|
| 1 | +# Vimana Framework GitHub Actions |
| 2 | + |
| 3 | +This directory contains GitHub Actions workflows for running Vimana Framework plugins in CI/CD environments. |
| 4 | + |
| 5 | +## Available Workflows |
| 6 | + |
| 7 | +### `vimana.yml` - Main Security Testing Pipeline |
| 8 | + |
| 9 | +This workflow provides automated security testing using Vimana Framework plugins, with a focus on the D4M8 Django Web Form Fuzzer. |
| 10 | + |
| 11 | +#### Features: |
| 12 | +- **Plugin-Based Architecture**: Uses Vimana's modular plugin system |
| 13 | +- **D4M8 Integration**: Django Web Form Fuzzer for exception mapping |
| 14 | +- **Multiple Scan Modes**: Blackbox, aggressive, rule-based, and custom data scanning |
| 15 | +- **UV Package Management**: Fast dependency installation using UV |
| 16 | +- **Docker Integration**: Builds and tests Vimana Docker images |
| 17 | +- **Artifact Storage**: Saves scan results as downloadable artifacts |
| 18 | + |
| 19 | +#### Manual Trigger Parameters: |
| 20 | +- `target_url`: The target URL to scan (e.g., http://localhost:8000) |
| 21 | +- `plugin`: Plugin to use (d4m8, viewscan, other_plugins_coming_soon) |
| 22 | +- `scan_mode`: Scan mode for the selected plugin (blackbox, aggressive, rule_based, custom_data) |
| 23 | + |
| 24 | +#### D4M8 Plugin Examples: |
| 25 | + |
| 26 | +**Blackbox Mode:** |
| 27 | +```yaml |
| 28 | +# Discovers and fuzzes available endpoints |
| 29 | +python vimana.py run --plugin d4m8 --target-url http://localhost:8000 |
| 30 | +``` |
| 31 | + |
| 32 | +**Aggressive Mode with Custom Data:** |
| 33 | +```yaml |
| 34 | +# Comprehensive fuzzing with extended scope |
| 35 | +python vimana.py run \ |
| 36 | + --plugin d4m8 \ |
| 37 | + --target-url http://localhost:8000 \ |
| 38 | + --agressive \ |
| 39 | + --xscope \ |
| 40 | + - -data '{"email":"[email protected]","username": "github_user"}' |
| 41 | +``` |
| 42 | +
|
| 43 | +**Rule-Based Scanning:** |
| 44 | +```yaml |
| 45 | +# Uses predefined fuzzing rules |
| 46 | +python vimana.py run --plugin d4m8 --scan-rules |
| 47 | +``` |
| 48 | + |
| 49 | +**Custom Data Fields:** |
| 50 | +```yaml |
| 51 | +# Targeted fuzzing with specific form fields |
| 52 | +python vimana.py run \ |
| 53 | + --plugin d4m8 \ |
| 54 | + --target-url http://localhost:8000 \ |
| 55 | + --data '{"email":"[email protected]","password":"testpass123","username":"admin_user"}' |
| 56 | +``` |
| 57 | + |
| 58 | +#### Usage Examples: |
| 59 | + |
| 60 | +**Manual Execution:** |
| 61 | +1. Go to Actions tab in your repository |
| 62 | +2. Select "Vimana Framework Security Testing" |
| 63 | +3. Click "Run workflow" |
| 64 | +4. Enter your target URL |
| 65 | +5. Select plugin (d4m8 recommended) |
| 66 | +6. Choose scan mode |
| 67 | +7. Click "Run workflow" |
| 68 | + |
| 69 | +**Automated Scanning:** |
| 70 | +The workflow automatically runs on: |
| 71 | +- Push to main/develop branches |
| 72 | +- Pull requests to main branch |
| 73 | + |
| 74 | +#### Available Plugins: |
| 75 | +- **D4M8**: Django Web Form Fuzzer for mapping exceptions |
| 76 | +- **ViewScan**: Code analysis and vulnerability scanning |
| 77 | +- **Other plugins**: Various security testing capabilities (coming soon) |
| 78 | + |
| 79 | +#### Output: |
| 80 | +- Scan results stored in `core/_dbops_/` |
| 81 | +- Log files and reports |
| 82 | +- Docker image with plugin testing |
| 83 | +- SARIF format vulnerability reports (if available) |
| 84 | + |
| 85 | +## Plugin Architecture |
| 86 | + |
| 87 | +Vimana Framework uses a modular plugin architecture: |
| 88 | + |
| 89 | +```bash |
| 90 | +vimana run <plugin_name> <plugin_options> |
| 91 | +``` |
| 92 | + |
| 93 | +Each plugin has specific capabilities and options. The workflow demonstrates how to integrate different plugins into CI/CD pipelines. |
| 94 | + |
| 95 | +## Security Considerations |
| 96 | + |
| 97 | +- Always review scan results before sharing |
| 98 | +- Use appropriate targets (own systems or authorized targets) |
| 99 | +- Follow responsible disclosure practices |
| 100 | +- Consider rate limiting for external targets |
| 101 | +- Ensure legal compliance for security testing |
| 102 | + |
| 103 | +## Customization |
| 104 | + |
| 105 | +You can customize the workflow by: |
| 106 | +- Adding new plugins to the workflow |
| 107 | +- Modifying scan parameters and modes |
| 108 | +- Changing trigger conditions |
| 109 | +- Adjusting resource allocation |
| 110 | +- Adding custom rule files for plugins |
| 111 | + |
| 112 | +## Troubleshooting |
| 113 | + |
| 114 | +Common issues: |
| 115 | +- **Permission errors**: Ensure workflow has necessary permissions |
| 116 | +- **Timeout issues**: Increase timeout for large scans |
| 117 | +- **Plugin dependency issues**: Check plugin requirements |
| 118 | +- **Target accessibility**: Ensure target URL is accessible from GitHub Actions |
| 119 | +- **UV installation**: Verify UV is properly installed and configured |
| 120 | + |
| 121 | +## Future Enhancements |
| 122 | + |
| 123 | +- Additional plugin integrations |
| 124 | +- Custom rule file support |
| 125 | +- Advanced reporting features |
| 126 | +- Multi-target scanning capabilities |
| 127 | +- Integration with security tools (Trivy, etc.) |
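Review bot: The "Aggressive Mode with Custom Data" example at lines 35-40 of the README will not run as written: `- -data '{"email":...}'` has a space inside the flag and should be `--data` as in the "Custom Data Fields" example at line 55, and `--agressive` at line 38 looks like a misspelling of `--aggressive` (the prose and the `scan_mode` input both spell it "aggressive"); please confirm the flag name against the CLI's actual help output before merging, since a reader copying this block will get an unknown-option error. Two smaller points on the same examples: the fences at lines 27, 33, 44 and 50 are tagged `yaml` but contain shell commands, so they should be tagged `bash` like the fence at line 89, and the "Rule-Based Scanning" example at line 46 omits `--target-url` while every other example passes it, so either document that `--scan-rules` needs no target or add the flag. Finally, the "Automated Scanning" section (lines 69-72) says the workflow runs on push and pull request, but `target_url` is only described as a manual-trigger input (line 20); the README should state which target the automated runs fuzz, since a fuzzer pointed at an unintended URL on every push is exactly the situation the "Security Considerations" section warns about.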