forked from project-zot/zot
-
Notifications
You must be signed in to change notification settings - Fork 0
67 lines (65 loc) · 1.91 KB
/
web-scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: 'Security web scan for zot'
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- published
permissions:
contents: read
jobs:
zap_scan:
runs-on: ubuntu-latest
name: Scan ZOT using ZAP
strategy:
matrix:
flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
steps:
- name: Install go
uses: actions/setup-go@v5
with:
cache: false
go-version: 1.23.x
- name: Checkout
uses: actions/checkout@v4
- name: Build zot
run: |
echo "Building $FLAVOR"
cd $GITHUB_WORKSPACE
if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
make binary-minimal
else
make binary
fi
ls -l bin/
env:
FLAVOR: ${{ matrix.flavor }}
- name: Bringup zot server
run: |
# upload images, zot can serve OCI image layouts directly like so
mkdir /tmp/zot
skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
# start zot
if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
./bin/${{ matrix.flavor }} serve examples/config-conformance.json &
else
./bin/${{ matrix.flavor }} serve examples/config-ui.json &
fi
# wait until service is up
while true; do x=0; curl -f http://localhost:8080/v2/ || x=1; if [ $x -eq 0 ]; then break; fi; sleep 1; done
env:
FLAVOR: ${{ matrix.flavor }}
- name: ZAP Scan Rest API
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'http://localhost:8080/v2/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a -j'
allow_issue_writing: false
fail_action: true