@@ -42,6 +42,45 @@ The [Nullify DAST](https://docs.nullify.ai/features/api-scanning) GitHub Action
4242| local | Run the scan from the GitHub action instead of on Nullify Cloud | ` false ` | false |
4343| image-label | Label to identify the Docker image being tested | ` false ` | |
4444
45+ ### Authentication Parameters
46+
47+ | Name | Description | Required | Default |
48+ | ---------------------| ----------------------------------------------------------------------------| ----------| ---------|
49+ | auth-method | Authentication method to use (basic, bearer, session, oauth2, jwt, custom) | ` false ` | bearer |
50+ | auth-username | Username for Basic Auth authentication | ` false ` | |
51+ | auth-password | Password for Basic Auth authentication | ` false ` | |
52+ | auth-token | Token for Bearer Token, JWT, or OAuth2 authentication | ` false ` | |
53+ | auth-client-id | Client ID for OAuth2 authentication | ` false ` | |
54+ | auth-client-secret | Client Secret for OAuth2 authentication | ` false ` | |
55+ | auth-token-url | Token URL for OAuth2 authentication | ` false ` | |
56+ | auth-scope | Scope for OAuth2 authentication | ` false ` | |
57+ | auth-login-url | URL to perform login for session-based authentication | ` false ` | |
58+ | auth-login-body | JSON body to send for session-based authentication login | ` false ` | |
59+ | auth-login-selector | CSS selector to extract session token/cookie from login response | ` false ` | |
60+ | auth-custom-headers | JSON string of custom headers for authentication | ` false ` | |
61+ | auth-custom-params | JSON string of custom query parameters for authentication | ` false ` | |
62+
63+ ### Role-Based Authorization Testing Parameters
64+
65+ | Name | Description | Required | Default |
66+ | -----------------------| --------------------------------------------| ----------| ---------|
67+ | user-1-role | Role name for user 1 | ` false ` | |
68+ | user-1-description | Custom description for user 1 | ` false ` | |
69+ | user-1-username | Username for user 1 (basic auth) | ` false ` | |
70+ | user-1-password | Password for user 1 (basic auth) | ` false ` | |
71+ | user-1-token | Token for user 1 (bearer auth) | ` false ` | |
72+ | user-1-client-id | Client ID for user 1 (OAuth2) | ` false ` | |
73+ | user-1-client-secret | Client Secret for user 1 (OAuth2) | ` false ` | |
74+ | user-1-token-url | Token URL for user 1 (OAuth2) | ` false ` | |
75+ | user-1-scope | Scope for user 1 (OAuth2) | ` false ` | |
76+ | user-1-login-url | Login URL for user 1 (session auth) | ` false ` | |
77+ | user-1-login-body | Login body for user 1 (session auth) | ` false ` | |
78+ | user-1-login-selector | Login selector for user 1 (session auth) | ` false ` | |
79+ | user-1-custom-headers | Custom headers for user 1 (custom auth) | ` false ` | |
80+ | user-1-custom-params | Custom parameters for user 1 (custom auth) | ` false ` | |
81+
82+ * Note: Parameters for user-2, user-3, and user-4 follow the same pattern as user-1.*
83+
4584Often the ` target-host ` is a staging environment in a private network.
4685In this case, deploy a GitHub Action runner in the same private network then set ` local: 'true' ` to run the scan from the GitHub action.
