diff --git a/.github/workflows/zap-api-scan.yml b/.github/workflows/zap-api-scan.yml
new file mode 100644
index 000000000..7744c1220
--- /dev/null
+++ b/.github/workflows/zap-api-scan.yml
@@ -0,0 +1,63 @@
+name: OWASP ZAP API Scan
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ zap-api-scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+ cache: maven
+
+ - name: Build application
+ run: ./mvnw -B -DskipTests package
+
+ - name: Start Petclinic API
+ run: |
+ nohup java -jar target/*.jar > petclinic.log 2>&1 &
+
+ - name: Wait for API availability
+ run: |
+ timeout=90
+ until curl -fsS http://localhost:9966/petclinic/actuator/health > /dev/null; do
+ echo "Waiting for Petclinic API..."
+ sleep 2
+ timeout=$((timeout - 2))
+ if [ "$timeout" -le 0 ]; then
+ echo "Petclinic API did not become ready in time."
+ echo "Application log follows:"
+ cat petclinic.log || true
+ exit 1
+ fi
+ done
+ curl -fsS http://localhost:9966/petclinic/v3/api-docs > /dev/null
+
+ - name: Run OWASP ZAP API Scan
+ uses: zaproxy/action-api-scan@v0.10.0
+ with:
+ target: 'http://localhost:9966/petclinic/v3/api-docs'
+ format: openapi
+ docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+ cmd_options: '-a'
+ allow_issue_writing: false
+ fail_action: false
+ artifact_name: 'petclinic-t5-zap-api-scan'
+
+ - name: Upload Petclinic log
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: petclinic-t5-app-log
+ path: petclinic.log
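Review bot: The scanner image in the "Run OWASP ZAP API Scan" step is referenced by the mutable tag `docker_name: 'ghcr.io/zaproxy/zaproxy:stable'`, so the tool that inspects the build is whatever that tag resolves to on the day the job runs, and the workflow triggers on every pull_request; pinning it by digest (`docker_name: 'ghcr.io/zaproxy/zaproxy@sha256:<digest-placeholder>'`) and the action itself by commit SHA instead of `@v0.10.0` makes the scan reproducible and closes a supply-chain gap. Since `fail_action: false` and `allow_issue_writing: false` are both set, findings only ever land in the `petclinic-t5-zap-api-scan` artifact and nothing surfaces them to the PR, which is worth stating in a comment above the step (e.g. `# informational only: results are in the uploaded artifact, the job never fails on findings`) or replacing with a checked-in rules file via `rules_file_name` so known-accepted alerts are ignored and the rest can gate. As a smaller robustness point, the readiness loop in "Wait for API availability" keeps polling for the full 90 s even when the `java -jar` process has already died; checking the background PID (`kill -0 "$APP_PID"` with `APP_PID=$!` exported from the start step) would fail fast and print the log immediately.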