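---
# SOOS DAST composite action metadata and input contract.
#
# Security notes for callers:
# - `api_key`, `auth_password`, `bearer_token`, `oauth_parameters` and any
#   cookie/header carrying a session token are credentials. Pass them from
#   `secrets.*` so the runner masks them in the job log; never hard-code them
#   in the workflow file.
# - Free-form inputs (`other_options`, `request_headers`, `project_name`,
#   `branch_name`, ...) end up on the scanner's command line. Do not derive
#   them from untrusted data such as PR titles, fork branch names or issue text.
name: 'SOOS DAST'
author: 'SOOS'
description: 'The SOOS GitHub Action to perform the DAST Analysis.'
branding:
  icon: 'alert-triangle'
  color: 'blue'
inputs:
  client_id:
    description: 'SOOS Client ID.'
    required: true
  api_key:
    # Credential: supply from a repository/organization secret.
    description: 'SOOS API Key. Supply it from a secret (e.g. secrets.SOOS_API_KEY); never hard-code it in the workflow.'
    required: true
  project_name:
    description: 'The project name that will be displayed on the dashboard. Defaults to owner/repository_name of the calling repository.'
    required: true
    default: ${{ github.repository }}
  scan_mode:
    description: 'SOOS DAST scan mode. Values available: baseline (Default), fullscan, and apiscan.'
    required: true
    default: 'baseline'
  on_failure:
    description: 'Action to perform when the scan fails. Values available: fail_the_build, continue_on_failure (Default)'
    required: false
    default: 'continue_on_failure'
  api_url:
    description: 'SOOS API URL.'
    required: true
    default: 'https://api.soos.io/api/'
  target_url:
    # Only scan targets you are authorized to test; an active scan sends
    # attack payloads to this host.
    description: 'Target URL to perform the scan against.'
    required: true
  debug:
    description: 'Show debug messages.'
    required: false
    default: 'false'
  ajax_spider:
    description: 'Enable the Ajax spider in addition to the traditional one.'
    required: false
    default: 'false'
  context_file:
    # The workspace is mounted at /zap/wrk inside the scan container, so the
    # path must be valid from the container's point of view.
    description: 'Context file which will be loaded prior to scanning the target. The workspace is mounted at /zap/wrk inside the scan container.'
    required: false
  disable_rules:
    description: 'Comma separated list of ZAP rules IDs to disable. List for reference https://www.zaproxy.org/docs/alerts/. (e.g. 10001,10002)'
    required: false
  full_scan_minutes:
    description: 'The number of minutes for spider to run (required if scan_mode is fullscan).'
    required: false
  api_scan_format:
    description: 'Target API format: openapi, soap, or graphql. Required for scan_mode: apiscan.'
    required: false
  log_level:
    description: 'Log level to show: DEBUG, INFO, WARN, ERROR, CRITICAL.'
    required: false
    default: 'INFO'
  branch_uri:
    description: 'URI to branch from SCM system.'
    required: false
    default: '${{ github.server_url }}/${{ github.repository }}/tree/${{ github.ref_name }}'
  branch_name:
    description: 'Branch Name to create scan under'
    required: false
    default: '${{ github.ref_name }}'
  build_version:
    description: 'Version of application build artifacts.'
    required: false
    default: ''
  build_uri:
    description: 'URI to CI build info.'
    required: false
    default: ''
  operating_environment:
    description: 'System info regarding operating system, etc.'
    required: false
    default: ${{ runner.os }}
  output_format:
    description: 'Output format for report to be generated (only sarif supported at the moment).'
    required: false
    default: ''
  request_cookies:
    # Session cookies are credentials; supply them from a secret.
    description: 'Set Cookie values for the requests to the target URL. Treat session cookies as secrets.'
    required: false
  request_headers:
    # May carry Authorization or similar values; supply those from a secret.
    description: 'Set extra request headers. Supply any credential-bearing header from a secret.'
    required: false
  bearer_token:
    # Credential: supply from a secret.
    description: 'Bearer token to include as authorization header in every request. Supply it from a secret.'
    required: false
  auth_username:
    description: 'Username to use in auth apps.'
    required: false
  auth_password:
    # Credential: supply from a secret.
    description: 'Password to use in auth apps. Supply it from a secret.'
    required: false
  auth_login_url:
    description: 'Login url to use in auth apps.'
    required: false
  auth_username_field:
    description: 'Username input id to use in auth apps.'
    required: false
  auth_password_field:
    description: 'Password input id to use in auth apps.'
    required: false
  auth_submit_field:
    description: 'Submit button id to use in auth apps.'
    required: false
  auth_second_submit_field:
    description: 'Second submit button id to use in auth apps (for multi-page forms).'
    required: false
  auth_form_type:
    description: 'simple (all fields are displayed at once), wait_for_password (Password field is displayed only after username is filled), or multi_page (Password field is displayed only after username is filled and submit is clicked)'
    required: false
  auth_delay_time:
    description: 'Delay time in seconds to wait for the page to load after performing actions in the form. (Used only on auth_form_type: wait_for_password and multi_page)'
    required: false
  auth_submit_action:
    description: 'Submit action to perform on form filled. Possible values are click or submit.'
    required: false
  oauth_token_url:
    description: 'The fully qualified authentication URL that grants the access_token.'
    required: false
  oauth_parameters:
    # Typically contains client_secret: supply from a secret.
    description: 'Parameters to be added to the oauth token request. (eg: client_id:value, client_secret:value, grant_type:value). Supply it from a secret when it contains a client_secret.'
    required: false
  auth_verification_url:
    description: 'URL used to verify authentication success. If authentication fails when this URL is provided, the scan will be terminated.'
    required: false
  verbose:
    description: 'Enable verbose logging.'
    required: false
  other_options:
    # Passed to the scanner verbatim; never build it from untrusted data.
    description: 'Other command line arguments sent directly to the script for items not supported by other inputs. Do not build this value from untrusted data.'
    required: false
  image_tag:
    # Supply-chain note: `latest` is a mutable tag. Pin a specific version tag
    # for reproducible scans.
    description: 'The soosio/dast image tag to use; defaults to latest. Pin a specific version tag for reproducible scans.'
    required: false
    default: 'latest'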
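runs:
  using: "composite"
  steps:
    # Informational only: compares the ref this action was invoked with against
    # the latest GitHub release. It must never fail the job, so every network
    # or parsing failure is tolerated (composite `shell: bash` runs with
    # `-eo pipefail`, where an unguarded failing command substitution aborts
    # the step). Uses sed instead of `grep -P`, which is absent on macOS runners.
    - name: Check version
      shell: bash
      env:
        SOOS_ACTION_REF: ${{ github.action_ref }}
      run: |
        set +x # Turn off command echoing
        printf '%.0s-' {1..80}
        printf '\n'
        # Unauthenticated API call: rate-limited per runner IP, so treat any
        # failure (network, 403, unexpected body) as "unknown", not as an error.
        response=$(curl -sSf --max-time 10 https://api.github.com/repos/soos-io/soos-dast-github-action/releases/latest 2>/dev/null || true)
        latest_tag=$(printf '%s\n' "$response" | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p' | head -n 1)
        current_tag="${SOOS_ACTION_REF##*/}"
        latest_tag_major="${latest_tag%%.*}"
        if [ -z "$latest_tag" ]; then
          echo "Can't check version."
        elif [[ "$current_tag" =~ ^[0-9a-f]{40}$ ]]; then
          # A full commit SHA is the strongest supply-chain pin; do not report
          # it as "outdated", just remind the user to bump it deliberately.
          echo "This action is pinned to commit $current_tag. The latest release is $latest_tag; review the pinned commit when updating."
        else
          echo "Your current version is: $current_tag, The latest version is: $latest_tag_major"
          if [[ "$current_tag" != "$latest_tag_major"* ]]; then
            echo "This action is outdated. Please update to use the latest major version tag: $latest_tag_major"
          elif [[ "$current_tag" == "$latest_tag" ]]; then
            echo "It is recommended to use the major version tag, $latest_tag_major when referencing this action."
          elif [[ "$current_tag" != "$latest_tag_major" ]]; then
            echo "This action is out of date. It is recommended to use the major version tag, $latest_tag_major."
          fi
        fi
        printf '%.0s-' {1..80}
        printf '\n'
    # Inputs reach the shell through `env:` and are read as $VARIABLES. Never
    # splice `${{ inputs.* }}` into `run:` text: the expression is expanded
    # before bash parses the script, so a value containing `"`, `$(`, backticks
    # or `;` becomes shell code on the runner (GitHub Actions script injection).
    # The argument list is a bash array, so no `eval` is needed and nothing is
    # re-parsed. It is also no longer exported via $GITHUB_ENV, which leaked
    # the API key, password and bearer token into every later step of the job.
    - name: Run SOOS DAST
      shell: bash
      env:
        INPUT_AJAX_SPIDER: ${{ inputs.ajax_spider }}
        INPUT_API_KEY: ${{ inputs.api_key }}
        INPUT_API_SCAN_FORMAT: ${{ inputs.api_scan_format }}
        INPUT_API_URL: ${{ inputs.api_url }}
        INPUT_AUTH_DELAY_TIME: ${{ inputs.auth_delay_time }}
        INPUT_AUTH_FORM_TYPE: ${{ inputs.auth_form_type }}
        INPUT_AUTH_LOGIN_URL: ${{ inputs.auth_login_url }}
        INPUT_AUTH_PASSWORD: ${{ inputs.auth_password }}
        INPUT_AUTH_PASSWORD_FIELD: ${{ inputs.auth_password_field }}
        INPUT_AUTH_SECOND_SUBMIT_FIELD: ${{ inputs.auth_second_submit_field }}
        INPUT_AUTH_SUBMIT_ACTION: ${{ inputs.auth_submit_action }}
        INPUT_AUTH_SUBMIT_FIELD: ${{ inputs.auth_submit_field }}
        INPUT_AUTH_USERNAME: ${{ inputs.auth_username }}
        INPUT_AUTH_USERNAME_FIELD: ${{ inputs.auth_username_field }}
        INPUT_AUTH_VERIFICATION_URL: ${{ inputs.auth_verification_url }}
        INPUT_BEARER_TOKEN: ${{ inputs.bearer_token }}
        INPUT_BRANCH_NAME: ${{ inputs.branch_name }}
        INPUT_BRANCH_URI: ${{ inputs.branch_uri }}
        INPUT_BUILD_URI: ${{ inputs.build_uri }}
        INPUT_BUILD_VERSION: ${{ inputs.build_version }}
        INPUT_CLIENT_ID: ${{ inputs.client_id }}
        INPUT_CONTEXT_FILE: ${{ inputs.context_file }}
        INPUT_DEBUG: ${{ inputs.debug }}
        INPUT_DISABLE_RULES: ${{ inputs.disable_rules }}
        INPUT_FULL_SCAN_MINUTES: ${{ inputs.full_scan_minutes }}
        INPUT_LOG_LEVEL: ${{ inputs.log_level }}
        INPUT_OAUTH_PARAMETERS: ${{ inputs.oauth_parameters }}
        INPUT_OAUTH_TOKEN_URL: ${{ inputs.oauth_token_url }}
        INPUT_ON_FAILURE: ${{ inputs.on_failure }}
        INPUT_OPERATING_ENVIRONMENT: ${{ inputs.operating_environment }}
        INPUT_OTHER_OPTIONS: ${{ inputs.other_options }}
        INPUT_OUTPUT_FORMAT: ${{ inputs.output_format }}
        INPUT_PROJECT_NAME: ${{ inputs.project_name }}
        INPUT_REQUEST_COOKIES: ${{ inputs.request_cookies }}
        INPUT_REQUEST_HEADERS: ${{ inputs.request_headers }}
        INPUT_SCAN_MODE: ${{ inputs.scan_mode }}
        INPUT_TARGET_URL: ${{ inputs.target_url }}
        INPUT_VERBOSE: ${{ inputs.verbose }}
        INPUT_IMAGE_TAG: ${{ inputs.image_tag }}
      run: |
        set +x # Turn off command echoing: the argument list carries credentials
        args=(--checkoutDir /zap/wrk --integrationName=Github --integrationType=Plugin)
        # `shown` mirrors `args` with secret values redacted; it is what we log.
        shown=("${args[@]}")
        # add_arg VALUE: append one argv entry verbatim (spaces/quotes preserved).
        add_arg() { args+=("$1"); shown+=("$1"); }
        # add_secret FLAG VALUE: append FLAG=VALUE, ask the runner to mask VALUE
        # in the job log (covers values not sourced from `secrets.*`), and log
        # FLAG=*** instead. Note the value is still visible in the container's
        # argv to other processes on the runner; the CLI takes it as a flag.
        add_secret() { printf '::add-mask::%s\n' "$2"; args+=("$1=$2"); shown+=("$1=***"); }
        [[ "$INPUT_AJAX_SPIDER" == "true" ]] && add_arg --ajaxSpider
        [ -n "$INPUT_API_KEY" ] && add_secret --apiKey "$INPUT_API_KEY"
        [ -n "$INPUT_API_SCAN_FORMAT" ] && add_arg "--apiScanFormat=$INPUT_API_SCAN_FORMAT"
        [ -n "$INPUT_API_URL" ] && add_arg "--apiURL=$INPUT_API_URL"
        [ -n "$INPUT_AUTH_DELAY_TIME" ] && add_arg "--authDelayTime=$INPUT_AUTH_DELAY_TIME"
        [ -n "$INPUT_AUTH_FORM_TYPE" ] && add_arg "--authFormType=$INPUT_AUTH_FORM_TYPE"
        [ -n "$INPUT_AUTH_LOGIN_URL" ] && add_arg "--authLoginURL=$INPUT_AUTH_LOGIN_URL"
        [ -n "$INPUT_AUTH_PASSWORD" ] && add_secret --authPassword "$INPUT_AUTH_PASSWORD"
        [ -n "$INPUT_AUTH_PASSWORD_FIELD" ] && add_arg "--authPasswordField=$INPUT_AUTH_PASSWORD_FIELD"
        [ -n "$INPUT_AUTH_SECOND_SUBMIT_FIELD" ] && add_arg "--authSecondSubmitField=$INPUT_AUTH_SECOND_SUBMIT_FIELD"
        [ -n "$INPUT_AUTH_SUBMIT_ACTION" ] && add_arg "--authSubmitAction=$INPUT_AUTH_SUBMIT_ACTION"
        [ -n "$INPUT_AUTH_SUBMIT_FIELD" ] && add_arg "--authSubmitField=$INPUT_AUTH_SUBMIT_FIELD"
        [ -n "$INPUT_AUTH_USERNAME" ] && add_arg "--authUsername=$INPUT_AUTH_USERNAME"
        [ -n "$INPUT_AUTH_USERNAME_FIELD" ] && add_arg "--authUsernameField=$INPUT_AUTH_USERNAME_FIELD"
        [ -n "$INPUT_AUTH_VERIFICATION_URL" ] && add_arg "--authVerificationURL=$INPUT_AUTH_VERIFICATION_URL"
        [ -n "$INPUT_BEARER_TOKEN" ] && add_secret --bearerToken "$INPUT_BEARER_TOKEN"
        [ -n "$INPUT_BRANCH_NAME" ] && add_arg "--branchName=$INPUT_BRANCH_NAME"
        [ -n "$INPUT_BRANCH_URI" ] && add_arg "--branchURI=$INPUT_BRANCH_URI"
        [ -n "$INPUT_BUILD_URI" ] && add_arg "--buildURI=$INPUT_BUILD_URI"
        [ -n "$INPUT_BUILD_VERSION" ] && add_arg "--buildVersion=$INPUT_BUILD_VERSION"
        [ -n "$INPUT_CLIENT_ID" ] && add_arg "--clientId=$INPUT_CLIENT_ID"
        [ -n "$INPUT_CONTEXT_FILE" ] && add_arg "--contextFile=$INPUT_CONTEXT_FILE"
        # `inputs.context_user` was referenced here but never declared as an
        # input, so it always expanded to "" and was never forwarded; dropped.
        [[ "$INPUT_DEBUG" == "true" ]] && add_arg --debug
        # `disable_rules` is a comma-separated list (see its description), but
        # it used to be compared against "true" and so was never forwarded.
        # Forward it in the same --flag=value form as every other option
        # (confirm against the soosio/dast CLI that it accepts this form).
        [ -n "$INPUT_DISABLE_RULES" ] && add_arg "--disableRules=$INPUT_DISABLE_RULES"
        [ -n "$INPUT_FULL_SCAN_MINUTES" ] && add_arg "--fullScanMinutes=$INPUT_FULL_SCAN_MINUTES"
        [ -n "$INPUT_LOG_LEVEL" ] && add_arg "--logLevel=$INPUT_LOG_LEVEL"
        # Typically carries client_secret (per the input description): mask it.
        [ -n "$INPUT_OAUTH_PARAMETERS" ] && add_secret --oauthParameters "$INPUT_OAUTH_PARAMETERS"
        [ -n "$INPUT_OAUTH_TOKEN_URL" ] && add_arg "--oauthTokenUrl=$INPUT_OAUTH_TOKEN_URL"
        [ -n "$INPUT_ON_FAILURE" ] && add_arg "--onFailure=$INPUT_ON_FAILURE"
        [ -n "$INPUT_OPERATING_ENVIRONMENT" ] && add_arg "--operatingEnvironment=$INPUT_OPERATING_ENVIRONMENT"
        [ -n "$INPUT_OTHER_OPTIONS" ] && add_arg "--otherOptions=$INPUT_OTHER_OPTIONS"
        [ -n "$INPUT_OUTPUT_FORMAT" ] && add_arg "--outputFormat=$INPUT_OUTPUT_FORMAT"
        [ -n "$INPUT_PROJECT_NAME" ] && add_arg "--projectName=$INPUT_PROJECT_NAME"
        # Cookies and headers may hold session tokens / Authorization values.
        [ -n "$INPUT_REQUEST_COOKIES" ] && add_secret --requestCookies "$INPUT_REQUEST_COOKIES"
        [ -n "$INPUT_REQUEST_HEADERS" ] && add_secret --requestHeaders "$INPUT_REQUEST_HEADERS"
        [ -n "$INPUT_SCAN_MODE" ] && add_arg "--scanMode=$INPUT_SCAN_MODE"
        [[ "$INPUT_VERBOSE" == "true" ]] && add_arg --verbose
        # Positional target URL goes last.
        [ -n "$INPUT_TARGET_URL" ] && add_arg "$INPUT_TARGET_URL"
        echo "Arguments: ${shown[*]}"
        # Supply-chain: `latest` is a mutable tag. A digest (`sha256:...`) given
        # as image_tag is honoured as an immutable pin.
        if [[ "$INPUT_IMAGE_TAG" == sha256:* ]]; then
          image="soosio/dast@$INPUT_IMAGE_TAG"
        else
          image="soosio/dast:${INPUT_IMAGE_TAG:-latest}"
        fi
        docker pull "$image"
        # The checkout is mounted read-write because the scanner uses it as its
        # checkoutDir; note this grants the third-party image write access to
        # the workspace contents.
        docker run -v "$GITHUB_WORKSPACE:/zap/wrk/:rw" --rm "$image" "${args[@]}"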