4786
@@ -70,6 +109,89 @@ jobs:
70109 target-host : ' api.myapp1234.dev'
71110` ` `
72111
112+ ## Authentication Examples
113+
114+ ### Basic Auth Example
115+
116+ ` ` ` yaml
117+ name : nullify-dast-basic-auth
118+ on :
119+ push :
120+ branches :
121+ - main
122+ jobs :
123+ nullify-dast :
124+ name : Nullify DAST with Basic Auth
125+ runs-on : ubuntu-20.04
126+ steps :
127+ - name : Checkout code
128+ uses : actions/checkout@v2
129+ - name : Run Nullify vulnerability scanner
130+ uses : nullify-platform/dast-action@main
131+ with :
132+ app-name : ' My REST API'
133+ spec-path : ' openapi.json'
134+ target-host : ' api.myapp1234.dev'
135+ auth-method : ' basic'
136+ auth-username : ${{ secrets.API_USERNAME }}
137+ auth-password : ${{ secrets.API_PASSWORD }}
138+ local : ' true'
139+ ` ` `
140+
141+ ### OAuth2 Example
142+
143+ ` ` ` yaml
144+ name : nullify-dast-oauth
145+ on :
146+ schedule :
147+ - cron : ' 0 0 * * 1' # Run weekly on Mondays
148+ jobs :
149+ nullify-dast :
150+ name : Nullify DAST with OAuth2
151+ runs-on : ubuntu-20.04
152+ steps :
153+ - name : Checkout code
154+ uses : actions/checkout@v2
155+ - name : Run Nullify vulnerability scanner
156+ uses : nullify-platform/dast-action@main
157+ with :
158+ app-name : ' My OAuth API'
159+ spec-path : ' openapi.json'
160+ target-host : ' api.myapp1234.dev'
161+ auth-method : ' oauth2'
162+ auth-client-id : ${{ secrets.OAUTH_CLIENT_ID }}
163+ auth-client-secret : ${{ secrets.OAUTH_CLIENT_SECRET }}
164+ auth-token-url : ' https://auth.myapp1234.dev/oauth/token'
165+ auth-scope : ' read write'
166+ local : ' true'
167+ ` ` `
168+
169+ ### Session-based Authentication Example
170+
171+ ` ` ` yaml
172+ name : nullify-dast-session
173+ on :
174+ pull_request :
175+ jobs :
176+ nullify-dast :
177+ name : Nullify DAST with Session Auth
178+ runs-on : ubuntu-20.04
179+ steps :
180+ - name : Checkout code
181+ uses : actions/checkout@v2
182+ - name : Run Nullify vulnerability scanner
183+ uses : nullify-platform/dast-action@main
184+ with :
185+ app-name : ' My Web App'
186+ spec-path : ' openapi.json'
187+ target-host : ' app.myapp1234.dev'
188+ auth-method : ' session'
189+ auth-login-url : ' https://app.myapp1234.dev/login'
190+ auth-login-body : ' {"username":"${{ secrets.APP_USERNAME }}","password":"${{ secrets.APP_PASSWORD }}"}'
191+ auth-login-selector : ' response.headers.set-cookie'
192+ local : ' true'
193+ ` ` `
194+
73195## Example Usage (Enterprise Tier)
74196
75197Enterprise tier customers have a custom domain name for the Nullify API.
@@ -98,3 +220,46 @@ jobs:
98220 spec-path: 'openapi.json'
99221 target-host: 'api.myapp1234.dev'
100222` ` `
223+
224+ # ## Authorization Model Assessment
225+
226+ For authorization testing, you can provide multiple users with different roles to verify access controls :
227+ **Important**: When using `auth-users`, any other single-user authentication parameters (like `auth-token`, `auth-username`, etc.) will be ignored.
228+
229+ # ## Role-Based Authorization with Individual User Parameters
230+
231+ ` ` ` yaml
232+ name: nullify-dast-rbac
233+ on:
234+ schedule:
235+ - cron: '0 0 * * 1' # Run weekly on Mondays
236+ jobs:
237+ nullify-dast:
238+ name: Nullify DAST with Role-Based Access Control Testing
239+ runs-on: ubuntu-20.04
240+ steps:
241+ - name: Checkout code
242+ uses: actions/checkout@v2
243+ - name: Run Nullify vulnerability scanner
244+ uses: nullify-platform/dast-action@main
245+ with:
246+ app-name: 'My Role-Based API'
247+ spec-path: 'openapi.json'
248+ target-host: 'api.myapp1234.dev'
249+ # Admin user with bearer token
250+ user-1-role: 'admin'
251+ user-1-description: 'Administrator with full system access. User belongs to the internal platform team to occasionaly perform system maintanence activities.'
252+ user-1-token: ${{ secrets.ADMIN_TOKEN }}
253+ # Regular user with basic auth
254+ user-2-role: 'user'
255+ user-2-description: 'Standard user with limited permissions.'
256+ user-2-username: ${{ secrets.USER_USERNAME }}
257+ user-2-password: ${{ secrets.USER_PASSWORD }}
258+ # API client with OAuth2
259+ user-3-role: 'api-client'
260+ user-3-client-id: ${{ secrets.CLIENT_ID }}
261+ user-3-client-secret: ${{ secrets.CLIENT_SECRET }}
262+ user-3-token-url: 'https://auth.myapp1234.dev/oauth/token'
263+ user-3-scope: 'read write'
264+ local: 'true'
265+ ` ` `
0 commit comments