mirror of
https://github.com/cisagov/manage.get.gov.git
synced 2025-08-04 00:42:16 +02:00
Merge pull request #160 from cisagov/nmb/scurity-scanning
Add security scanning to Github Actions
This commit is contained in:
Seamus Johnston
GitHub
commit
f130ffc9a8
10 changed files with 417 additions and 1 deletions
|
|
@ -22,7 +22,7 @@ services:
|
|||
# Tell Django where to find its configuration
|
||||
- DJANGO_SETTINGS_MODULE=registrar.config.settings
|
||||
# Set a local key for Django
|
||||
- DJANGO_SECRET_KEY=feedabee
|
||||
- DJANGO_SECRET_KEY=really-long-random-string-BNPecI7+s8jMahQcGHZ3XQ5yUfRrSibdapVLIz0UemdktVPofDKcoy
|
||||
# Run Django in debug mode on local
|
||||
- DJANGO_DEBUG=True
|
||||
# Tell Django where it is being hosted
|
||||
|
|
@ -71,3 +71,11 @@ services:
|
|||
- app
|
||||
profiles:
|
||||
- pa11y
|
||||
|
||||
owasp:
|
||||
image: owasp/zap2docker-stable
|
||||
command: zap-baseline.py -t http://app:8080 -c zap.conf -I -r zap_report.html
|
||||
volumes:
|
||||
- .:/zap/wrk/
|
||||
links: ["app"]
|
||||
profiles: ["owasp-scan"]
|
||||
|
|
|
|||
|
|
@ -228,6 +228,16 @@ SERVER_EMAIL = "root@get.gov"
|
|||
# endregion
|
||||
# region: Headers-----------------------------------------------------------###
|
||||
|
||||
# Content-Security-Policy configuration
|
||||
# this can be restrictive because we have few external scripts
|
||||
allowed_sources = ("'self'",)
|
||||
CSP_DEFAULT_SRC = allowed_sources
|
||||
# Most things fall back to default-src, but these two do not and should be
|
||||
# explicitly set
|
||||
CSP_FRAME_ANCESTORS = allowed_sources
|
||||
CSP_FORM_ACTION = allowed_sources
|
||||
|
||||
|
||||
# Content-Length header is set by django.middleware.common.CommonMiddleware
|
||||
|
||||
# X-Frame-Options header is set by
|
||||
|
|
|
|||
151
src/zap.conf
Normal file
151
src/zap.conf
Normal file
|
|
@ -0,0 +1,151 @@
|
|||
# zap-full-scan rule configuration file
|
||||
# Only the rule identifiers are used - the names are just for info
|
||||
# You can add your own messages to each rule by appending them after a tab on each line.
|
||||
0 FAIL (Directory Browsing - Active/release)
|
||||
10003 FAIL (Vulnerable JS Library - Passive/release)
|
||||
10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
|
||||
10011 FAIL (Cookie Without Secure Flag - Passive/release)
|
||||
10015 FAIL (Incomplete or No Cache-control Header Set - Passive/release)
|
||||
10016 FAIL (Web Browser XSS Protection Not Enabled)
|
||||
10017 FAIL (Cross-Domain JavaScript Source File Inclusion - Passive/release)
|
||||
10019 FAIL (Content-Type Header Missing - Passive/release)
|
||||
10020 FAIL (X-Frame-Options Header - Passive/release)
|
||||
10021 FAIL (X-Content-Type-Options Header Missing - Passive/release)
|
||||
# With DEBUG=True Django's internal server serves static files without this
|
||||
# header, but it is not an issue in production
|
||||
10021 OUTOFSCOPE http://app:8080/public/.*$
|
||||
10023 FAIL (Information Disclosure - Debug Error Messages - Passive/release)
|
||||
# OIDC isn't configured in the test environment and DEBUG=True so the error messages
|
||||
# trigger this rule in a way that they don't in production
|
||||
10023 OUTOFSCOPE http://app:8080/openid/login/
|
||||
10024 FAIL (Information Disclosure - Sensitive Information in URL - Passive/release)
|
||||
10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
|
||||
10026 FAIL (HTTP Parameter Override - Passive/beta)
|
||||
10027 FAIL (Information Disclosure - Suspicious Comments - Passive/release)
|
||||
# Debug toolbar contains the word "from" which is a false positive and also
|
||||
# it isn't installed in production (see word list at https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/zapHomeFiles/xml/suspicious-comments.txt)
|
||||
10027 OUTOFSCOPE http://app:8080/public/debug_toolbar/js/toolbar.js
