ci: update OWASP ZAP workflow and improve SQL Server readiness checks (#9) (#10)

Author: Som3a99

.github/workflows/owasp-zap.yml

@@ -31,19 +31,19 @@ jobs:
           --health-interval 15s
           --health-timeout 10s
           --health-retries 10
-          --health-start-period 40s
+          --health-start-period 60s
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
 
       - name: Setup .NET
-        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
+        uses: actions/setup-dotnet@v4
         with:
           dotnet-version: 8.0.x
 
       - name: Cache NuGet packages
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        uses: actions/cache@v4
         with:
           path: ~/.nuget/packages
           key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
@@ -54,16 +54,23 @@ jobs:
           dotnet restore CompanyManagementSystem.sln
           dotnet publish ERP.PL/ERP.PL.csproj --configuration Release --no-restore --output ./publish
 
-      - name: Wait for SQL Server to be ready
+      - name: Wait for SQL Server to be truly ready
         run: |
-          echo "Waiting for SQL Server to accept connections..."
-          for i in $(seq 1 30); do
-            if nc -z localhost 1433 2>/dev/null; then
-              echo "SQL Server is accepting connections!"
+          echo "Waiting for SQL Server to accept SQL queries..."
+          for i in $(seq 1 40); do
+            if /opt/mssql-tools18/bin/sqlcmd -S localhost,1433 -U sa -P 'TestP@ssw0rd123!' -C -Q 'SELECT 1' -b > /dev/null 2>&1; then
+              echo "SQL Server is ready! (attempt $i)"
               break
+            elif /opt/mssql-tools/bin/sqlcmd -S localhost,1433 -U sa -P 'TestP@ssw0rd123!' -Q 'SELECT 1' -b > /dev/null 2>&1; then
+              echo "SQL Server is ready via mssql-tools! (attempt $i)"
+              break
+            fi
+            if [ $i -eq 40 ]; then
+              echo "::error::SQL Server did not become ready in time."
+              exit 1
             fi
-            echo "Attempt $i: SQL Server not ready yet..."
-            sleep 3
+            echo "Attempt $i/40: SQL Server not ready yet, waiting 5s..."
+            sleep 5
           done
 
       - name: Start application
@@ -73,7 +80,8 @@ jobs:
           ConnectionStrings__DefaultConnection: "Server=localhost,1433;Database=ERPDB_ZAP;User Id=sa;Password=TestP@ssw0rd123!;TrustServerCertificate=True;"
           Database__ApplyMigrationsOnStartup: "true"
           Seed__Mode: "None"
-          Logging__LogLevel__Default: "Warning"
+          Logging__LogLevel__Default: "Information"
+          Logging__LogLevel__Microsoft_EntityFrameworkCore: "Warning"
         run: |
           cd publish
           dotnet ERP.PL.dll > ../app.log 2>&1 &
@@ -85,34 +93,37 @@ jobs:
           echo "Waiting for application to become healthy..."
           READY=false
           for i in $(seq 1 60); do
-            if curl -sf -o /dev/null -m 5 http://localhost:5000/health 2>/dev/null; then
-              echo "Application is healthy and ready! (attempt $i)"
+            HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -m 5 http://localhost:5000/health 2>/dev/null || echo "000")
+            if [ "$HTTP_CODE" = "200" ]; then
+              echo "Application is healthy and ready! (attempt $i, HTTP $HTTP_CODE)"
               READY=true
               break
             fi
 
-            # Check if process is still running
             if ! kill -0 $APP_PID 2>/dev/null; then
               echo "::error::Application process exited unexpectedly!"
-              echo "=== Application Logs ==="
+              echo "=== Full Application Logs ==="
               cat app.log || true
               exit 1
             fi
 
-            echo "Attempt $i/60: Waiting for health check..."
+            echo "Attempt $i/60: health check returned HTTP $HTTP_CODE, waiting 5s..."
             sleep 5
           done
 
           if [ "$READY" != "true" ]; then
             echo "::error::Application did not become healthy within 5 minutes"
-            echo "=== Application Logs ==="
-            tail -100 app.log || true
+            echo "=== Full Application Logs ==="
+            tail -150 app.log || true
             kill $APP_PID 2>/dev/null || true
             exit 1
           fi
 
+          echo "Verifying port 5000 is listening..."
+          ss -tlnp | grep :5000 || netstat -tlnp | grep :5000 || true
+
       - name: Run OWASP ZAP Baseline Scan
-        uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25 # v0.15.0
+        uses: zaproxy/action-baseline@v0.14.0
         with:
           target: "http://localhost:5000"
           rules_file_name: ".zap/rules.tsv"
@@ -132,15 +143,15 @@ jobs:
 
       - name: Upload application logs
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: app-logs
           path: app.log
           if-no-files-found: ignore
 
       - name: Upload ZAP Report
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@v4
         with:
           name: zap-security-report
           path: |

ERP.PL/Program.cs

@@ -149,9 +149,11 @@ public static async Task Main(string[] args)
             builder.Services.AddAntiforgery(options =>
             {
                 options.HeaderName = "X-CSRF-TOKEN";
-                // Use HTTPS only in production; allow HTTP in development
+                // Use HTTPS only in production; allow HTTP in development/testing
                 options.Cookie.HttpOnly = true;
-                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+                options.Cookie.SecurePolicy = builder.Environment.IsProduction()
+                    ? CookieSecurePolicy.Always
+                    : CookieSecurePolicy.SameAsRequest;
                 options.Cookie.SameSite = SameSiteMode.Strict;
             });
 
@@ -265,7 +267,9 @@ public static async Task Main(string[] args)
             builder.Services.ConfigureApplicationCookie(options =>
             {
                 options.Cookie.HttpOnly = true; // Prevent XSS access to cookie
-                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
+                options.Cookie.SecurePolicy = builder.Environment.IsProduction()
+                    ? CookieSecurePolicy.Always
+                    : CookieSecurePolicy.SameAsRequest;
                 options.Cookie.SameSite = SameSiteMode.Strict; // Prevent CSRF
                 options.ExpireTimeSpan = TimeSpan.FromMinutes(30); // Session timeout
                 options.SlidingExpiration = true; // Extend on activity
@@ -430,10 +434,7 @@ public static async Task Main(string[] args)
                 pattern: "{controller=Home}/{action=Index}/{id?}");
             #endregion
 
-            if (!app.Environment.IsEnvironment("Testing"))
-            {
-                await ApplyDatabaseMigrationsAndSeedAsync(app);
-            }
+            await ApplyDatabaseMigrationsAndSeedAsync(app);
 
             app.Run();
         }