A GitHub Action for running the ZAP Full scan
License: Apache License 2.0
The Zed Attack Proxy (ZAP) is one of the worldβs most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing.
For more details about ZAP see the new ZAP website at zaproxy.org
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
This was deprecated on April 14, 2024 and will not be usable on November 30, 2024. I hope it's an easy upgrade and that the breaking changes don't impact this work.
Hi
Could you create a new version tag? The current version v.1.0 is missing the fail_action param which is described in the readme.
May the readme example could be expanded also with all options:
ZAP
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'owasp/zap2docker-stable'
target: 'https://www.zaproxy.org/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
fail_action: true
When running the Zap Full Scan against our resources, the scan works normally (producing some findings), but creating the Github Issue fails with:
Validation Failed: {"resource":"Issue","code":"custom","field":"body","message":"body is too long (maximum is 65536 characters)"}
I was hoping for there to be a way to cap the body of the issue being created, maybe?
Github Actions complains that Node.js version 12 is deprecated or will be soon:
Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: zaproxy/[email protected]. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/
Could Node.js version for ZAP scan Github Action be updated to 16?
Describe the bug
Github Actions task fails when using demonstration code.
To Reproduce
Steps to reproduce the behavior:
jobs:
zap_scan:
runs-on: ubuntu-latest
name: Scan the webapplication
steps:
- name: Checkout
uses: actions/checkout@v2
with:
ref: master
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'owasp/zap2docker-stable'
target: 'https://www.zaproxy.org/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
Expected behavior
I expect the github action ("[email protected]") to run, and scan the given domain. It does not.
Screenshots
Software versions
Errors from the zap.log file
This isn't captured in the current process.
Additional context
baseline scan action works, just not full scan action.
Would you like to help fix this issue?
I am willing to help and test.
Node 16 is now deprecated and thus soon a deprecation warning will be displayed when this action runs. Please update to Node 20.
Related:
Hi,
The action starts the container as root:
Line 43 in 7a8da6d
This causes compatibility issues and is security-wise not the best practice.
Does this have a valid reason, or should it be removed?
Similar to zaproxy/action-baseline#17, new issues are opened even with existing issues open when providing a GitHub token, as there is a hardcoded check for the GitHub Actions bot. Simply bumping the version of actions-common-scans to 1.0.2 should resolve this issue.
The "Action Baseline" action exposes the allow_issue_writing input that allows controlling whether issues will be opened for alerts or not. This input is missing from this action and this will be a problem if someone does not want to use this feature, eg if they use another tool for issue tracking. The reason is that if Github issues are disabled, the whole action will fail.
I have already opened PR #24 if you think this makes sense and want to add this feature.
Thanks!
An error is being thrown when trying to run a full scan via Github Actions. The errors started happening today without any changes to the workflow.
Scan completes correctly
zaproxy/[email protected]
No response
No response
I'm loving the GitHub Action for running ZAP scans, thank you! π―
One issue is that when running two scans in parallel they're both creating an artifact called zap_scan. So there is a race condition and whichever scan completes first has its artifact overwritten by the scan that finished second. To get around this, after the scan completes I am uploading report_html.html as two differently-named artifacts. However, this still leaves the zap_scan artifact and it is a bit confusing that we have an extra artifact that is essentially a duplicate of one of the other artifacts - although we never know which one. Since artifacts aren't available until after the Action has completed, they cannot be deleted in the Action that created them.
A couple of possibilities are:
Thank you!
Hello!
Using the same context, I ran the AJAX spider from a local GUI instance of ZAP, and again as the GitHub Action - both against the same target - with different results.
