|
| 1 | +# This workflow uses actions that are not certified by GitHub. |
| 2 | +# They are provided by a third-party and are governed by |
| 3 | +# separate terms of service, privacy policy, and support |
| 4 | +# documentation. |
| 5 | +# |
| 6 | +# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API |
| 7 | +# to find reliability, performance and security issues before they reach |
| 8 | +# production. |
| 9 | +# |
| 10 | +# To use this workflow, you will need to: |
| 11 | +# |
| 12 | +# 1. Create a Mayhem for API account at |
| 13 | +# https://mayhem4api.forallsecure.com/signup |
| 14 | +# |
| 15 | +# 2. Create a service account token `mapi organization service-account create |
| 16 | +# <org-name> <service-account-name>` |
| 17 | +# |
| 18 | +# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" |
| 19 | +# |
| 20 | +# 4. Update the "Start your API" step to run your API in the background before |
| 21 | +# starting the Mayhem for API scan, and update the `api-url` & `api-spec` |
| 22 | +# field. |
| 23 | +# |
| 24 | +# If you have any questions, please contact us at [email protected] |
| 25 | + |
| 26 | +name: "Mayhem for API" |
| 27 | + |
| 28 | +on: |
| 29 | + push: |
| 30 | + branches: [ "main" ] |
| 31 | + pull_request: |
| 32 | + # The branches below must be a subset of the branches above |
| 33 | + branches: [ "main" ] |
| 34 | + |
| 35 | +jobs: |
| 36 | + mayhem-for-api: |
| 37 | + name: Mayhem for API |
| 38 | + # Mayhem for API runs on linux, mac and windows |
| 39 | + runs-on: ubuntu-latest |
| 40 | + permissions: |
| 41 | + actions: read |
| 42 | + contents: read |
| 43 | + security-events: write |
| 44 | + steps: |
| 45 | + - uses: actions/checkout@v3 |
| 46 | + |
| 47 | + # Run your API in the background. Ideally, the API would run in debug |
| 48 | + # mode & send stacktraces back on "500 Internal Server Error" responses |
| 49 | + # (don't do this in production though!) |
| 50 | + - name: Start your API |
| 51 | + run: ./run_your_api.sh & # <- ✏️ update this |
| 52 | + |
| 53 | + - name: Mayhem for API |
| 54 | + uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010 |
| 55 | + continue-on-error: true |
| 56 | + with: |
| 57 | + mapi-token: ${{ secrets.MAPI_TOKEN }} |
| 58 | + api-url: http://localhost:8080 # <- ✏️ update this |
| 59 | + api-spec: http://localhost:8080/openapi.json # <- ✏️ update this |
| 60 | + duration: 60 |
| 61 | + sarif-report: mapi.sarif |
| 62 | + |
| 63 | + - name: Upload SARIF file |
| 64 | + uses: github/codeql-action/upload-sarif@v2 |
| 65 | + with: |
| 66 | + sarif_file: mapi.sarif |
0 commit comments