Skip to content
This repository has been archived by the owner on May 1, 2023. It is now read-only.
/ scan-websites Public archive
generated from cds-snc/project-template

On-demand scanning of websites for accessibility and security vulnerabilities/compliance / Analyse à la demande des sites Web pour les vulnérabilités/conformité en matière d'accessibilité et de sécurité

scan-websites.alpha.canada.ca

License

MIT license
12 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cds-snc/scan-websites

BranchesTags

Repository files navigation

Scan Websites

On-demand scanning of websites for accessibility and security vulnerabilities/compliance / Analyse à la demande des sites Web pour les vulnérabilités/conformité en matière d'accessibilité et de sécurité

Adding new scanner

  • Create new alembic database migration to insert new scan_type
  • Add new scan_type to AvailableScans class in /pub_sub/
  • Associate validator_list to new scan_type in /pub_sub/
  • Add new SNS topic for the new scan (api terraform)
  • Add new S3 report bucket via terraform + IAM permissions to store results for processing by the api (api terraform)
  • Add new lambda function via terraform + IAM permissions to be invoked by SNS
  • Update api terraform outputs.tf to include newly created items
  • Create a new lambda nodejs project in /scanners/
    • If using ECS
      • Create a runner under /runners/. This will be invoked by your nodejs lambda.
      • Create ECS task definition TF and associated container definition .json
  • Create new entries for your scanner under the various actions in /.github/
    • TF plan (CI only)
    • TF apply (Make changes to Production)
    • Build container to test dockerbuild (CI only)
    • Build and push container to ECR (Push to Production)
  • Profit 🎉

Adding new scan

name: Scan for security vulnerabilities (Weekly on Sunday)

on:
  schedule:
  - cron: "0 12 * * 0"

jobs:
  security-scan:
    name: Run scan websites (security)
    uses: cds-snc/scan-websites/.github/workflows/start_scan.yml@main
    with:
      dynamic: true
    secrets:
      scan_websites_key: ${{ secrets.SCAN_WEBSITES_KEY }}
      scan_websites_template: ${{ secrets.SCAN_WEBSITES_TEMPLATE }}
  • You can also trigger a scan directly in a workflow with:
curl -X GET -H 'X-API-KEY: ${{ secrets.SCAN_WEBSITES_KEY }}' -H 'X-TEMPLATE-TOKEN: ${{ secrets.SCAN_WEBSITES_TEMPLATE }}' https://scan-websites.alpha.canada.ca/scans/start

Run Locally

Run this in a dev container.

To interact with aws localstack use laws

Initial Run Reqs

make install && make install-dev

Seed local database

cd api && make seed

Example - List buckets

laws s3api list-buckets
laws s3api list-objects --bucket oswasp-zap-report-data --prefix Reports

Example - Create folder, copy file, and delete file

laws s3api put-object --bucket owasp-zap-report-data --key Reports/
laws s3 cp zap_report.json s3://owasp-zap-report-data/Reports/
laws s3 rm s3://owasp-zap-report-data/Reports/zap_report.json

Example - View SNS messages as they get posted

docker ps
docker logs --follow [localstack CONTAINER_ID]

About

On-demand scanning of websites for accessibility and security vulnerabilities/compliance / Analyse à la demande des sites Web pour les vulnérabilités/conformité en matière d'accessibilité et de sécurité

scan-websites.alpha.canada.ca

Resources

Readme

License

MIT license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

12 stars

Watchers

16 watching

Forks

1 fork
Report repository

Contributors 10

Languages