PI-1954 Add ZAP scanning

.github/actionlint.yml

@@ -0,0 +1,3 @@
+self-hosted-runner:
+  labels:
+    - moj-cloud-platform

.github/actions/setup-zap/action.yml

@@ -0,0 +1,44 @@
+name: Setup OWASP ZAP
+description: Installs the OWASP ZAP tool
+
+inputs:
+  version:
+    description: ZAP version, defaults to latest
+    default: latest
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-java@v4
+      with:
+        distribution: temurin
+        java-version: 11
+
+    - name: Get ZAP version
+      id: latest
+      run: |
+        if [ "$version" = "latest" ]; then
+          version=$(curl -fsSL https://raw.githubusercontent.com/zaproxy/zap-admin/master/ZapVersions.xml | grep '<version>' | sed 's/.*<version>//;s/<\/version>.*//')
+        fi
+        echo "version=$version" | tee -a "$GITHUB_OUTPUT"
+      env:
+        version: ${{ inputs.version }}
+      shell: bash
+
+    - name: Install ZAP
+      run: |
+        if [ -d "${tool_cache}/zap/${version}" ]; then
+          echo "Using cached ZAP $version"
+        else
+          curl -fsSL "https://github.com/zaproxy/zaproxy/releases/download/v${version}/ZAP_${version}_Linux.tar.gz" | tar -xz
+          mkdir -p "${tool_cache}/zap" "${tool_cache}/bin"
+          mv ZAP_* "${tool_cache}/zap/${version}"
+          ln -sf "${tool_cache}/zap/${version}/zap.sh" "${tool_cache}/bin/owasp-zap"
+        fi
+        echo "${tool_cache}/bin" >> "$GITHUB_PATH"
+      env:
+        tool_cache: ${{ runner.tool_cache }}
+        version: ${{ steps.latest.outputs.version }}
+      shell: bash
+

.github/workflows/check.yml

@@ -0,0 +1,36 @@
+name: Check
+# Check source code before merging
+
+on:
+  push:
+    branches-ignore:
+      - main
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Lint changes
+        uses: github/super-linter/slim@v5
+        env:
+          DEFAULT_BRANCH: main
+          VALIDATE_ALL_CODEBASE: false # changes only
+          VALIDATE_BASH: true
+          VALIDATE_BASH_EXEC: true
+          VALIDATE_DOCKERFILE_HADOLINT: true
+          VALIDATE_GITHUB_ACTIONS: true
+          VALIDATE_RUBY: true
+          VALIDATE_XML: true
+          VALIDATE_YAML: true
+          LINTER_RULES_PATH: /
+          GITHUB_ACTIONS_CONFIG_FILE: .github/actionlint.yml
+          GITHUB_ACTIONS_COMMAND_ARGS: -ignore=SC.+:info:.+
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/security.yml

@@ -0,0 +1,114 @@
+name: Security
+
+on:
+  schedule:
+    - cron: "30 5 * * MON-FRI" # Every weekday at 05:30 UTC
+  workflow_dispatch:
+  push: # TODO remove after testing
+
+jobs:
+  zap:
+    runs-on: moj-cloud-platform
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup ZAP
+        uses: ./.github/actions/setup-zap
+
+      - name: Setup Firefox
+        id: firefox
+        uses: browser-actions/setup-firefox@233224b712fc07910ded8c15fb95a555c86da76f # v1
+        with:
+          firefox-version: latest-esr
+
+      - name: Replace variables in config file
+        run: envsubst < "$CONFIG_FILE" > "$CONFIG_FILE.tmp" && mv "$CONFIG_FILE.tmp" "$CONFIG_FILE" && cat "$CONFIG_FILE"
+        env:
+          CONFIG_FILE: ${{ github.workspace }}/.zap/autorun.yml
+          SUMMARY_FILE: ${{ github.workspace }}/.zap/summary.json
+          ZAP_USERNAME: ${{ secrets.ZAP_USERNAME }}
+          ZAP_PASSWORD: ${{ secrets.ZAP_PASSWORD }}
+        shell: bash
+
+      - name: Run scan
+        run: owasp-zap -cmd -autorun "$CONFIG_FILE" -config selenium.firefoxBinary="$FIREFOX_BINARY"
+        env:
+          FIREFOX_BINARY: ${{ steps.firefox.outputs.firefox-path }}
+          CONFIG_FILE: ${{ github.workspace }}/.zap/autorun.yml
+        shell: bash
+
+      - name: Upload report
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-report
+          path: ${{ github.workspace }}/.zap/zap-report
+
+      - name: Publish HTML report
+        uses: JamesIves/github-pages-deploy-action@65b5dfd4f5bcd3a7403bbc2959c144256167464e # v4.5.0
+        with:
+          folder: ${{ github.workspace }}/.zap/zap-report
+          target-folder: zap-report
+
+      - name: Add HTML report URL to the job summary
+        run: echo '[🛡️ OWASP ZAP Report](https://ministryofjustice.github.io/hmpps-manage-a-supervision-ui/zap-report)' | tee -a "$GITHUB_STEP_SUMMARY"
+
+      - name: Parse summary
+        id: summary
+        run: |
+          cat "$SUMMARY_FILE"
+          echo "pass=$(jq '.pass // 0' "$SUMMARY_FILE")" | tee -a "$GITHUB_OUTPUT"
+          echo "fail=3" | tee -a "$GITHUB_OUTPUT"
+          echo "warn=$(jq '.warn // 0' "$SUMMARY_FILE")" | tee -a "$GITHUB_OUTPUT"
+        env:
+          SUMMARY_FILE: ${{ github.workspace }}/.zap/summary.json
+        shell: bash
+
+      - name: Send message to Slack
+        uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
+        if: steps.summary.outputs.fail != '0' || steps.summary.outputs.warn != '0'
+        with:
+          channel-id: probation-integration-notifications
+          payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "🛡️ *Manage a Supervision* ZAP report"
+                  }
+                },
+                {
+                  "type": "context",
+                  "elements": [
+                    {
+                      "type": "mrkdwn",
+                      "text": ">${{ steps.summary.outputs.pass }} tests passed, ${{ steps.summary.outputs.fail }} failed, and there were ${{ steps.summary.outputs.warn }} warnings."
+                    }
+                  ]
+                },
+                {
+                  "type": "actions",
+                  "elements": [
+                    {
+                      "type": "button",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "📈 Report"
+                      },
+                      "url": "https://ministryofjustice.github.io/hmpps-manage-a-supervision-ui/zap-report"
+                    },
+                    {
+                      "type": "button",
+                      "text": {
+                        "type": "plain_text",
+                        "text": "📝 Logs"
+                      },
+                      "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