|
||||
# USWDS.min.js contains suspicious words "query", "select", "from" in ordinary usage
|
||||
10027 OUTOFSCOPE http://app:8080/public/js/uswds.min.js
|
||||
10028 FAIL (Open Redirect - Passive/beta)
|
||||
10029 FAIL (Cookie Poisoning - Passive/beta)
|
||||
10030 FAIL (User Controllable Charset - Passive/beta)
|
||||
10031 FAIL (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
|
||||
10032 FAIL (Viewstate - Passive/release)
|
||||
10033 FAIL (Directory Browsing - Passive/beta)
|
||||
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
|
||||
10035 FAIL (Strict-Transport-Security Header - Passive/beta)
|
||||
10036 FAIL (HTTP Server Response Header - Passive/beta)
|
||||
# With DEBUG=True Django's internal server sends the Server header, but
|
||||
# it is not an issue in production
|
||||
10036 OUTOFSCOPE http://app:8080.*$
|
||||
10037 FAIL (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
|
||||
10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
|
||||
# With DEBUG=True, Django sends a 404 page without the CSP headers. This isn't true on production
|
||||
# For URLs that Zap gets that aren't present in the test environment, skip this false positive
|
||||
10038 OUTOFSCOPE http://app:8080/public/img/.*
|
||||
10038 OUTOFSCOPE http://app:8080/public/css/.*
|
||||
10038 OUTOFSCOPE http://app:8080/public/js/.*
|
||||
10038 OUTOFSCOPE http://app:8080/(robots.txt|sitemap.xml)
|
||||
# OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
|
||||
10038 OUTOFSCOPE http://app:8080/openid/login/
|
||||
10039 FAIL (X-Backend-Server Header Information Leak - Passive/beta)
|
||||
10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
|
||||
10041 FAIL (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
|
||||
10042 FAIL (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
|
||||
10043 FAIL (User Controllable JavaScript Event (XSS) - Passive/beta)
|
||||
10044 FAIL (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
|
||||
10045 FAIL (Source Code Disclosure - /WEB-INF folder - Active/release)
|
||||
10047 FAIL (HTTPS Content Available via HTTP - Active/beta)
|
||||
10048 FAIL (Remote Code Execution - Shell Shock - Active/beta)
|
||||
10050 FAIL (Retrieved from Cache - Passive/beta)
|
||||
10051 FAIL (Relative Path Confusion - Active/beta)
|
||||
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
|
||||
10053 FAIL (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
|
||||
10054 FAIL (Cookie without SameSite Attribute - Passive/release)
|
||||
10055 FAIL (CSP - Passive/release)
|
||||
10056 FAIL (X-Debug-Token Information Leak - Passive/release)
|
||||
10057 FAIL (Username Hash Found - Passive/release)
|
||||
10058 FAIL (GET for POST - Active/beta)
|
||||
10061 FAIL (X-AspNet-Version Response Header - Passive/release)
|
||||
10062 FAIL (PII Disclosure - Passive/beta)
|
||||
10095 FAIL (Backup File Disclosure - Active/beta)
|
||||
10096 FAIL (Timestamp Disclosure - Passive/release)
|
||||
10097 FAIL (Hash Disclosure - Passive/beta)
|
||||
10098 FAIL (Cross-Domain Misconfiguration - Passive/release)
|
||||
10104 FAIL (User Agent Fuzzer - Active/beta)
|
||||
10105 FAIL (Weak Authentication Method - Passive/release)
|
||||
10106 FAIL (HTTP Only Site - Active/beta)
|
||||
10107 FAIL (Httpoxy - Proxy Header Misuse - Active/beta)
|
||||
10108 FAIL (Reverse Tabnabbing - Passive/beta)
|
||||
10109 FAIL (Modern Web Application - Passive/beta)
|
||||
# With DEBUG=True Django's debug toolbar uses <a href="#"> links which triggers this rule
|
||||
# The debug toolbar doesn't run in production
|
||||
10109 OUTOFSCOPE http://app:8080.*
|
||||
10202 FAIL (Absence of Anti-CSRF Tokens - Passive/release)
|
||||
2 FAIL (Private IP Disclosure - Passive/release)
|
||||
20012 FAIL (Anti-CSRF Tokens Check - Active/beta)
|
||||
20014 FAIL (HTTP Parameter Pollution - Active/beta)
