BREAKING CHANGE: ZAP penetration tests are no longer supported (#85)

.github/workflows/pr-open.yml

@@ -40,15 +40,13 @@ jobs:
         uses: ./
         with:
           file: ${{ matrix.file }}
-          name: ${{ matrix.name }}
           oc_namespace: ${{ vars.OC_NAMESPACE }}
           oc_server: ${{ vars.OC_SERVER }}
           oc_token: ${{ secrets.OC_TOKEN }}
           oc_version: ${{ matrix.oc_version }}
           overwrite: ${{ matrix.overwrite }}
           parameters: -p ZONE=${{ github.event.number }} -p NAME=${{ github.event.repository.name }}
             ${{ matrix.parameters }}
-          penetration_test: ${{ matrix.penetration_test }}
           post_rollout: ${{ matrix.post_rollout }}
           verification_path: ${{ matrix.verification_path }}
       - id: trigger

README.md

@@ -8,9 +8,9 @@
 [issues]: https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-an-issue
 [pull requests]: https://docs.github.com/en/desktop/contributing-and-collaborating-using-github-desktop/working-with-your-remote-repository-on-github-or-github-enterprise/creating-an-issue-or-pull-request
 
-# OpenShift Deployer with Route Verification or Penetration Testing
+# OpenShift Deployer with Route Verification
 
-GitHub Action. Deploy to OpenShift using templates. Runs route verification or penetration tests.  Most of the heavy lifting here is done in template configuration.
+GitHub Action. Deploy to OpenShift using templates. Runs route verification.  Most of the heavy lifting here is done in template configuration.
 
 Testing has only been done with public containers on ghcr.io (GitHub Container Registry) so far.
 
@@ -41,19 +41,12 @@ Testing has only been done with public containers on ghcr.io (GitHub Container R
 
     ### Typical / recommended
 
-    # Name for any penetration test issues or artifacts
-    name: "frontend"
-
     # Override GitHub default oc version
     oc_version: "4.13"
 
     # Template parameters/variables to pass
     parameters: -p ZONE=${{ github.event.number }}
 
-    # Run a ZAProxy penetration test against any routes? [true/false]
-    # Requires `name` to be set if enabled/true
-    penetration_test: false
-
     # Run a command after OpenShift deployment and any verifications
     # Useful for cronjobs and migrations
     post_rollout: oc create job "thing-$(date +%s)" --from=cronjob/thing
@@ -91,26 +84,16 @@ Testing has only been done with public containers on ghcr.io (GitHub Container R
     # Useful for consuming other repos, defaults to the current one
     repository: ${{ github.repository }}
 
-    # Create an issue for penetration test results? [true|false]
-    # Default = "true"
-    penetration_test_create_issue: "true"
-
-    # Allow ZAProxy alerts to fail the workflow? [true/false]
-    # Warning: annoying!
-    penetration_test_fail: false
-
-    # Specify GITHUB_TOKEN or Personal Access Token (PAT) for issue writing
-    # Defaults to inheriting from the calling workflow
-    penetration_test_token: ${{ github.token }}
-
-
     ### Deprecated / will fail and provide directions
 
-    # Replaced by `name` param
-    penetration_test_artifact: frontend
-
-    # # Replaced by `name` param
-    penetration_test_issue: frontend
+    # All penetration tests have been deprecated in favour of scheduled jobs or even workflow_dispatch
+    # Please see https://github.com/zaproxy/action-full-scan for the source of the upstream action
+    penetration_test:
+    penetration_test_artifact:
+    penetration_test_create_issue:
+    penetration_test_fail:
+    penetration_test_issue:
+    penetration_test_token:
 ```
 
 # Example, Single Template
@@ -138,7 +121,7 @@ deploys:
 
 # Example, Matrix / Multiple Templates
 
-Deploy multiple templates in parallel.  This time penetration tests are enabled and issues created.  Runs on pull requests (PRs).
+Deploy multiple templates in parallel.  Runs on pull requests (PRs).
 
 ```yaml
 deploys:
@@ -177,7 +160,6 @@ steps:
       parameters:
         -p COMMON_TEMPLATE_VAR=whatever-${{ github.event.number }}
         ${{ matrix.parameters }}
-      penetration_test: true
       triggers: ${{ matrix.triggers }}
 ```
 
@@ -254,12 +236,10 @@ The action will return a boolean (true|false) of whether a deployment has been t
     echo "Triggered = ${{ steps.meaningful_id_name.outputs.triggered }}
 ```
 
-# Route Verification vs Penetration Testing
+# Route Verification
 
 Deployment templates are parsed for a route.  If found, those routes are verified with a curl command for status code 200 (success).  This ensures that applications are accessible from outside their OpenShift namespace/project.
 
