diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
new file mode 100644
index 00000000..ed8f41d6
--- /dev/null
+++ b/.github/workflows/scans.yml
@@ -0,0 +1,74 @@
+name: Scans
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+env:
+ GO_VERSION: "1.23"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ packages: read
+
+jobs:
+ run-jwt-scans:
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ challenge:
+ [
+ "jwt-alg-none-bypass",
+ "jwt-blank-secret",
+ "jwt-not-verified",
+ "jwt-null-signature",
+ ]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Run Server
+ run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest
+
+ - name: Get JWT
+ id: get-jwt
+ run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> $GITHUB_OUTPUT
+
+ - name: Setup Go environment
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ env.GO_VERSION }}
+
+ - name: Build
+ run: go build -v ./...
+
+ - name: VulnAPI
+ id: vulnapi
+ continue-on-error: true
+ run: |
+ go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}"
+
+ - name: Check for vulnerabilities
+ if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }}
+ run: echo "Vulnerabilities found in ${{ matrix.challenge }}"
+
+ - name: Stop Server
+ if: ${{ always() }}
+ run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest)
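Review bot: The "Check for vulnerabilities" step can never run, because a step's result is exposed as `steps.vulnapi.outcome` / `steps.vulnapi.conclusion`, not under `steps.vulnapi.outputs`, so `outputs.conclusion` is always empty; and since the VulnAPI step sets `continue-on-error: true`, its `conclusion` is `success` even when the scan fails, leaving `outcome` as the only field that reflects the scan result: `if: ${{ steps.vulnapi.outcome == 'failure' }}`. Because of the same `continue-on-error`, the job reports green whether or not the scanner detects the known-vulnerable challenge, so if the intent is to regression-test detection the check step should `exit 1` in the branch that indicates a missed detection rather than only echo. "Run Server" starts the container detached and nothing waits for it to listen on 8080 before the scan; the Go build in between usually covers it, but a short readiness loop against `http://localhost:8080` before the VulnAPI step would remove the race. The JWT and the scan command also interpolate `${{ }}` values directly into shell `run` lines; passing them through `env:` keeps the script free of expression injection and avoids the value landing verbatim in the step log.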