feat: scheduled penetration tests (#1463)

.github/workflows/merge.yml

@@ -43,7 +43,6 @@ jobs:
           parameters:
             -p ZONE=test -p NAME=${{ github.event.repository.name }}
             ${{ matrix.parameters }}
-          penetration_test: true
           name: ${{ matrix.name }}
           penetration_test_token: ${{ secrets.GITHUB_TOKEN }}
           verification_path: ${{ matrix.verification_path }}
@@ -179,7 +178,6 @@ jobs:
           parameters:
             -p ZONE=prod -p NAME=${{ github.event.repository.name }}
             ${{ matrix.parameters }}
-          penetration_test: false
           verification_path: ${{ matrix.verification_path }}
 
   cleanup-prod:

.github/workflows/pentests.yml

@@ -0,0 +1,29 @@
+name: Penetration Tests
+
+on:
+  schedule: [cron: "0 11 * * 6"] # 3 AM PST = 12 PM UDT, Saturdays
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Penetration Tests
+    env:
+      DOMAIN: apps.silver.devops.gov.bc.ca
+      PREFIX: ${{ github.event.repository.name }}-test
+    strategy:
+      matrix:
+        name: [backend, frontend]
+    steps:
+      - name: ZAP Scan
+        uses: zaproxy/[email protected]
+        with:
+          allow_issue_writing: true
+          artifact_name: "zap_${{ matrix.name }}"
+          cmd_options: "-a"
+          issue_title: "ZAP: ${{ matrix.name }}"
+          target: https://${{ env.PREFIX }}-${{ matrix.name }}.${{ env.DOMAIN }}s

.github/workflows/pr-open.yml

@@ -108,7 +108,6 @@ jobs:
           oc_server: ${{ vars.OC_SERVER }}
           oc_token: ${{ secrets.OC_TOKEN }}
           overwrite: ${{ matrix.overwrite }}
-          penetration_test: false
           parameters:
             -p ZONE=${{ github.event.number }} -p NAME=${{ github.event.repository.name }}
             ${{ matrix.parameters }}