Merge branch 'main' into bad-login-endpoint

swarkentin · web-flow · commit 13afeba724ca · 2022-01-31T09:35:23.000-07:00
diff --git a/.github/workflows/mapi.yml b/.github/workflows/mapi.yml
@@ -50,10 +50,9 @@ jobs:
       with:
         name: mapi-sarif
         path: mapi.sarif
-        
 
     # Upload SARIF file (only available on public repos or github enterprise)
     - name: Upload SARIF file
       uses: github/codeql-action/upload-sarif@v1
       with:
-        sarif_file: mapi.sarif
+        sarif_file: mapi.sarif
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 ForAllSecure
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Mayhem for API: Example CI integration
 
-[![Mayhem for API](https://mayhem4api.forallsecure.com/static/media/logo.f8497128.svg)](http://mayhem4api.forallsecure.com/signup)
+[![Mayhem for API](https://mayhem4api.forallsecure.com/downloads/img/mapi-logo-full-color.svg)](http://mayhem4api.forallsecure.com/signup)
 
 ## About Mayhem for API
 
@@ -17,8 +17,7 @@ our job easier!
 and PRs. We make it easy, and provide results right in your PRs where
 you want them. Adding Mayhem for API to a DevOps pipeline is easy.
 
-Want to try it? Start a [30-day free
-trial](http://mayhem4api.forallsecure.com/signup).
+Want to try it? [Sign up for free](http://mayhem4api.forallsecure.com/signup)!
 
 ## Example GitHub Actions Integration
 
@@ -28,19 +27,12 @@ for API.
 ### Starting a Mayhem for API scan in Github Actions
 
 To scan your API with Mayhem for API in CI, you need to:
-1) Download the Mayhem for API CLI
-2) Start your API
-3) Start the Mayhem for API scan
+1) Start your API
+2) Start the Mayhem for API scan
 
 In GitHub actions, those steps translate to:
 
 ```yaml
-    # Download Mayhem for API CLI for linux (also available for windows and Mac
-    - name: Download API fuzzer CLI
-      run: |
-        curl -s -LO https://mayhem4api.forallsecure.com/downloads/cli/latest/linux-musl/mapi
-        chmod +x ./mapi
-
     # Run API in test mode. We configured test mode to output stacktraces in
     # the error responses to improve the output of Mayhem for API.
     - name: Run API
@@ -49,51 +41,74 @@ In GitHub actions, those steps translate to:
       run: uvicorn src.main:app &
 
     # Run Mayhem for API
-    - name: Mayhem for API Scan
-      env:
-        MAPI_TOKEN: ${{ secrets.MAPI_TOKEN }}
-      run: ./mapi run fastapi 10 --url http://localhost:8000/ --sarif results.sarif --html results.html http://localhost:8000/openapi.json || true
+    - name: Run Mayhem for API to check for vulnerabilities
+      uses: ForAllSecure/mapi-action@v1
+      with:
+        mapi-token: ${{ secrets.MAPI_TOKEN }}
+        api-url: http://localhost:8000
+        api-spec: http://localhost:8000/openapi.json
 ```
 
 This repo contains a [full example](.github/workflows/mapi.yml) for
 reference.
 
-## Results
+# Reports
 
-Mayhem for API outputs reports in multiple formats (jUnit, SARIF, HTML).
-In this instance, we requested a HTML report and a SARIF report.
+Mayhem for API generate reports when you pass `sarif-report` or
+`html-report` to the input. Make sure to pass `continue-on-error` to the
+Mayhem for API step if you want to process the reports in follow-up
+steps.
 
-### Artifact HTML Report
+## Artifact HTML Report
 
 ![HTML Report](https://mayhem4api.forallsecure.com/downloads/img/sample-report.png)
 
 To artifact the report in your build, add this step to your pipeline:
 
 ```yaml
-    # Archive HTML report
-    - name: Archive code coverage results
-      uses: actions/upload-artifact@v2
-      with:
-        name: mapi-report
-        path: results.html
+- name: Run Mayhem for API to check for vulnerabilities
+  uses: ForAllSecure/mapi-action@v1
+  continue-on-error: true
+  with:
+    mapi-token: ${{ secrets.MAPI_TOKEN }}
+    api-url: http://localhost:8000 # <- update this
+    api-spec: your-openapi-spec-or-postman-collection.json # <- update this
+    html-report: mapi.html
+
+# Archive HTML report
+- name: Archive Mayhem for API report
+  uses: actions/upload-artifact@v2
+  with:
+    name: mapi-report
+    path: mapi.html
 ```
 
-## Upload SARIF
+## GitHub Code Scanning support
 
 ![Mayhem for API issue in your
 PR](http://mayhem4api.forallsecure.com/downloads/img/sarif-github.png)
 
-Uploading SARIF to GitHub allows you to see any issue found by Mayhem
-for API right on your PR! This currently requires you to have a GitHub
-Enterprise Plan or have a public repository. To upload the SARIF report,
-add this step to your pipeline:
+Uploading SARIF reports to GitHub allows you to see any issue found by
+Mayhem for API right on your PR, as well as in the "Security" tab of
+your repository. This currently requires you to have a GitHub Enterprise
+Plan or have a public repository. To upload the SARIF report, add this
+step to your pipeline:
 
 ```yaml
-    # Upload SARIF file (only available on public repos or github enterprise)
-    - name: Upload SARIF file
-      uses: github/codeql-action/upload-sarif@v1
-      with:
-        sarif_file: results.sarif
+- name: Run Mayhem for API to check for vulnerabilities
+  uses: ForAllSecure/mapi-action@v1
+  continue-on-error: true
+  with:
+    mapi-token: ${{ secrets.MAPI_TOKEN }}
+    api-url: http://localhost:8000 # <- update this
+    api-spec: your-openapi-spec-or-postman-collection.json # <- update this
+    sarif-report: mapi.sarif
+
+# Upload SARIF file (only available on public repos or github enterprise)
+- name: Upload SARIF file
+  uses: github/codeql-action/upload-sarif@v1
+  with:
+    sarif_file: mapi.sarif
 ```
 
 If your API server sends back stacktraces in the 500 Internal Server
