1+ apiVersion : tekton.dev/v1beta1
2+ kind : Pipeline
3+ metadata :
4+ name : rapiddast-scan
5+ spec :
6+ description : >-
7+ Implement the RapidDAST scanning task in rh-trex to service as a proof of concept for users.
8+ params :
9+ - description : ' Snapshot of the application'
10+ name : SNAPSHOT
11+ default : ' {"components": [{"name":"test-app", "containerImage": "quay.io/example/repo:latest"}]}'
12+ type : string
13+ tasks :
14+ - name : provision-env
15+ taskRef :
16+ resolver : git
17+ params :
18+ - name : url
19+ value : https://github.com/konflux-ci/build-definitions.git
20+ - name : revision
21+ value : main
22+ - name : pathInRepo
23+ value : task/eaas-provision-space/0.1/eaas-provision-space.yaml
24+ params :
25+ - name : ownerName
26+ value : $(context.pipelineRun.name)
27+ - name : ownerUid
28+ value : $(context.pipelineRun.uid)
29+ - name : deploy-app
30+ runAfter : [provision-env]
31+ params :
32+ - name : SNAPSHOT
33+ value : $(params.SNAPSHOT)
34+ taskSpec :
35+ params :
36+ - name : SNAPSHOT
37+ description : Expected output of the application endpoint
38+ - default : ' default'
39+ name : NAMESPACE
40+ description : Namespace of the application under test
41+ - default : " "
42+ name : PORT
43+ description : Application endpoint Port
44+ results :
45+ - name : APP_URL
46+ description : APP URL
47+ steps :
48+ - name : deploy-component
49+ image : registry.redhat.io/openshift4/ose-cli:latest
50+ env :
51+ - name : SNAPSHOT
52+ value : $(params.SNAPSHOT)
53+ - name : KUBECONFIG_VALUE
54+ valueFrom :
55+ secretKeyRef :
56+ name : " $(tasks.provision-env.results.secretRef)"
57+ key : kubeconfig
58+ - name : CLIENT_ID
59+ valueFrom :
60+ secretKeyRef :
61+ name : ocm
62+ key : client_id
63+ - name : CLIENT_SEC
64+ valueFrom :
65+ secretKeyRef :
66+ name : ocm
67+ key : client_secret
68+ script : |
69+ #!/usr/bin/env bash
70+ cat <<< "$KUBECONFIG_VALUE" > /tmp/cfg
71+ dnf -y install jq git
72+ export KUBECONFIG=/tmp/cfg
73+
74+ COMPONENT_NAME=$(echo -n ${SNAPSHOT} | jq -r .components[0].name)
75+
76+ echo "Deploying component ${COMPONENT_NAME}..."
77+ COMPONENT_NAME=$(echo -n ${SNAPSHOT} | jq -r .components[0].name)
78+
79+ TARGET_COMPONENT_NAME="/tmp/rh-trex"
80+ REPO_URL=$(echo $SNAPSHOT | jq -r '.components[] | .source.git.url')
81+ REPO_COMMIT=$(echo $SNAPSHOT | jq -r '.components[] | .source.git.revision')
82+ REPO_IMG=$(echo $SNAPSHOT | jq -r '.components[] | .containerImage')
83+ git clone $REPO_URL $TARGET_COMPONENT_NAME
84+ cd $TARGET_COMPONENT_NAME
85+ git checkout $REPO_COMMIT
86+ rev=$(echo ${REPO_IMG#*/})
87+ image_reg=$(echo ${REPO_IMG%%/*})
88+ image_tag=$(echo ${rev#*:})
89+ image_rep=$(echo ${rev%:*})
90+ mkdir -p /tmp/templates/
91+ for i in $(ls templates/*yml); do j=${i#*/}; outf=${j%.*};oc process --kubeconfig /tmp/cfg --filename="$i" --local="true" --ignore-unknown-parameters="true" --param="ENVIRONMENT"=development --param="GLOG_V"=10 --param="DATABASE_HOST"=trex-db.$(oc project --short) --param="DATABASE_NAME"=rhtrex --param="DATABASE_PASSWORD"=foobar-bizz-buzz --param="DATABASE_PORT"=5432 --param="DATABASE_USER"=trex --param="DATABASE_SSLMODE"=disable --param="ENABLE_SENTRY"=false --param="SENTRY_KEY"=TODO --param="JWKS_URL"=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs --param="OCM_SERVICE_CLIENT_ID"=${CLIENT_ID} --param="OCM_SERVICE_CLIENT_SECRET"=${CLIENT_SEC} --param="OCM_BASE_URL"=https://api.integration.openshift.com --param="IMAGE_REGISTRY="$image_reg --param="IMAGE_REPOSITORY="$image_rep --param="IMAGE_TAG="$image_tag > /tmp/templates/${outf}.json; done
92+ oc apply --kubeconfig /tmp/cfg -f /tmp/templates/db-template.json
93+ sleep 60
94+ oc apply --kubeconfig /tmp/cfg -f /tmp/templates/secrets-template.json
95+ oc apply --kubeconfig /tmp/cfg -f /tmp/templates/service-template.json
96+ sleep 60
97+ oc get --kubeconfig /tmp/cfg all
98+ oc get --kubeconfig /tmp/cfg events
99+ oc describe --kubeconfig /tmp/cfg pod -l app=trex
100+ oc logs --kubeconfig /tmp/cfg -l app=trex
101+ name : setup-test
102+ runAfter : [deploy-app]
103+ taskSpec :
104+ results :
105+ - name : authenticated_url
106+ description : " The authenticated URL for the Dinosaur API"
107+ - name : config_path
108+ description : " Path to the RapiDAST configuration file"
109+ sidecars :
110+ - name : port-forward
111+ image : registry.redhat.io/openshift4/ose-cli:latest
112+ env :
113+ - name : KUBECONFIG_VALUE
114+ valueFrom :
115+ secretKeyRef :
116+ name : " $(tasks.provision-env.results.secretRef)"
117+ key : kubeconfig
118+ - name : OCM_TOKEN
119+ valueFrom :
120+ secretKeyRef :
121+ name : ocm
122+ key : ocmtoken
123+ ports :
124+ - containerPort : 8000
125+ script : |
126+ #!/usr/bin/env bash
127+ set -ex
128+ cat <<< "$KUBECONFIG_VALUE" > /tmp/cfg
129+ export KUBECONFIG=/tmp/cfg
130+
131+ echo "Starting port-forward for service/trex on port 8000..."
