dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

Creating Pentest Automation Using GitHub Workflow #25291

Closed TommyB13 closed 1 year ago

TommyB13 commented 1 year ago

Parent Issue

No response

User Story

As a developer, I want to be able to automate penetration testing using a workflow in GitHub Actions, so I can generate reports of potential vulnerabilities.

Acceptance Criteria

The workflow must successfully run a penetration test on the latest version of dotCMS at a specified time and push the results to a separate repository where the results will be stored.

Proposed Objective

Security & Privacy

Proposed Priority

Priority 3 - Average

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

No response

Assumptions & Initiation Needs

In order for the workflow to run, an AWS server must be set up with dotCMS running via Docker, and it must be configured as a self-hosted runner for the repository so that the workflow can run on the server.

Quality Assurance Notes & Workarounds

No response

Sub-Tasks & Estimates

No response
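As an added example of the workflow the acceptance criteria and assumptions describe (this is not the ticket's own workflow nor code from the dotCMS repository): a scheduled GitHub Actions job that runs on the self-hosted AWS runner, scans the dotCMS instance already running there in Docker with Nikto (the scanner named later in this thread), and pushes the report into a separate results repository. Everything named here is assumed for illustration: the runner labels, a repository variable `DOTCMS_TARGET_URL` pointing at the running instance, `nikto` installed on the runner, a results repository `example-org/dotcms-pentest-results`, and a secret `RESULTS_REPO_TOKEN` holding a token with write access to that repository only.

```yaml
# .github/workflows/pentest.yml  (added example; names below are assumptions)
name: scheduled-pentest

on:
  schedule:
    - cron: "0 3 * * 1"      # every Monday at 03:00 UTC
  workflow_dispatch:          # allow a manual run while developing the job

# The default token only needs to read this repo; the results repo gets its own token.
permissions:
  contents: read

jobs:
  pentest:
    # Self-hosted AWS runner that already has dotCMS up in Docker (assumed labels)
    runs-on: [self-hosted, linux, dotcms-pentest]
    env:
      TARGET_URL: ${{ vars.DOTCMS_TARGET_URL }}   # e.g. http://localhost:8082 (assumed repo variable)
    steps:
      - name: Check out the scanning repository
        uses: actions/checkout@v4

      - name: Wait for dotCMS to answer before scanning
        run: |
          for i in $(seq 1 30); do
            if curl -fsSL -o /dev/null "$TARGET_URL/"; then exit 0; fi
            sleep 10
          done
          echo "dotCMS did not respond at $TARGET_URL" >&2
          exit 1

      - name: Run Nikto against the running instance
        # A scanner failure should not stop whatever was produced from being pushed
        continue-on-error: true
        run: |
          mkdir -p reports
          stamp="$(date -u +%Y%m%dT%H%M%SZ)"
          nikto -nointeractive -h "$TARGET_URL" -Format json -output "reports/nikto-$stamp.json"

      - name: Check out the results repository
        uses: actions/checkout@v4
        with:
          repository: example-org/dotcms-pentest-results   # assumed results repo
          token: ${{ secrets.RESULTS_REPO_TOKEN }}         # assumed: scoped to that repo only
          path: results-repo

      - name: Commit and push the reports
        run: |
          dest="results-repo/$(date -u +%Y-%m-%d)"
          mkdir -p "$dest"
          cp reports/* "$dest/"
          cd results-repo
          git config user.name "pentest-bot"
          git config user.email "pentest-bot@users.noreply.github.com"
          git add .
          # Only commit when the scan actually produced something new
          git diff --cached --quiet || git commit -m "Pentest results for $(date -u +%Y-%m-%d) (run ${{ github.run_id }})"
          git push
```

Two points a practitioner would check before enabling this: the workflow must only be triggered by `schedule` and `workflow_dispatch` on the repository the runner is registered to, never by pull requests from forks, since a self-hosted runner executes whatever the triggering workflow contains and this one holds a write token; and the token in `RESULTS_REPO_TOKEN` should grant write access to the results repository alone, so a compromised runner cannot push to the code base being tested.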

sfreudenthaler commented 9 months ago

stale. @mbiuki can revisit and decide to refresh this card, drop it, or merge with another card where applicable

mbiuki commented 9 months ago

This was a research project, and it was completed by hiring a summer intern in 2023. All findings and presentation slides are put here: https://drive.google.com/drive/folders/1Og9cwhMyD8JCsEpmS04b4NdhfiC7JUdW?usp=drive_link This ticket may be closed.

mbiuki commented 8 months ago

@sfreudenthaler this was an interesting project - please review.

sfreudenthaler commented 8 months ago

Lots of interesting stuff in this prototype. Ultimately what is the proposed flow here? Who is the audience for triage and remediation?

  1. Not sure what the false positive rate looks like today and what would be acceptable
  2. Is there overlap/redundancy with other security testing we're doing?
  3. The branch never got merged back to master... What are the implications there? And crucially, is the prototype now considered "stale"? (FWIW I think the concept or the Automate & Conquer deck are still very much valid.)
  4. Who would review the findings?
  5. Would the findings block merge?
  6. Could the reporting python be modified to create github issues automatically?
  7. As noted in the deck... the Nikto Scan Report, and I'm concerned that it's not going to be actionable for engineers.