Rate limits in baseline scan GitHub action


Alexander García Fernández

Nov 16, 2023, 5:40:44 AM
to ZAP User Group
Hi all!!
I'm trying to configure the baseline scan GitHub action, but I don't see any option to rate limit the requests.

The web application that I'm trying to scan has some rate limits configured. When I did some tests with the ZAP desktop application, I saw the web application start to reject requests due to the rate limits. I used the Network -> Rate Limit option to solve this problem and scan the entire web application.

But now I want to do the same with the baseline scan GitHub action, and I don't see any option to configure rate limits. Am I missing something? Is there an option to configure the rate limits?

Thank you,
Best regards

Alexander García Fernández

Nov 22, 2023, 10:43:24 AM
to ZAP User Group
Has no one implemented rate limits on the GitHub action for the baseline scan?

Simon Bennetts

Nov 22, 2023, 10:45:47 AM
to ZAP User Group

Alexander García Fernández

Dec 15, 2023, 6:58:26 AM
to ZAP User Group
Thanks Simon for the help.

It seems that the baseline scan action doesn't accept the -configfile option. I am getting the following error:
[screenshot of the error, not reproduced here]
The command that I'm using is the following:
cmd_options: '-n infrastructure/security/zap/context-file.context -configfile infrastructure/security/zap/configfile'

It looks like it is not using my configfile.

Any thoughts?

Thank you,
Best regards

Simon Bennetts

Dec 19, 2023, 7:37:53 AM
to ZAP User Group
It's difficult to tell without knowing the full options you are specifying to ZAP.
The baseline scan expects a /zap/wrk/ directory to be mounted if you supply command line args, and will look in there first for those files.
Can you mount a directory with your config files to /zap/wrk ?
If so then just specify the filenames rather than adding any paths.

Cheers,

Simon

Alexander García Fernández

Dec 20, 2023, 7:38:12 AM
to ZAP User Group
Hi,
I solved the problem by sending the parameters in the cmd_options in the workflow, without a config file:

cmd_options:
'-j -U "username" -n infrastructure/security/zap/context.context -z "-config ratelimit.rules.rule.description=example.com \
-config ratelimit.rules.rule.enabled=true \
-config ratelimit.rules.rule.matchStr=example.com \
-config ratelimit.rules.rule.regex=false \
-config ratelimit.rules.rule.reqsPerSec=3 \
-config ratelimit.rules.rule.groupBy=HOST \
-config scanner.hostPerScan=1 \
-config scanner.threadPerHost=1 \
-config scanner.delayInMs=0 \
-config scanner.maxResults=1000"'

Thanks for your help
Regards
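For reference, the same rate-limit options placed in a complete workflow file (an added example, not from this thread or the ZAP project; the target URL, username, action version and context file path are placeholders to replace). A folded block scalar joins the lines with single spaces, so the backslash continuations inside the quoted string are not needed, and the context file is picked up from the checked-out repository, which is what the action exposes to ZAP as /zap/wrk.

```yaml
# Added example, not from the thread: a GitHub Actions job running the ZAP
# baseline scan against a host that enforces a request rate limit.
name: zap-baseline
on:
  schedule:
    - cron: '0 3 * * 1'   # weekly; adjust to taste
  workflow_dispatch:

jobs:
  baseline:
    runs-on: ubuntu-latest
    steps:
      # The checkout is what the action mounts for ZAP as /zap/wrk, so the
      # context file path below is relative to the repository root.
      - uses: actions/checkout@v4
      - name: ZAP baseline scan with a per-host request limit
        uses: zaproxy/action-baseline@v0.9.0   # placeholder; pin the release you use
        with:
          target: 'https://example.com'        # placeholder target
          # ">-" folds these lines into one space-separated string, so no
          # backslash line continuations are needed inside the -z quotes.
          cmd_options: >-
            -j -U "username" -n infrastructure/security/zap/context.context
            -z "-config ratelimit.rules.rule.description=example.com
            -config ratelimit.rules.rule.enabled=true
            -config ratelimit.rules.rule.matchStr=example.com
            -config ratelimit.rules.rule.regex=false
            -config ratelimit.rules.rule.reqsPerSec=3
            -config ratelimit.rules.rule.groupBy=HOST
            -config scanner.hostPerScan=1
            -config scanner.threadPerHost=1
            -config scanner.delayInMs=0
            -config scanner.maxResults=1000"
```

Keep every line of the folded scalar at the same indentation: YAML preserves the line breaks of more-indented lines, which would put literal newlines inside the -z argument.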