132+ oc port-forward --address=0.0.0.0 --kubeconfig /tmp/cfg svc/trex 8000:8000
133+ steps :
134+ - name : get-url
135+ image : registry.redhat.io/openshift4/ose-cli:latest
136+ env :
137+ - name : OCM_TOKEN
138+ valueFrom :
139+ secretKeyRef :
140+ name : ocm
141+ key : ocmtoken
142+ script : |
143+ #!/usr/bin/env bash
144+ set -ex
145+
146+ # wait for port-forward to be ready
147+ timeout 5m bash -c 'until echo > /dev/tcp/localhost/8000; do sleep 2s; done' || {
148+ echo "[ERROR] Port-forward is not ready. Exiting."
149+ exit 1
150+ }
151+
152+ BASE_URL="http://127.0.0.1:8000"
153+ CONFIG_PATH="/workspace/config.yaml"
154+
155+ wget -O /tmp/ocm https://github.com/openshift-online/ocm-cli/releases/download/v1.0.3/ocm-linux-amd64
156+ chmod +x /tmp/ocm
157+ export PATH=$PATH:/tmp
158+
159+ dnf install -y jq
160+
161+ /tmp/ocm login --token=${OCM_TOKEN} --url=${BASE_URL}
162+
163+ AUTH_RESPONSE=$(/tmp/ocm get /api/rh-trex/v1/dinosaurs)
164+
165+ # Print the response to the logs
166+ echo "${AUTH_RESPONSE}" | jq '.items[]' || echo "No dinosaurs found or failed to parse the response."
167+
168+ AUTH_URL="${BASE_URL}/api/rh-trex/v1/dinosaurs"
169+ echo -n "${AUTH_URL}" | tee $(results.authenticated_url.path)
170+ echo -n "${CONFIG_PATH}" | tee $(results.config_path.path)
171+ name : run-rapiddast
172+ image : quay.io/redhatproductsecurity/rapidast:latest
173+ env :
174+ - name : OCM_TOKEN
175+ valueFrom :
176+ secretKeyRef :
177+ name : ocm
178+ key : ocmtoken
179+ script : |
180+ #!/usr/bin/env bash
181+ set -ex
182+
183+ curl -L -o /tmp/ocm https://github.com/openshift-online/ocm-cli/releases/download/v1.0.3/ocm-linux-amd64
184+ chmod +x /tmp/ocm
185+ export PATH=$PATH:/tmp
186+
187+ AUTH_URL=$(cat /tekton/results/authenticated_url)
188+ CONFIG_PATH="/workspace/config.yaml"
189+ RESULTS_DIR="/tmp/results"
190+ LOCAL_OPENAPI_PATH="/workspace/openapi.yaml"
191+
192+ # Fetch the local `openapi.yaml` file from the repository
193+ curl -L -o ${LOCAL_OPENAPI_PATH} https://raw.githubusercontent.com/jencull/rh-trex/main/openapi/openapi.yaml || {
194+ echo "[ERROR] Failed to download the OpenAPI spec from the repository."
195+ exit 1
196+ }
197+
198+ mkdir -p ${RESULTS_DIR}
199+ chmod o+w ${RESULTS_DIR}
200+
201+ # Create the RapiDAST configuration file
202+ cat <<EOF > ${CONFIG_PATH}
203+ config:
204+ configVersion: 5
205+
206+ application:
207+ shortName: "test-app"
208+ url: "${AUTH_URL}" # Base URL for the application under test
209+
210+ general:
211+ authentication:
212+ type: http_header
213+ parameters:
214+ name: Authorization
215+ value_from_var: OCM_TOKEN
216+
217+ scanners:
218+ zap:
219+ apiScan:
220+ apis:
221+ apiFile: "${LOCAL_OPENAPI_PATH}" # Path to the OpenAPI spec
222+ resultsDir: "${RESULTS_DIR}" # Directory to store scan results
223+ activeScan:
224+ policy: "API-scan-minimal" # predefined minimal policy for active scanning
225+ report:
226+ format: ["json", "html"] # Generate JSON and HTML reports
227+ miscOptions:
228+ zapPort: 8080 # Default ZAP port
229+ memMaxHeap: "2048m" # Reduced heap size for minimal application
230+ EOF
231+
232+ # run scan
233+ ./rapidast.py --config ${CONFIG_PATH}
234+
235+ echo "RapiDAST scan completed. Checking results..."
236+ FINAL_RESULTS_DIR=$(find ./results -type d -name "DAST-*" -print -quit)
237+ if [ -z "$FINAL_RESULTS_DIR" ]; then
238+ echo "[ERROR] No results directory found. Check the scan configuration."
239+ exit 1
240+ fi
241+
242+ echo "[INFO] Results found in: ${FINAL_RESULTS_DIR}"
243+ ls -l ${FINAL_RESULTS_DIR}
0 commit comments