Skip to content

chore: fix pen tests CI #7479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+14 −1
Open

chore: fix pen tests CI #7479

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Loading status checks…
chore: fix pen tests CI
@darcyYe
darcyYe committed Jun 23, 2025

Verified

This commit was signed with the committer’s verified signature.
darcyYe Darcy Ye
GPG key ID: B46F4C07EDEFC610
Verified
Learn about vigilant mode
commit 931b56bbb6350864a754d468207a9d6e02e32d27
15 changes: 14 additions & 1 deletion .zap/rules.conf
View file
Original file line number Diff line number Diff line change
@@ -3,15 +3,28 @@
# CloudFlare will block the metadata endpoint access
90034 IGNORE (Cloud Metadata Potentially Exposed - Active/release)

# Not applicable to the cloud appliaction
# Not applicable to the cloud application
10096 IGNORE (Timestamp Disclosure - Passive/release)
40039 IGNORE (Web Cache Deception)

# TODO
10063 IGNORE (Permissions Policy Header Not Set - Passive/beta)

# The applicationInsights endpoint will be removed
# CSP policies are required for Google One Tap, reCAPTCHA, and CDN resources
10055 IGNORE (CSP - Wildcard Directive)
10055 IGNORE (CSP: script-src unsafe-hashes)
10055 IGNORE (CSP: script-src unsafe-inline)
10055 IGNORE (CSP: style-src unsafe-inline)

# Experience app is rendered under the root path. No hidden files are exposed. A 404 experience page will be returned.
40035 IGNORE (Hidden File Found - Active/release)

# Auth status page requires specific headers for iframe storage access
10020 IGNORE (X-Frame-Options Header Not Set)
10021 IGNORE (X-Content-Type-Options Header Missing)
10049 IGNORE (Storable and Cacheable Content)
10038 IGNORE (Content Security Policy (CSP) Header Not Set)

# Cross-origin headers are disabled for Google One Tap iframe compatibility
90004 IGNORE (Insufficient Site Isolation Against Spectre Vulnerability)
Comment on lines +16 to +30
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to ignore these rules conditionally?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should not ignore all these rules globally. Should add these headers to the auth status page as well.

Unchanged files with check annotations Beta

View file
Dockerfile
###### [STAGE] Build ######
FROM node:22-alpine as builder

Check warning on line 2 in Dockerfile

GitHub Actions / main-dockerize

The 'as' keyword should match the case of the 'from' keyword 

FromAsCasing: 'as' and 'FROM' keywords' casing do not match
More info: https://docs.docker.com/go/dockerfile/rule/from-as-casing/
WORKDIR /etc/logto
ENV CI=true
RUN rm -rf .scripts pnpm-*.yaml packages/cloud
###### [STAGE] Seal ######
FROM node:22-alpine as app

Check warning on line 41 in Dockerfile

GitHub Actions / main-dockerize

The 'as' keyword should match the case of the 'from' keyword 

FromAsCasing: 'as' and 'FROM' keywords' casing do not match
More info: https://docs.docker.com/go/dockerfile/rule/from-as-casing/
WORKDIR /etc/logto
COPY --from=builder /etc/logto .
RUN mkdir -p /etc/logto/packages/cli/alteration-scripts && chmod g+w /etc/logto/packages/cli/alteration-scripts