* feat: ecs container that orchestrates zap scans * chore: cleanup zap shell script * feat: exit with error if zap proxy isn't ready within 5 minutes * chore: exclude pdf when running zap scan and updated filename generation to include nanoseconds * chore: added french logout text to scan exclusion list * chore: tighter logout exclusion regex * chore: removed unused github action output
Showing
8 changed files
with
94 additions
and
9 deletions.
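--- /dev/null
+++ b/[Dockerfile path not shown on page]
@@ -0,0 +1,13 @@
+FROM python:3.8-alpine
+
+WORKDIR /scan
+
+RUN apk update \
+&& apk upgrade \
+&& apk add --update curl bash jq
+
+RUN pip install --upgrade zapcli awscli
+COPY entrypoint.sh /entrypoint.sh
+
+# Launch OWASP scan
+ENTRYPOINT ["/entrypoint.sh"]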
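Review bot: The scan container ends up running as root with no `USER` directive, and every dependency it carries is a moving target: `python:3.8-alpine` floats across patch releases, `apk upgrade` rewrites the base layer on each build, and `pip install --upgrade zapcli awscli` resolves to whatever is newest at build time, so two builds of this same commit can produce different images. I would drop `apk update`/`apk upgrade` in favour of `apk add --no-cache` (bump the base tag instead), pin both pip packages and add `--no-cache-dir`, and create a non-root user that owns `/scan`, since entrypoint.sh writes `zap-scan-results.json` and `payload.json` into the working directory. The pinned versions are not shown on this page, so they appear as placeholders below.
```dockerfile
FROM python:3.8-alpine
# non-root user whose home is the scan workdir (entrypoint.sh writes its reports there)
RUN apk add --no-cache bash curl jq \
    && adduser -S -D -h /scan scan
WORKDIR /scan
# versions are placeholders: pin to the releases actually tested with this image
RUN pip install --no-cache-dir zapcli==<pinned-version> awscli==<pinned-version>
COPY --chown=scan:scan entrypoint.sh /entrypoint.sh
USER scan
# … unchanged: ENTRYPOINT …
```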
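--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,58 @@
+#!/bin/sh -l
+
+#Check if running locally or in ECS
+if [[ -z "${ECS_CONTAINER_METADATA_URI}" ]]; then
+# ECS environment variable not detected so use local docker networking
+HOST_IP="172.17.0.1"
+else
+# Use ECS host IP
+HOST_IP=$(curl -s "$ECS_CONTAINER_METADATA_URI" | jq -r '.Networks[].IPv4Addresses[0]')
+fi
+
+echo "Host ip: $HOST_IP and Port:${ZAP_PORT}"
+
+# Wait for ZAP proxy to init
+CHECKS=0
+while ! eval "$(curl -sSf "$HOST_IP":"${ZAP_PORT}" > /dev/null 2>&1)"
+do
+echo "Waiting for proxy to start..."
+sleep 3
+CHECKS=$((CHECKS+1))
+if [ $CHECKS -gt 100 ]
+then
+echo "Proxy failed to start within 5 minutes, exiting"
+exit 1
+fi
+done
+sleep 3
+
+date=$(date +\"%Y-%m-%dT%H:%M:%S:%N\")
+fDate=$(echo "$date" | sed -e 's/[^A-Za-z0-9._-]/_/g')
+# Convert URL into a valid filename for the report
+FILENAME=$(echo "$SCAN_URL" | sed -e 's/[^A-Za-z0-9._-]/_/g')-$fDate
+
+zap-cli --port "${ZAP_PORT}" --zap-url "http://$HOST_IP" exclude "^.*/(logout|log-out|signout|sign-out|deconnecter)/?$"
+zap-cli --port "${ZAP_PORT}" --zap-url "http://$HOST_IP" exclude "^.*\.(css|gif|jpe?g|tiff|png|webp|bmp|ico|svg|js|jsx|pdf)$"
+zap-cli --port "${ZAP_PORT}" --zap-url "http://$HOST_IP" open-url "${SCAN_URL}"
+zap-cli --port "${ZAP_PORT}" --zap-url "http://$HOST_IP" spider "${SCAN_URL}"
+zap-cli --port "${ZAP_PORT}" --zap-url "http://$HOST_IP" ajax-spider "${SCAN_URL}"
+
+# Timeout scan after 1 hour to prevent running indefinately if the OWASP ZAP container crashes
+timeout 1h zap-cli --port "${ZAP_PORT}" --zap-url "http://$HOST_IP" active-scan --recursive "${SCAN_URL}"
+
+high_alerts=$( curl "http://$HOST_IP:${ZAP_PORT}/JSON/alert/view/alertsSummary/?baseurl=${SCAN_URL}" | jq -r '.alertsSummary.High')
+
+echo "high alerts are $high_alerts"
+
+curl "http://$HOST_IP:${ZAP_PORT}/OTHER/core/other/jsonreport/" | jq . > zap-scan-results.json
+
+if [[ -z "${PUSH_TO_SECURITYHUB}" ]]; then
+IMPORTVULTOSECURITYHUB=false
+else
+IMPORTVULTOSECURITYHUB=true
+fi
+
+jq "{ \"messageType\": \"ScanReport\", \"reportType\": \"OWASP-Zap\", \"createdAt\": $(date +\"%Y-%m-%dT%H:%M:%S\"),\"importToSecurityhub\": \"$IMPORTVULTOSECURITYHUB\",\"scanUrl\": \"$SCAN_URL\",\"s3Bucket\": \"${S3_BUCKET}\",\"key\": \"Reports/$FILENAME.xml\", \"report\": . }" zap-scan-results.json > payload.json
+
+aws s3 cp payload.json s3://"${S3_BUCKET}"/Reports/"$FILENAME".json
+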
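Review bot: The readiness loop at the `while ! eval "$(curl …)"` line never waits: curl's output is redirected to /dev/null inside the `$( )` substitution, so `eval` receives an empty string and returns 0, the `while !` condition is false on the first check, and the script falls through after a single `sleep 3` whether or not the proxy is up — the "exit with error if zap proxy isn't ready within 5 minutes" behaviour this commit describes is unreachable. Test the command itself instead: `while ! curl -sSf "http://$HOST_IP:${ZAP_PORT}" > /dev/null 2>&1; do`. Separately, the `jq "{ … }"` payload line splices `$SCAN_URL`, `$S3_BUCKET` and `$FILENAME` into the jq program text, so a value containing a double quote or backslash yields an invalid program rather than an escaped string, and its `\"key\"` points at `Reports/$FILENAME.xml` while the final `aws s3 cp` uploads `Reports/$FILENAME.json`; passing the values with `--arg` keeps them as data, as below. There is also no `set -e`, so a failing `open-url`/`spider`/`active-scan` step still reaches the upload — add `set -eu` after the shebang if an incomplete scan should not publish a report, and note that `[[ … ]]` under `#!/bin/sh` relies on busybox ash's bash compatibility rather than POSIX sh.
```sh
jq --arg created "$(date +%Y-%m-%dT%H:%M:%S)" \
   --arg import "$IMPORTVULTOSECURITYHUB" \
   --arg url "$SCAN_URL" \
   --arg bucket "$S3_BUCKET" \
   --arg key "Reports/$FILENAME.json" \
   '{messageType: "ScanReport", reportType: "OWASP-Zap", createdAt: $created, importToSecurityhub: $import, scanUrl: $url, s3Bucket: $bucket, key: $key, report: .}' \
   zap-scan-results.json > payload.json
# … unchanged: aws s3 cp upload …
```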