Application Security Engine support #17
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Appsec Rules Tests | |
| on: | |
| pull_request: | |
| branches: [ master ] | |
| paths: | |
| - 'appsec-configs/**.yaml' | |
| - 'appsec-configs/**.yml' | |
| - 'appsec-rules/**.yaml' | |
| - 'appsec-rules/**.yml' | |
| - '.github/workflows/test_appsec_rules.yaml' | |
| - '.appsec-tests/**' | |
| push: | |
| branches: [ master ] | |
| paths: | |
| - 'appsec-configs/**.yaml' | |
| - 'appsec-configs/**.yml' | |
| - 'appsec-rules/**.yaml' | |
| - 'appsec-rules/**.yml' | |
| - '.github/workflows/test_appsec_rules.yaml' | |
| - '.appsec-tests/**' | |
| jobs: | |
| run-hub-tests: | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v4 | |
| - uses: actions/setup-go@v4 | |
| with: | |
| go-version: '1.21' | |
| - name: Install requirements | |
| run: | | |
| sudo apt install libre2-dev | |
| go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest | |
| - name: Install CrowdSec | |
| run: | | |
| git clone https://github.com/crowdsecurity/crowdsec.git | |
| cd crowdsec | |
| git checkout "coraza_poc_acquis" | |
| BUILD_STATIC=1 make release | |
| cd crowdsec-v* | |
| sudo ./wizard.sh --unattended | |
| - name: Install NGINX | |
| run: | | |
| sudo apt install nginx | |
| - name: Install CrowdSec NGINX Bouncer | |
| run: | | |
| git clone https://github.com/crowdsecurity/cs-nginx-bouncer.git | |
| cd cs-nginx-bouncer/ | |
| git checkout waf_integration | |
| make release | |
| tar xzvf crowdsec-nginx-bouncer.tgz | |
| cd crowdsec-nginx-bouncer-v* | |
| sudo ./install.sh -y | |
| - name: Setup NGINX Bouncer API key | |
| run: | | |
| sudo cscli bouncers add hubtestAppsec -k "this_is_a_bad_password" | |
| sudo sed -i 's/API_KEY=.*$/API_KEY=this_is_a_bad_password/' /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf | |
| echo "WAF_URL=http://127.0.0.1:4241" | sudo tee -a /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf | |
| sudo systemctl restart nginx | |
| - name: run tests on last crowdsec tag | |
| run: | | |
| cscli hubtest run --all --appsec | |
| echo "APPSEC_RULE_COV=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2)" >> $GITHUB_ENV | |
| APPSEC_RULE_COV_NUMBER=$(cscli hubtest coverage --appsec --percent | cut -d '=' -f2 | tr -d '%' | tr -d '[[:space:]]') | |
| echo "APPSEC_RULE_BADGE_COLOR=$(if [ "$APPSEC_RULE_COV_NUMBER" -lt "70" ]; then echo 'red'; else echo 'green'; fi)" >> $GITHUB_ENV | |
| - name: Create appsec badge | |
| uses: schneegans/[email protected] | |
| #if: ${{ github.ref == 'refs/heads/master' }} | |
| if: false | |
| with: | |
| auth: ${{ secrets.GIST_BADGES_SECRET }} | |
| gistID: ${{ secrets.GIST_BADGES_ID }} | |
| filename: hub_appsec_badge.json | |
| label: Hub Appsec | |
| message: ${{ env.APPSEC_RULE_COV }} | |
| color: ${{ env.APPSEC_RULE_BADGE_COLOR }} | |