Apache OpenMeetings: integrate Mayhem for API (GitHub Actions workflow)
name: 'Mayhem for API'
on:
  workflow_call:
  push:
  pull_request:
  workflow_dispatch:
env:
  DEFAULT_JDK_VERSION: 8
jobs:
  build:
    ##################################################
    # Build
    ##################################################
    name: Scan
    runs-on: ubuntu-latest
    steps:
      # Check out source
      - uses: actions/checkout@v2
      - name: Build Docker Image(s)
        run: docker build -t openmeetings:mapi --build-arg BUILD_TYPE=mysql .
      - name: Run API
        run: docker run -t --rm -p 5080:5080 -d --name openmeetings-mapi openmeetings:mapi
      - name: Wait for server to start
        run: timeout 360 bash -c 'until curl --fail localhost:5080/openmeetings/services/info/health; do docker ps && sleep 10; done'
      # Fetch the session token for the initial admin user by calling the
      # login endpoint of the running service, then export it to later steps.
      # --fail makes a non-2xx login abort the step instead of silently
      # storing "null" as the token.
      - name: Get token for initial user
        run: |
          token=$( curl --fail --silent --show-error --location \
            -X GET \
            "http://localhost:5080/openmeetings/services/user/login?user=om_admin&pass=1Q2w3e4r5t%5Ey" | jq -j ".serviceResult.message")
          echo "AUTH_TOKEN=$token" >> "$GITHUB_ENV"
      ##################################################
      # Mayhem
      #
      # Run Mayhem for API. This starts a new run against
      # the REST API served by the container launched above.
      #
      # Results are collected in SARIF format and submitted
      # to codeql-action so that any API issues discovered
      # are reported as code-scanning alerts.
      ##################################################
      - name: Run Mayhem for API to check for vulnerabilities
        uses: ForAllSecure/mapi-action@v1
        continue-on-error: true
        with:
          mapi-token: ${{ secrets.MAPI_TOKEN }}
          api-url: http://localhost:5080/openmeetings/services
          api-spec: https://openmeetings.apache.org/swagger/apache-openmeetings-6.3.0-swagger.json
          target: mayhemheroes/openmeetings-docker
          duration: 1min
          sarif-report: mapi.sarif
          html-report: mapi.html
          #
          # Keycloak REST APIs are generated from HTML and then manually
          # adjusted for each version. This means that the specification
          # will not be as accurate as one generated from source or maintained
          # by hand. The InvalidResponseSpec rule is ignored in order to
          # reduce the number of warnings raised against this generated
          # specification.
          #
          # https://github.com/ccouzens/keycloak-openapi
          #
          run-args: |
            --concurrency
            4
            --resource-hint
            .*QUERY sid:${{ env.AUTH_TOKEN }}
      ##################################################
      # Report
      #
      # An HTML report containing the results of the run
      # is archived for later viewing, and a SARIF (Static
      # Analysis Results Interchange Format) report is
      # produced and passed to CodeQL. CodeQL reports any
      # issues discovered in your Action results.
      ##################################################
      - name: Archive Mayhem for API report
        uses: actions/upload-artifact@v2
        with:
          name: mapi-report
          path: mapi.html
      - name: Archive Mayhem for API SARIF report
        uses: actions/upload-artifact@v2
        with:
          name: sarif-report
          path: mapi.sarif
      # Upload SARIF file (only available on public repos or GitHub Enterprise)
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: mapi.sarif
      # Clean up docker
      - name: Stop containers
        if: always()
        run: docker rm -f openmeetings-mapi
      # Prune old docker volumes
      - name: Prune volumes
        if: always()
        run: docker volume prune -f
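Because the Mayhem step runs with continue-on-error, findings never fail the job on their own; the SARIF report is uploaded and it is up to code scanning (or a reviewer) to notice. The script below is an added example, not part of the gist or of the mapi-action project: it parses a SARIF 2.1.0 report (the runs[].results[] layout with ruleId and level), counts results by rule and by level, and returns a non-zero status when error-level results remain after ignoring a noisy rule, so it can be dropped in as a gate step after the upload. The sample report and the InternalServerError rule id are constructed for illustration; InvalidResponseSpec is the rule named in the workflow comment, and treating a missing level as "warning" follows the SARIF 2.1.0 default.

```python
#!/usr/bin/env python3
"""Summarise a Mayhem for API SARIF report and decide whether the job should fail.

Added example, not part of the gist. Assumes the SARIF 2.1.0 layout
(runs[].results[] with "ruleId" and "level"); the sample report and its
rule ids are constructed for illustration, not real Mayhem for API output.
"""
import json
import sys
from collections import Counter

# Constructed sample report (not real mapi output). "InvalidResponseSpec" is the
# rule named in the workflow comment; "InternalServerError" is a hypothetical id.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Mayhem for API"}},
        "results": [
            {"ruleId": "InternalServerError", "level": "error",
             "message": {"text": "HTTP 500 from GET /user/login"}},
            {"ruleId": "InvalidResponseSpec", "level": "warning",
             "message": {"text": "response body does not match the spec"}},
            # No "level" here: SARIF 2.1.0 treats that as "warning".
            {"ruleId": "InvalidResponseSpec",
             "message": {"text": "response code missing from the spec"}},
        ],
    }],
})


def iter_results(sarif_text, ignore_rules=()):
    """Yield (ruleId, level) for every result, skipping ignored rules."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            rule = result.get("ruleId", "<no-rule>")
            if rule in ignore_rules:
                continue
            yield rule, result.get("level", "warning")


def count_by_level(sarif_text, ignore_rules=()):
    """Map each SARIF level (error/warning/note) to the number of results."""
    return dict(Counter(level for _, level in iter_results(sarif_text, ignore_rules)))


def count_by_rule(sarif_text, ignore_rules=()):
    """Map each ruleId to the number of results it produced."""
    return dict(Counter(rule for rule, _ in iter_results(sarif_text, ignore_rules)))


def should_fail(sarif_text, fail_on=("error",), ignore_rules=()):
    """True when any non-ignored result has a level listed in fail_on."""
    return any(level in fail_on for _, level in iter_results(sarif_text, ignore_rules))


def main(argv):
    # Usage as a workflow step placed after "Upload SARIF file":
    #   python3 sarif_gate.py mapi.sarif
    # With no path given, the constructed sample above is summarised instead.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    ignore = ("InvalidResponseSpec",)  # spec-accuracy noise, per the workflow comment
    for rule, n in sorted(count_by_rule(text).items()):
        print(f"{n:4d}  {rule}")
    print("by level (after ignores):", count_by_level(text, ignore))
    return 1 if should_fail(text, ignore_rules=ignore) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Placing the gate after the upload-sarif step keeps the full report in code scanning even when the job is then marked failed; widening fail_on to include "warning" turns the gate strict once the spec has been cleaned up.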