Use this GitHub Action together with GitHub Advanced Security to run a ZAProxy (DAST) scan against your application and present the results in the GitHub Advanced Security UI.
This Action leverages the official zaproxy/action-baseline Action, which supports options such as custom rule sets and the target URL.
GitHub Advanced Security uses the SARIF (Static Analysis Results Interchange Format) format to present code scanning results from a wide range of static analysis tools. Because DAST scans are not static, their findings cannot be mapped directly to individual lines in the original source file, only to a specific URL or endpoint of the application.
This Action maps the DAST results of ZAProxy to SARIF on a best-effort basis so that developers get the DAST-related information they need to make informed decisions about the security risks in an application.
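To make the mapping concrete, here is an added example (not this project's own code) of how ZAP alerts become SARIF rules and results: one rule per ZAP plugin id, one result per instance, with the scanned URL standing in for the file location. The ZAP report shape is assumed from ZAP's traditional JSON report, and the sample report is constructed, not real scan output.

```typescript
// Added example, not the project's own code: a minimal ZAP JSON -> SARIF mapper.
// The ZAP report shape is assumed from ZAP's traditional JSON report format.
type ZapInstance = { uri: string; method: string; param?: string };
type ZapAlert = { pluginid: string; alert: string; riskcode: string; desc: string;
                  solution: string; cweid?: string; instances: ZapInstance[] };
type ZapReport = { site: { "@name": string; alerts: ZapAlert[] }[] };

// ZAP risk code (0 informational .. 3 high) to SARIF result level
const RISK_LEVEL: Record<string, string> = { "3": "error", "2": "warning", "1": "note", "0": "note" };

export function zapToSarif(report: ZapReport) {
  const rules: any[] = [];
  const results: any[] = [];
  const ruleIndex: Record<string, number> = {};
  for (const site of report.site) {
    for (const alert of site.alerts) {
      // One SARIF rule per ZAP plugin id; the CWE goes into the tags code scanning reads
      if (ruleIndex[alert.pluginid] === undefined) {
        ruleIndex[alert.pluginid] = rules.length;
        const tags = ["security"];
        if (alert.cweid && alert.cweid !== "-1") tags.push("external/cwe/cwe-" + alert.cweid);
        rules.push({ id: alert.pluginid, name: alert.alert,
          shortDescription: { text: alert.alert }, fullDescription: { text: alert.desc },
          help: { text: alert.solution }, properties: { tags } });
      }
      // One SARIF result per instance; with no source file, the URL is the location
      for (const inst of alert.instances) {
        const where = inst.method + " " + inst.uri + (inst.param ? " (param: " + inst.param + ")" : "");
        results.push({ ruleId: alert.pluginid, ruleIndex: ruleIndex[alert.pluginid],
          level: RISK_LEVEL[alert.riskcode] || "note",
          message: { text: alert.alert + " at " + where },
          locations: [{ physicalLocation: { artifactLocation: { uri: inst.uri } } }] });
      }
    }
  }
  return { version: "2.1.0", $schema: "https://json.schemastore.org/sarif-2.1.0.json",
           runs: [{ tool: { driver: { name: "ZAProxy", rules } }, results }] };
}

// Constructed sample report (not real scan output) for a scan of a local service
export const SAMPLE_REPORT: ZapReport = { site: [{ "@name": "http://localhost", alerts: [
  { pluginid: "10038", alert: "Content Security Policy (CSP) Header Not Set", riskcode: "2",
    desc: "No CSP header was set.", solution: "Configure a CSP header.", cweid: "693",
    instances: [{ uri: "http://localhost/", method: "GET" }, { uri: "http://localhost/login", method: "GET" }] },
  { pluginid: "40012", alert: "Cross Site Scripting (Reflected)", riskcode: "3",
    desc: "Input is reflected unencoded.", solution: "Encode output.", cweid: "79",
    instances: [{ uri: "http://localhost/search?q=x", method: "GET", param: "q" }] } ] }] };
```

Because the artifact location is a URL rather than a path in the repository, code scanning can list and group such results but cannot show a source preview for them.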
After the scan completes, all results are presented in the Security -> Code Scanning Alerts tab, which allows users to filter for specific security tools, rules, and branches:
All results that fall under the same rule are captured within a single overview:
💡 Previews are not available because DAST scans can't map a scan result to a specific file in the repository.
To use this Action you need the following permissions:

```yaml
permissions:
  security-events: write   # required to upload SARIF to code scanning
  contents: read
  actions: read
```
The easiest way to get started is to run the scan against a URL that is publicly available or, if you use self-hosted Action runners, one that is reachable from the network of your runner.
Example workflow:

```yaml
name: ZAProxy scan
on:
  push:
    branches: [ main ]
  workflow_dispatch:
jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<version>   # pin to a release tag
      - name: ZAP Scan
        uses: zaproxy/action-baseline@<version>   # pin to a release tag
        with:
          target: 'https://www.zaproxy.org' # Target URL for the scan
      - name: Create sarif file from zaproxy results
        uses: SvanBoxel/zaproxy-to-ghas@main
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```
When running this workflow the following happens:
- First, the code is checked out.
- Then, it runs the ZAProxy scan on the defined target URL.
- After the scan completes, it runs this Action to map the ZAProxy results to SARIF.
- Finally, it uploads the results to GitHub.
Results can be manually inspected by downloading the zap_scan artifact, which contains the original scan results, and the ZAProxy-sarif-report artifact, which contains the SARIF output of the scan.
If your application is packaged as a container, you have another option for deploying and scanning with DAST. After you publish your Docker image to a container registry, you can use the image as a service in the context of your workflow.
Example workflow:

```yaml
name: ZAProxy scan
on:
  push:
    branches: [ main ]
  workflow_dispatch:
jobs:
  build-image:
    ## Build your image here
  publish-image:
    ## Publish your image to a container registry here
  dast-scan:
    services:
      website:
        image: yeasy/simple-web # Point to the container image of your application
        ports:
          - 80:80
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<version>   # pin to a release tag
      - name: ZAP Scan
        uses: zaproxy/action-baseline@<version>   # pin to a release tag
        with:
          target: 'http://localhost' # Runs within the context of your workflow
      - name: Create sarif file from zaproxy results
        uses: SvanBoxel/zaproxy-to-ghas@main
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```
This Action lets you run the scan as part of a pull request in the developer workflow. There are a couple of ways to do this; the easiest is to add the pull_request event to your workflow:
```yaml
name: ZAProxy scan
on:
  push:
    branches: [ main ]
  pull_request: # Run on every pull request that targets the main branch
    branches: [ main ]
  workflow_dispatch:
jobs:
  # See examples in `Use with public-facing URLs` and `Use with containers`
```
After the scan completes, all results will be visible in the Checks tab of the scanned pull request:
💡 Alternatively, you can hook into other GitHub events to trigger a scan. Only want to run the DAST scan when a specific label is added? Use the label event.
Contributions are always welcome. Please follow the steps below to get started.

Install the dependencies:

```shell
$ npm install
```

Build the TypeScript and package it for distribution:

```shell
$ npm run build && npm run package
```

Push the changes to your feature branch and wait for the tests to pass ✔️

Actions are run from GitHub repos, so we check in the packed dist folder. Then run ncc and push the results:

```shell
$ npm run package
$ git add dist
$ git commit -a -m "prod dependencies"
```

The action is now updated! 🎉