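---
name: Update patterns

# Least privilege: grant only what the steps below actually use.
# `contents: write` is needed to push the regenerated patterns and to
# delete/create the `latest` release and tag. `statuses: write` was granted
# originally but no step ever updated a commit status, so it is dropped.
permissions:
  contents: write

on:
  schedule:
    - cron: '0 0 * * *'  # Run daily at midnight UTC
  workflow_dispatch:      # Allow manual trigger

# A scheduled run and a manual run must not race each other: both push to the
# branch and delete/recreate the same `latest` tag and release.
concurrency:
  group: update-patterns
  cancel-in-progress: false

defaults:
  run:
    # Explicit bash gives `-eo pipefail`, so a failing command inside a
    # pipeline fails the step instead of being silently ignored.
    shell: bash

jobs:
  update-owasp-waf:
    runs-on: ubuntu-latest
    # The scraper reaches out to the network; do not let a stuck run hold a
    # runner (and a write-capable token) open indefinitely.
    timeout-minutes: 30
    steps:
      # NOTE(review): third-party actions are referenced by mutable tags
      # (@v3, @v4). Pin each `uses:` to a full commit SHA
      # (`owner/repo@<sha>  # vX.Y.Z`) so a retargeted or compromised tag cannot
      # run arbitrary code with this job's `contents: write` token.
      - name: 🚚 Checkout Repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Full history to avoid shallow clone issues

      - name: ⚙️ Set Up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
          # Built-in pip download cache keyed on requirements.txt. This replaces
          # the separate actions/cache step: one fewer third-party action, and
          # no separate key/restore-keys to keep in sync.
          cache: pip

      - name: 📥 Install Dependencies
        # Always run. A pip cache hit only means downloaded wheels are present
        # locally, not that the packages are installed into site-packages; the
        # original skipped this step on a cache hit, so every cached run would
        # have started the scripts without their dependencies.
        run: |
          python -m pip install --upgrade pip
          # NOTE(review): if requirements.txt carries `--hash=` entries, add
          # `--require-hashes` here so a tampered index cannot substitute a
          # different artifact for a pinned version.
          pip install -r requirements.txt

      - name: 🕷️ Run OWASP Scraper
        run: python owasp2json.py

      - name: 🔄 Convert OWASP to Nginx WAF
        run: python json2nginx.py

      - name: 🔄 Convert OWASP to Apache WAF
        run: python json2apache.py

      - name: 🔄 Convert OWASP to Traefik WAF
        run: python json2traefik.py

      - name: 🔄 Convert OWASP to HAProxy WAF
        run: python json2haproxy.py

      - name: 🔄 Generate Bad Bot Blockers
        run: python badbots.py

      - name: 🚀 Commit and Push OWASP WAF patterns
        # No `continue-on-error` here: the original swallowed push failures
        # (rejected push, auth error) and then cut a `latest` release from a
        # commit that never reached the remote. "Nothing to commit" is handled
        # explicitly so it is the only non-error outcome.
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add .
          if git diff --cached --quiet; then
            echo "No changes to commit"
          else
            git commit -m "Update: [$(date)]"
            git push
          fi

      - name: 📦 Create Zip Files for Each Web Server
        run: |
          mkdir -p zips
          for server in nginx apache traefik haproxy; do
            zip -r "zips/${server}_waf.zip" "waf_patterns/${server}/"
          done
          # Publish digests alongside the archives. The `latest` tag is
          # rewritten on every run, so the tag alone gives consumers nothing to
          # verify a download against.
          (cd zips && sha256sum ./*_waf.zip > SHA256SUMS)

      - name: 🗑️ Delete Existing 'latest' Tag and Release (if they exist)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Delete the release first, then the tag it points at. `latest` is a
          # moving target by design; anyone who needs an immutable reference
          # should pin the commit SHA or verify against SHA256SUMS.
          gh release delete latest --yes || echo "Release 'latest' does not exist."
          if git rev-parse --verify --quiet refs/tags/latest; then
            git tag -d latest
          fi
          git push origin :refs/tags/latest || echo "Tag 'latest' does not exist on remote."

      - name: 🚀 Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # `gh release create` replaces actions/create-release@v1 and
          # actions/upload-release-asset@v1, both of which are archived and no
          # longer maintained. The GH CLI is already used above, so this adds
          # no new dependency and attaches all assets in one call.
          # The release targets the commit the previous step pushed (or the
          # checked-out commit when there was nothing to commit).
          gh release create latest \
            --title "Latest Release" \
            --notes "WAF patterns regenerated on $(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            --target "$(git rev-parse HEAD)" \
            zips/nginx_waf.zip \
            zips/apache_waf.zip \
            zips/traefik_waf.zip \
            zips/haproxy_waf.zip \
            zips/SHA256SUMS

      # The original "Cleanup Cache" step (`rm -rf ~/.cache/pip`, if: always())
      # was removed: it ran before the cache action's post-job save, so every
      # run saved an empty cache and the next run had nothing to restore.
      # Runners are ephemeral; there is nothing to clean up.

      - name: 🚨 Notify on Failure (Optional)
        if: failure()
        run: |
          echo "🚨 Workflow failed! Please investigate."
          # Slack or email notification logic (add webhook or SMTP integration here).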