ZAP Baseline/Automation Framework with GitActions

Michael Alexander

Jun 14, 2022, 3:54:26 PM6/14/22
to OWASP ZAP User Group
I am fairly new to GitActions and ZAP.

I am having difficulties getting the ZAP Baseline scan with the Automation Framework within GitActions to recognize other configuration files in my repository's .zap folder. I am able to get a general scan to operate (pass/fail); it's only when I try to get more granular control by using directives in either a .tsv file (rules_file_name: '.zap/rules.tsv') or a .yml file that I'm having issues.

As an example, below are snippets of my .github/workflows/build.yml, rules.tsv, and configuration.yml (my environment file for the AF).

I have not been able to find any good examples of using rules_file_name or the configFile on the ZAP site in the context of GitActions. I'm wondering if it is implied that I need to copy these repo files to the runner server in the /zap/wrk folder prior to running the scan?

I have followed the examples found on the Marketplace
https://github.com/marketplace/actions/owasp-zap-baseline-scan
However, I'll get:
Error when reading the rules file: /home/runner/work/pasphp/pasphp/.zap/rules.tsv

Any advice would be of great help.

---------------------

.github/workflows/build.yml  ---

    name: OWASP Baseline Scan
    steps:
      - uses: zaproxy/action-...@v0.7.0
        name: Zap Scan
        with:
          target: 'https://dev.myorgdomain.com/'
          docker_name: "owasp/zap2docker-stable"
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a "-configFile .zap/configuration.yml"'
          fail_action: true

rules.tsv ---

    10015    IGNORE    (Incomplete or No Cache-control and Pragma HTTP Header Set)
    10096    IGNORE  (Timestamp Disclosure - Unix)
    10015    IGNORE  (Re-examine Cache-control Directives)

    etc...

configuration.yml ---

    env:                       # The environment, mandatory
      contexts :               # List of 1 or more contexts, mandatory
        - name: context 1      # Name to be used to refer to this context in other jobs, mandatory
          urls:                # A mandatory list of top level urls, everything under each url will be included
          includePaths:        # An optional list of regexes to include
          excludePaths:        # An optional list of regexes to exclude

          etc...
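As an added example (not code from this thread or from the ZAP project): a pre-flight check for a baseline rules file that can run in a workflow step before the scan, from the repository root. It assumes the repository has been checked out into the workspace that the action mounts into the container as /zap/wrk (so rules_file_name resolves relative to the repository root), and it assumes the rules file format that zap-baseline.py reads: one rule per line, TAB-separated, with a numeric plugin id, an action from PASS, IGNORE, INFO, WARN, FAIL or OUTOFSCOPE, and a free-text comment. The sample files are constructed here for the demonstration.

```shell
#!/bin/sh
# Pre-flight validation of a ZAP baseline rules.tsv before the scan step runs.
# Added example, not code from the thread or from the ZAP project.
# Assumptions (not stated on the page): lines are TAB-separated with at least three
# fields (plugin id, action, comment); comment lines start with '#'; accepted actions
# are PASS, IGNORE, INFO, WARN, FAIL and OUTOFSCOPE.

check_zap_rules() {
  rules="$1"
  # The action resolves rules_file_name relative to the checked-out workspace, so a
  # missing file at this point usually means no checkout step ran before the scan.
  if [ ! -f "$rules" ]; then
    echo "rules file not found: $rules (was the repository checked out first?)" >&2
    return 1
  fi
  awk -F'\t' '
    /^#/ || NF == 0 { next }     # comments and empty lines are skipped by the script
    NF < 3 {
      printf "line %d: expected 3 TAB-separated fields, got %d (spaces instead of tabs?)\n", NR, NF
      bad = 1; next
    }
    $1 !~ /^[0-9]+$/ {
      printf "line %d: plugin id %s is not numeric\n", NR, $1; bad = 1
    }
    $2 !~ /^(PASS|IGNORE|INFO|WARN|FAIL|OUTOFSCOPE)$/ {
      printf "line %d: unknown action %s\n", NR, $2; bad = 1
    }
    END { exit bad }
  ' "$rules"
}

# Constructed sample files (not from the thread) to exercise the check locally.
WORK=$(mktemp -d)
printf '# rule id\taction\tcomment\n10096\tIGNORE\t(Timestamp Disclosure - Unix)\n10015\tIGNORE\t(Re-examine Cache-control Directives)\n' > "$WORK/good.tsv"
printf '10096 IGNORE (separated by spaces, not tabs)\n10015\tSKIP\t(SKIP is not a baseline action)\n' > "$WORK/bad.tsv"

check_zap_rules "$WORK/good.tsv" && echo "good.tsv: ok"
check_zap_rules "$WORK/bad.tsv" || echo "bad.tsv: rejected"
```

In a workflow this would sit as a `run:` step between the checkout step and the ZAP step, invoked as `check_zap_rules .zap/rules.tsv`, so a malformed or missing rules file fails the job with a readable message instead of surfacing as a read error from the action.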

Simon Bennetts

Jun 15, 2022, 3:09:25 AM6/15/22
to OWASP ZAP User Group