Merge pull request #28 from githubabcs-devops/feature/update11

CalinL · web-flow · commit 333daf12eb3c · 2025-04-21T13:13:11.000-04:00
Update DAST ZAP workflow to start application if not running and fix SBOM workflow permissions
diff --git a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml
@@ -39,6 +39,7 @@ jobs:
           if ! curl -s --head --request GET ${{ env.ZAP_TARGET }} | grep "200 OK" > /dev/null; then
             echo "Application is not running. Building and starting the application..."
             docker build ./src/webapp01 --file ./src/webapp01/Dockerfile -t ${{ env.imageName }}:${{ env.tag }}
+            echo "Starting the application..."
             docker run -d --rm -p ${{ env.HOST_PORT }}:${{ env.CONTAINER_PORT }} ${{ env.imageName }}:${{ env.tag }}
           else
             echo "Application is already running."
diff --git a/.github/workflows/SAST-Kubesec.yml b/.github/workflows/SAST-Kubesec.yml
@@ -18,8 +18,8 @@ permissions:
   actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
 
 jobs:
-  kubesec-scan:
-    name: Kubesec Scan
+  kubesec-scan-1:
+    name: Kubesec Scan 1
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -38,6 +38,13 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: kubesec-results.sarif
+      
+  kubesec-scan-2:
+    name: Kubesec Scan 2
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
 
       - name: Run kubesec scanner (score-5-pod-serviceaccount.yaml)
         uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14
diff --git a/.github/workflows/SCA-Anchore-Syft-SBOM.yml b/.github/workflows/SCA-Anchore-Syft-SBOM.yml
@@ -1,7 +1,7 @@
 # https://github.com/anchore/syft
 # https://github.com/anchore/sbom-action
 
-name: CSA - Anchore Syft SBOM Scan
+name: SCA - Anchore Syft SBOM Scan
 
 on:
   push:
@@ -35,10 +35,10 @@ jobs:
         uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
         with:
           image: "${{ env.imageName }}:${{ env.tag }}"
-          artifact-name: image.spdx.json
+          artifact-name: sbom.spdx
           dependency-snapshot: true
       
       - name: SBOM upload 
         uses: advanced-security/spdx-dependency-submission-action@v0.1.1
         with:
-          filePath: "image.spdx.json"
+          filePath: "sbom.spdx"
diff --git a/.github/workflows/SCA-Microsoft-SBOM.yml b/.github/workflows/SCA-Microsoft-SBOM.yml
@@ -12,7 +12,7 @@ env:
   DOTNET_VERSION: '9.0.x'                       # set this to the dot net version to use
 
 permissions:
-  contents: read
+  contents: write
   id-token: write # required to upload artifacts
 
 jobs:
