Merge pull request #208 from cerberauth/ci-http-misconfiguration

Add HTTP Misconfigurations scans
cerberauth · Oct 20, 2024 · ed5d68b · ed5d68b
2 parents af50de3 + 59f985e
commit ed5d68b
Showing 1 changed file with 59 additions and 0 deletions.
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -21,6 +21,7 @@ permissions:
 
 jobs:
   run-jwt-scans:
+    name: JWT Scans
     runs-on: ubuntu-latest
 
     strategy:
@@ -73,3 +74,61 @@ jobs:
       - name: Stop Server
         if: ${{ always() }}
         run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/${{ matrix.challenge }}:latest)
+
+  run-http-misconfigurations-scans:
+    name: HTTP Misconfigurations Scans
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - challenge: "misconfiguration.http_headers"
+            url: "http://localhost:8080"
+          - challenge: "misconfiguration.http_headers"
+            url: "http://localhost:8080/headers/cors-wildcard"
+          - challenge: "misconfiguration.http_headers"
+            url: "http://localhost:8080/headers/csp-frame-ancestors"
+          - challenge: "misconfiguration.http_cookies"
+            url: "http://localhost:8080/cookies/unsecure"
+          - challenge: "misconfiguration.http_cookies"
+            url: "http://localhost:8080/cookies/not-httponly"
+          - challenge: "misconfiguration.http_cookies"
+            url: "http://localhost:8080/cookies/samesite-none"
+          - challenge: "misconfiguration.http_cookies"
+            url: "http://localhost:8080/cookies/no-expiration"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Server
+        run: docker run -d -p 8080:8080 ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest
+
+      - name: Setup Go environment
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: VulnAPI
+        id: vulnapi
+        continue-on-error: true
+        run: |
+          go run main.go scan curl ${{ matrix.url }} --scans "${{ matrix.challenge }}"
+
+      - name: Check for vulnerabilities
+        if: ${{ steps.vulnapi.outputs.conclusion == 'failure' }}
+        run: echo "Vulnerabilities found in ${{ matrix.challenge }}"
+
+      - name: Stop Server
+        if: ${{ always() }}
+        run: docker stop $(docker ps -q --filter ancestor=ghcr.io/cerberauth/api-vulns-challenges/http-misconfigurations:latest)