Run Mayhem for API as a GitHub Workflow
Sheldon Warkentin committed Feb 8, 2022

1 parent 29f9aa3 commit e302e49
Showing 3 changed files with 11,502 additions and 0 deletions.
9,287 changes: 9,287 additions & 0 deletions .github/api/openapi_16.0.yml

2,131 changes: 2,131 additions & 0 deletions .github/test-fixtures/test-realm.json

84 changes: 84 additions & 0 deletions .github/workflows/mapi.yml
@@ -0,0 +1,84 @@
name: 'Mayhem for API'
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2

# Create environment to run API
- name: Build the wildfly image
run: |
cd server
docker build -t keycloak-wildfly .
# Run API in dev mode
- name: Run API
run: |
docker run -p 8080:8080 \
-v $(pwd)/.github/test-fixtures/test-realm.json:/realms/test-realm.json \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
-e KEYCLOAK_IMPORT=/realms/test-realm.json \
keycloak-wildfly \
--debug & \
timeout 60 bash -c 'until curl --fail localhost:8080; do sleep 2; done'
# Get Bearer Token
- name: Get Token
run: |
token=$( curl -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'username=admin&password=admin&client_id=admin-cli&grant_type=password' \
http://localhost:8080/auth/realms/master/protocol/openid-connect/token | jq -j ".access_token")
echo "AUTH_TOKEN=$token" >> "$GITHUB_ENV"
# Run Mayhem for API
- name: Run Mayhem for API to check for vulnerabilities
uses: ForAllSecure/mapi-action@v1
continue-on-error: true
with:
mapi-token: ${{ secrets.MAPI_TOKEN }}
api-url: http://localhost:8080/auth/admin/realms
api-spec: .github/api/openapi_16.0.yml
target: forallsecure/keycloak-wildfly
duration: 1min
sarif-report: mapi.sarif
html-report: mapi.html
#
# Keycloak REST APIs are generated from HTML and then manually
# adjusted for each version. This means that the specification
# will not be as accurate as one generated from source or maintained
# by hand. The InvalidResponseSpec rule is ignored in order to
# reduce the number of warnings raised against this generated
# specification.
#
# https://github.com/ccouzens/keycloak-openapi
#
run-args: |
--concurrency
4
--header-auth
Authorization:Bearer ${{ env.AUTH_TOKEN }}
--ignore-rule
InvalidResponseSpec
--ignore-endpoint
.*logout.*
# Archive HTML report
- name: Archive Mayhem for API report
uses: actions/upload-artifact@v2
with:
name: mapi-report
path: mapi.html

# Upload SARIF file (only available on public repos or github enterprise)
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: mapi.sarif
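Review bot: the bearer token obtained in the "Get Token" step is written to `$GITHUB_ENV` and later interpolated into `run-args` as `Authorization:Bearer ${{ env.AUTH_TOKEN }}` without being masked, so it can appear in plain text in the job log; add `echo "::add-mask::$token"` before the `echo "AUTH_TOKEN=$token" >> "$GITHUB_ENV"` line. The same step does not fail when the token request fails: `jq -j ".access_token"` then yields `null`, the step succeeds, and the Mayhem run proceeds with an invalid Authorization header, so pass `--fail` to that curl call as well and check that the variable is non-empty before exporting it. Also, `continue-on-error: true` on the Mayhem step together with the `pull_request` trigger means a run where `secrets.MAPI_TOKEN` is unavailable (for example on pull requests from forks) will report success without having scanned anything; consider gating the step on the secret being present.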
