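# Workflow: build the three service images, push them to Docker Hub, deploy each
# one to its Azure App Service, then run an OWASP ZAP baseline scan against the
# deployed frontend (see the dast-scan job).
name: Deploy containers (Docker Hub) and DAST Scan

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: no step in this workflow writes to the
# repository (checkout only reads it; Azure and Docker Hub use their own
# credentials), so a read-only token is all that is required.
permissions:
  contents: read

env:
  RG_NAME: rg-devsecopsuc
  LOCATION: eastus2  # not referenced by any step in this file; kept for reference
  FRONTEND_APP: frontend-web-devsecopsuc
  AUTH_APP: auth-service-devsecopsuc
  ROOMS_APP: rooms-service-devsecopsuc
  # Real deployed hostnames (used by ZAP or for manual testing).
  # Only FRONTEND_URL is consumed by a step in this file.
  AUTH_URL: https://auth-service-devsecopsuc-f7asb3addcfpf6b7.eastus2-01.azurewebsites.net
  ROOMS_URL: https://rooms-service-devsecopsuc-cpehdmf5b7hrhydg.eastus2-01.azurewebsites.net
  FRONTEND_URL: https://frontend-web-devsecopsuc-gjaqc5bkaabpazeh.eastus2-01.azurewebsites.net
  # Mutable tag: every run overwrites "latest", so a deployed revision cannot be
  # traced back to the build that produced it. An immutable tag (for example
  # the commit SHA) would make deployments reproducible and auditable.
  IMAGE_TAG: latest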
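jobs:
  # Supply-chain note: every action below is pinned to a major-version tag
  # (v2/v3/v4/v5). Tags can be moved by the action's maintainers; pinning each
  # `uses:` to a full commit SHA gives a reproducible, tamper-evident build.
  build-and-deploy:
    runs-on: ubuntu-latest
    name: Build & Deploy to Azure (Docker Hub)
    steps:
      - name: 📦 Checkout code
        uses: actions/checkout@v4

      - name: 🔑 Azure Login (for Key Vault)
        uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # === Load only the secrets this job needs (Docker Hub) from Key Vault ===
      - name: 🔐 Load Docker secrets from Azure Key Vault (CLI)
        id: get-secrets
        run: |
          echo "Fetching Docker secrets from Key Vault (kv-devsecopsuc)..."
          DOCKER_USER=$(az keyvault secret show --name "DOCKERHUB-USER" --vault-name "kv-devsecopsuc" --query value -o tsv)
          DOCKER_PASS=$(az keyvault secret show --name "DOCKERHUB-TOKEN" --vault-name "kv-devsecopsuc" --query value -o tsv)
          # An empty secret would otherwise surface later as an opaque Docker Hub
          # login failure; fail here with a clear message instead.
          if [ -z "$DOCKER_USER" ] || [ -z "$DOCKER_PASS" ]; then
            echo "::error::DOCKERHUB-USER / DOCKERHUB-TOKEN not found or empty in kv-devsecopsuc"
            exit 1
          fi
          # Values read with the CLI are plain step output, not GitHub secrets,
          # so the runner would not redact them if a later step printed them.
          # Register the token with the log masker before exporting it.
          echo "::add-mask::$DOCKER_PASS"
          {
            echo "docker_user=$DOCKER_USER"
            echo "docker_pass=$DOCKER_PASS"
          } >> "$GITHUB_OUTPUT"

      - name: 🧱 Login to Docker Hub
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ steps.get-secrets.outputs.docker_user }}
          password: ${{ steps.get-secrets.outputs.docker_pass }}

      # === Build & push each image to Docker Hub ===
      # All three builds use the repository root as context and select the
      # service with a per-service Dockerfile.
      - name: 🏗️ Build and Push auth-service
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Unidad2_DespliegueSeguro/docker/Dockerfile.auth
          push: true
          tags: |
            ${{ steps.get-secrets.outputs.docker_user }}/auth-service:${{ env.IMAGE_TAG }}

      - name: 🏗️ Build and Push rooms-service
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Unidad2_DespliegueSeguro/docker/Dockerfile.rooms
          push: true
          tags: |
            ${{ steps.get-secrets.outputs.docker_user }}/rooms-service:${{ env.IMAGE_TAG }}

      - name: 🏗️ Build and Push frontend-web
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Unidad2_DespliegueSeguro/docker/Dockerfile.frontend
          push: true
          tags: |
            ${{ steps.get-secrets.outputs.docker_user }}/frontend-web:${{ env.IMAGE_TAG }}

      # === Deploy each container to its own App Service ===
      # Re-authenticates before the deploy calls (kept from the original flow;
      # the session from the first login normally still covers this job).
      - name: 🔑 Azure Login
        uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Registry credentials are handed to the shell through `env:` rather than
      # being interpolated into the script text with ${{ }}: the value never
      # becomes part of the script, and quoting is then handled by the shell.
      - name: 🚀 Deploy auth-service
        env:
          DOCKER_USER: ${{ steps.get-secrets.outputs.docker_user }}
          DOCKER_PASS: ${{ steps.get-secrets.outputs.docker_pass }}
        run: |
          az webapp config container set \
            --name "$AUTH_APP" \
            --resource-group "$RG_NAME" \
            --docker-custom-image-name "$DOCKER_USER/auth-service:$IMAGE_TAG" \
            --docker-registry-server-url https://index.docker.io/v1/ \
            --docker-registry-server-user "$DOCKER_USER" \
            --docker-registry-server-password "$DOCKER_PASS"

      - name: 🚀 Deploy rooms-service
        env:
          DOCKER_USER: ${{ steps.get-secrets.outputs.docker_user }}
          DOCKER_PASS: ${{ steps.get-secrets.outputs.docker_pass }}
        run: |
          az webapp config container set \
            --name "$ROOMS_APP" \
            --resource-group "$RG_NAME" \
            --docker-custom-image-name "$DOCKER_USER/rooms-service:$IMAGE_TAG" \
            --docker-registry-server-url https://index.docker.io/v1/ \
            --docker-registry-server-user "$DOCKER_USER" \
            --docker-registry-server-password "$DOCKER_PASS"

      - name: 🚀 Deploy frontend-web
        env:
          DOCKER_USER: ${{ steps.get-secrets.outputs.docker_user }}
          DOCKER_PASS: ${{ steps.get-secrets.outputs.docker_pass }}
        run: |
          az webapp config container set \
            --name "$FRONTEND_APP" \
            --resource-group "$RG_NAME" \
            --docker-custom-image-name "$DOCKER_USER/frontend-web:$IMAGE_TAG" \
            --docker-registry-server-url https://index.docker.io/v1/ \
            --docker-registry-server-user "$DOCKER_USER" \
            --docker-registry-server-password "$DOCKER_PASS"

  # === ZAP scan after deploy ===
  # Runs only once build-and-deploy has succeeded, so it scans the revision
  # that was just deployed. Only FRONTEND_URL is scanned; the workflow-level
  # AUTH_URL and ROOMS_URL are not exercised by this job.
  dast-scan:
    runs-on: ubuntu-latest
    needs: build-and-deploy
    name: OWASP ZAP DAST Scan
    steps:
      - uses: actions/checkout@v4

      - name: 🧰 Prepare environment
        run: |
          # The ZAP image runs as an unprivileged "zap" user, which must be able
          # to write reports into the bind-mounted directory; hence world-writable.
          mkdir -p zap-output
          chmod 777 zap-output

      - name: 🧪 Run OWASP ZAP Baseline Scan
        id: zap
        env:
          TARGET_URL: ${{ env.FRONTEND_URL }}
        run: |
          docker pull ghcr.io/zaproxy/zaproxy:stable
          echo "Scanning $TARGET_URL ..."
          # zap-baseline.py exits non-zero when it finds alerts (ZAP docs:
          # 0 pass, 1 FAIL, 2 WARN, 3 script error). The scan stays non-blocking,
          # as before, but the exit code is captured and exported so the summary
          # step can report it instead of discarding it with "|| true".
          # -m 5 : spider for 5 minutes; -a : include alpha passive-scan rules.
          set +e
          docker run --rm \
            -v "$GITHUB_WORKSPACE/zap-output:/zap/wrk" \
            ghcr.io/zaproxy/zaproxy:stable \
            zap-baseline.py \
              -t "$TARGET_URL" \
              -r zap_report.html \
              -J zap_report.json \
              -w zap_report.md \
              -m 5 \
              -a
          zap_exit=$?
          set -e
          echo "ZAP baseline exit code: $zap_exit"
          echo "exit_code=$zap_exit" >> "$GITHUB_OUTPUT"

      - name: 📤 Upload ZAP Reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ZAP-DAST-Reports
          path: zap-output

      - name: 📝 Summarize ZAP in job summary
        if: always()
        env:
          ZAP_EXIT: ${{ steps.zap.outputs.exit_code }}
        run: |
          # ZAP_EXIT is empty when the scan step did not reach the export line.
          {
            echo "## ZAP Baseline Summary"
            echo ""
            echo "Target: **${FRONTEND_URL}**"
            echo "ZAP exit code: **${ZAP_EXIT:-unknown}** (0 = pass, 1 = FAIL, 2 = WARN, 3 = error)"
            echo "Artifacts: **ZAP-DAST-Reports** (HTML/JSON/MD)"
          } >> "$GITHUB_STEP_SUMMARY"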