Add HTTP Misconfigurations scans #33
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scans | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| GO_VERSION: "1.23" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| packages: read | |
| jobs: | |
| run-jwt-scans: | |
| name: JWT Scans | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| challenge: | |
| [ | |
| "jwt-alg-none-bypass", | |
| "jwt-blank-secret", | |
| "jwt-not-verified", | |
| "jwt-null-signature", | |
| "jwt-weak-hmac-secret", | |
| ] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest | |
| - name: Get JWT | |
| id: get-jwt | |
| run: echo "jwt=$(docker run --rm ghcr.io/cerberauth/api-vulns-challenges/jwt-strong-eddsa-key:latest jwt)" >> $GITHUB_OUTPUT | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Build | |
| run: go build -v ./... | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan curl http://localhost:8080 -H "Authorization: Bearer ${{ steps.get-jwt.outputs.jwt }}" | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest) | |
| run-http-misconfigurations-scans: | |
| name: HTTP Misconfigurations Scans | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - challenge: "misconfiguration.http_headers" | |
| url: "http://localhost:8080" | |
| - challenge: "misconfiguration.http_headers" | |
| url: "http://localhost:8080/headers/cors-wildcard" | |
| - challenge: "misconfiguration.http_headers" | |
| url: "http://localhost:8080/headers/csp-frame-ancestors" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/unsecure" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/not-httponly" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/samesite-none" | |
| - challenge: "misconfiguration.http_cookies" | |
| url: "http://localhost:8080/cookies/no-expiration" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Server | |
| run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest | |
| - name: Setup Go environment | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Build | |
| run: go build -v ./... | |
| - name: VulnAPI | |
| id: vulnapi | |
| continue-on-error: true | |
| run: | | |
| go run main.go scan curl ${{ matrix.url }}" --scans "${{ matrix.challenge }}" | |
| - name: Check for vulnerabilities | |
| if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }} | |
| run: echo "Vulnerabilities found in ${{ matrix.challenge }}" | |
| - name: Stop Server | |
| if: ${{ always() }} | |
| run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest) |