swarkentin · April 4, 2023 16:22
diff --git a/gistfile1.txt b/gistfile1.txt
 name: 'Mayhem for API'
 on:
  workflow_call:
  push:
  pull_request:
  workflow_dispatch:

 env:
  DEFAULT_JDK_VERSION: 8

 jobs:
  build:
    ##################################################
    # Build
    ##################################################
    name: Scan
    runs-on: ubuntu-latest
    steps:
      # Check out source
      - uses: actions/checkout@v2

      - name: Build Docker Image(s)
        run: docker build -t openmeetings:mapi --build-arg BUILD_TYPE=mysql .

      - name: Run API
        run: docker run -t --rm -p 5080:5080 -d --name openmeetings-mapi openmeetings:mapi

      - name: Wait for server to start
        run: timeout 360 bash -c 'until curl --fail localhost:5080/openmeetings/services/info/health; do docker ps && sleep 10; done'

      # Fetch the access token for the initial user directly from
      # the database.
      - name: Get token for initial user
        run: |
         token=$( curl --location \
          -X GET \
          "http://localhost:5080/openmeetings/services/user/login?user=om_admin&pass=1Q2w3e4r5t%5Ey" | jq -j ".serviceResult.message")
          echo "AUTH_TOKEN=$token" >> "$GITHUB_ENV"

      ##################################################
      # Mayhem
      #
      # Run Mayhem for API. This will start a new run
      # against the REST API actively running on the
      # container launched earlier.
      #
      # Results will be collected in SAIRF formatted and
      # submitted to the codeql--action in order to report
      # API issues that are discovered.
      ##################################################
      - name: Run Mayhem for API to check for vulnerabilities
        uses: ForAllSecure/mapi-action@v1
        continue-on-error: true
        with:
          mapi-token: ${{ secrets.MAPI_TOKEN }}
          api-url: http://localhost:5080/openmeetings/services
          api-spec: https://openmeetings.apache.org/swagger/apache-openmeetings-6.3.0-swagger.json
          target: mayhemheroes/openmeetings-docker
          duration: 1min
          sarif-report: mapi.sarif
          html-report: mapi.html
          #
          # Keycloak REST APIs are generated from HTML and then manually
          # adjusted for each version. This means that the specification
          # will not be as accurate as one generated from source or maintained
          # by hand. The InvalidResponseSpec rule is ignored in order to
          # reduce the number of warnings raised against this generated
          # specification.
          #
          # https://github.com/ccouzens/keycloak-openapi
          #
          run-args: |
            --concurrency
            4
            --resource-hint
            .*QUERY sid:${{ env.AUTH_TOKEN }}


      ##################################################
      # Report
      #
      # An HTML report containing the the results of the
      # run are archived for later viewing, and a SARIF
      # (Static Analysis Results Interchange Format)
      # report produced and passed to codeQL. codeQL will
      # report any issues discovered in your Action results
      ##################################################
      - name: Archive Mayhem for API report
        uses: actions/upload-artifact@v2
        with:
          name: mapi-report
          path: mapi.html

      - name: Archive Mayhem for API SARIF report
        uses: actions/upload-artifact@v2
        with:
          name: sarif-report
          path: mapi.sarif

      # Upload SARIF file (only available on public repos or github enterprise)
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: mapi.sarif

      # Clean up docker
      - name: Stop containers
        if: always()
        run: docker rm -f openmeetings-mapi

      # Prune old docker volumes
      - name: Prune volumes
        if: always()
        run: docker volume prune -f
	name: 'Mayhem for API'
	on:
	workflow_call:
	push:
	pull_request:
	workflow_dispatch:

	env:
	DEFAULT_JDK_VERSION: 8

	jobs:
	build:
	##################################################
	# Build
	##################################################
	name: Scan
	runs-on: ubuntu-latest
	steps:
	# Check out source
	- uses: actions/checkout@v2

	- name: Build Docker Image(s)
	run: docker build -t openmeetings:mapi --build-arg BUILD_TYPE=mysql .

	- name: Run API
	run: docker run -t --rm -p 5080:5080 -d --name openmeetings-mapi openmeetings:mapi

	- name: Wait for server to start
	run: timeout 360 bash -c 'until curl --fail localhost:5080/openmeetings/services/info/health; do docker ps && sleep 10; done'

	# Fetch the access token for the initial user directly from
	# the database.
	- name: Get token for initial user
	run: \|
	token=$( curl --location \
	-X GET \
	"http://localhost:5080/openmeetings/services/user/login?user=om_admin&pass=1Q2w3e4r5t%5Ey" \| jq -j ".serviceResult.message")
	echo "AUTH_TOKEN=$token" >> "$GITHUB_ENV"

	##################################################
	# Mayhem
	#
	# Run Mayhem for API. This will start a new run
	# against the REST API actively running on the
	# container launched earlier.
	#
	# Results will be collected in SAIRF formatted and
	# submitted to the codeql--action in order to report
	# API issues that are discovered.
	##################################################
	- name: Run Mayhem for API to check for vulnerabilities
	uses: ForAllSecure/mapi-action@v1
	continue-on-error: true
	with:
	mapi-token: ${{ secrets.MAPI_TOKEN }}
	api-url: http://localhost:5080/openmeetings/services
	api-spec: https://openmeetings.apache.org/swagger/apache-openmeetings-6.3.0-swagger.json
	target: mayhemheroes/openmeetings-docker
	duration: 1min
	sarif-report: mapi.sarif
	html-report: mapi.html
	#
	# Keycloak REST APIs are generated from HTML and then manually
	# adjusted for each version. This means that the specification
	# will not be as accurate as one generated from source or maintained
	# by hand. The InvalidResponseSpec rule is ignored in order to
	# reduce the number of warnings raised against this generated
	# specification.
	#
	# https://github.com/ccouzens/keycloak-openapi
	#
	run-args: \|
	--concurrency
	4
	--resource-hint
	.*QUERY sid:${{ env.AUTH_TOKEN }}


	##################################################
	# Report
	#
	# An HTML report containing the the results of the
	# run are archived for later viewing, and a SARIF
	# (Static Analysis Results Interchange Format)
	# report produced and passed to codeQL. codeQL will
	# report any issues discovered in your Action results
	##################################################
	- name: Archive Mayhem for API report
	uses: actions/upload-artifact@v2
	with:
	name: mapi-report
	path: mapi.html

	- name: Archive Mayhem for API SARIF report
	uses: actions/upload-artifact@v2
	with:
	name: sarif-report
	path: mapi.sarif

	# Upload SARIF file (only available on public repos or github enterprise)
	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@v1
	with:
	sarif_file: mapi.sarif

	# Clean up docker
	- name: Stop containers
	if: always()
	run: docker rm -f openmeetings-mapi

	# Prune old docker volumes
	- name: Prune volumes
	if: always()
	run: docker volume prune -f