-Provide `penetration_test: true` to instead run a penetration test using [OWASP ZAP (Zed Attack Proxy)](https://github.com/zaproxy/action-full-scan) against that route. `penetration_test_fail: false` can be used to fail pipelines where problems are found.  `penetration_test_issue: name` creates or comments on issues and is generally preferable over failing pipelines.
-
 # Troubleshooting
 
 ## Dependabot Pull Requests Failing

action.yml

@@ -1,5 +1,5 @@
 name: OpenShift Deployer
-description: OpenShift deployer with route verification or penetration testing
+description: OpenShift deployer with route verification
 branding:
   icon: package
   color: blue
@@ -23,19 +23,10 @@ inputs:
     required: true
 
   ### Typical / recommended
-  name:
-    description: Name for any penetration test issues or artifacts; e.g. frontend
-    default: "name_unset"
   oc_version:
     description: Non-default OpenShift version; e.g. 4.13
   parameters:
     description: Template parameters/variables to pass (e.g. -p ZONE=...)
-  penetration_test:
-    description: Run a ZAProxy penetration test against any routes? [true|false]
-    default: "false"
-  penetration_test_fail:
-    description: Allow ZAProxy alerts to fail the workflow? [true|false]
-    default: "false"
   post_rollout:
     description: Post deployment command; e.g. oc create job "thing-$(date +%s)" --from=cronjob/thing
   timeout:
@@ -57,12 +48,7 @@ inputs:
   repository:
     description: Optionally, specify a different repo to clone
     default: ${{ github.repository }}
-  penetration_test_create_issue:
-    description: Create an issue with penetration test results?  [true|false]
-    default: "true"
-  penetration_test_token:
-    description: Specify token (GH or PAT), instead of inheriting one from the calling workflow
-    default: ${{ github.token }}
+
   verification_retry_attempts:
     description: Number of times to attempt deployment verification
     default: "3"
@@ -71,10 +57,14 @@ inputs:
     default: "10"
 
   ### Deprecated
-  penetration_test_artifact:
-    description: Provide a name to attach ZAProxy scan artifacts to workflows; e.g. frontend, backend
-  penetration_test_issue:
-    description: Provide a name to enable ZAProxy issue creation; e.g. frontend, backend
+  # All penetration tests have been deprecated in favour of scheduled jobs
+  penetration_test:
+    default: ''
+  # penetration_test_fail:
+  # penetration_test_create_issue:
+  # penetration_test_token:
+  # penetration_test_artifact:
+  # penetration_test_issue:
 
 outputs:
   triggered:
@@ -99,9 +89,11 @@ runs:
         fi
 
         # Deprecation notices
-        if [ ! -z ${{ inputs.penetration_test_artifact }} ]||[ ! -z ${{ inputs.penetration_test_issue }} ]; then
-          echo -e "Params penetration_test_artifact and penetration_test_issue have been deprecated. \n"
-          echo -e "Please use param: name instead.  Exiting.\n"
+        if [ ! -z ${{ inputs.penetration_test }} ]; then
+          echo -e "All penetration testing has been deprecated.  Instead we recommend running in a scheduled job. \n"
+          echo -e "Please see https://github.com/zaproxy/action-full-scan for the source action.\n"
+          echo -e "An example of a scheduled job with ZAP penetration testing can be found here:"
+          echo -e "  => https://github.com/bcgov/quickstart-openshift/blob/main/.github/workflows/scheduled.yml\n"
           exit 1
         fi
 
@@ -112,7 +104,6 @@ runs:
         triggers: ${{ inputs.triggers }}
         diff_branch: ${{ inputs.diff_branch }}
 
-
     # Override OpenShift version, if specified
     - name: Override OpenShift version
       if: ${{ inputs.oc_version }}
@@ -193,8 +184,7 @@ runs:
 
     - name: Route Verification
       if: steps.vars.outputs.url &&
-        ( steps.diff.outputs.triggered == 'true' )&&
-        ( inputs.penetration_test != 'true' )
+        ( steps.diff.outputs.triggered == 'true' )
       shell: bash
       run: |
         # Expand for route verification
@@ -221,20 +211,6 @@ runs:
         done
         echo -e "\nRoute verification failed"
         exit 1
-
-    - name: Penetration Test
-      if: steps.vars.outputs.url &&
-        ( steps.diff.outputs.triggered == 'true' )&&
-        ( inputs.penetration_test == 'true' )
-      uses: zaproxy/[email protected]
-      with:
-        allow_issue_writing: "${{ inputs.penetration_test_create_issue }}"
-        artifact_name: "zap_${{ inputs.name }}"
-        cmd_options: "-a"
-        fail_action: "${{ inputs.penetration_test_fail }}"
-        issue_title: "ZAP: ${{ inputs.name }}"
-        target: https://${{ steps.vars.outputs.url }}
-        token: "${{ inputs.penetration_test_token }}"
     
     - name: Post-Deployment
       if: inputs.post_rollout != '' && steps.diff.outputs.triggered == 'true'