.zap/autorun.yml

@@ -0,0 +1,69 @@
+--- # ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
+env:
+  contexts:
+    - name: HMPPSAuth
+      urls:
+        - "https://manage-a-supervision-dev.hmpps.service.justice.gov.uk"
+      includePaths:
+        - "https://manage-a-supervision-dev.hmpps.service.justice.gov.uk.*"
+      excludePaths:
+        - "https://sign-in-dev.hmpps.service.justice.gov.uk.*"
+      authentication:
+        method: browser
+        parameters:
+          loginPageUrl: "https://sign-in-dev.hmpps.service.justice.gov.uk/auth/sign-in?redirect_uri=https://manage-a-supervision-dev.hmpps.service.justice.gov.uk/sign-in/callback"
+          loginRequestUrl: "https://sign-in-dev.hmpps.service.justice.gov.uk/auth/sign-in?redirect_uri=https://manage-a-supervision-dev.hmpps.service.justice.gov.uk/sign-in/callback"
+        verification:
+          method: "poll"
+          pollUrl: "https://manage-a-supervision-dev.hmpps.service.justice.gov.uk/"
+          pollFrequency: 1
+          pollUnits: "requests"
+          loggedInRegex: "\\Q 200\\E"
+          loggedOutRegex: "\\Q 302\\E"
+      sessionManagement:
+        method: "cookie"
+      users:
+      - name: "TestUser"
+        credentials:
+          username: "$ZAP_USERNAME"
+          password: "$ZAP_PASSWORD"
+  parameters:
+    failOnError: true
+    failOnWarning: false
+    progressToStdout: true
+
+jobs:
+  - type: spider
+    parameters:
+      context: "HMPPSAuth"
+      user: "TestUser"
+      url: "https://manage-a-supervision-dev.hmpps.service.justice.gov.uk/case/X756510"
+      maxDuration: 5 # minutes
+  - name: "Add script"
+    type: script
+    parameters:
+      action: "add"
+      type: "active"
+      engine: "ECMAScript : Oracle Nashorn"
+      name: "traverse.js"
+      file: "traverse.js"
+  - name: "List pages"
+    type: script
+    parameters:
+      action: "run"
+      type: "standalone"
+      engine: ""
+      name: "traverse.js"
+  - type: activeScan
+    parameters:
+      context: "HMPPSAuth"
+      user: "TestUser"
+      maxScanDurationInMins: 1 # minutes
+  - type: outputSummary
+    parameters:
+      format: "Short"
+      summaryFile: "$SUMMARY_FILE"
+  - type: report
+    parameters:
+      reportDir: "zap-report"
+      reportFile: "index.html"

.zap/traverse.js

@@ -0,0 +1,11 @@
+function listChildren(node, level) {
+  var j
+  for (j = 0; j < node.getChildCount(); j++) {
+    print(Array(level + 1).join('    ') + node.getChildAt(j).getNodeName())
+    listChildren(node.getChildAt(j), level + 1)
+  }
+}
+
+root = model.getSession().getSiteTree().getRoot()
+
+listChildren(root, 0)