Running ZAP API SCAN as a github action using servers with paths in OPENAPI specification

Christoffer Nielsen

Dec 18, 2024, 3:24:44 AM
to ZAP User Group
Hi,

I'm experiencing issues when trying to run the ZAP API SCAN github action with an OPENAPI specification containing servers with urls containing paths.

The server urls look something like this (some content removed since it's company specific):

servers:
  - url: https://api-garden-dev.company.com/company/team/service
    description: Dev server
  - url: https://api-garden-stage.company.com/company/team/service
    description: Stage server
  - url: https://api-garden.company.com/company/team/service
    description: Production Server


I'm also running the github action with a context because I only want to run the ZAP API SCAN against one environment for now. It looks like this:

- name: Start ZAP API Scan
  uses: github-organization/action-api-scan@9c5fc1684752c5b4877df896051ae4fe395cb049
  with:
    target: "openapi.yaml"
    format: openapi
    allow_issue_writing: false
    #token: ${{ secrets.GITHUB_TOKEN }} # This is only needed if issues are to be created.
    cmd_options: '-d -n zap.context'

And the context essentially contains include and exclude regexps to limit what urls that it should run against, like this:


So what I'm expecting to happen is that the ZAP API SCAN should run against https://api-garden-dev.company.com/company/team/service and all subsequent paths and nothing else. But it seems like the target is actually https://api-garden-dev.company.com based on the github action logs.

And because of this I seem to get the following error:

[ZAP-IO-Server-1-1] WARN org.zaproxy.zap.extension.api.API - Bad request to API endpoint [/JSON/ascan/action/scan/] from [127.0.0.1]:
330 org.zaproxy.zap.extension.api.ApiException: URL_NOT_IN_CONTEXT (url)

If I change the include regexp to <incregexes>https://api-garden-dev.company.com.*</incregexes> then it starts to work, but then it will also scan a lot of unwanted urls. What am I doing wrong? Any help is much appreciated.

Thanks in advance!

Best regards,
Christoffer

Simon Bennetts

Dec 19, 2024, 12:16:26 PM
to ZAP User Group
Hiya,

The packaged scans are a bit restrictive. If you have simple use cases then they work fine, but if you need to do more complicated things then they struggle.
For your case I'd use the Automation Framework (AF) GitHub action: https://github.com/marketplace/actions/zap-automation-framework-scan
This will give you much more flexibility.
It looks a bit complicated but that's mostly due to the inline scripts.

Cheers,

Simon
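As an added example (not code from either post), here is what an Automation Framework plan for Christoffer's case could look like: the context includes only the dev server's base path, and the openapi job overrides the server URL with that same base path so the imported endpoints land inside the context. The hostnames and paths are the ones quoted in the thread; the context name, the plan file name (zap.yaml, which would be handed to the AF action as its plan input) and the report settings are assumptions.

```yaml
# zap.yaml - Automation Framework plan (added example, not from the thread).
env:
  contexts:
    - name: "service-dev"            # assumed name
      # The first URL is the context's base; keep the full base path here,
      # not just the hostname.
      urls:
        - "https://api-garden-dev.company.com/company/team/service"
      # Only this server's base path and everything beneath it is in scope.
      includePaths:
        - 'https://api-garden-dev\.company\.com/company/team/service.*'
      excludePaths: []
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true

jobs:
  # Import the spec, but override the server URL so every operation is
  # resolved under the dev base path rather than the bare hostname.
  - type: openapi
    parameters:
      apiFile: "openapi.yaml"
      targetUrl: "https://api-garden-dev.company.com/company/team/service"
      context: "service-dev"

  # Active scan restricted to the context: URLs outside the include regex
  # (the stage and production servers) are never scanned.
  - type: activeScan
    parameters:
      context: "service-dev"
      maxRuleDurationInMins: 5
      maxScanDurationInMins: 30

  - type: report
    parameters:
      template: "traditional-html"
      reportDir: "/zap/wrk"
      reportFile: "zap-api-report"
      reportTitle: "ZAP API scan (dev)"
```

The regex metacharacter dots are escaped in includePaths so that the pattern matches only the intended host; the original <incregexes> value in the question used unescaped dots.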