
+#       #   run: |
+#       #     asdf install python || true
+#       #     echo "Installed python version:"
+#       #     python --version
+
+#       # - name: Configure AWS Credentials
+#       #   uses: aws-actions/configure-aws-credentials@v5
+#       #   with:
+#       #     role-to-assume: arn:aws:iam::${{ secrets.SUPPLIERS_DEV_AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ASSUME_ROLE_NAME }}
+#       #     role-session-name: ${{ github.run_id }}
+#       #     aws-region: eu-west-2
+#       #     role-skip-session-tagging: true
+
+#       # - name: Fetch private key from SSM (parameter store) and save to file
+#       #   id: fetch_key
+#       #   run: |
+#       #     aws ssm get-parameter --name "/jwt/kids/${KID_NAME}" --with-decryption --query "Parameter.Value" --output text > "${KID_NAME}.pem"
+#       #     chmod 600 "${KID_NAME}.pem"
+#       #   env:
+#       #     KID_NAME: ${{ env.KID_NAME }}
+
+#       # - name: Get JWT bearer token (run your Python script)
+#       #   id: get_token
+#       #   run: |
+#       #     python ./scripts/JWT/get_bearer_token.py --kid "${KID_NAME}.pem" --env "int" --appid "${{ secrets.APIGEE_APPKEY }}" > jwt_output.json
+
+#       #     ACCESS_TOKEN=$(jq -r '.access_token // empty' jwt_output.json || true)
+
+#       #     echo "token=$ACCESS_TOKEN" >> $GITHUB_OUTPUT
+#       #   env:
+#       #     KID_NAME: ${{ env.KID_NAME }}
+#       #     APIGEE_APPKEY: ${{ secrets.APIGEE_APPKEY }}
+
+#       # - name: Install Proxygen client
+#       #   shell: bash
+#       #   run: |
+#       #     # Install proxygen cli
+#       #     pip install pipx
+#       #     pipx install proxygen-cli
+
+#       #     # Setup proxygen auth and settings
+#       #     mkdir -p ${HOME}/.proxygen
+#       #     echo -n $PROXYGEN_PRIVATE_KEY | base64 --decode > ${HOME}/.proxygen/key
+#       #     envsubst < ./.github/proxygen-credentials-template.yaml > ${HOME}/.proxygen/credentials.yaml
+#       #     envsubst < ./.github/proxygen-credentials-template.yaml | cat
+#       #     envsubst < ./.github/proxygen-settings.yaml > ${HOME}/.proxygen/settings.yaml
+#       #     envsubst < ./.github/proxygen-settings.yaml | cat
+
+#       # - name: Obtain OAS from target via Proxygen
+#       #   run: |
+#       #     proxygen instance get ${{ env.TARGET_ENV }} nhs-notify-supplier
+
+#       - name: Run ZAP API Scan (active)
+#         uses: zaproxy/action-api-scan@v0.10.0
+#         env:
+#           # Set the Authorization header value for ZAP
+#           ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.TEMP_ACCESS_TOKEN }}"
+#         with:
+#           target: "build/notify-supplier.json"
+#           format: openapi
+#           fail_action: true
+#           cmd_options: >
+#             -d
+#             -a
+#             -J zap-report.json
+#             -r zap-report.html
+
+#       - name: Upload ZAP HTML report
+#         if: always()
+#         uses: actions/upload-artifact@v4
+#         with:
+#           name: zap-report
+#           path: zap-report.html
+
+#       - name: Upload ZAP JSON report
+#         if: always()
+#         uses: actions/upload-artifact@v4
+#         with:
+#           name: zap-report-json
+#           path: zap-report.json