This repository is one of DevSlop's modules, as described at devslop.github.io.
It integrates the ModSecurity WAF with the OWASP ModSecurity Core Rule Set (CRS), together with its testing, into different CI pipelines.
Currently the following pipelines are implemented:
- CircleCI
- AWS
- Google Cloud Provider
- Azure Pipeline
- GitHub Actions
The CI pipelines test (with TestCafe) DevSlop's vulnerable web application Pixi, both without and with the CRS.
By adding and testing the WAF in the Continuous Integration (CI) pipeline, we give application developers early feedback on how their application will behave behind a WAF. We ensure that Pixi’s legitimate traffic is not blocked by the WAF, and that illegitimate traffic is.
| Step | CircleCI | AWS | GCP | Azure | GitHub Actions |
|---|---|---|---|---|---|
| Code File | .circleci/config.yml | buildspec.yml | cloudbuild.yaml | azure-pipelines.yml | .github/workflows/pixi-crs-ci.yml |
| Start Pixi | docker-compose up | docker-compose up | docker-compose up | docker-compose up | docker-compose up |
| Start CRS | docker run | same docker-compose | same docker-compose | same docker-compose | same docker-compose |
| ModSec Tuning | docker cp | Volume docker-compose | Volume docker-compose | Volume docker-compose | Volume docker-compose |
| Start Testcafe | Testcafe Docker | npm install testcafe | Testcafe Docker | Testcafe Docker | Testcafe Docker |
| Log Analysis | docker exec cat logfile | docker exec cat logfile | docker exec cat logfile | docker exec cat logfile | docker exec cat logfile |
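As an added example (not code from the Pixi-CRS repository), a small Python gate for the "Log Analysis" step above: it parses the ModSecurity error log that `docker exec cat logfile` dumps and fails the run if a legitimate-traffic TestCafe run was blocked or an attack run was not. It assumes the legitimate and attack runs are captured as separate log excerpts and that the log uses libmodsecurity's bracketed `[key "value"]` fields; the log lines themselves are constructed.

```python
import re

# Constructed ModSecurity (libmodsecurity) error-log excerpts, not output from the real pipeline.
# The bracketed [key "value"] pairs follow ModSecurity's log format; 920350 and 949110 are CRS rule ids.
LEGIT_RUN_LOG = """\
2021/03/01 10:00:01 [warn] 7#7: *1 ModSecurity: Warning. Matched "Operator `Rx' ..." [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"] [unique_id "c1"]
"""
ATTACK_RUN_LOG = """\
2021/03/01 10:05:02 [error] 7#7: *2 ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' ..." [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/api/user/search"] [unique_id "c2"]
2021/03/01 10:05:03 [warn] 7#7: *3 ModSecurity: Warning. Matched "Operator `Rx' ..." [id "920350"] [msg "Host header is a numeric IP address"] [uri "/login"] [unique_id "c3"]
"""

# Matches the [key "value"] fields ModSecurity appends to every log line.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_blocks(log_text):
    """One dict per blocked request. Warning lines are skipped: they scored but did not block."""
    blocks = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        blocks.append({"id": fields.get("id"), "msg": fields.get("msg"), "uri": fields.get("uri")})
    return blocks


def legit_run_ok(log_text):
    """Gate for the legitimate TestCafe run: any block at all is a false positive."""
    return len(parse_blocks(log_text)) == 0


def missed_attacks(log_text, expected_uris):
    """URIs the attack run hit that were never blocked (each one is a missed detection)."""
    blocked = {b["uri"] for b in parse_blocks(log_text)}
    return sorted(set(expected_uris) - blocked)


def attack_run_ok(log_text, expected_uris):
    """Gate for the attack run: every attacked URI must appear in at least one block."""
    return not missed_attacks(log_text, expected_uris)


if __name__ == "__main__":
    # Exit non-zero so the CI step fails when either gate is violated.
    ok = legit_run_ok(LEGIT_RUN_LOG) and attack_run_ok(ATTACK_RUN_LOG, ["/api/user/search"])
    raise SystemExit(0 if ok else 1)
```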
If you want to start Pixi and the CRS locally, you can run:

```sh
docker-compose --env-file compose-local.env up -d
```

Then you can reach Pixi directly at http://localhost:8000/, and the WAF with Pixi as its backend at http://localhost:8080/.
- Pixi-CRS goes to the Cloud: a 6-part blog post series
- DevSlop blog post on dev.to describing the CircleCI pixi-crs pipeline
- DevSlop blog post on dev.to describing how the CRS protects Pixi
Also see the Testcafe tests of known vulnerabilities in Pixi in this branch.