-
Notifications
You must be signed in to change notification settings - Fork 286
130 lines (104 loc) · 7.99 KB
/
.dast-nuclei-cmd-api-server.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: DAST_Scan_Nuclei
env:
NODEJS_VERSION: v18.18.2
on:
push:
branches: [main, dev]
pull_request:
branches: [main, dev]
jobs:
nuclei-scan:
runs-on: ubuntu-22.04
steps:
- name: Install Indy SDK
run: >
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CE7709D068DB5E88 \
&& sudo add-apt-repository "deb https://repo.sovrin.org/sdk/deb bionic stable" \
&& sudo apt-get update \
&& sudo apt-get install -y \
libindy \
libnullpay \
libvcx \
indy-cli \
&& sudo rm -f /etc/apt/sources.list.d/sovrin.list*
- name: Set up NodeJS ${{ env.NODEJS_VERSION }}
uses: actions/[email protected]
with:
node-version: ${{ env.NODEJS_VERSION }}
- name: Install jq
run: sudo apt update && sudo apt install -y jq
- name: Verify jq
run: jq --version
- uses: actions/[email protected]
- uses: actions/[email protected]
with:
go-version: 1.23
- run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/[email protected]
- run: nuclei --version
- run: npm run configure
- name: Create URLs file for Nuclei
run: |
echo https://localhost:4000/ > urls.txt
{
echo https://localhost:4000/api/v1/api-server/healthcheck
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/node/jws
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/consortium/jws
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-consortium-manual/get-prometheus-exporter-metrics
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/run-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-transaction-receipt-by-txid
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/deploy-contract-go-source
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/deploy-contract
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-fabric/get-prometheus-exporter-metrics
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/deploy-contract-solidity-bytecode
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-balance
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-block
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/run-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-past-logs
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/invoke-contract
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/sign-transaction
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-prometheus-exporter-metrics
echo https://localhost:4000/api/v1/plugins/@hyperledger/cactus-plugin-ledger-connector-besu/get-besu-record
} >> urls.txt
- run: yarn generate-api-server-config
- run: jq '.authorizationProtocol = "NONE"' .config.json > .config2.json && mv .config2.json .config.json
# Delete the first and the second items in the array (remove keychain and manual consortium plugins)
- run: jq 'del(.plugins[0,1])' .config.json > .config2.json && mv .config2.json .config.json
- name: Install Keychain manual plugin into the API server
run: jq '.plugins += [{ "packageName":"@hyperledger/cactus-plugin-keychain-memory","type":"org.hyperledger.cactus.plugin_import_type.LOCAL","action":"org.hyperledger.cactus.plugin_import_action.INSTALL","options":{"packageSrc":"/home/runner/work/cacti/cacti/packages/cactus-plugin-keychain-memory/","instanceId":"0daacd05-d1cd-4eab-9332-4ad1aff4b909","keychainId":"d29d728e-eaa0-4e2d-b187-d132242b0d9a"}}]' .config.json > .config2.json && mv .config2.json .config.json
- name: Install Fabric connector into the API server
run: jq '.plugins += [{ "packageName":"@hyperledger/cactus-plugin-ledger-connector-fabric", "type":"org.hyperledger.cactus.plugin_import_type.LOCAL", "action":"org.hyperledger.cactus.plugin_import_action.INSTALL", "options":{ "packageSrc":"/home/runner/work/cacti/cacti/packages/cactus-plugin-ledger-connector-fabric/", "instanceId":"some-unique-fabric-connector-instance-id", "peerBinary":"/fabric-samples/bin/peer", "connectionProfile":"{}", "dockerBinary":"usr/local/bin/docker","cliContainerEnv":{"CORE_PEER_LOCALMSPID":"Org1MSP","CORE_PEER_ADDRESS":"peer0.org1.example.com:7051","CORE_PEER_MSPCONFIGPATH":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp","CORE_PEER_TLS_ROOTCERT_FILE":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt","ORDERER_TLS_ROOTCERT_FILE":"/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem"},"discoveryOptions":{"enabled":true,"asLocalhost":true}}}] ' .config.json > .config2.json && mv .config2.json .config.json
- name: Install Besu connector into the API server
run: jq '.plugins += [{"packageName":"@hyperledger/cactus-plugin-ledger-connector-besu","type":"org.hyperledger.cactus.plugin_import_type.LOCAL","action":"org.hyperledger.cactus.plugin_import_action.INSTALL","options":{"packageSrc":"/home/runner/work/cacti/cacti/packages/cactus-plugin-ledger-connector-besu/", "rpcApiHttpHost":"http://127.0.0.1:8545", "rpcApiWsHost":"ws://127.0.0.1:8546", "instanceId":"some-unique-besu-connector-instance-id"}}]' .config.json > .config2.json && mv .config2.json .config.json
- name: Run Besu all-in-one image
run: |
docker run -d -p 0.0.0.0:8545:8545/tcp -p 0.0.0.0:8546:8546/tcp -p 0.0.0.0:8888:8888/tcp -p 0.0.0.0:9001:9001/tcp -p 0.0.0.0:9545:9545/tcp ghcr.io/hyperledger/cactus-besu-all-in-one:v2.0.0-rc.7
until curl --fail -X POST --data '{"jsonrpc":"2.0","method":"eth_chainId","params":[],"id":1}' localhost:8545; do sleep 5; done
- name: Print API Server Config File - ./.config.json
run: cat .config.json
- name: Print Nuclei Config File - ./.nuclei-config.yaml
run: cat .nuclei-config.yaml
- name: Print Nuclei URL List File - ./urls.txt
run: cat urls.txt
- name: Start API Server & Run DAST
uses: BerniWittmann/[email protected]
env:
# Needed because the wait-on syntax otherwise keeps thinking that
# there is a problem due to our self signed certificates on the
# test instance of the API server
NODE_TLS_REJECT_UNAUTHORIZED: 0
with:
build: yarn --version
start: yarn start:api-server
command: "nuclei -version"
command-windows: echo "The project build is not supported on the Windows operating system. Please use Linux or macOS"
wait-on: "https://localhost:4000/api/v1/api-server/healthcheck"
# wait for 10 minutes for the server to respond
wait-on-timeout: 120
- name: Run the dast nuclei scan
run: "nuclei -list=urls.txt -dast -severity=high,critical -sarif-export ~/nuclei.sarif -output=nuclei.log"
- name: GitHub Workflow artifacts
uses: actions/[email protected]
with:
name: nuclei.log
path: nuclei.log