Run ZAP-Based Security Controls on a GitHub-Hosted Runner
Overview
This page explains how to run ZAP-based security controls on a GitHub-hosted runner rather than Jit's job execution system. You may want to do this if access to your web application is protected, for example because it has no public IP address or sits behind a WAF.
ZAP-based security controls include the following:
Using the GitHub-hosted runner
Jit's configuration files, such as jit-plan.yml, jit-security.yml, and jit-config.yml, are located in the .jit directory of the repository you selected for GitHub integration.
To switch to the GitHub-hosted runner:
Step 1: Add the following code snippet(s) to your jit-plan.yml file, depending on whether you want to run Ensure Your APIs are Secure (DAST), Scan Your Web Application for Vulnerabilities (DAST), or both via the GitHub-hosted runner.

For Ensure Your APIs are Secure (DAST):

override:
  workflows:
    api-security:
      jobs:
        api-security-detection:
          runner:
            setup:
              checkout: false
            type: github_actions
          steps:
            - name: Run ZAP
              uses: registry.jit.io/zap:latest
              with:
                env:
                  AUTHENTICATION_VALUE: ${{ secrets.API_SCAN_AUTHENTICATION_VALUE }}

For Scan Your Web Application for Vulnerabilities (DAST):

override:
  workflows:
    web-app-scanner:
      jobs:
        web-security-detection:
          runner:
            setup:
              checkout: false
            type: github_actions
          steps:
            - name: Run ZAP
              with:
                env:
                  AUTHENTICATION_VALUE: ${{ secrets.web_scan_authentication_value }}

For both:

override:
  workflows:
    api-security:
      jobs:
        api-security-detection:
          runner:
            setup:
              checkout: false
            type: github_actions
          steps:
            - name: Run ZAP
              uses: registry.jit.io/zap:latest
              with:
                env:
                  AUTHENTICATION_VALUE: ${{ secrets.API_SCAN_AUTHENTICATION_VALUE }}
    web-app-scanner:
      jobs:
        web-security-detection:
          runner:
            setup:
              checkout: false
            type: github_actions
          steps:
            - name: Run ZAP
              with:
                env:
                  AUTHENTICATION_VALUE: ${{ secrets.web_scan_authentication_value }}

Once you commit this change, a job is created, which you can view in jit-security.yml.

api-security-detection:
  if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'api-security-detection' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-api-security'
  runs-on: ubuntu-20.04
  timeout-minutes: 20
  steps:
    - name: hardened-gerneric-runner
      uses: jitsecurity-controls/[email protected]
      with:
        docker_user: jit-bot
        docker_password: ${{fromJSON(github.event.inputs.client_payload).payload.container_registry_token}}
        security_control: registry.jit.io/zap:not-hardened-gerneric-runner-zap
        dispatch_type: workflow
        context: ${{toJSON(fromJSON(github.event.inputs.client_payload).context)}}
        runner_setup: ${{toJSON(fromJSON(github.event.inputs.client_payload).context.job.runner.setup)}}
        inline_environment: -e AUTHENTICATION_VALUE="${{ secrets.API_SCAN_AUTHENTICATION_VALUE }}"

Step 2: Go to GitHub > your organization > Settings > Secrets and variables > Actions > Variables and set the variable API_SCAN_AUTHENTICATION_VALUE to the authentication value you use for ZAP.
Step 3: Create a ZAP configuration in your jit-config.yml file as shown below.

applications:
  - api_domain: <api_domain_to_scan>
    application_name: <application_name>
    authentication_key: Authorization
    authentication_mode: header-bearer
    exclude_paths: []
    target_url: https://***/openapi.json
    type: api

Step 4: Add the following snippet to your jit-plan.yml file to activate the plan item.

items:
  - name: Scan your API for vulnerabilities
    uses: jitsecurity-controls/jit-plans/items/runtime/item-api-security.yml@latest

ZAP-based security controls are now configured to run on the GitHub-hosted runner whenever they are triggered.
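
A check you can run on jit-plan.yml before committing the Step 1 override, added here as an example (it is not Jit's code): it confirms that every AUTHENTICATION_VALUE under override.workflows is a `${{ secrets.NAME }}` reference rather than a credential pasted into the repository, and lists the names GitHub must resolve from Actions secrets. The function names, the minimal YAML walker, and the sample plan with its made-up token are assumptions constructed for illustration.

```python
import re
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.(\w+)\s*\}\}$")  # one secrets.* reference

def leaves(text):
    """Yield (path, value) for 'key: value' lines of simple block-style YAML."""
    stack = []  # (indent, key) from the document root down to the current line
    for raw in text.splitlines():
        body = raw.lstrip(" -")  # a list dash counts as indentation of its first key
        indent = len(raw) - len(body)
        key, sep, value = body.partition(":")
        if sep and not body.startswith("#"):
            stack = [s for s in stack if s[0] < indent] + [(indent, key.strip())]
            if value.strip():
                yield tuple(k for _, k in stack), value.strip()

def audit_plan(text):
    """Return (findings, names of the secrets the plan expects in GitHub)."""
    findings, secrets = [], set()
    for path, value in leaves(text):
        if path[:2] == ("override", "workflows") and path[-2:] == ("env", "AUTHENTICATION_VALUE"):
            ref = SECRET_REF.match(value.strip("'\""))
            if ref:
                secrets.add(ref.group(1))
            else:  # report the location only, so a pasted token stays out of CI logs
                findings.append(f"{'/'.join(path[2:5:2])}: AUTHENTICATION_VALUE is not a secrets.* reference")
    return findings, sorted(secrets)

# Constructed sample: the first job follows the page, the second pastes a made-up token.
CONSTRUCTED_PLAN = """\
override:
  workflows:
    api-security:
      jobs:
        api-security-detection:
          steps:
            - name: Run ZAP
              with:
                env:
                  AUTHENTICATION_VALUE: ${{ secrets.API_SCAN_AUTHENTICATION_VALUE }}
    web-app-scanner:
      jobs:
        web-security-detection:
          steps:
            - name: Run ZAP
              with:
                env:
                  AUTHENTICATION_VALUE: "Bearer constructed-example-token"
"""
print(audit_plan(CONSTRUCTED_PLAN))
```

A non-empty findings list is a reason to block the commit; the second list tells you which names to create before the job first runs.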
Updated 10 months ago