Merge pull request #227 from cerberauth/ci-tests #111
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scans | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
env: | |
GO_VERSION: "1.23" | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
permissions: | |
contents: read | |
packages: read | |
jobs: | |
run-jwt-scans: | |
name: JWT Scans | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
challenge: | |
[ | |
"jwt-alg-none-bypass", | |
"jwt-blank-secret", | |
"jwt-not-verified", | |
"jwt-null-signature", | |
"jwt-weak-hmac-secret", | |
] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Server | |
run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest | |
- name: Get JWT | |
id: get-jwt | |
run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> $GITHUB_OUTPUT | |
- name: Setup Go environment | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: VulnAPI | |
id: vulnapi | |
continue-on-error: true | |
run: | | |
go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}" --sqa-opt-out | |
- name: Check for vulnerabilities | |
if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
- name: Stop Server | |
if: ${{ always() }} | |
run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest) | |
run-api-key-scans: | |
name: JWT Scans | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Server | |
run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest | |
- name: Setup Go environment | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: VulnAPI | |
id: vulnapi | |
continue-on-error: true | |
run: | | |
go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer abcdef1234" --sqa-opt-out | |
- name: Check for vulnerabilities | |
if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
run: echo "Vulnerabilities found" | |
- name: Stop Server | |
if: ${{ always() }} | |
run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest) | |
run-http-misconfigurations-scans: | |
name: HTTP Misconfigurations Scans | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- challenge: "misconfiguration.http_headers" | |
url: "http://localhost:8080" | |
- challenge: "misconfiguration.http_headers" | |
url: "http://localhost:8080/headers/cors-wildcard" | |
- challenge: "misconfiguration.http_headers" | |
url: "http://localhost:8080/headers/csp-frame-ancestors" | |
- challenge: "misconfiguration.http_cookies" | |
url: "http://localhost:8080/cookies/unsecure" | |
- challenge: "misconfiguration.http_cookies" | |
url: "http://localhost:8080/cookies/not-httponly" | |
- challenge: "misconfiguration.http_cookies" | |
url: "http://localhost:8080/cookies/samesite-none" | |
- challenge: "misconfiguration.http_cookies" | |
url: "http://localhost:8080/cookies/no-expiration" | |
- challenge: "misconfiguration.http_method_override" | |
url: "http://localhost:8080/cookies/http-method-override" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Server | |
run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest | |
- name: Setup Go environment | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: VulnAPI | |
id: vulnapi | |
continue-on-error: true | |
run: | | |
go run main.go scan curl ${{ matrix.url }} --scans "${{ matrix.challenge }}" --sqa-opt-out | |
- name: Check for vulnerabilities | |
if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
- name: Stop Server | |
if: ${{ always() }} | |
run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest) | |
run-graphql-scans: | |
name: GraphQL Scans | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- challenge: "graphql.introspection_enabled" | |
url: "http://localhost:4000/graphql" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Server | |
run: docker run -d -p 4000:4000 ghcr.io/cerberauth/api-vulns-challenges/apollo:latest | |
- name: Setup Go environment | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: VulnAPI | |
id: vulnapi | |
continue-on-error: true | |
run: | | |
go run main.go scan graphql ${{ matrix.url }} --scans "${{ matrix.challenge }}" --sqa-opt-out | |
- name: Check for vulnerabilities | |
if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
- name: Stop Server | |
if: ${{ always() }} | |
run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/apollo:latest) | |
run-openapi-scans: | |
name: JWT Scans | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
openapi: | |
[ | |
"simple_api_key.openapi.json", | |
"simple_http_bearer_jwt.openapi.json", | |
"simple_http_bearer.openapi.json", | |
] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Run Server | |
run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest | |
- name: Get JWT | |
id: get-jwt | |
run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> $GITHUB_OUTPUT | |
- name: Setup Go environment | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: VulnAPI | |
id: vulnapi | |
continue-on-error: true | |
run: | | |
go run main.go scan openapi ./test/stub/${{ matrix.openapi }} --sqa-opt-out | |
- name: Check for vulnerabilities | |
if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
run: echo "Vulnerabilities found" | |
- name: Stop Server | |
if: ${{ always() }} | |
run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/auth-not-verified:latest) |