DevSlop pixi-crs - Integration of OWASP ModSecurity CRS into a CI Pipeline
This repository is one of DevSlop's modules as described in devslop.github.io.
This repository integrates the ModSecurity WAF with the OWASP ModSecurity Core Rule Set (CRS), together with tests of its behaviour, into several CI pipelines.
Currently the following Pipelines are implemented:
- Google Cloud Provider
- Azure Pipeline
- GitHub Actions
The CI pipelines run TestCafe tests against DevSlop's vulnerable web application Pixi, both without and with the CRS in front of it.
By adding and testing the WAF in the Continuous Integration (CI) pipeline, we give application developers early feedback on how their application will behave when deployed behind a WAF. The tests assert that Pixi's legitimate traffic is not blocked by the WAF, and that illegitimate traffic is.
Building Blocks of the pixi-crs Pipelines and how they are implemented
| Building Block | | | | | |
|---|---|---|---|---|---|
| Start Pixi | docker-compose up | docker-compose up | docker-compose up | docker-compose up | docker-compose up |
| Start CRS | docker run | same docker-compose | same docker-compose | same docker-compose | same docker-compose |
| ModSec Tuning | docker cp | Volume docker-compose | Volume docker-compose | Volume docker-compose | Volume docker-compose |
| Start Testcafe | Testcafe Docker | npm install testcafe | Testcafe Docker | Testcafe Docker | Testcafe Docker |
| Log Analysis | docker exec cat logfile | docker exec cat logfile | docker exec cat logfile | docker exec cat logfile | docker exec cat logfile |
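The "Log Analysis" building block above reads the ModSecurity log out of the CRS container with `docker exec cat logfile`; the pipeline then has to decide from that text whether the run passes. The script below is an added example of that decision step, not code from the pixi-crs repository: it parses Apache-style ModSecurity error-log lines, treats a CRS rule 949110 "Access denied" event as a block, and reports legitimate URIs that were blocked (false positives to fix with a ModSec tuning exclusion) and attack URIs that were not blocked. The log lines, client addresses, URIs and the two URI sets are constructed for the example; the rule ids are standard CRS ids.

```python
"""Evaluate a ModSecurity error log captured from a CI run of Pixi behind the CRS.
Added example for the pixi-crs README; the sample log and URI lists are constructed."""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The CRS rule that performs the actual block once the inbound anomaly score
# reaches the threshold; the per-attack rules (942100, 932100, ...) only log.
CRS_INBOUND_BLOCKING_RULE = "949110"

_FIELDS = {
    "id": re.compile(r'\[id "(\d+)"\]'),
    "msg": re.compile(r'\[msg "([^"]*)"\]'),
    "uri": re.compile(r'\[uri "([^"]*)"\]'),
}


@dataclass(frozen=True)
class ModSecEvent:
    rule_id: str
    msg: str
    uri: str
    blocked: bool  # True when the line is a "403 Access denied" event


def parse_modsec_log(text: str) -> List[ModSecEvent]:
    """Parse ModSecurity error-log lines; other Apache log output is skipped."""
    events = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue
        matches = {name: rx.search(line) for name, rx in _FIELDS.items()}
        if matches["id"] is None:
            continue  # a ModSecurity line without a rule id carries nothing to evaluate
        value = lambda name: matches[name].group(1) if matches[name] else ""
        events.append(ModSecEvent(
            rule_id=value("id"),
            msg=value("msg"),
            uri=value("uri"),
            blocked="Access denied with code 403" in line,
        ))
    return events


def evaluate_run(events: Iterable[ModSecEvent],
                 legitimate_uris: Iterable[str],
                 attack_uris: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (false_positives, missed_attacks); either being non-empty fails the run.
    The real pipeline runs the legitimate and the attack TestCafe suites separately,
    so the two URI sets do not overlap."""
    blocked_uris = {e.uri for e in events
                    if e.blocked and e.rule_id == CRS_INBOUND_BLOCKING_RULE}
    false_positives = sorted(blocked_uris & set(legitimate_uris))
    missed_attacks = sorted(set(attack_uris) - blocked_uris)
    return false_positives, missed_attacks


def triggered_rules(events: Iterable[ModSecEvent], uri: str) -> List[str]:
    """Rule ids that fired on a URI (excluding the blocking rule itself): what a
    developer needs to write a targeted rule exclusion for a false positive."""
    return sorted({e.rule_id for e in events
                   if e.uri == uri and e.rule_id != CRS_INBOUND_BLOCKING_RULE})


# Constructed sample log: one SQLi attempt on /api/login that the CRS blocks,
# a harmless warning on /api/pictures, and a legitimate upload that is wrongly blocked.
SAMPLE_LOG = """\
[Mon Jan 01 12:00:00.000000 2024] [:error] [pid 42] [client 172.18.0.1:51234] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/api/login"] [unique_id "X1"]
[Mon Jan 01 12:00:00.100000 2024] [:error] [pid 42] [client 172.18.0.1:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/api/login"] [unique_id "X1"]
[Mon Jan 01 12:00:01.000000 2024] [:error] [pid 42] [client 172.18.0.1:51236] ModSecurity: Warning. Matched "Operator Rx". [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "10"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [uri "/api/pictures"] [unique_id "X2"]
[Mon Jan 01 12:00:02.000000 2024] [:error] [pid 42] [client 172.18.0.1:51238] ModSecurity: Warning. Pattern match at REQUEST_BODY. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "100"] [id "932100"] [msg "Remote Command Execution: Unix Command Injection"] [severity "CRITICAL"] [uri "/api/pictures/upload"] [unique_id "X3"]
[Mon Jan 01 12:00:02.100000 2024] [:error] [pid 42] [client 172.18.0.1:51238] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [uri "/api/pictures/upload"] [unique_id "X3"]
"""
LEGITIMATE_URIS = {"/api/pictures", "/api/pictures/upload"}  # constructed
ATTACK_URIS = {"/api/login"}                                  # constructed

if __name__ == "__main__":
    # In the pipeline, feed `docker exec <crs-container> cat <logfile>` output in on stdin.
    log_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    found = parse_modsec_log(log_text)
    fps, missed = evaluate_run(found, LEGITIMATE_URIS, ATTACK_URIS)
    for uri in fps:
        print(f"FALSE POSITIVE: {uri} blocked by rules {triggered_rules(found, uri)}")
    for uri in missed:
        print(f"MISSED ATTACK: {uri} was not blocked")
    sys.exit(1 if (fps or missed) else 0)
```

The exit status is what makes this a CI gate: a non-zero code fails the job, and the printed rule ids tell the developer which CRS rule to exclude for the blocked legitimate request in the ModSec tuning step rather than loosening the whole rule set.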
Local Startup of Pixi and CRS
If you want to start Pixi and the CRS locally, run:
docker-compose --env-file compose-local.env up -d
Description of the CI Pipeline
- Pixi-CRS goes to the Cloud: a 6-part blog post series
- DevSlop blog post on dev.to describing the CircleCI pixi-crs pipeline
- DevSlop blog post on dev.to describing how the CRS protects Pixi
Blog Post about Pixi's vulnerabilities and the CRS
Also see the Testcafe tests of known vulnerabilities in Pixi in this branch.