From c1786275f7ff243464b071041fe932373d43a566 Mon Sep 17 00:00:00 2001
From: Juri Burakov <31932344+JuriBurakov@users.noreply.github.com>
Date: Tue, 5 Oct 2021 18:50:44 +0300
Subject: [PATCH] Create mayhem-for-api-analysis.yml

---
 .github/workflows/mayhem-for-api-analysis.yml | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 .github/workflows/mayhem-for-api-analysis.yml

diff --git a/.github/workflows/mayhem-for-api-analysis.yml b/.github/workflows/mayhem-for-api-analysis.yml
new file mode 100644
index 0000000..c87f68f
--- /dev/null
+++ b/.github/workflows/mayhem-for-api-analysis.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API
+# to find reliability, performance and security issues before they reach
+# production.
+#
+# To use this workflow, you will need to:
+#
+# 1. Create a Mayhem for API account at
+#    https://mayhem4api.forallsecure.com/signup
+#
+# 2. Create a service account token `mapi organization service-account create
+#    <org-name> <service-account-name>`
+#
+# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN"
+#
+# 4. Update the "Start your API" step to run your API in the background before
+#    starting the Mayhem for API scan, and update the `api-url` & `api-spec`
+#    field.
+#
+# If you have any questions, please contact us at mayhem4api@forallsecure.com
+
+name: "Mayhem for API"
+
+on:
+  push:
+    branches: [ main, upload-artifact ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+
+jobs:
+  mayhem-for-api:
+    name: Mayhem for API
+    # Mayhem for API runs on linux, mac and windows
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v2
+
+      # Run your API in the background. Ideally, the API would run in debug
+      # mode & send stacktraces back on "500 Internal Server Error" responses
+      # (don't do this in production though!)
+      - name: Start your API
+        run: ./run_your_api.sh & # <- ✏️ update this
+
+      - name: Mayhem for API
+        uses: ForAllSecure/mapi-action@193b709971cc377675e33284aecbf9229853e010
+        continue-on-error: true
+        with:
+          mapi-token: ${{ secrets.MAPI_TOKEN }}
+          api-url: http://localhost:8080 # <- ✏️ update this
+          api-spec: http://localhost:8080/openapi.json # <- ✏️ update this
+          duration: 60
+          sarif-report: mapi.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: mapi.sarif