Merge pull request #160 from cisagov/nmb/scurity-scanning

Add security scanning to Github Actions
This commit is contained in:
Seamus Johnston 2022-10-11 13:14:21 +00:00 committed by GitHub
commit f130ffc9a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 417 additions and 1 deletions

View file

@ -22,7 +22,7 @@ services:
# Tell Django where to find its configuration
- DJANGO_SETTINGS_MODULE=registrar.config.settings
# Set a local key for Django
- DJANGO_SECRET_KEY=feedabee
- DJANGO_SECRET_KEY=really-long-random-string-BNPecI7+s8jMahQcGHZ3XQ5yUfRrSibdapVLIz0UemdktVPofDKcoy
# Run Django in debug mode on local
- DJANGO_DEBUG=True
# Tell Django where it is being hosted
@ -71,3 +71,11 @@ services:
- app
profiles:
- pa11y
owasp:
image: owasp/zap2docker-stable
command: zap-baseline.py -t http://app:8080 -c zap.conf -I -r zap_report.html
volumes:
- .:/zap/wrk/
links: ["app"]
profiles: ["owasp-scan"]

View file

@ -228,6 +228,16 @@ SERVER_EMAIL = "root@get.gov"
# endregion
# region: Headers-----------------------------------------------------------###
# Content-Security-Policy configuration
# this can be restrictive because we have few external scripts
allowed_sources = ("'self'",)
CSP_DEFAULT_SRC = allowed_sources
# Most things fall back to default-src, but these two do not and should be
# explicitly set
CSP_FRAME_ANCESTORS = allowed_sources
CSP_FORM_ACTION = allowed_sources
# Content-Length header is set by django.middleware.common.CommonMiddleware
# X-Frame-Options header is set by