Looking at the logs, it seems that headless Firefox doesn't run properly (see lines marked with >>>):
2021-04-08T18:29:31.9595748Z ##[group]Run zaproxy/[email protected]
2021-04-08T18:29:31.9596344Z with:
2021-04-08T18:29:31.9597018Z target: ***
2021-04-08T18:29:31.9598043Z cmd_options: -j -U "***" -n /zap/wrk/context_file.context
2021-04-08T18:29:31.9599345Z token: ***
2021-04-08T18:29:31.9599882Z docker_name: owasp/zap2docker-stable
2021-04-08T18:29:31.9600510Z issue_title: ZAP Full Scan Report
2021-04-08T18:29:31.9601004Z fail_action: false
2021-04-08T18:29:31.9601962Z ##[endgroup]
2021-04-08T18:29:32.1172019Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2021-04-08T18:29:32.1637719Z starting the program
2021-04-08T18:29:32.1638910Z github run id :***
2021-04-08T18:29:32.1699305Z [command]/usr/bin/docker pull owasp/zap2docker-stable -q
2021-04-08T18:30:02.0991921Z docker.io/owasp/zap2docker-stable:latest
2021-04-08T18:30:02.1066585Z [command]/usr/bin/docker run --user root -v /home/runner/work/zapscan/zapscan:/zap/wrk/:rw --network=host -t owasp/zap2docker-stable zap-full-scan.py -t *** -J report_json.json -w report_md.md -r report_html.html -j -U *** -n /zap/wrk/context_file.context
2021-04-08T18:30:05.3880090Z 2021-04-08 18:30:05,382 Could not find custom hooks file at /home/zap/.zap_hooks.py
2021-04-08T18:30:09.5078073Z Apr 08, 2021 6:30:09 PM java.util.prefs.FileSystemPreferences$1 run
2021-04-08T18:30:09.5079905Z INFO: Created user preferences directory.
2021-04-08T18:31:05.7042972Z WARNING: An illegal reflective access operation has occurred
2021-04-08T18:31:05.7055145Z WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/root/.ZAP/plugin/spiderAjax-release-23.3.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
2021-04-08T18:31:05.7071719Z WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
2021-04-08T18:31:05.7098432Z WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
2021-04-08T18:31:05.7100363Z WARNING: All illegal access operations will be denied in a future release
>>> 2021-04-08T18:31:05.9156533Z 1617906665907 geckodriver INFO Listening on 127.0.0.1:19930
2021-04-08T18:31:06.0734290Z 1617906666063 mozrunner::runner INFO Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofileLqIPUy"
>>> 2021-04-08T18:31:06.0988290Z Running Firefox as root in a regular user's session is not supported. ($HOME is /home/zap/ which is owned by zap.)
? 2021-04-08T18:33:15.1767246Z [Fatal Error] :1535:10273: The reference to entity ":after" must end with the ';' delimiter.
? 2021-04-08T18:33:15.6020309Z [Fatal Error] :1535:10273: The reference to entity ":after" must end with the ';' delimiter.
>>> 2021-04-08T18:33:33.8119503Z 1617906813799 geckodriver INFO Listening on 127.0.0.1:18313
2021-04-08T18:33:33.8311320Z 16179061861137891006 8g1e3c8k2o9d rmiovzerru nInNeFrO: :Lriusntneenri nIgN FoOn R1u2n7n.i0n.g0 .c1omma:n2d0:8 2"7/
2021-04-08T18:33:33.8328587Z usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofilejAPd6L"
2021-04-08T18:33:33.8402455Z 1617906813836 mozrunner::runner INFO Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofileevzObj"
>>> 2021-04-08T18:33:33.8716712Z Running Firefox as root in a regular user's session is not supported. ($HOME is /home/zap/ which is owned by zap.)
>>> 2021-04-08T18:33:33.8792493Z Running Firefox as root in a regular user's session is not supported. ($HOME is /home/zap/ which is owned by zap.)
2021-04-08T18:36:58.4198768Z Total of 71 URLs
You can see Total of 71 URLs at the end, whereas ZAP Desktop found upwards of 1000.
I also marked a couple lines above with ? because I'm not sure whether they're relevant to this issue, and Fatal Error sounds serious.
Inspired by this PR for Coverage.py, it would be awesome to (have the option to) output a summary of the scan results as markdown, for use in a Job Summary.
As a visual aid, here's what it looks like when I do this for Coverage.py:
The table at the bottom is just markdown piped to $GITHUB_STEP_SUMMARY, but it makes the results much more accessible compared to having to download a zip of the HTML report.
I want to use a hook script like here to create custom HTTP headers.
Locally it's:
sudo docker run --rm -v ${PWD}:/zap/wrk -t owasp/zap2docker-stable zap-full-scan.py -t http://target/ --hook "hook.py" -z "-addoninstall jython"
hook.py points to a script file:
zap.script.load('Add Header Script', 'httpsender', 'python : jython', '/zap/wrk/add_header_request.py')
Similar parameter: "rules_file_name".
