-
Notifications
You must be signed in to change notification settings - Fork 285
150 lines (120 loc) · 8.71 KB
/
.dast-nuclei-cmd-api-server.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: DAST_Scan_Nuclei
env:
NODEJS_VERSION: v18.18.2
on:
push:
branches: [main, dev]
pull_request:
branches: [main, dev]
jobs:
nuclei-scan:
runs-on: ubuntu-22.04
steps:
- name: Install Indy SDK
run: >
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CE7709D068DB5E88 \
&& sudo add-apt-repository "deb https://repo.sovrin.org/sdk/deb bionic stable" \
&& sudo apt-get update \
&& sudo apt-get install -y \
libindy \
libnullpay \
libvcx \
indy-cli \
&& sudo rm -f /etc/apt/sources.list.d/sovrin.list*
- name: Set up NodeJS ${{ env.NODEJS_VERSION }}
uses: actions/[email protected]
with:
node-version: ${{ env.NODEJS_VERSION }}
- name: Install jq
run: sudo apt update && sudo apt install -y jq
- name: Verify jq
run: jq --version
- uses: actions/[email protected]
- uses: actions/[email protected]
with:
go-version: 1.17
- run: go install -v github.com/projectdiscovery/nuclei/v2/cmd/[email protected]
- run: nuclei --version
- run: npm run configure
- name: Create URLs file for Nuclei
run: |
echo https://localhost:4000/ > urls.txt
{
echo https://localhost:4000/api/v1/api-server/healthcheck
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/node/jws
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/consortium/jws
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/get-prometheus-exporter-metrics
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/run-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-transaction-receipt-by-txid
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/deploy-contract-go-source
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/deploy-contract
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/deploy-contract-solidity-bytecode
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-balance
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-block
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/run-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-past-logs
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/invoke-contract
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/sign-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-prometheus-exporter-metrics
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-besu-record
} >> urls.txt
- name: Show file content
run: |
pwd
ls -la
cat urls.txt
# TODO: Clean up comments
# TODO: Remove --debug flag
- run: yarn generate-api-server-config
- run: jq '.authorizationProtocol = "NONE"' .config.json > .config2.json && mv .config2.json .config.json
# Delete the first and the second items in the array (remove keychain and manual consortium plugins)
- run: jq 'del(.plugins[0,1])' .config.json > .config2.json && mv .config2.json .config.json
- name: Install Keychain manual plugin into the API server
run: jq '.plugins += [{ "packageName":"@hyperledger/cactus-plugin-keychain-memory","type":"org.hyperledger.cactus.plugin_import_type.LOCAL","action":"org.hyperledger.cactus.plugin_import_action.INSTALL","options":{"packageSrc":"/home/runner/work/cacti/cacti/packages/cactus-plugin-keychain-memory/","instanceId":"0daacd05-d1cd-4eab-9332-4ad1aff4b909","keychainId":"d29d728e-eaa0-4e2d-b187-d132242b0d9a"}}]' .config.json > .config2.json && mv .config2.json .config.json
- name: Install Fabric connector into the API server
run: jq '.plugins += [{ "packageName":"@hyperledger/cactus-plugin-ledger-connector-fabric", "type":"org.hyperledger.cactus.plugin_import_type.LOCAL", "action":"org.hyperledger.cactus.plugin_import_action.INSTALL", "options":{ "packageSrc":"/home/runner/work/cacti/cacti/packages/cactus-plugin-ledger-connector-fabric/", "instanceId":"some-unique-fabric-connector-instance-id", "peerBinary":"/fabric-samples/bin/peer", "connectionProfile":"{}", "dockerBinary":"usr/local/bin/docker","cliContainerEnv":{"CORE_PEER_LOCALMSPID":"Org1MSP","CORE_PEER_ADDRESS":"peer0.org1.example.com:7051","CORE_PEER_MSPCONFIGPATH":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp","CORE_PEER_TLS_ROOTCERT_FILE":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt","ORDERER_TLS_ROOTCERT_FILE":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"},"discoveryOptions":{"enabled":true,"asLocalhost":true}}}] ' .config.json > .config2.json && mv .config2.json .config.json
- name: Install Besu connector into the API server
run: jq '.plugins += [{"packageName":"@hyperledger/cactus-plugin-ledger-connector-besu","type":"org.hyperledger.cactus.plugin_import_type.LOCAL","action":"org.hyperledger.cactus.plugin_import_action.INSTALL","options":{"packageSrc":"/home/runner/work/cacti/cacti/packages/cactus-plugin-ledger-connector-besu/", "rpcApiHttpHost":"http://localhost:8545", "rpcApiWsHost":"ws://localhost:8546", "instanceId":"some-unique-besu-connector-instance-id"}}]' .config.json > .config2.json && mv .config2.json .config.json
- name: Run Besu all-in-one image
run: |
docker run -d -p 0.0.0.0:8545:8545/tcp -p 0.0.0.0:8546:8546/tcp -p 0.0.0.0:8888:8888/tcp -p 0.0.0.0:9001:9001/tcp -p 0.0.0.0:9545:9545/tcp ghcr.io/hyperledger/cactus-besu-all-in-one:2022-04-14-dda3f00
until curl --fail -X POST --data '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' localhost:8545; do sleep 5; done
# - run: |
# touch ~/nuclei-github-config.yaml \
# && echo -e "severity: critical,high" >> ~/nuclei-github-config.yaml \
# && echo -e "github:" >> ~/nuclei-github-config.yaml \
# && echo -e " username: \"$GITHUB_ACTOR\"" >> ~/nuclei-github-config.yaml \
# && echo -e " owner: \"${GITHUB_REPOSITORY%%/*}\"" >> ~/nuclei-github-config.yaml \
# && echo -e " token: \"${{ inputs.github-token }}\"" >> ~/nuclei-github-config.yaml \
# && echo -e " project-name: \"${GITHUB_REPOSITORY#*/}\"" >> ~/nuclei-github-config.yaml \
# && echo -e " issue-label: \"Nuclei\"" >> ~/nuclei-github-config.yaml \
# && echo "githubconfig=-rc ~/nuclei-github-config.yaml" >> $GITHUB_ENV
# shell: bash
# - run: ls -alt
- name: Start API Server & Run DAST
uses: BerniWittmann/[email protected]
env:
# Needed because the wait-on syntax otherwise keeps thinking that
# there is a problem due to our self signed certificates on the
# test instance of the API server
NODE_TLS_REJECT_UNAUTHORIZED: 0
with:
build: yarn --version
start: yarn start:api-server
command: "nuclei -update-templates --config=.nuclei-config.yaml --list=urls.txt --sarif-export ~/nuclei.sarif --output nuclei.log"
wait-on: "https://localhost:4000/api/v1/api-server/healthcheck"
# wait for 10 minutes for the server to respond
wait-on-timeout: 120
- run: pwd
- run: ls -alt
- name: GitHub Workflow artifacts
uses: actions/[email protected]
with:
name: nuclei.log
path: nuclei.log
# - name: GitHub Security Dashboard Alerts update
# uses: github/codeql-action/upload-sarif@v1
# with:
# sarif_file: ~/nuclei.sarif