Pass SSL certificate with ZAP


Ben Reger

Oct 28, 2025, 11:24:42 AM
to ZAP User Group
Hey together,

The application I want to scan via ZAP needs an SSL certificate. I use ZAP in a Docker container which I start via a GitHub workflow. Do you know any way to pass an SSL certificate?

Kind regards,
Ben

Ben R

Oct 29, 2025, 10:11:18 AM
to ZAP User Group
I have a small addition. This is part of my GitHub workflow where I want to use ZAP. However, I'm not sure if I've implemented the certificate transfer correctly. The certificate and passphrase are stored as secrets in GitHub.

      # ── ZAP Baseline
      - name: ZAP Baseline Scan
        if: ${{ inputs.scan_type == 'baseline' }}
        uses: zaproxy/action-...@v0.14.0
        with:
          docker_name: ${{ env.DOCKER_IMAGE }}
          target: ${{ inputs.target }}
          cmd_options: >
            ${{ env.CMD_OPTIONS_BASE }}
            ${{ inputs.use_client_cert != 'false' && format(
              '-z "-config certificate.use=true -config certificate.pkcs12.path={0} -config certificate.pkcs12.password={1} -config certificate.persist=false"',
              steps.cert.outputs.cert_cont_path,
              secrets.ZAP_CLIENT_CERT_PASS
            ) || '' }}

James L

Oct 31, 2025, 11:58:31 AM
to ZAP User Group

Hey Ben,

You might want to try using the -configfile option instead of passing the cert through cmd_options. I use it to point ZAP to a small config file (for example zap.conf) that contains lines like:

      certificate.use=true
      certificate.pkcs12.path=/zap/wrk/client.p12
      certificate.pkcs12.password=changeme

That way ZAP loads all your settings at startup, and you don’t have to deal with long quoted -config strings in the workflow. It’s worked well for me in CI setups like GitHub Actions.

Cheers,
James
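
Added example (not part of James's post and not ZAP project code): one way a workflow step could build the config file described above from CI secrets, so the passphrase stays out of `cmd_options` and the process list. The environment variable names, the base64 encoding of the certificate secret, and the Java-properties escaping are assumptions; the `certificate.*` keys and the `/zap/wrk` path are the ones used in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Names marked "assumed" are
# illustrative: adapt them to the workflow's own secrets and paths.

# write_zap_client_cert_config WORKDIR [CONTAINER_DIR]
#   Inputs (assumed environment variable names):
#     ZAP_CLIENT_CERT_B64   base64-encoded PKCS#12 bundle
#     ZAP_CLIENT_CERT_PASS  passphrase for that bundle
#   Writes WORKDIR/client.p12 and WORKDIR/zap.conf for use with -configfile.
#   The body runs in a subshell, so umask and variables do not leak out.
write_zap_client_cert_config() (
  workdir=${1:?usage: write_zap_client_cert_config WORKDIR [CONTAINER_DIR]}
  container_dir=${2:-/zap/wrk}   # where WORKDIR is mounted inside the container
  pass=${ZAP_CLIENT_CERT_PASS-}
  nl='
'
  [ -n "${ZAP_CLIENT_CERT_B64-}" ] || { echo "ZAP_CLIENT_CERT_B64 is empty" >&2; exit 1; }
  [ -n "$pass" ] || { echo "ZAP_CLIENT_CERT_PASS is empty" >&2; exit 1; }
  # One key=value pair per line: a passphrase with a newline cannot be stored.
  case $pass in *"$nl"*) echo "passphrase contains a newline" >&2; exit 1 ;; esac

  # Owner-only files; the user inside the container must still be able to read them.
  umask 077
  rm -f "$workdir/client.p12" "$workdir/zap.conf"   # umask only affects new files
  printf '%s' "$ZAP_CLIENT_CERT_B64" | base64 -d > "$workdir/client.p12" || {
    echo "certificate secret is not valid base64" >&2
    rm -f "$workdir/client.p12"; exit 1; }

  # Assumption: the file is parsed as a Java properties file, where a
  # backslash starts an escape sequence, so each backslash is doubled.
  esc_pass=$(printf '%s\n' "$pass" | sed 's/\\/\\\\/g')
  {
    printf 'certificate.use=true\n'
    printf 'certificate.pkcs12.path=%s/client.p12\n' "$container_dir"
    printf 'certificate.pkcs12.password=%s\n' "$esc_pass"
  } > "$workdir/zap.conf"
)
```

With both files written into the directory mounted at `/zap/wrk`, the workflow only has to pass the fixed option `-configfile /zap/wrk/zap.conf`, which contains no secret.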

Simon Bennetts

Nov 3, 2025, 6:28:28 AM
to ZAP User Group

This allows you to specify the config options directly in the plan.
You can test it with the ZAP Desktop, that way you should be able to work out if the settings are doing what you need.

Cheers,

Simon