From 1390a6c50a0103d90741b80bd55e045d68900506 Mon Sep 17 00:00:00 2001
From: alex-nightvision
Date: Mon, 26 Feb 2024 12:22:15 -0500
Subject: [PATCH] add CI/CD scan
---
 .github/workflows/nightvision.yml | 46 +++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 .github/workflows/nightvision.yml
diff --git a/.github/workflows/nightvision.yml b/.github/workflows/nightvision.yml
new file mode 100644
index 0000000..211d62f
--- /dev/null
+++ b/.github/workflows/nightvision.yml
@@ -0,0 +1,46 @@
+name: Test Case - FastAPI App
+
+on:
+  push:
+  workflow_dispatch:
+
+env:
+  NIGHTVISION_TOKEN: ${{ secrets.NIGHTVISION_TOKEN }}
+  NIGHTVISION_TARGET: xssfastapi
+  NIGHTVISION_APP: xssfastapi
+  NIGHTVISION_AUTH: xssfastapi
+
+jobs:
+  test:
+    permissions:
+      security-events: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: (1) Clone Code
+        uses: actions/checkout@v3
+
+      - name: (2) Install NightVision
+        run: |
+          wget -c https://downloads.nightvision.net/binaries/latest/nightvision_latest_linux_amd64.tar.gz -O - | tar -xz; sudo mv nightvision /usr/local/bin/
+          python -m pip install semgrep --user
+
+      # - name: (3) Extract API documentation from code
+      #   run: |
+      #     nightvision swagger extract ./ -t ${NIGHTVISION_TARGET} --lang python || true
+      #     if [ ! -e openapi-spec.yml ]; then
+      #       cp backup-openapi-spec.yml openapi-spec.yml
+      #     fi
+
+      - name: (4) Start the app
+        run: docker-compose up -d; sleep 10
+
+      - name: (5) Scan the API
+        run: |
+          nightvision scan -t ${NIGHTVISION_TARGET} -a ${NIGHTVISION_APP} > scan-results.txt
+          nightvision export sarif -s "$(head -n 1 scan-results.txt)" --swagger-file openapi-spec.yml
+
+      - name: (6) Upload SARIF file to GitHub Security Alerts if vulnerabilities are found
+        uses: github/codeql-action/upload-sarif@v2
+        if: success()
+        with:
+          sarif_file: results.sarif
\ No newline at end of file
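Review bot: Step (2) installs an unpinned `latest` scanner binary straight from a `wget ... | tar -xz` pipe with no checksum or signature check, and that binary then runs with `NIGHTVISION_TOKEN` in its environment and a job token holding `security-events: write`; a compromised or silently changed download would be executed with the secret available. Download the archive to a file, verify it against a pinned digest before extracting (for example `echo "<EXPECTED_SHA256>  nightvision.tar.gz" | sha256sum -c -`, with the placeholder replaced by the published value for a fixed release), and pin the release instead of `latest`; the same pin-by-digest point applies to `actions/checkout@v3` and `upload-sarif@v2`, which are referenced by mutable tag. The job-level `permissions:` block lists only `security-events: write`, which sets every other scope to none, so `actions/checkout` on a private repository will also need `contents: read`. Step (5) passes `--swagger-file openapi-spec.yml` while the step (3) that produced that file is commented out, and step (6) uploads `results.sarif` although nothing in the hunk shows the export writing to that path, so presumably both files are expected to exist in the repository or be produced by the export's default naming — worth confirming or naming the output explicitly. The `if: success()` on step (6) is the default condition and does not match the step name's "if vulnerabilities are found"; either drop it or document that the upload runs on every successful scan.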