|
||||
20015 FAIL (Heartbleed OpenSSL Vulnerability - Active/beta)
|
||||
20016 FAIL (Cross-Domain Misconfiguration - Active/beta)
|
||||
20017 FAIL (Source Code Disclosure - CVE-2012-1823 - Active/beta)
|
||||
20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
|
||||
20019 FAIL (External Redirect - Active/release)
|
||||
3 FAIL (Session ID in URL Rewrite - Passive/release)
|
||||
30001 FAIL (Buffer Overflow - Active/release)
|
||||
30002 FAIL (Format String Error - Active/release)
|
||||
30003 FAIL (Integer Overflow Error - Active/beta)
|
||||
40003 FAIL (CRLF Injection - Active/release)
|
||||
40008 FAIL (Parameter Tampering - Active/release)
|
||||
40009 FAIL (Server Side Include - Active/release)
|
||||
40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
|
||||
40013 FAIL (Session Fixation - Active/beta)
|
||||
40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
|
||||
40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
|
||||
40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
|
||||
40018 FAIL (SQL Injection - Active/release)
|
||||
40019 FAIL (SQL Injection - MySQL - Active/beta)
|
||||
40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
|
||||
40021 FAIL (SQL Injection - Oracle - Active/beta)
|
||||
40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
|
||||
40023 FAIL (Possible Username Enumeration - Active/beta)
|
||||
40024 FAIL (SQL Injection - SQLite - Active/beta)
|
||||
40025 FAIL (Proxy Disclosure - Active/beta)
|
||||
40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
|
||||
40027 FAIL (SQL Injection - MsSQL - Active/beta)
|
||||
40028 FAIL (ELMAH Information Leak - Active/release)
|
||||
40029 FAIL (Trace.axd Information Leak - Active/beta)
|
||||
40032 FAIL (.htaccess Information Leak - Active/release)
|
||||
40034 FAIL (.env Information Leak - Active/beta)
|
||||
40035 FAIL (Hidden File Finder - Active/beta)
|
||||
41 FAIL (Source Code Disclosure - Git - Active/beta)
|
||||
42 FAIL (Source Code Disclosure - SVN - Active/beta)
|
||||
43 FAIL (Source Code Disclosure - File Inclusion - Active/beta)
|
||||
50000 FAIL (Script Active Scan Rules - Active/release)
|
||||
50001 FAIL (Script Passive Scan Rules - Passive/release)
|
||||
6 FAIL (Path Traversal - Active/release)
|
||||
7 FAIL (Remote File Inclusion - Active/release)
|
||||
90001 FAIL (Insecure JSF ViewState - Passive/release)
|
||||
90011 FAIL (Charset Mismatch - Passive/release)
|
||||
90017 FAIL (XSLT Injection - Active/beta)
|
||||
90019 FAIL (Server Side Code Injection - Active/release)
|
||||
90020 FAIL (Remote OS Command Injection - Active/release)
|
||||
90021 FAIL (XPath Injection - Active/beta)
|
||||
90022 FAIL (Application Error Disclosure - Passive/release)
|
||||
# OIDC isn't configured in the test environment and DEBUG=True so these error pages
|
||||
# trigger this rule in a way that they won't in production
|
||||
90022 OUTOFSCOPE http://app:8080/openid/login/
|
||||
90023 FAIL (XML External Entity Attack - Active/beta)
|
||||
90024 FAIL (Generic Padding Oracle - Active/beta)
|
||||
90025 FAIL (Expression Language Injection - Active/beta)
|
||||
90026 FAIL (SOAP Action Spoofing - Active/alpha)
|
||||
90027 FAIL (Cookie Slack Detector - Active/beta)
|
||||
90028 FAIL (Insecure HTTP Method - Active/beta)
|
||||
90029 FAIL (SOAP XML Injection - Active/alpha)
|
||||
90030 FAIL (WSDL File Detection - Passive/alpha)
|
||||
90033 FAIL (Loosely Scoped Cookie - Passive/release)
|
||||
# With DEBUG=True Django's internal server returns a Set-Cookie header that appears
|
||||
# to trigger this rule even though it has no domain scope. And the cookie header
|
||||
# isn't sent this way on production
|
||||
90033 OUTOFSCOPE http://app:8080.*$
|
||||
90034 FAIL (Cloud Metadata Potentially Exposed - Active/beta)
|
||||
Loading…
Add table
Add a link
Reference in a new issue