forked from zaproxy/action-baseline
-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.js
89 lines (73 loc) · 3.71 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
const core = require('@actions/core');
const exec = require('@actions/exec');
const common = require('@zaproxy/actions-common-scans');
const _ = require('lodash');
import { Auth } from 'aws-amplify';
// Default file names
let jsonReportName = 'report_json.json';
let mdReportName = 'report_md.md';
let htmlReportName = 'report_html.html';
async function getBearerToken(username, password) {
const user = await Auth.signIn(username, password);
const credentials = await Auth.currentCredentials();
return credentials.identityId;
}
async function run() {
try {
let workspace = process.env.GITHUB_WORKSPACE;
let currentRunnerID = process.env.GITHUB_RUN_ID;
let repoName = process.env.GITHUB_REPOSITORY;
let token = core.getInput('token');
let docker_name = core.getInput('docker_name');
let target = core.getInput('target');
let rulesFileLocation = core.getInput('rules_file_name');
let cmdOptions = core.getInput('cmd_options');
let issueTitle = core.getInput('issue_title');
let failAction = core.getInput('fail_action');
let allowIssueWriting = core.getInput('allow_issue_writing');
let createIssue = true;
if (!(String(failAction).toLowerCase() === 'true' || String(failAction).toLowerCase() === 'false')) {
console.log('[WARNING]: \'fail_action\' action input should be either \'true\' or \'false\'');
}
if (String(allowIssueWriting).toLowerCase() === 'false') {
createIssue = false;
}
console.log('starting the program');
console.log('github run id :' + currentRunnerID);
let plugins = [];
if (rulesFileLocation) {
plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`);
}
// Generate Cognito ID token. We'll use this for our bearer token.
let cognito_id_token = getBearerToken(process.env.USERNAME, process.env.PASSWORD);
await exec.exec(`docker pull ${docker_name} -q`);
// In this case, we're okay with this token showing up in command line history-- it's for an unprivileged account in dev, and it's logged out
// when this test concludes, restricting its viability to the JWT's lifetime only.
let command = (`docker run --env ZAP_AUTH_HEADER_VALUE="Bearer ${cognito_id_token}" --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
`-t ${docker_name} zap-baseline.py -t ${target} -J ${jsonReportName} -w ${mdReportName} -r ${htmlReportName} ${cmdOptions}`);
if (plugins.length !== 0) {
command = command + ` -c ${rulesFileLocation}`
}
try {
await exec.exec(command);
} catch (err) {
if (err.toString().includes('exit code 3')) {
core.setFailed('failed to scan the target: ' + err.toString());
return
}
if ((err.toString().includes('exit code 2') || err.toString().includes('exit code 1'))
&& String(failAction).toLowerCase() === 'true') {
console.log(`[info] By default ZAP Docker container will fail if it identifies any alerts during the scan!`);
core.setFailed('Scan action failed as ZAP has identified alerts, starting to analyze the results. ' + err.toString());
} else {
console.log('Scanning process completed, starting to analyze the results!')
}
}
await common.main.processReport(token, workspace, plugins, currentRunnerID, issueTitle, repoName, createIssue);
// Sign out so our bearer token is no longer valid.
await Auth.signOut();
} catch (error) {
core.setFailed(error.message);
}
}
run();