
Merge pull request #208 from cerberauth/ci-http-misconfiguration #35




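---
# CI scans: run VulnAPI (built from this repository) against the deliberately
# vulnerable challenge images published under ghcr.io/cerberauth/api-vulns-challenges.
name: Scans

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it.
# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

env:
  # Quoted so the version stays a string (an unquoted 1.23 would parse as a float).
  GO_VERSION: "1.23"

# One run per ref at a time; a newer push supersedes an in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least privilege for GITHUB_TOKEN: checkout needs contents:read and pulling
# from ghcr.io with the token needs packages:read. Nothing here writes.
permissions:
  contents: read
  packages: read

jobs:
  run-jwt-scans:
    name: JWT Scans
    runs-on: ubuntu-latest
    strategy:
      # Keep scanning the remaining challenges when one matrix entry fails.
      fail-fast: false
      matrix:
        challenge:
          - "jwt-alg-none-bypass"
          - "jwt-blank-secret"
          - "jwt-not-verified"
          - "jwt-null-signature"
          - "jwt-weak-hmac-secret"
    steps:
      # NOTE(review): actions are pinned to major tags. Pinning each `uses:` to a
      # full commit SHA (tag noted in a comment) is the stronger supply-chain control.
      - uses: actions/checkout@v4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Run Server
        # Named container so cleanup does not depend on a `docker ps` lookup that
        # may return nothing (which made `docker stop` fail with no arguments).
        run: docker run -d --name challenge -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest
      - name: Get JWT
        id: get-jwt
        # Token minted by the strong-key challenge image; exposed as a step output
        # so the scan step can pass it as a bearer token.
        run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> "$GITHUB_OUTPUT"
      - name: Setup Go environment
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Build
        run: go build -v ./...
      - name: Wait for server
        # `docker run -d` returns before the server listens. Poll for up to ~30s;
        # curl without -f exits 0 on any HTTP response, so a 401/404 still counts as "up".
        run: |
          for _ in $(seq 1 30); do
            curl -s -o /dev/null --max-time 2 http://localhost:8080 && exit 0
            sleep 1
          done
          echo "server did not become ready on :8080" >&2
          exit 1
      - name: VulnAPI
        id: vulnapi
        # The scanner exits non-zero when it finds issues; keep the job going so
        # the report step and the cleanup step still run.
        continue-on-error: true
        # The token goes through an env var instead of being interpolated into the
        # script body, so its value is never parsed as shell.
        env:
          JWT: ${{ steps.get-jwt.outputs.jwt }}
        run: |
          go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer $JWT"
      - name: Check for vulnerabilities
        # `steps.<id>.outcome` is the result before continue-on-error is applied
        # (`conclusion` is always success here, and `outputs.conclusion` was never
        # set, so the previous condition could not be true).
        if: ${{ steps.vulnapi.outcome == 'failure' }}
        # NOTE(review): this step only reports; the job cannot fail on scan results.
        # Confirm that is intended for deliberately vulnerable challenge images.
        run: echo "Vulnerabilities found in ${{ matrix.challenge }}"
      - name: Stop Server
        if: ${{ always() }}
        run: docker stop challenge

  run-http-misconfigurations-scans:
    name: HTTP Misconfigurations Scans
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Each entry pairs a scan family with the endpoint that exhibits it.
        include:
          - challenge: "misconfiguration.http_headers"
            url: "http://localhost:8080"
          - challenge: "misconfiguration.http_headers"
            url: "http://localhost:8080/headers/cors-wildcard"
          - challenge: "misconfiguration.http_headers"
            url: "http://localhost:8080/headers/csp-frame-ancestors"
          - challenge: "misconfiguration.http_cookies"
            url: "http://localhost:8080/cookies/unsecure"
          - challenge: "misconfiguration.http_cookies"
            url: "http://localhost:8080/cookies/not-httponly"
          - challenge: "misconfiguration.http_cookies"
            url: "http://localhost:8080/cookies/samesite-none"
          - challenge: "misconfiguration.http_cookies"
            url: "http://localhost:8080/cookies/no-expiration"
    steps:
      - uses: actions/checkout@v4
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Run Server
        # Named container so cleanup does not depend on a `docker ps` lookup.
        run: docker run -d --name challenge -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest
      - name: Setup Go environment
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Build
        run: go build -v ./...
      - name: Wait for server
        # Same readiness poll as the JWT job; any HTTP response counts as "up".
        run: |
          for _ in $(seq 1 30); do
            curl -s -o /dev/null --max-time 2 http://localhost:8080 && exit 0
            sleep 1
          done
          echo "server did not become ready on :8080" >&2
          exit 1
      - name: VulnAPI
        id: vulnapi
        continue-on-error: true
        # Matrix values are defined in this file, but passing them through env keeps
        # the script free of `${{ }}` interpolation, consistent with the JWT job.
        env:
          TARGET_URL: ${{ matrix.url }}
          SCANS: ${{ matrix.challenge }}
        run: |
          go run main.go scan curl "$TARGET_URL" --scans "$SCANS"
      - name: Check for vulnerabilities
        # See the JWT job: `outcome` reflects the scanner's exit status even with
        # continue-on-error; `outputs.conclusion` was never a real output.
        if: ${{ steps.vulnapi.outcome == 'failure' }}
        run: echo "Vulnerabilities found in ${{ matrix.challenge }}"
      - name: Stop Server
        if: ${{ always() }}
        run: docker stop challenge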