Skip to content

Security

Security #262

Workflow file for this run

name: Security
on:
schedule:
- cron: "30 8 * * MON-FRI" # Every weekday at 08:30 UTC
workflow_dispatch:
jobs:
trivy:
uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@8cb19358c0575f37e48937fb8ff462beca6c4f6a # v1
with:
channel_id: probation-integration-notifications
secrets:
HMPPS_SRE_SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
zap:
runs-on: moj-cloud-platform
env:
CONFIG_FILE: ${{ github.workspace }}/.zap/autorun.yml
REPORT_DIR: ${{ github.workspace }}/.zap/zap-report
steps:
- uses: actions/checkout@v4
- name: Setup ZAP
uses: ./.github/actions/setup-zap
- name: Setup Firefox
id: firefox
uses: browser-actions/setup-firefox@955a5d42b5f068a8917c6a4ff1656a2235c66dfb # v1
with:
firefox-version: latest-esr
- name: Replace variables in config file
run: envsubst < "$CONFIG_FILE" > "$CONFIG_FILE.tmp" && mv "$CONFIG_FILE.tmp" "$CONFIG_FILE" && cat "$CONFIG_FILE"
env:
ZAP_USERNAME: ${{ secrets.ZAP_USERNAME }}
ZAP_PASSWORD: ${{ secrets.ZAP_PASSWORD }}
shell: bash
- name: Run scan
run: owasp-zap -cmd -autorun "$CONFIG_FILE" -config selenium.firefoxBinary="$FIREFOX_BINARY"
env:
FIREFOX_BINARY: ${{ steps.firefox.outputs.firefox-path }}
shell: bash
- name: Upload report
uses: actions/upload-artifact@v4
with:
name: zap-report
path: ${{ env.REPORT_DIR }}
- name: Publish HTML report
uses: JamesIves/github-pages-deploy-action@15de0f09300eea763baee31dff6c6184995c5f6a # v4.7.2
with:
folder: ${{ env.REPORT_DIR }}
target-folder: zap-report
- name: Add HTML report URL to the job summary
run: echo '[🛡️ OWASP ZAP Report](https://ministryofjustice.github.io/hmpps-manage-people-on-probation-ui/zap-report)' | tee -a "$GITHUB_STEP_SUMMARY"
- name: Parse JSON report
id: json
run: |
risk_counts=$(jq -r '[.site[].alerts[]] | group_by(.riskcode) | map({ (.[0].riskcode): length }) | add' "$JSON_FILE")
echo "info=$(echo "$risk_counts" | jq '."0" // 0')" | tee -a "$GITHUB_OUTPUT"
echo "low=$(echo "$risk_counts" | jq '."1" // 0')" | tee -a "$GITHUB_OUTPUT"
echo "medium=$(echo "$risk_counts" | jq '."2" // 0')" | tee -a "$GITHUB_OUTPUT"
echo "high=$(echo "$risk_counts" | jq '."3" // 0')" | tee -a "$GITHUB_OUTPUT"
env:
JSON_FILE: ${{ env.REPORT_DIR }}/report.json
shell: bash
- name: Send message to Slack
uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
if: steps.json.outputs.high != '0' || steps.json.outputs.medium != '0'
with:
payload: |
{
"channel": "probation-integration-notifications",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "🛡️ *Manage a Supervision* ZAP report"
}
},
{
"type": "context",
"elements": [
{
"type": "mrkdwn",
"text": ">${{ steps.json.outputs.high }} high risk, ${{ steps.json.outputs.medium }} medium risk, and ${{ steps.json.outputs.low }} low risk issues were found."
}
]
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": "📈 Report"
},
"url": "https://ministryofjustice.github.io/hmpps-manage-people-on-probation-ui/zap-report"
},
{
"type": "button",
"text": {
"type": "plain_text",
"text": "📝 Logs"
},
"url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
]
}
]
}
token: ${{ secrets.SLACK_BOT_TOKEN }}
- name: Send failure message to Slack
uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
if: failure()
with:
payload: |
{
"channel": "probation-integration-notifications",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "❌ Failed to generate *Manage a Supervision* ZAP report"
}
},
{
"type": "actions",
"elements": [
{
"type": "button",
"text": {
"type": "plain_text",
"text": "📝 Logs"
},
"url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
]
}
]
}
token: ${{ secrets.SLACK_BOT_TOKEN }}