Merge pull request #28 from PrivateBin/owasp-scan

Create OWASP GitHub Action

.github/workflows/owasp.yml

@@ -0,0 +1,48 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Security-scan
+
+# Controls when the action will run. 
+on:
+  schedule:
+    - cron: '0 3 * * *' # everyday at 03:00 UTC
+  pull_request:
+    branches: master
+  push:
+    branches: master
+    tags: '*'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Runs a single command using the runners shell
+      - name: Pull and start docker
+        run: docker run -d --read-only -p 8080:8080 privatebin/nginx-fpm-alpine
+
+      # Run OWASP scan
+      - name: OWASP ZAP Full Scan
+        uses: zaproxy/action-full-scan@v0.2.0
+        with:
+          # GitHub Token to create issues in the repository
+          #token: # optional, default is ${{ github.token }}
+          # Target URL
+          target: http://localhost:8080 
+          # Relative path of the ZAP configuration file
+          #rules_file_name: # optional
+          # The Docker file to be executed
+          #docker_name: # default is owasp/zap2docker-stable
+          # Additional command line options
+          #cmd_options: # optional
+          # The title for the GitHub issue to be created
+          #issue_title: # optional, default is ZAP Full Scan Report
+          # The action status will be set to fail if ZAP identifies any alerts during the full scan
+          #fail_action: # optional