
Zap Scan from a Github Workflow


Vern Halen

Feb 14, 2025, 4:40:41 PM
to ZAP User Group
Hello,

I'm trying to incorporate a Zap scan of our site into a Github workflow.  Here is my current code... 

name: OWASP ZAP Scan

on:
  push:
    branches:
      - MYOPS/zap-dev

jobs:
  zap-scan:
    runs-on: ubuntu-latest

    steps:
      # Checkout the code (if necessary, for example, to get app URL for testing)
      # I don't think I need this, but left in just in case.
      - name: Checkout code
        uses: actions/checkout@v3

      # Set up Docker (ZAP will run in a container)
      - name: Set up Docker
        uses: docker/setup-buildx-action@v2

      # Run OWASP ZAP Scan
      - name: Run ZAP Scan
        uses: zaproxy/action-f...@v0.12.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          #docker_name: 'ghcr.io/zaproxy/zaproxy:stable'  # or :nightly?
          docker_name: 'zaproxy/zap-stable'
          target: '${{ env.ZAP_URL }}'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
          artifact_name: 'myserver_zap_scan'
        env:
          ZAP_URL: "https://somesite-private.somesite.com"

And here are my questions. For the docker_name, which do I use from the above (the commented one or the currently active parameter)?

No matter which I use, I see this in the build output...

Error when reading the rules file: /home/runner/work/MyRepo/MyRepo/.zap/rules.tsv

Also, the scan seems really quick as compared to running the scan via the Zap .exe.  How can I be sure the Ajax spider is running?

Any help with folding this into our build process is greatly appreciated!

Vern Halen

Feb 17, 2025, 3:17:52 PM
to zaprox...@googlegroups.com
I should add that the workflow scan is running in the ZAP container shown in the code above on an Ubuntu runner, while I am executing the .exe for comparison from a Windows laptop.


Simon Bennetts

Feb 19, 2025, 11:59:54 AM
to ZAP User Group
Error when reading the rules file: /home/runner/work/MyRepo/MyRepo/.zap/rules.tsv

That seems pretty definitive :)
See https://github.com/zaproxy/zaproxy-website/blob/main/.github/workflows/zap-scan.yml for a working example of how to specify a rules file.

Re stable or nightly - that all depends on whether you value stability vs the latest greatest thing.
The stable release should be, you guessed it, stable :)
The nightly release is built every night from the very latest code. It's relatively stable, but be warned that sometimes things may break.

Cheers,

Simon

Vern Halen

Feb 20, 2025, 10:31:29 AM
to zaprox...@googlegroups.com
Thank you, Simon. I think I tried adding the .tsv to my repo and that error eventually went away. I'm not sure of the contents of that file though. However, making that change did not change the scan results or time. Here are my .tsv contents...
# Name of the rule   | Description                     | URL Pattern                   | Action
"AJAX Spider"        | Enable AJAX Spider scanning     | .*                             | active
"Deep Spider"        | Crawl deep into the site        | .*                             | active
"Force Scan All"     | Force scan all URL types        | .*                             | active
"Aggressive Scan"    | Run aggressive vulnerability checks | .*                           | active
"High Confidence"    | Use high-confidence scan rules | .*                             | active
"Security Risks"     | Scan for all major security risks | .*                            | active
"Passive Scan"       | Enable passive scan             | .*                             | active
"Active Scan"        | Enable active scan              | .*                             | active
"Forced HTTP Methods"| Force HTTP methods checks      | .*                             | active

Simon Bennetts

Feb 20, 2025, 12:24:05 PM
to ZAP User Group
Where did you get that format from?
It's not one we support.

The correct format for the rules_file_name is shown on https://github.com/marketplace/actions/zap-full-scan#rules_file_name

Cheers,

Simon
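The format Simon links to is one rule per line, tab-separated: the scan rule id, an action of IGNORE, WARN or FAIL, and an optional comment. The following is an added example (not from this thread or from the ZAP project) that checks a rules file against that layout before it reaches the action, so a file in the wrong shape is caught locally instead of being silently ignored. The rule ids and comments in the sample are constructed for illustration, not a recommended policy.

```python
# Validator for the zap-full-scan action's rules_file_name input.
# Documented layout (per line): <rule id>\t<IGNORE|WARN|FAIL>\t<optional comment>
# Lines starting with "#" and blank lines are skipped.
import re

ACTIONS = {"IGNORE", "WARN", "FAIL"}


def parse_rules_tsv(text):
    """Return (rules, errors).

    rules  -> list of (rule_id, action, comment) tuples that passed validation
    errors -> human-readable messages with the offending line number
    """
    rules, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) < 2:
            errors.append(f"line {lineno}: expected tab-separated columns, got {raw!r}")
            continue
        rule_id, action = parts[0].strip(), parts[1].strip()
        comment = parts[2].strip() if len(parts) > 2 else ""
        if not re.fullmatch(r"\d+", rule_id):
            errors.append(f"line {lineno}: rule id {rule_id!r} is not numeric")
            continue
        if action not in ACTIONS:
            errors.append(f"line {lineno}: action {action!r} is not IGNORE/WARN/FAIL")
            continue
        if rule_id in seen:
            errors.append(f"line {lineno}: rule id {rule_id} listed more than once")
            continue
        seen.add(rule_id)
        rules.append((int(rule_id), action, comment))
    return rules, errors


# Constructed sample: a header comment, two well-formed lines, then one line
# in the pipe-delimited "name | description | pattern | active" layout that
# appeared earlier in this thread, which the action does not understand.
SAMPLE = (
    "# id\taction\tcomment\n"
    "10021\tIGNORE\t(X-Content-Type-Options Header Missing)\n"
    "10020\tWARN\t(Anti-clickjacking Header)\n"
    '"AJAX Spider"        | Enable AJAX Spider scanning     | .*  | active\n'
)

if __name__ == "__main__":
    parsed, problems = parse_rules_tsv(SAMPLE)
    print("accepted:", parsed)
    print("rejected:", *problems, sep="\n  ")
```

Run it against the real `.zap/rules.tsv` by reading the file into `parse_rules_tsv`; a non-empty error list means the action would not apply the file as intended.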

Vern Halen

Feb 26, 2025, 1:06:15 PM
to zaprox...@googlegroups.com
Ha ha, lots of Googling and ChatGPT. I'll see if I can cobble together a file from the links you provided that will run the most intensive scan.

Vern Halen

Feb 26, 2025, 1:17:12 PM
to zaprox...@googlegroups.com
Not sure if I'm missing a deeper reference to creating a .tsv file but how about this one...

# ZAP Configuration File (TSV Format)
# Each line consists of "key<TAB>value"

# Enable all passive scan rules
pscanrules.enabled true

# Enable all active scan rules
ascanrules.enabled true

# Maximum scan depth (increase for thorough scanning)
spider.maxDepth 10

# Spider maximum children (more URLs, deeper crawling)
spider.maxChildren 500

# Enable AJAX Spider (for dynamic content)
spider.ajax true

# Enable experimental scanning rules
ascanrules.experimental true

# Perform scanning in a recursive manner
spider.recurse true

# Allow ZAP to attack both HTTP and HTTPS targets
connection.allowUnsafeSslRenegotiation true

# Set the scan policy to high strength for all tests
ascan.policy strength-high

# Enable all scanning categories
ascan.categories XSS, SQLInjection, RemoteFileInclude, PathTraversal, ServerSideInclude, BufferOverflow, InformationDisclosure, ServerSecurityMisconfiguration, CrossOriginResourceSharing, InsecureDeserialization, ApplicationLogic

# Maximum scan duration (in seconds, 0 for unlimited)
ascan.maxDuration 0

# Enable forced browsing (for hidden directories)
forcedBrowse.enabled true

# Set scan threads to maximum for performance
ascan.threads 10
spider.threads 10

# Enable passive scan during spidering
spider.passiveScan true

# Set alert threshold to low (report all issues)
alert.threshold low


Also, how does using a .tsv file differ from using the cmd_options in the GitHub action? The cmd_options I am currently passing... cmd_options: '-a -j -l INFO -d'

Simon Bennetts

Mar 3, 2025, 7:49:17 AM
to ZAP User Group
Er ... no :P
It looks like you want to have a relatively fine grained control over your scan.
In which case I recommend you use the Automation Framework: https://www.zaproxy.org/docs/automate/automation-framework/

Cheers,

Simon

Vern Halen

Mar 4, 2025, 10:55:55 AM
to zaprox...@googlegroups.com
I don't know that I would say I want something fine grained.  I'm sort of cobbling together an interim scan from a Github workflow until our larger security framework is hashed out.
I'm just wondering why zaproxy/action-f...@v0.12.0 doesn't seem to be working.  Is the use of that completely different from implementing the Automation Framework?
I'm also wondering if the AF will provide different results through the Github workflow.

I did have a realization about this while thinking about it. To run the scan against our site, I need OpenVPN. I'm guessing the differences in my results from the GitHub Workflow are due to the fact that OpenVPN may need to be configured and running on the Windows VM/GitHub runner.

psiinon

Mar 4, 2025, 11:25:33 AM
to zaprox...@googlegroups.com
That is likely to make a big difference :)

The reason I said you might need a more fine-grained option is because it looks like you are trying to set things like the number of spider and active scan threads.
You _can_ do that via the ZAP "-config" option, but there's no error checking - if you make a mistake (or the LLM you are using does ;) then you'll probably never know.
If you use the Automation Framework then you'll see that it's much better documented, and if you mistype a config option then there's a much better chance of you getting a warning about it.



--
ZAP Project leader