Hey,
It would be really helpfull to get the PDF version of the report into the artifact.
Here is the google group conversation related : https://groups.google.com/g/zaproxy-users/c/5YY6m3G8b8A/m/eqqxEAN4AQAJ
Thanks in advance π
Hi team,
Would it be possible to set the maximum run time on the active scan which is followed by a spider with the cmd options?
Now that there's a proposal for zaproxy/zap-extensions#4078, can we reactivate the Sarif export ask? This would make the action safer so sarif reported issues remain hidden to public.
Thx.
Since ZAP vulnerability scans can generate a lot of issues, it might be nice to be able to e.g. ignore any LOW or INFO vulnerabilities. (so that issues are not created)
e.g.
jobs:
zap_scan_public:
runs-on: ubuntu-latest
name: Scan public website
steps:
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
issue_title: Vulnerability Scan Results
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: owasp/zap2docker-weekly
target: https://ironpeak.be/
rules_file_name: .github/zap.ignore
cmd_options: '-a -s MEDIUM'While running a scan, the workflow failed with the message:
2023-01-18T15:29:57.2895700Z Scanning process completed, starting to analyze the results!
2023-01-18T15:29:57.3263850Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2023-01-18T15:29:57.7910108Z ##[error]You have exceeded a secondary rate limit. Please wait a few minutes before you try again.
Is there something to be done to prevent that?
Error logs
2022-05-17 06:54:46,035 Starting new HTTP connection (1): localhost:56760
2022-05-17 06:54:46,296 http://localhost:56760 "GET http://zap/OTHER/core/other/mdreport/?apikey= HTTP/1.1" 200 10977
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 2 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 112
2022-05-17 06:54:46,305 Trigger hook: zap_pre_shutdown, args: 1
2022-05-17 06:54:46,307 Starting new HTTP connection (1): localhost:56760
2022-05-17 06:54:46,349 http://localhost:56760 "GET http://zap/JSON/core/action/shutdown/?apikey= HTTP/1.1" 200 15
2022-05-17 06:54:46,351 Trigger hook: pre_exit, args: 3
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
Scanning process completed, starting to analyze the results!
Error: Bad credentials
Full ZAP action Logs
ZAP_github_action_raw_logs.txt
Github action flow file.
zap_scan:
runs-on: self-hosted
name: Scan using ZAP
steps:
- name: 'Git Checkout'
uses: actions/checkout@v2
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GHE_TOKEN }}
docker_name: 'owasp/zap2docker-stable'
target: 'https://xxxxxxxxx'
cmd_options: '-d'Thanks in advance
Since GitHub now supports SARIF files which contain security issues (now primarily used for code scanning), would be cool to re-use this for ZAP.
ZAP should support exporting findings to SARIF.
I'm trying to set some exclusions by passing some regex to the -z paramater. In the cli, it looks like this
-z "-config globalexcludeurl.url_list.url.regex='(?!http:\\/\\/ete-dev-api.azurewebsites.net)"
however, to pass this to the cli in the yaml is seemingly impossible because the double quotes are stripped regardless of how you pass it in.
I will explain the specific issue using an example from the readme though (as you would assume that should work).
cmd_options: -z "-config view.locale=fr_FR"
in the yaml results in the following being called in the runner (I've redacted a the other args)
run -v /home/****:/zap/wrk/:rw --network=host -z -config view.locale=fr_FR
From what I can tell this is due to the way exec (and argStringToArray) escape strings in the js library. Am I missing something or is this a bug?
Add the necessary input variables to configure the ZAP authentication toggles to perform authenticated scans in your pipeline.
.e.g.
zap_scan_cluster:
runs-on: ubuntu-latest
name: Scan k8s cluster
steps:
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
issue_title: Vulnerability Scan Results
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: owasp/zap2docker-weekly
target: https://cluster.ironpeak.be/
rules_file_name: .github/zap.ignore
cmd_options: '-a'
http_login_form: '/app/login'
http_login_http_username: 'testuser'
http_login_http_password: ${{ secrets.ZAP_USER_PW }}
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.