zaproxy / action-baseline
A GitHub Action for running the ZAP Baseline scan
License: Apache License 2.0
Hi 👋
I have a use case to capture the action run result and publish it into slack, not sure if anyone has done that. Thanks!
Would be very nice to be able to specify the issue title via a GitHub Action argument.
Hi folks,
We are mostly interested in this tool so that we don't have to run the Docker container by hand. But, we don't want this to automatically file issues to our GitHub repo - we are totally satisfied with it just spitting out an artifact that we can stash after scanning.
How can we get to the point with this Action where it doesn't require you to file an Issue to the repo?
Hello,
I'm providing cmd_options: "-j" to the GitHub action, but this does not seem to result in the Ajax spider being used as I still get "Modern Web Application [10109]" raised.
Is this a bug in the action or in ZAP? Is it related to the automation framework?
👋🏽 ZAProxy team,
Thank you for building this Action. I took the liberty to create an action that maps the ZAProxy results to SARIF so they can be displayed in the GitHub Advanced Security UI.
You can check it out here: https://github.com/SvanBoxel/zaproxy-to-ghas
Optionally we could decide to merge this action into zaproxy/action-baseline so it becomes easier for users to leverage this scanning utility.
Disclaimer: I know, SARIF isn't made for DAST results, but having the ability to view all security results through a single pane of glass can be very beneficial.
The -x flag does not seem to work when used as is.
Here is the basic config I'm using:
- name: OWASP ZAP
  uses: zaproxy/[email protected]
  with:
    target: "http://localhost:3000"
    fail_action: false
    cmd_options: "-x report_xml.xml"
Here is the error:
Automation plan failures:
Job report failed to generate report: /zap/wrk/report_xml.xml
Workaround:
Noticed that .json, .html, and .md files are automatically created prior to the scan.
- name: Create XML placeholder file
  run: |
    touch report_xml.xml
    chmod a+w report_xml.xml
This works with the -x flag but it means I have to manually upload the .xml as a separate artifact.
First time seeing this error in the github action run.
10217 [ZAP-DownloadInstaller] ERROR org.zaproxy.zap.control.AddOnInstaller - An error occurred while installing the add-on: websocket
java.security.InvalidParameterException: ScriptType already registered: websocketfuzzerprocessor
...
11741 [ZAP-daemon] ERROR org.parosproxy.paros.core.proxy.ProxyServer - Cannot listen on port 0.0.0.0:60926 - try specifying a different port for ZAP to use
Cannot listen on port 0.0.0.0:60926 - try specifying a different port for ZAP to use
The same error as this issue is occurring in our github actions. However we can't add the workaround because there's no control of the docker parameters. Please could this issue be fixed at the source rather than just working round it.
Instead of creating one big security ticket, it might be nice to create separate GitHub tickets per vulnerability category that's found if the total amount of security vulnerabilities is below a threshold.
e.g. if the amount of categories is < 10, create a github issue per category.
Security: Timestamp Disclosure - Unix
Security: CSP Scanner: Notices
Security: Reverse Tabnabbing
Hi, when I trigger the module I got this:
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 8 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 43
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
##[error]The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2
Alerts present in the current report: true
Process completed successfully and a new issue #2 has been created for the ZAP Scan.
It seems that the import of the @octokit/rest library is wrong.
ZAP baseline provides hooks to perform an authenticated scan. It would be good to have an example on how to configure it.
Node 16 is now deprecated and thus soon a deprecation warning will be displayed when this action runs. Please update to Node 20.
Related:
I'm using the ZAP baseline action to scan an application that, in the testing environment, is protected by basic auth.
I documented how to do this here: https://adrianhesketh.com/2020/07/07/owasp-baseline-scan-with-basic-auth-in-docker-github-actions/
It requires the use of a config file:
replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Basic dXNlcjpwYXNzd29yZAo=
And setting the parameter to use it.
When I tried out the same approach this year, I got the following errors:
Digest: sha256:e2b5720d9cccfea0f2aa3b3e83bc1acd26345b949fcc3a4e60aa916cb2d5989f
Status: Downloaded newer image for owasp/zap2docker-stable:latest
2021-11-29 12:12:25,469 Could not find custom hooks file at /home/zap/.zap_hooks.py
Using the Automation Framework
Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v27/pscanrulesBeta-beta-27.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/pscanrulesBeta-beta-27.zap
Automation plan failures:
Job spider failed to access URL https://xxxxxx/ status code returned : 404 expected 200
2021-11-29 12:12:45,217 Failed to access summary file /home/zap/zap_out.json
However, bypassing the Automation Framework with the --autooff flag got me the expected results - a working scan.
docker run -v $(pwd):/zap/wrk/ -t owasp/zap2docker-stable zap-baseline.py \
-t https://xxxxxxxxxxxxxxx \
-z "-configfile /zap/wrk/zap/options.prop" --autooff
Not sure how to proceed....
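The replacer rule above (and the earlier request for an authenticated-scan example) can be generated rather than typed by hand. This is an added example, not code from the action or from the post's author: it builds the Basic header value with Python's base64 module and writes the six replacer.full_list(0) keys in the options.prop format quoted above. The decoded_credentials helper exists because the value quoted above, dXNlcjpwYXNzd29yZAo=, decodes to user:password followed by a newline, which is what piping echo without -n into base64 produces, so checking the decoded bytes before committing a rule is worthwhile.

```python
import base64

# Constructed credentials, for illustration only.
USERNAME, PASSWORD = "user", "password"

def basic_auth_value(username, password):
    """Encode 'user:password' for the Authorization header; no trailing newline is encoded."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def replacer_rule(replacement, index=0, description="auth1"):
    """Render one ZAP replacer rule in the options.prop key=value format quoted above."""
    prefix = f"replacer.full_list({index})"
    fields = [
        ("description", description),
        ("enabled", "true"),
        ("matchtype", "REQ_HEADER"),
        ("matchstr", "Authorization"),
        ("regex", "false"),
        ("replacement", replacement),
    ]
    return "".join(f"{prefix}.{key}={value}\n" for key, value in fields)

def decoded_credentials(header_value):
    """Decode a 'Basic <base64>' value to see the exact bytes a rule would send."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization value")
    return base64.b64decode(token)

if __name__ == "__main__":
    # Save the output under the workspace so -z "-configfile /zap/wrk/<file>" can load it.
    print(replacer_rule(basic_auth_value(USERNAME, PASSWORD)), end="")
```

Keep the real credentials in a repository secret and pass them into this script via environment variables rather than committing the generated file.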
Add an optional 'Command line options'? param which would allow anyone to specify any additional baseline options: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan#usage
Eg that could be set to -a -j -config aaa=bbb to set aaa=bbb in the configs (meaningless example ;) Otherwise it's not obvious.
I use a single workflow file to run zap scans on multiple sites. Each site is its own job so they can fail or succeed independently. However, since the artifact name is hard-coded, only the report of the last job to complete is saved.
Would the project be open to adding support for specifying the artifact name as an option? I'd be glad to submit PRs both here and in actions-common to add this.
GitHub Actions are requesting a migration of all actions from node12 to node16.
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/
As a result we're receiving warnings in our workflows from this action:
Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: zaproxy/action-baseline
Feedback on zaproxy/zaproxy-website#88
Scanning with the github action, I got the following annotation.
Scan the target with ZAP Baseline X
Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: zaproxy/[email protected]. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/.
Please upgrade this action to the newer version.
Unless they fail for some reason?
Just to make the logs less chatty.
As per dependabot PRs greysteil/where-is-grey#285
Instead of having an hourly scan or so, developers should receive direct feedback about their fixes in the CI/CD workflow.
Allowing us to use zaproxy/action-baseline in a pull_request flow should allow this behavior easily.
IMO, the only thing that needs to be changed is detecting whether we're in a pull request and commenting instead of creating an issue.
When setting fail_action per the documentation I get the following warning.
##[warning]Unexpected input(s) 'fail_action', valid inputs are ['token', 'target', 'rules_file_name', 'docker_name', 'cmd_options', 'issue_title']
Run zaproxy/[email protected]
  with:
    target: http://***.com
    rules_file_name: .github/workflows/zap_rules.conf
    cmd_options: -a
    fail_action: false
    token: ***
    docker_name: owasp/zap2docker-stable
    issue_title: ZAP Scan Baseline Report
  env:
    DEVELOPER_DIR: /Applications/Xcode_11.2.app/Contents/Developer
    JAVA_VERSION: 1.8
    FLUTTER_CHANNEL: stable
    FLUTTER_WEB_CHANNEL: beta
    FLUTTER_VERSION: 1.20.0
    FLUTTER_HOME: /opt/hostedtoolcache/flutter/1.21.0-9.2.pre-beta/x64
and I get the following result:
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 4 WARN-INPROG: 0 INFO: 0 IGNORE: 3 PASS: 52
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
##[error]The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2
Somehow the path has the repo twice, I believe because of actions/runner#2058
Line 14 in f00f834
My action is:
name: OWASP Zap Daily Live Check
on:
  workflow_dispatch:
  schedule:
    # Run once daily, at 03:00 (minute 0, hour 3).
    - cron: '0 3 * * *'
jobs:
  remote-test:
    runs-on: ubuntu-latest
    steps:
      - name: OWASP Zap Baseline Scan
        uses: zaproxy/[email protected]
        with:
          target: ${{ secrets.OWASP_CHECK_URL }}
          rules_file_name: 'owasp-zap-ignore.conf'
Error log:
Error when reading the rules file: /home/runner/work/<repo>/<repo>/owasp-zap-ignore.conf
/usr/bin/touch report_json.json report_md.md report_html.html
/usr/bin/chmod a+w report_json.json report_md.md report_html.html
/usr/bin/docker pull ghcr.io/zaproxy/zaproxy:stable -q
ghcr.io/zaproxy/zaproxy:stable
/usr/bin/docker run -v /home/runner/work/<repo>/<repo>:/zap/wrk/:rw --network=host -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t *** -J report_json.json -w report_md.md -r report_html.html
Set up job, (when running the action above) reports:
Current runner version: '2.315.0'
Operating System
Ubuntu
2.04.4
LTS
Runner Image
Image: ubuntu-22.04
Version: 20240422.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
2.0.
GITHUB_TOKEN Permissions
Actions: write
Attestations: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
Pages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'zaproxy/[email protected]'
Complete job name: remote-test
Describe the bug
I'm running a fairly standard github action with ZAP baseline
I've got 2 OUTOFSCOPE lines to exclude an error:
10202 OUTOFSCOPE https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
10202 OUTOFSCOPE https://master.internal.juriba.com/default.aspx
It looks like it's worked in the logs from gitactions:
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Absence of Anti-CSRF Tokens [10202] ⬅️
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
However in the issues report this comes up as an error
Absence of Anti-CSRF Tokens [10202] total: 2:
https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
https://master.internal.juriba.com/default.aspx
I can use IGNORE to get rid of this error but obviously that is not as good.
Strange that at one point it seemed to work:
Resolved Alerts
Absence of Anti-CSRF Tokens [10202] total: 2:
But now sadly not
To Reproduce
Steps to reproduce the behavior:
Run a zap baseline scan:
zap_scan:
  runs-on: self-hosted
  name: Zap Scan
  steps:
    - name: Checkout
      uses: actions/checkout@v2
      with:
        ref: master
    - name: OWASP ZAP Baseline Scan
      uses: zaproxy/[email protected]
      with:
        target: "https://example.com"
        rules_file_name: ".github/workflows/zap/rules.tsv"
Expected behavior
The Absence of Anti-CSRF Tokens is excluded from the results
Screenshots
If applicable, add screenshots to help explain your problem.
Software versions
Errors from the zap.log file
n/a
Would you like to help fix this issue?
May be a user error as I'm new to this way of running zap
Currently, the action fails if it finds any alerts in the report. This will trigger an email for the failed action. It will be good to make this behavior configurable.
fail_action:
  description: 'Fail or pass the action based on alerts'
  required: false
  default: false
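The fail_action proposal above, the earlier idea of one issue per alert category when the count is below a threshold, and the OUTOFSCOPE report earlier on this page all hinge on the same few text formats: the summary line, the "Name [id] total: n:" blocks in the generated issue, and the tab-separated rules file. This added example (not code from the action or from any poster) parses each of them and applies OUTOFSCOPE rules to the report; one caveat it makes explicit is that zap-baseline.py compiles the third column of an OUTOFSCOPE line as a regular expression matched against the start of the URL, so a literal "?" or "." in a URL has to be escaped. The sample inputs are constructed.

```python
import re
from collections import defaultdict

# Constructed samples in the formats quoted on this page: summary line, issue report, rules file.
SUMMARY = "FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 2 WARN-INPROG: 0 INFO: 0 IGNORE: 3 PASS: 52"
REPORT = """Absence of Anti-CSRF Tokens [10202] total: 2:
https://example.test/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
https://example.test/default.aspx
Timestamp Disclosure - Unix [10096] total: 1:
https://example.test/
"""
# Rules are tab-separated; the third column is a URL regex, so '.' and '?' must be escaped.
RULES = "10202\tOUTOFSCOPE\thttps://example\\.test/default\\.aspx\n"

def parse_summary(line):
    """Turn the baseline summary line into {'FAIL-NEW': 0, 'WARN-NEW': 2, ...}."""
    return {k: int(v) for k, v in re.findall(r"([A-Z-]+): (\d+)", line)}

def should_fail(summary, fail_action):
    """Proposed fail_action semantics: alerts fail the job only when fail_action is true."""
    alerts = sum(summary[k] for k in ("FAIL-NEW", "FAIL-INPROG", "WARN-NEW", "WARN-INPROG"))
    return bool(fail_action) and alerts > 0

def parse_report(text):
    """Group the report's URLs under their 'Name [id] total: n:' heading, keyed by plugin id."""
    cats, current = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"(.+) \[(\d+)\] total: \d+:$", line)
        if m:
            current = m.group(2)
        elif current and line.strip():
            cats[current].append(line.strip())
    return dict(cats)

def load_out_of_scope(rules_text):
    """Collect compiled OUTOFSCOPE patterns per plugin id from a rules file."""
    oos = defaultdict(list)
    for line in rules_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[1] == "OUTOFSCOPE":
            oos[parts[0]].extend(re.compile(u.strip()) for u in parts[2].split("\t"))
    return oos

def apply_out_of_scope(cats, oos):
    """Drop URLs an OUTOFSCOPE pattern for that id matches from the start; drop emptied ids."""
    kept = {pid: [u for u in urls if not any(p.match(u) for p in oos.get(pid, []))]
            for pid, urls in cats.items()}
    return {pid: urls for pid, urls in kept.items() if urls}
```

With the categories left after filtering, the per-category issue idea is just a length check against the threshold before choosing one issue per key or a single combined one.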
Ongoing open issue has been identified #41
Alerts present in the current report: true
Process completed successfully and a new issue #42 has been created for the ZAP Scan.
https://github.com/ironPeakServices/ironpeak.be/runs/578941295?check_suite_focus=true
Hi ZAProxy team,
First off, amazing work on this! It's really slick and I'm loving how simple it is to use.
We currently use GitHub Enterprise on-premise, with runners that are containerized. This presents a problem when trying to do bind mounts for the /zap/wrk directory, as the container can't bind mount its own filesystem to another container. Would it be feasible to allow overriding the -v argument in the docker command that's currently set to ${workspace}/process.env.GITHUB_WORKSPACE?
From:
let workspace = process.env.GITHUB_WORKSPACE;
let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ` +
To:
// Check for a storagesrc variable; if not set, default to process.env.GITHUB_WORKSPACE
// (storagesrcInput stands in for the proposed new action input; its name is not decided here)
let storagesrc = storagesrcInput || process.env.GITHUB_WORKSPACE;
let command = (`docker run -v ${storagesrc}:/zap/wrk/:rw --network="host" ` +
For example, if we could pass the name of a docker volume or our own path, that would resolve this issue. Others may run into this if they are using their own containerized/on-prem environments, so it may be useful in other cases as well.
Currently, the action checks for the latest bot comment to find the latest runner ID.
But users can also use their personal access token to create the issues. Due to this, the action ends up creating new issues per scan, as it cannot find a matching comment by the bot.