AikidoSec/firewall-tester-action

Firewall Tester Action

This is an internal validation framework used to check that firewall agents work correctly.
It runs QA tests against a firewall agent inside a Dockerized test application and checks expected behaviors such as startup events, heartbeats, and runtime protection (the individual tests, e.g. test_allowed_ip and test_sql_injection, can be skipped through the skip_tests input).

🚀 Usage

jobs:
  run-firewall-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Firewall QA Tests
        uses: AikidoSec/firewall-tester-action@v1
        with:
          dockerfile_path: ./test-app-dockerfiles/Dockerfile.hono
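A fuller workflow, as an added example rather than one from the project, showing the remaining inputs from the table below together with a way to hand a secret to the test container without putting its value on the docker command line. The secret name APP_TOKEN, the application port, and the assumption that the action spawns docker with the step's own environment (so a value-less -e NAME is inherited by docker run) are this example's own; the page does not state how the action invokes docker.

```yaml
name: Firewall QA

on:
  pull_request:
  workflow_dispatch:

jobs:
  run-firewall-tests:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Firewall QA Tests
        uses: AikidoSec/firewall-tester-action@v1
        env:
          # Hypothetical secret. Set on the step so that `-e APP_TOKEN` below
          # can inherit it from the environment (standard docker run behavior
          # for a -e flag without a value); the value then never appears in
          # the extra_args string or in the logged docker command line.
          # Assumes the action passes its environment through to docker run.
          APP_TOKEN: ${{ secrets.APP_TOKEN }}
        with:
          dockerfile_path: ./test-app-dockerfiles/Dockerfile.hono
          # Build-time arguments go to `docker build`, not to the container.
          extra_build_args: --build-arg APP_VERSION=2.0.1
          # Only --env / -e / --env-file are allowed here; no mounts, no
          # --privileged, no network flags.
          extra_args: -e APP_TOKEN --env APP_ENV=test
          app_port: 3000            # assumed port of the test app
          max_parallel_tests: 3
          test_timeout: 120
          skip_tests: test_allowed_ip
```

Anything placed in extra_args is visible wherever the workflow logs the docker command, so keep literal secret values out of it and prefer the env-inheritance or --env-file forms.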

🧩 Inputs

| Name | Description | Default |
| --- | --- | --- |
| dockerfile_path | Path to the Dockerfile with the Aikido agent installed (required) | |
| extra_args | Extra arguments to pass to the docker run command. Only --env, -e, and --env-file are allowed; other docker run flags (volume mounts, --privileged, network settings) are not accepted through this input. | |
| extra_build_args | Extra arguments to pass to the docker build command (e.g. --build-arg APP_VERSION=2.0.1) | |
| app_port | The port exposed by the application during Docker runtime | |
| max_parallel_tests | Maximum number of tests to run in parallel | 5 |
| config_update_delay | Delay (in seconds) after updating the config to ensure it's applied | 60 |
| skip_tests | Comma-separated list of tests to skip (e.g. test_allowed_ip,test_sql_injection) | |
| test_timeout | Timeout (in seconds) for each test | 60 |
| sleep_before_test | Number of seconds to wait before starting the test | 1 |
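One way to enforce the extra_args allowlist, as an added example in TypeScript (the language the action is written in) and not the action's own code. The function names, the whitespace tokenizer, and the policy of reporting unknown tokens instead of silently dropping them are this example's assumptions; the action's real parser may differ.

```typescript
// Added example, not the action's own code: enforce the README's allowlist for
// the `extra_args` input (only --env, -e and --env-file may reach `docker run`).
// Function names, the whitespace tokenizer and the reject-don't-drop policy are
// this example's assumptions.

const ALLOWED_FLAGS = new Set(["--env", "-e", "--env-file"]);

interface FilterResult {
  /** argv tokens safe to append to `docker run`. */
  accepted: string[];
  /** Tokens that were refused, so the action can fail instead of silently dropping them. */
  rejected: string[];
}

/**
 * Tokenize on whitespace (simplification: quoted values containing spaces are
 * not supported) and keep only allowlisted flags together with their value.
 * Both `--env KEY=VAL` and `--env=KEY=VAL` are accepted. Everything else, e.g.
 * `--privileged`, `-v /:/host`, `--network host` or a stray positional token,
 * is reported in `rejected`.
 */
function filterDockerRunArgs(extraArgs: string): FilterResult {
  const tokens = extraArgs.trim().split(/\s+/).filter((t) => t.length > 0);
  const accepted: string[] = [];
  const rejected: string[] = [];

  for (let i = 0; i < tokens.length; i++) {
    const tok = tokens[i] ?? "";

    // `--env=KEY=VAL` / `--env-file=path`: flag and value fused in one token.
    const eq = tok.indexOf("=");
    if (tok.startsWith("--") && eq > 0) {
      const flag = tok.slice(0, eq);
      const value = tok.slice(eq + 1);
      if (ALLOWED_FLAGS.has(flag) && value.length > 0 && !value.startsWith("-")) {
        accepted.push(flag, value);
      } else {
        rejected.push(tok);
      }
      continue;
    }

    // `--env KEY=VAL`, `-e KEY` (value inherited from the environment by docker),
    // `--env-file path`: flag followed by a separate value token.
    if (ALLOWED_FLAGS.has(tok)) {
      const value = tokens[i + 1];
      if (value !== undefined && !value.startsWith("-")) {
        accepted.push(tok, value);
        i++; // consume the value token
      } else {
        rejected.push(tok); // allowlisted flag without a usable value
      }
      continue;
    }

    rejected.push(tok);
  }

  return { accepted, rejected };
}

/** Fail loudly, the way a failing action step would, if anything was rejected. */
function assertAllowedDockerRunArgs(extraArgs: string): string[] {
  const { accepted, rejected } = filterDockerRunArgs(extraArgs);
  if (rejected.length > 0) {
    throw new Error(`extra_args contains disallowed tokens: ${rejected.join(" ")}`);
  }
  return accepted;
}
```

Pass the accepted tokens to docker as an argv array (child_process.execFile or spawn with ['run', ...accepted, image]) rather than interpolating them into a shell string; that way a value such as FOO=$(id) stays a literal environment value instead of being evaluated by a shell.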

Update the Action Code

  1. Create a new branch

    git checkout -b releases/v1
  2. Format, test, and build the action

    npm run all

    This step is important! It will run rollup to build the final JavaScript action code with all dependencies included. If you do not run this step, your action will not work correctly when it is used in a workflow.

  3. (Optional) Test your action locally

    The @github/local-action utility can be used to test your action locally. It is a simple command-line tool that "stubs" (or simulates) the GitHub Actions Toolkit. This way, you can run your TypeScript action locally without having to commit and push your changes to a repository.

    The local-action utility can be run in the following ways:

    • Visual Studio Code Debugger

      Make sure to review and, if needed, update .vscode/launch.json

    • Terminal/Command Prompt

      # npx @github/local-action <action-yaml-path> <entrypoint> <dotenv-file>
      npx @github/local-action . src/main.ts .env

    You can provide a .env file to the local-action CLI to set environment variables used by the GitHub Actions Toolkit, for example to set the inputs and event payload data used by your action. For more information, see the example file, .env.example, and the GitHub Actions Documentation.

  4. Commit your changes

    git add .
    git commit -m "My first action is ready!"
  5. Push them to your repository

    git push -u origin releases/v1
  6. Create a pull request and get feedback on your action

  7. Merge the pull request into the main branch
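Referring back to step 3: as an added example, not a file from the repository, a .env file for local-action. The GitHub Actions Toolkit's @actions/core reads each input from an INPUT_<NAME> environment variable with the input name upper-cased, so this action's inputs map as follows (the values are illustrative and the port is an assumption; compare against the repository's .env.example).

```dotenv
# Added example, not the repository's .env.example. @actions/core resolves
# getInput('dockerfile_path') from INPUT_DOCKERFILE_PATH, and so on.
INPUT_DOCKERFILE_PATH=./test-app-dockerfiles/Dockerfile.hono
INPUT_APP_PORT=3000
INPUT_MAX_PARALLEL_TESTS=5
INPUT_CONFIG_UPDATE_DELAY=60
INPUT_TEST_TIMEOUT=60
INPUT_SLEEP_BEFORE_TEST=1
INPUT_SKIP_TESTS=test_allowed_ip,test_sql_injection
# Only --env / -e / --env-file are allowed here.
INPUT_EXTRA_ARGS=--env APP_ENV=test
```

Inputs left out of the file fall back to whatever default the action defines; a required input such as dockerfile_path must be present or getInput with required: true throws.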

Your action is now published! 🚀

For information about versioning your action, see Versioning in the GitHub Actions toolkit.

Validate the Action

You can now validate the action by referencing it in a workflow file. For example, ci.yml demonstrates how to reference an action in the same repository.

steps:
  - name: Checkout
    id: checkout
    uses: actions/checkout@v4

  - name: Test Local Action
    id: test-action
    uses: ./
    with:
      dockerfile_path: ./test-app-dockerfiles/Dockerfile.hono

For example workflow runs, check out the Actions tab! 🚀

Using a Released Version

After testing, you can create version tag(s) that developers can use to reference different stable versions of your action. For more information, see Versioning in the GitHub Actions toolkit.

To include the action in a workflow in another repository, use the uses syntax with the @ symbol to reference a specific branch, tag, or commit hash. Note that a major tag such as v1 is mutable (the release script described below moves it to every new release), so a workflow that needs a reproducible, tamper-evident dependency should pin the full commit SHA and bump it deliberately.

steps:
  - name: Checkout
    id: checkout
    uses: actions/checkout@v4

  - name: Run Firewall QA Tests
    id: test-action
    uses: AikidoSec/firewall-tester-action@v1 # Commit with the `v1` tag
    with:
      dockerfile_path: ./test-app-dockerfiles/Dockerfile.hono

Publishing a New Release

This project includes a helper script, script/release, designed to streamline the process of tagging and pushing new releases for GitHub Actions.

GitHub Actions allows users to select a specific version of the action to use, based on release tags. This script simplifies this process by performing the following steps:

  1. Retrieving the latest release tag: The script starts by fetching the most recent SemVer release tag of the current branch, by looking at the local data available in your repository.
  2. Prompting for a new release tag: The user is then prompted to enter a new release tag. To assist with this, the script displays the tag retrieved in the previous step and validates the format of the entered tag (vX.X.X). The user is also reminded to update the version field in package.json.
  3. Tagging the new release: The script then tags a new release and syncs the separate major tag (e.g. v1, v2) with the new release tag (e.g. v1.0.0, v2.1.2). When the user is creating a new major release, the script auto-detects this and creates a releases/v# branch for the previous major version.
  4. Pushing changes to remote: Finally, the script pushes the necessary commits, tags and branches to the remote repository. From here, you will need to create a new release in GitHub so users can easily reference the new tags in their workflows.
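The tag bookkeeping from steps 2 to 4, as an added POSIX shell example that is not the repository's script/release: validate_tag enforces the vX.X.X format, major_of derives the floating major tag, and release_tag_commands prints the git commands that create the release tag, move the major tag onto it, and (on a major bump) create the releases/v# branch for the previous major. The function names are this example's own, and nothing is executed or pushed unless the printed commands are run.

```shell
#!/usr/bin/env sh
# Added example, not the repository's script/release. Prints the git commands
# for a release instead of running them, so it can be reviewed first.

# Accept only vMAJOR.MINOR.PATCH with plain decimal components (v1.2.3-rc1 fails).
validate_tag() {
  printf '%s' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# v1.4.2 -> v1 : the floating major tag that consumers reference as @v1.
major_of() {
  printf '%s\n' "$1" | cut -d. -f1
}

# $1 = new release tag, $2 = previous release tag (may be empty on first release).
release_tag_commands() {
  new="$1"
  prev="$2"
  validate_tag "$new" || { echo "invalid tag: $new (want vX.X.X)" >&2; return 1; }
  major=$(major_of "$new")

  # Major bump: keep a releases/vN branch for the previous major so it can
  # still receive fixes after its floating tag is abandoned.
  if [ -n "$prev" ] && [ "$(major_of "$prev")" != "$major" ]; then
    printf 'git branch releases/%s %s\n' "$(major_of "$prev")" "$prev"
    printf 'git push origin releases/%s\n' "$(major_of "$prev")"
  fi

  printf 'git tag -a %s -m "Release %s"\n' "$new" "$new"
  # The major tag is force-moved to the commit behind the new release tag.
  # Workflows pinned to a commit SHA are unaffected by this move, which is
  # exactly why SHA pinning is the reproducible choice for consumers.
  printf 'git tag -f %s %s^{commit}\n' "$major" "$new"
  printf 'git push origin %s\n' "$new"
  printf 'git push -f origin %s\n' "$major"
}
```

Run release_tag_commands v2.0.0 v1.4.2 to see the branch-creation commands that a major bump adds; a patch release such as release_tag_commands v1.5.0 v1.4.2 prints only the tag and push commands.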

Dependency License Management

This template includes a GitHub Actions workflow, licensed.yml, that uses Licensed to check for dependencies with missing or non-compliant licenses. This workflow is initially disabled. To enable the workflow, follow the below steps.

  1. Open licensed.yml

  2. Uncomment the following lines:

    # pull_request:
    #   branches:
    #     - main
    # push:
    #   branches:
    #     - main
  3. Save and commit the changes

Once complete, this workflow will run any time a pull request is created or changes pushed directly to main. If the workflow detects any dependencies with missing or non-compliant licenses, it will fail the workflow and provide details on the issue(s) found.

Updating Licenses

Whenever you install or update dependencies, you can use the Licensed CLI to update the licenses database. To install Licensed, see the project's Readme.

To update the cached licenses, run the following command:

licensed cache

To check the status of cached licenses, run the following command:

licensed status

About

This repository holds validation testing actions for Zen firewall
