magmanu / zaproxy-to-ghas

This project forked from svanboxel/zaproxy-to-ghas


License: MIT License

JavaScript 3.31% TypeScript 96.69%

zaproxy-to-ghas's Introduction

Present ZAProxy results in GitHub Advanced Security

Use this GitHub Action together with GitHub Advanced Security to run a ZAProxy (DAST) scan on your application, and present the results in the GitHub Advanced Security UI.

This Action builds on the official zaproxy/action-baseline Action, which supports options such as custom rule sets and the target URL.

Background

GitHub Advanced Security uses the SARIF (Static Analysis Results Interchange Format) format to present code scanning results from a wide range of static analysis tools. DAST scans are not static: their findings cannot be mapped to individual lines in the source, only to a specific URL or endpoint of the running application.

This Action maps the DAST results of ZAProxy to SARIF on a best-effort basis, so that developers get the DAST information they need to make informed decisions about the security risks in an application.
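The mapping described above, as an added example that is not the project's own code: a minimal TypeScript converter from ZAP's JSON report to SARIF 2.1.0. The ZAP report shape used here (site[] with alerts[] with instances[]), the `zap-<pluginid>` rule IDs, the risk-to-level table and the choice to put the scanned URL in `artifactLocation.uri` are assumptions of this example, not a description of how the Action itself does it.

```typescript
// Added example, not the zaproxy-to-ghas project's code. Maps a ZAP JSON report to SARIF 2.1.0.
// Assumptions: input follows ZAP's "traditional JSON" report shape (site[] -> alerts[] -> instances[]);
// each ZAP plugin becomes one SARIF rule; each alert instance becomes one result whose only
// location is the scanned URL, because a DAST finding has no source file or line to point at.

interface ZapInstance { uri: string; method: string; param?: string; evidence?: string }
interface ZapAlert {
  pluginid: string; alert: string; riskcode: string; desc?: string; solution?: string;
  cweid?: string; instances: ZapInstance[];
}
interface ZapReport { site: { "@name": string; alerts: ZapAlert[] }[] }

type SarifLevel = "error" | "warning" | "note";

// ZAP riskcode: 3 High, 2 Medium, 1 Low, 0 Informational. Anything unexpected degrades to
// "note" instead of being dropped, so a malformed alert still reaches the Security tab.
export function riskToLevel(riskcode: string): SarifLevel {
  switch (riskcode) {
    case "3": return "error";
    case "2": return "warning";
    default: return "note";
  }
}

// ZAP wraps descriptions and solutions in HTML; SARIF message text is plain text.
export function stripHtml(html: string | undefined): string {
  return (html ?? "").replace(/<[^>]+>/g, " ").replace(/\s+/g, " ").trim();
}

export function zapToSarif(report: ZapReport, zapVersion: string): Record<string, unknown> {
  const rules = new Map<string, Record<string, unknown>>();
  const results: Record<string, unknown>[] = [];

  for (const site of report.site) {
    for (const alert of site.alerts) {
      const ruleId = `zap-${alert.pluginid}`;
      if (!rules.has(ruleId)) {
        rules.set(ruleId, {
          id: ruleId,
          name: alert.alert,
          shortDescription: { text: alert.alert },
          fullDescription: { text: stripHtml(alert.desc) },
          help: { text: stripHtml(alert.solution) },
          // CWE tags let the Code Scanning UI group ZAP findings with other tools' results.
          properties: { tags: alert.cweid ? [`external/cwe/cwe-${alert.cweid}`] : [] },
        });
      }
      for (const inst of alert.instances) {
        const where = inst.param
          ? `${inst.method} ${inst.uri} (param: ${inst.param})`
          : `${inst.method} ${inst.uri}`;
        results.push({
          ruleId,
          level: riskToLevel(alert.riskcode),
          message: { text: `${alert.alert} at ${where} [site: ${site["@name"]}]` },
          // A URL is the most specific location a DAST scanner can give; there is no file or line.
          locations: [{ physicalLocation: { artifactLocation: { uri: inst.uri } } }],
        });
      }
    }
  }

  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "OWASP ZAP", version: zapVersion, rules: Array.from(rules.values()) } },
      results,
    }],
  };
}

// Constructed sample in the shape of a ZAP JSON report (not real scan output).
export const sampleReport: ZapReport = {
  site: [{
    "@name": "https://app.example.test",
    alerts: [
      {
        pluginid: "10038", alert: "Content Security Policy (CSP) Header Not Set", riskcode: "2",
        desc: "<p>Content Security Policy (CSP) is an added layer of security.</p>",
        solution: "<p>Ensure that your web server sets the Content-Security-Policy header.</p>",
        cweid: "693",
        instances: [
          { uri: "https://app.example.test/", method: "GET" },
          { uri: "https://app.example.test/login", method: "GET" },
        ],
      },
      {
        pluginid: "10021", alert: "X-Content-Type-Options Header Missing", riskcode: "1",
        desc: "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set.</p>",
        solution: "<p>Set X-Content-Type-Options: nosniff.</p>", cweid: "693",
        instances: [{ uri: "https://app.example.test/static/app.js", method: "GET" }],
      },
    ],
  }],
};

// Tally a workflow step could log before uploading: rule count, result count, and how many
// results would show as "error" in the Security tab.
export function summarize(sarif: Record<string, unknown>): { rules: number; results: number; errors: number } {
  const run = (sarif.runs as any[])[0];
  const results = run.results as { level: SarifLevel }[];
  return {
    rules: run.tool.driver.rules.length,
    results: results.length,
    errors: results.filter((r) => r.level === "error").length,
  };
}

console.log(JSON.stringify(summarize(zapToSarif(sampleReport, "2.10.0"))));
```

Every result carries a location because Code Scanning displays an alert at the location in the result; wrapping the URL as an artifact location is one way to satisfy that for a finding that has no file. Rule IDs are keyed on the ZAP plugin ID rather than the alert title, so two alerts with the same title but different plugins do not collapse into one rule.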

What it looks like

After the scan completes, all results are presented in the Security -> Code Scanning Alerts tab, which allows users to filter for specific security tools, rules, and branches:

[Screenshot: Code Scanning Alerts tab with tool, rule and branch filters]

All results that fall under the same rule are captured within a single overview:

[Screenshot: all results for one rule shown in a single overview]

💡 Code previews are not available, as a DAST scan cannot map a result to a specific file in the repository.

Getting started

Required permissions

To use this Action the workflow (or job) needs the following GITHUB_TOKEN permissions, using the key names GitHub Actions accepts:

permissions:
  security-events: write # upload SARIF to code scanning
  contents: read         # check out the repository
  actions: read          # needed by upload-sarif on private repositories

Use with (public-facing) URLs

The easiest way to get started is to run the scan against a URL that is publicly reachable or, if you use self-hosted Action runners, reachable from the runner's network. Only scan applications you own or are authorized to test; even the ZAP baseline scan generates a noticeable amount of traffic against the target.

Example workflow:

name: ZAProxy scan

on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.6.1
        with:
          target: 'https://www.zaproxy.org' # Target URL for the scan
      - name: Create sarif file from zaproxy results
        uses: SvanBoxel/zaproxy-to-ghas@main # Prefer a release tag or commit SHA over a moving branch
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif

When running this workflow the following happens:

  • First, the code is checked out.
  • Then, it runs the ZAProxy scan on a defined target url.
  • After the scan completes, it runs this Action to map the ZAProxy results to SARIF.
  • Finally, it uploads the results to GitHub.

Results can be manually inspected by downloading the zap_scan artifact that contains the original scan results, and ZAProxy-sarif-report which contains the SARIF output of the scan.

[Screenshot: zap_scan and ZAProxy-sarif-report workflow artifacts]

Use with containers

If your application is packaged as a container, you have another option for deploying and scanning it with DAST. After you push the image to a container registry, you can run it as a service container inside the workflow and scan it over the runner's loopback interface, so the application never has to be exposed to the internet for the scan.

Example workflow:

name: ZAProxy scan

on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  build-image:
    ## Build your image here
  publish-image:
    ## Publish your image to a container registry here
  dast-scan:
    services:
      website:
        image: yeasy/simple-web # Point to the container image of your application
        ports:
          - 80:80
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.6.1
        with:
          target: 'http://localhost' # The service container is mapped to port 80 on the runner
      - name: Create sarif file from zaproxy results
        uses: SvanBoxel/zaproxy-to-ghas@main # Prefer a release tag or commit SHA over a moving branch
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif

Use with Pull Requests

This Action lets you run the scan as part of a pull request in the developer workflow. There are a couple of ways to do this. The easiest is to add the pull_request event to your workflow:

name: ZAProxy scan

on:
  push:
    branches: [ main ]
  pull_request: # Run on every pull request that targets the main branch
    branches: [ main ]
  workflow_dispatch:

jobs:
  # See examples in `Use with public-facing URLs` and `Use with containers`

After the scan completes, all results will be visible in the Checks tab of the scanned pull request:

[Screenshot: scan results in the Checks tab of a pull request]

💡 Alternatively you can hook into other GitHub events to trigger a scan. Only want to run the DAST scan when a specific label is added? Trigger on the pull_request event with `types: [labeled]` and gate the job with an `if:` condition on `github.event.label.name`.

Development

Contributions are always welcome. Please follow the steps below to get started.

Install the dependencies

$ npm install

Build the typescript and package it for distribution

$ npm run build && npm run package

Push the changes to your feature branch and wait for the tests to pass ✔️

Publish to a distribution branch

Actions are run directly from GitHub repos, so the packed dist folder is checked in.

Then run ncc and push the results:

$ npm run package
$ git add dist
$ git commit -a -m "prod dependencies"

The action is now updated! 🚀

Contributors

svanboxel, magmanu, dependabot[bot], midwestkc-coder, tellierd
