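---
# Scheduled Nuclei scan of a ModSecurity/CRS WAF placed in front of a dummy
# backend, followed by a report build and a Slack summary of the results.
name: Run Nuclei

on:
  # Run every Sunday at 12:00 (runner clock, UTC on GitHub-hosted runners)
  schedule:
    - cron: "0 12 * * SUN"
  # Allow manual runs from the Actions tab
  workflow_dispatch:

# Least-privilege job token: checkout only needs read access.
# NOTE(review): the only visible consumer of GITHUB_TOKEN is nuclei-action
# below — confirm it needs no write scope before relying on this.
permissions:
  contents: read

env:
  # NOTE(review): neither value is referenced by any step in this file —
  # confirm the actions consume them via the environment.
  REPO_OWNER: ${{ github.repository_owner }}
  # Quoted so the version is kept as a string, not parsed as a float
  NUCLEI_VERSION: "3.2.5"

jobs:
  project-runner:
    name: Project runner
    # seaweed configurations
    env:
      TAG: "lfi,xss,fileupload,xxe,injection,traversal,disclosure,auth-bypass,ssrf,sqli,oast,rce"
    runs-on: ubuntu-latest
    services:
      # Backend that the WAF forwards to; images are pinned by digest
      dummyhttp:
        image: "svenstaro/dummyhttp:1.1.0@sha256:9bd5ee6432fbee297107529b1d96a59631f1cb9bcde92cc56b8fd17f688e1606"
      # WAF under test, exposed on the runner as 127.0.0.1:8080
      waf:
        image: "owasp/modsecurity-crs:4-apache-202404131004@sha256:9c20dd4756378de04c3587911efdf37c15614403c0540e008f16ca1cdbc63cba"
        ports:
          # Quoted: port mappings are strings, not numbers
          - "8080:8080"
        env:
          MODSEC_RULE_ENGINE: "On"
          SERVERNAME: "_default_"
          MODSEC_AUDIT_LOG: "/var/log/apache2/modsec_audit.log"
          # Environment values are strings; quoted to avoid integer typing
          BLOCKING_PARANOIA: "4"
          BACKEND: "http://dummyhttp:80"
    steps:
      - name: Nuclei - Vulnerability Scan
        uses: projectdiscovery/nuclei-action@6a69b5015a4059e8804afcb33ff5e56bfd546908 # v2.0.1
        with:
          target: "http://127.0.0.1:8080"
          flags: "-t http/cves -type http -stats -ni -sresp"
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The scan writes to ./output; bundle it for the next job
      - name: zip output
        run: |
          zip -qq -r output.zip output
      - name: GitHub Workflow artifacts
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
        with:
          name: output
          path: output.zip

  process-artifacts:
    name: Generate report
    runs-on: ubuntu-latest
    needs: project-runner
    # Counters emitted by the report step, consumed by the notification job
    outputs:
      total_requests: ${{ steps.report.outputs.total_requests }}
      total_blocked: ${{ steps.report.outputs.total_blocked }}
      total_not_blocked: ${{ steps.report.outputs.total_not_blocked }}
      partially_blocked: ${{ steps.report.outputs.partially_blocked }}
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
      - name: Setup Go
        uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5
        with:
          go-version: "^1.22.3"
      - name: Download artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: output
      # Builds the report tool from this repository and appends its
      # key=value output to GITHUB_OUTPUT for the job outputs above
      - name: Build report
        id: report
        run: |
          go build
          unzip -qq output.zip
          ./project-seaweed -o output >> "$GITHUB_OUTPUT"

  slack-notification:
    name: Send notification
    runs-on: ubuntu-latest
    needs: process-artifacts
    env:
      total_requests: ${{ needs.process-artifacts.outputs.total_requests }}
      total_blocked: ${{ needs.process-artifacts.outputs.total_blocked }}
      total_not_blocked: ${{ needs.process-artifacts.outputs.total_not_blocked }}
      partially_blocked: ${{ needs.process-artifacts.outputs.partially_blocked }}
    steps:
      - name: Success
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          # Expression values are quoted so that an empty or missing output
          # still yields valid JSON instead of `"value": ,`
          payload: |
            {
              "text": "Testing finished!",
              "attachments": [
                {
                  "color": "28a745",
                  "fields": [
                    {
                      "title": "Status",
                      "value": "Complete"
                    },
                    {
                      "title": "total requests - cves tested",
                      "value": "${{ env.total_requests }}"
                    },
                    {
                      "title": "blocks",
                      "value": "${{ env.total_blocked }}"
                    },
                    {
                      "title": "partially blocked",
                      "value": "${{ env.partially_blocked }}"
                    },
                    {
                      "title": "non blocks",
                      "value": "${{ env.total_not_blocked }}"
                    }
                  ]
                }
              ]
            }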