feat: add tier 1 customization env variables #99
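---
# Builds every bake target from docker-bake.hcl on pull requests and smoke-tests
# the resulting images: the container must stay running, the audit log
# directories must exist and be writable, and the CORAZA_AUDIT_* environment
# variables must be honoured by the entrypoint at runtime.
name: Verify Images
on:
  pull_request:
    branches:
      - main
# Read-only token: images are loaded into the local daemon and never pushed.
permissions:
  contents: read
env:
  # REGISTRY/REPO only form the local tag the image is built under (push: false below).
  REGISTRY: "ghcr.io"
  REPO: "coreruleset/coraza-crs"
jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      # JSON array of bake target names, consumed by the build matrix below.
      targets: ${{ steps.generate.outputs.targets }}
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - name: List targets
        id: generate
        uses: docker/bake-action/subaction/list-targets@aefd381cbaa93c62a1e8b02194ae420cc36269d2 # v4
  build:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      matrix:
        target: ${{ fromJson(needs.prepare.outputs.targets) }}
    env:
      # The target name originates in docker-bake.hcl of the checked-out PR.
      # It is handed to the shell steps through the environment instead of
      # being interpolated with ${{ }} into the `run:` text, so a name that
      # happens to contain shell metacharacters cannot change the script.
      TARGET: ${{ matrix.target }}
    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 1
      # https://github.com/docker/setup-qemu-action
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
        with:
          driver-opts: image=moby/buildkit:master
      - name: Build images
        uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0
        with:
          files: |
            ./docker-bake.hcl
          targets: ${{ matrix.target }}
          # Single platform only: the image is run on this runner, not published.
          set: |
            *.platform=linux/amd64
            ${{ matrix.target }}.tags=${{ env.REGISTRY }}/${{ env.REPO }}:${{ matrix.target }}
          load: true
          push: false
      - name: Run ${{ matrix.target }}
        run: |
          echo "Starting container $TARGET"
          # --pull never: the tag must come from the local build above, never from the registry.
          docker run --pull "never" -d --name "$TARGET-test" "$REGISTRY/$REPO:$TARGET"
          docker logs "$TARGET-test"
      - name: Verify ${{ matrix.target }}
        run: |
          # Quote the substitution so an empty inspect result fails the test
          # cleanly instead of as a `[` syntax error.
          [ "$(docker inspect "$TARGET-test" --format='{{.State.Running}}')" = 'true' ]
      - name: Verify audit log directories (${{ matrix.target }})
        if: startsWith(matrix.target, 'caddy-alpine')
        run: |
          echo "Checking default audit log directories exist and are writable..."
          docker exec "$TARGET-test" sh -c '
            test -d /var/log/coraza/audit \
              || { echo "FAIL: /var/log/coraza/audit does not exist"; exit 1; }
            test -w /var/log/coraza/audit \
              || { echo "FAIL: /var/log/coraza/audit is not writable"; exit 1; }
            test -d /var/log/caddy \
              || { echo "FAIL: /var/log/caddy does not exist"; exit 1; }
            test -w /var/log/caddy \
              || { echo "FAIL: /var/log/caddy is not writable"; exit 1; }
            echo "OK: audit log directories exist and are writable"
          '
      - name: Verify custom CORAZA_AUDIT_STORAGE_DIR is created at runtime (${{ matrix.target }})
        run: |
          echo "Checking entrypoint creates a custom CORAZA_AUDIT_STORAGE_DIR at runtime..."
          docker run -d --pull "never" --name "$TARGET-custom-audit-test" \
            -e CORAZA_AUDIT_STORAGE_DIR=/tmp/custom-audit-test \
            "$REGISTRY/$REPO:$TARGET"
          # Give the entrypoint a moment to create the directory before looking for it.
          sleep 3
          docker exec "$TARGET-custom-audit-test" test -d /tmp/custom-audit-test \
            && echo "OK: custom CORAZA_AUDIT_STORAGE_DIR created by entrypoint" \
            || { echo "FAIL: custom CORAZA_AUDIT_STORAGE_DIR not created by entrypoint"; \
                 docker logs "$TARGET-custom-audit-test" 2>&1 | tail -50; \
                 docker rm -f "$TARGET-custom-audit-test" || true; exit 1; }
          docker rm -f "$TARGET-custom-audit-test" || true
      - name: Verify audit log file is written on attack (${{ matrix.target }})
        run: |
          echo "Starting container with file-based audit log..."
          docker run -d --pull "never" --name "$TARGET-attack-test" \
            -p 18080:8080 \
            -e CORAZA_AUDIT_ENGINE=On \
            -e CORAZA_AUDIT_LOG=/var/log/coraza/audit/audit.log \
            "$REGISTRY/$REPO:$TARGET"
          echo "Waiting for server to start..."
          # Poll rather than sleep a fixed time: any HTTP answer (including a
          # WAF block) means the listener is up; give up after ~30 s and let
          # the checks below report the failure.
          for _ in $(seq 1 30); do
            curl -s -o /dev/null --max-time 2 "http://localhost:18080/" && break
            sleep 1
          done
          echo "Sending XSS attack payload to trigger a CRS rule..."
          # The request is expected to be blocked, so a non-2xx answer is not a failure here.
          curl -s -o /dev/null "http://localhost:18080/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E" || true
          echo "Checking that audit log file was created with content..."
          docker exec "$TARGET-attack-test" sh -c '
            test -f /var/log/coraza/audit/audit.log \
              || { echo "FAIL: audit log file was not created"; exit 1; }
            test -s /var/log/coraza/audit/audit.log \
              || { echo "FAIL: audit log file is empty"; exit 1; }
            echo "OK: audit log file exists and contains data"
          ' || {
            # Same diagnostics and cleanup as the concurrent test below, so a
            # failing run leaves logs behind and no stray container.
            echo "--- Container logs for debugging ---"
            docker logs "$TARGET-attack-test" 2>&1 | tail -50
            docker rm -f "$TARGET-attack-test" || true
            exit 1
          }
          docker rm -f "$TARGET-attack-test" || true
      - name: Verify concurrent audit logging on attack (${{ matrix.target }})
        run: |
          echo "Starting container with concurrent audit logging..."
          docker run -d --pull "never" --name "$TARGET-concurrent-test" \
            -p 18081:8080 \
            -e CORAZA_AUDIT_ENGINE=On \
            -e CORAZA_AUDIT_LOG=/var/log/coraza/audit.log \
            -e CORAZA_AUDIT_LOG_TYPE=Concurrent \
            -e CORAZA_AUDIT_STORAGE_DIR=/var/log/coraza/audit \
            "$REGISTRY/$REPO:$TARGET"
          echo "Waiting for server to start..."
          for _ in $(seq 1 30); do
            curl -s -o /dev/null --max-time 2 "http://localhost:18081/" && break
            sleep 1
          done
          echo "Sending XSS attack payload to trigger a CRS rule..."
          curl -s -o /dev/null "http://localhost:18081/?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E" || true
          echo "Checking that concurrent audit log files were created in storage directory..."
          docker exec "$TARGET-concurrent-test" sh -c '
            find /var/log/coraza/audit -type f 2>/dev/null | grep -q . \
              || { echo "FAIL: no per-transaction audit log files found in /var/log/coraza/audit"; exit 1; }
            echo "OK: concurrent audit log files found in /var/log/coraza/audit:"
            find /var/log/coraza/audit -type f 2>/dev/null
          ' || {
            echo "--- Container logs for debugging ---"
            docker logs "$TARGET-concurrent-test" 2>&1 | tail -50
            docker rm -f "$TARGET-concurrent-test" || true
            exit 1
          }
          docker rm -f "$TARGET-concurrent-test" || true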