151
src/zap.conf Normal file
View file

@ -0,0 +1,151 @@
# zap-full-scan rule configuration file
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0 FAIL (Directory Browsing - Active/release)
10003 FAIL (Vulnerable JS Library - Passive/release)
10010 FAIL (Cookie No HttpOnly Flag - Passive/release)
10011 FAIL (Cookie Without Secure Flag - Passive/release)
10015 FAIL (Incomplete or No Cache-control Header Set - Passive/release)
10016 FAIL (Web Browser XSS Protection Not Enabled)
10017 FAIL (Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019 FAIL (Content-Type Header Missing - Passive/release)
10020 FAIL (X-Frame-Options Header - Passive/release)
10021 FAIL (X-Content-Type-Options Header Missing - Passive/release)
# With DEBUG=True Django's internal server serves static files without this
# header, but it is not an issue in production
10021 OUTOFSCOPE http://app:8080/public/.*$
10023 FAIL (Information Disclosure - Debug Error Messages - Passive/release)
# OIDC isn't configured in the test environment and DEBUG=True so the error messages
# trigger this rule in a way that they don't in production
10023 OUTOFSCOPE http://app:8080/openid/login/
10024 FAIL (Information Disclosure - Sensitive Information in URL - Passive/release)
10025 FAIL (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026 FAIL (HTTP Parameter Override - Passive/beta)
10027 FAIL (Information Disclosure - Suspicious Comments - Passive/release)
# Debug toolbar contains the word "from" which is a false positive and also
# it isn't installed in production (see word list at https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/zapHomeFiles/xml/suspicious-comments.txt)
10027 OUTOFSCOPE http://app:8080/public/debug_toolbar/js/toolbar.js
# USWDS.min.js contains suspicious words "query", "select", "from" in ordinary usage
10027 OUTOFSCOPE http://app:8080/public/js/uswds.min.js
10028 FAIL (Open Redirect - Passive/beta)
10029 FAIL (Cookie Poisoning - Passive/beta)
10030 FAIL (User Controllable Charset - Passive/beta)
10031 FAIL (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032 FAIL (Viewstate - Passive/release)
10033 FAIL (Directory Browsing - Passive/beta)
10034 FAIL (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035 FAIL (Strict-Transport-Security Header - Passive/beta)
10036 FAIL (HTTP Server Response Header - Passive/beta)
# With DEBUG=True Django's internal server sends the Server header, but
# it is not an issue in production
10036 OUTOFSCOPE http://app:8080.*$
10037 FAIL (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038 FAIL (Content Security Policy (CSP) Header Not Set - Passive/beta)
# With DEBUG=True, Django sends a 404 page without the CSP headers. This isn't true on production
# For URLs that Zap gets that aren't present in the test environment, skip this false positive
10038 OUTOFSCOPE http://app:8080/public/img/.*
10038 OUTOFSCOPE http://app:8080/public/css/.*
10038 OUTOFSCOPE http://app:8080/public/js/.*
10038 OUTOFSCOPE http://app:8080/(robots.txt|sitemap.xml)
# OIDC isn't configured in the test environment and DEBUG=True so this gives a 500 without CSP headers
10038 OUTOFSCOPE http://app:8080/openid/login/
10039 FAIL (X-Backend-Server Header Information Leak - Passive/beta)
10040 FAIL (Secure Pages Include Mixed Content - Passive/release)
10041 FAIL (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042 FAIL (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043 FAIL (User Controllable JavaScript Event (XSS) - Passive/beta)
10044 FAIL (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045 FAIL (Source Code Disclosure - /WEB-INF folder - Active/release)
10047 FAIL (HTTPS Content Available via HTTP - Active/beta)
10048 FAIL (Remote Code Execution - Shell Shock - Active/beta)
10050 FAIL (Retrieved from Cache - Passive/beta)
10051 FAIL (Relative Path Confusion - Active/beta)
10052 FAIL (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053 FAIL (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054 FAIL (Cookie without SameSite Attribute - Passive/release)
10055 FAIL (CSP - Passive/release)
10056 FAIL (X-Debug-Token Information Leak - Passive/release)
10057 FAIL (Username Hash Found - Passive/release)
10058 FAIL (GET for POST - Active/beta)
10061 FAIL (X-AspNet-Version Response Header - Passive/release)
10062 FAIL (PII Disclosure - Passive/beta)
10095 FAIL (Backup File Disclosure - Active/beta)
10096 FAIL (Timestamp Disclosure - Passive/release)
10097 FAIL (Hash Disclosure - Passive/beta)
10098 FAIL (Cross-Domain Misconfiguration - Passive/release)
10104 FAIL (User Agent Fuzzer - Active/beta)
10105 FAIL (Weak Authentication Method - Passive/release)
10106 FAIL (HTTP Only Site - Active/beta)
10107 FAIL (Httpoxy - Proxy Header Misuse - Active/beta)
10108 FAIL (Reverse Tabnabbing - Passive/beta)
10109 FAIL (Modern Web Application - Passive/beta)
# With DEBUG=True Django's debug toolbar uses <a href="#"> links which triggers this rule
# The debug toolbar doesn't run in production
10109 OUTOFSCOPE http://app:8080.*
10202 FAIL (Absence of Anti-CSRF Tokens - Passive/release)
2 FAIL (Private IP Disclosure - Passive/release)
20012 FAIL (Anti-CSRF Tokens Check - Active/beta)
20014 FAIL (HTTP Parameter Pollution - Active/beta)
20015 FAIL (Heartbleed OpenSSL Vulnerability - Active/beta)
20016 FAIL (Cross-Domain Misconfiguration - Active/beta)
20017 FAIL (Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018 FAIL (Remote Code Execution - CVE-2012-1823 - Active/beta)
20019 FAIL (External Redirect - Active/release)
3 FAIL (Session ID in URL Rewrite - Passive/release)
30001 FAIL (Buffer Overflow - Active/release)
30002 FAIL (Format String Error - Active/release)
30003 FAIL (Integer Overflow Error - Active/beta)
40003 FAIL (CRLF Injection - Active/release)
40008 FAIL (Parameter Tampering - Active/release)
40009 FAIL (Server Side Include - Active/release)
40012 FAIL (Cross Site Scripting (Reflected) - Active/release)
40013 FAIL (Session Fixation - Active/beta)
40014 FAIL (Cross Site Scripting (Persistent) - Active/release)
40016 FAIL (Cross Site Scripting (Persistent) - Prime - Active/release)
40017 FAIL (Cross Site Scripting (Persistent) - Spider - Active/release)
40018 FAIL (SQL Injection - Active/release)
40019 FAIL (SQL Injection - MySQL - Active/beta)
40020 FAIL (SQL Injection - Hypersonic SQL - Active/beta)
40021 FAIL (SQL Injection - Oracle - Active/beta)
40022 FAIL (SQL Injection - PostgreSQL - Active/beta)
40023 FAIL (Possible Username Enumeration - Active/beta)
40024 FAIL (SQL Injection - SQLite - Active/beta)
40025 FAIL (Proxy Disclosure - Active/beta)
40026 FAIL (Cross Site Scripting (DOM Based) - Active/beta)
40027 FAIL (SQL Injection - MsSQL - Active/beta)
40028 FAIL (ELMAH Information Leak - Active/release)
40029 FAIL (Trace.axd Information Leak - Active/beta)
40032 FAIL (.htaccess Information Leak - Active/release)
40034 FAIL (.env Information Leak - Active/beta)
40035 FAIL (Hidden File Finder - Active/beta)
41 FAIL (Source Code Disclosure - Git - Active/beta)
42 FAIL (Source Code Disclosure - SVN - Active/beta)
43 FAIL (Source Code Disclosure - File Inclusion - Active/beta)
50000 FAIL (Script Active Scan Rules - Active/release)
50001 FAIL (Script Passive Scan Rules - Passive/release)
6 FAIL (Path Traversal - Active/release)
7 FAIL (Remote File Inclusion - Active/release)
90001 FAIL (Insecure JSF ViewState - Passive/release)
90011 FAIL (Charset Mismatch - Passive/release)
90017 FAIL (XSLT Injection - Active/beta)
90019 FAIL (Server Side Code Injection - Active/release)
90020 FAIL (Remote OS Command Injection - Active/release)
90021 FAIL (XPath Injection - Active/beta)
90022 FAIL (Application Error Disclosure - Passive/release)
# OIDC isn't configured in the test environment and DEBUG=True so these error pages
# trigger this rule in a way that they won't in production
90022 OUTOFSCOPE http://app:8080/openid/login/
90023 FAIL (XML External Entity Attack - Active/beta)
90024 FAIL (Generic Padding Oracle - Active/beta)
90025 FAIL (Expression Language Injection - Active/beta)
90026 FAIL (SOAP Action Spoofing - Active/alpha)
90027 FAIL (Cookie Slack Detector - Active/beta)
90028 FAIL (Insecure HTTP Method - Active/beta)
90029 FAIL (SOAP XML Injection - Active/alpha)
90030 FAIL (WSDL File Detection - Passive/alpha)
90033 FAIL (Loosely Scoped Cookie - Passive/release)
# With DEBUG=True Django's internal server returns a Set-Cookie header that appears
# to trigger this rule even though it has no domain scope. And the cookie header
# isn't sent this way on production
90033 OUTOFSCOPE http://app:8080.*$
90034 FAIL (Cloud Metadata Potentially Exposed - Active/beta)