zaproxy / action-baseline

A GitHub Action for running the ZAP Baseline scan

License: Apache License 2.0

JavaScript 100.00%
security github-actions devsecops actions dast

Action Baseline

A GitHub Action for running the ZAP Baseline scan to find vulnerabilities in your web application.

The ZAP baseline action scans a target URL for vulnerabilities and maintains an issue in the GitHub repository for the identified alerts. Read the following blog post for additional information.

Inputs

target

Required The URL of the web application to be scanned. This can be either a publicly available web application or a locally accessible URL.

docker_name

Optional The name of the Docker image to run. By default the action runs the stable version of ZAP, but you can set this parameter to use the weekly builds instead.

rules_file_name

Optional A relative path to a rules file that tells the scan which alerts to ignore. Create the rules file inside the repository being scanned; the following is a sample rules file. Make sure to check out the repository (actions/checkout@v2) so that the rules file is available to the scan action.

10011	IGNORE	(Cookie Without Secure Flag)
10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)

cmd_options

Optional Additional command-line options for the baseline script.

allow_issue_writing

Optional By default the baseline action files the report to a GitHub issue using the issue_title input. Set this to false if you don't want the issue to be created or updated.

issue_title

Optional The title of the GitHub issue to be created.

token

Optional The ZAP action uses the default action token provided by GitHub to create and update the issue for the baseline scan, so you do not have to create a dedicated token. Make sure to pass GitHub's default action token (secrets.GITHUB_TOKEN) when running the action.

fail_action

Optional By default the ZAP Docker container exits with a non-zero exit code if it identifies any alerts. Set this option to true if you want the status of the GitHub scan step to fail when ZAP identifies any alerts during the scan.

artifact_name

Optional By default the baseline action will attach the report to the build with the name zap_scan. Set this to a different string to name it something else. Consult GitHub's documentation for which artifact names are allowed.
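To make the rules file and fail_action semantics concrete, here is an added example (not the action's own code, which lives in its JavaScript sources) that applies a rules file in the TSV format shown above to a ZAP JSON report and derives the outcome the step reacts to. It assumes the baseline conventions that IGNORE/WARN/FAIL override the default WARN per rule id and that OUTOFSCOPE carries a URL regex, and the sample report below is constructed in the shape of the -J JSON report.

```javascript
// Constructed rules file in the baseline TSV format: <rule id>\t<action>\t<comment or regex>.
const RULES_TSV = [
  '10011\tIGNORE\t(Cookie Without Secure Flag)',
  '10015\tIGNORE\t(Incomplete or No Cache-control and Pragma HTTP Header Set)',
  '10202\tOUTOFSCOPE\thttps://example.test/login.*',
  '40012\tFAIL\t(Cross Site Scripting (Reflected))',
  '# comment lines and blank lines are skipped',
  '',
].join('\n');

// Constructed sample report (assumed shape of the JSON report written with -J).
const REPORT = {
  site: [{ '@name': 'https://example.test', alerts: [
    { pluginid: '10011', name: 'Cookie Without Secure Flag',
      instances: [{ uri: 'https://example.test/', method: 'GET' }] },
    { pluginid: '10202', name: 'Absence of Anti-CSRF Tokens',
      instances: [{ uri: 'https://example.test/login', method: 'GET' },
                  { uri: 'https://example.test/login?next=%2F', method: 'GET' }] },
    { pluginid: '10038', name: 'Content Security Policy (CSP) Header Not Set',
      instances: [{ uri: 'https://example.test/', method: 'GET' }] },
    { pluginid: '40012', name: 'Cross Site Scripting (Reflected)',
      instances: [{ uri: 'https://example.test/search?q=x', method: 'GET' }] },
  ]}],
};

// Parse the rules file into per-rule actions and per-rule out-of-scope URL regexes.
function parseRules(tsv) {
  const actions = {}, outOfScope = {};
  for (const raw of tsv.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [id, action, rest = ''] = line.split('\t');
    if (action === 'OUTOFSCOPE') {
      (outOfScope[id] = outOfScope[id] || []).push(new RegExp(rest.trim()));
    } else {
      actions[id] = action; // IGNORE, WARN or FAIL
    }
  }
  return { actions, outOfScope };
}

// Drop out-of-scope instances, then classify each surviving alert (default WARN).
function classify(report, rules) {
  const summary = { FAIL: 0, WARN: 0, IGNORE: 0 }, details = [];
  for (const site of report.site) {
    for (const alert of site.alerts) {
      const regexes = rules.outOfScope[alert.pluginid] || [];
      const instances = alert.instances.filter(i => !regexes.some(r => r.test(i.uri)));
      if (instances.length === 0) continue; // every instance was out of scope
      const action = rules.actions[alert.pluginid] || 'WARN';
      if (!(action in summary)) throw new Error(`unknown rule action ${action}`);
      summary[action] += 1;
      details.push({ id: alert.pluginid, name: alert.name, action, count: instances.length });
    }
  }
  return { summary, details };
}

// fail_action=true: any remaining FAIL or WARN alert fails the workflow step.
function shouldFail(summary, failAction) {
  return Boolean(failAction) && summary.FAIL + summary.WARN > 0;
}

console.log(classify(REPORT, parseRules(RULES_TSV)));
```

With these inputs the CSRF alert disappears entirely because both of its instances match the OUTOFSCOPE regex, the cookie alert is counted as IGNORE, and the CSP and XSS alerts remain as WARN and FAIL respectively.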

Environment variables

If set, the following ZAP authentication environment variables are copied into the Docker container:

  • ZAP_AUTH_HEADER_VALUE
  • ZAP_AUTH_HEADER
  • ZAP_AUTH_HEADER_SITE

Example usage

Basic

steps:
  - name: ZAP Scan
    uses: zaproxy/[email protected]
    with:
      target: 'https://www.zaproxy.org'

Advanced

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          target: 'https://www.zaproxy.org'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

Issue Description

The following issue shows how the GitHub Baseline Action scans the https://www.zaproxy.org/ website and notifies users by opening an issue in the ZAP website repository. The issue is created by the GitHub Actions bot and lists the alerts as issue comments.

[Screenshot: issue open]

To demonstrate the workflow of the action, we ignore the alerts rather than fix them (they are not relevant here), which has the same effect on the action as fixing them. During the second scan we therefore ignore a few alerts via ZAP rules, and the action bot updates the issue with the newly ignored/resolved alerts.

[Screenshot: comment with issues resolved]

During the last scan we ignore all the alerts, so zero alerts are found. Based on the scan results the actions bot closes the open issue.

[Screenshot: issue closed]

Localised Alert Details

ZAP is internationalised and alert information is available in many languages.

You can change the language used by this action by changing the locale via the cmd_options e.g.: -z "-config view.locale=fr_FR"

See https://github.com/zaproxy/zaproxy/tree/main/zap/src/main/dist/lang for the full set of locales currently supported.

You can help improve ZAP translations via https://crowdin.com/project/zaproxy.

action-baseline's People

Contributors

alexdcraig, dependabot[bot], hazcod, jasonkarns, kingthorin, psiinon, ricekot, sshniro, thc202, yoshi-taka


action-baseline's Issues

xml placeholder file not created as part of execution causing -x flag

The -x flag does not seem to work when used as is.

Here is the basic config I'm using:

- name: OWASP ZAP
  uses: zaproxy/[email protected]
  with:
    target: "http://localhost:3000"
    fail_action: false
    cmd_options: "-x report_xml.xml"

Here is the error:

Automation plan failures:
	Job report failed to generate report: /zap/wrk/report_xml.xml

Workaround:
Noticed that .json, .html, and .md files are automatically created prior to the scan.

- name: Create XML placeholder file
  run: |
    touch report_xml.xml
    chmod a+w report_xml.xml

This works with the -x flag but it means I have to manually upload the .xml as a separate artifact.

Can't run with Ajax spider

Hello,

I'm providing cmd_options: "-j" to the GitHub action, but this does not seem to result in the Ajax spider being used as I still get "Modern Web Application [10109]" raised.

Is this a bug in the action or in ZAP? Is it related to the automation framework?

OUTOFSCOPE doesn't seem to be working

Describe the bug
I'm running a fairly standard github action with ZAP baseline
I've got 2 OUTOFSCOPE lines to exclude an error:
10202 OUTOFSCOPE https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
10202 OUTOFSCOPE https://master.internal.juriba.com/default.aspx

It looks like it's worked in the logs from GitHub Actions:
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Absence of Anti-CSRF Tokens [10202] ⬅️
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]

However in the issues report this comes up as an error
Absence of Anti-CSRF Tokens [10202] total: 2:
https://master.internal.juriba.com/LoginSplash.aspx?ReturnUrl=%2Fdefault.aspx&sir=1
https://master.internal.juriba.com/default.aspx

I can use IGNORE to get rid of this error but obviously that is not as good.

Strange that at one point it seemed to work:
Resolved Alerts

Absence of Anti-CSRF Tokens [10202] total: 2:

But now sadly not

To Reproduce
Steps to reproduce the behavior:
Run a zap baseline scan:

zap_scan:
  runs-on: self-hosted
  name: Zap Scan
  steps:
    - name: Checkout
      uses: actions/checkout@v2
      with:
        ref: master
    - name: OWASP ZAP Baseline Scan
      uses: zaproxy/[email protected]
      with:
        target: 'https://example.com'
        rules_file_name: '.github/workflows/zap/rules.tsv'

Expected behavior
The Absence of Anti-CSRF Tokens is excluded from the results

Screenshots
If applicable, add screenshots to help explain your problem.

Software versions

  • ZAP: Latest version downloaded through docker run
  • OS: docker

Errors from the zap.log file
n/a

Would you like to help fix this issue?
May be a user error as I'm new to this way of running zap

Feature: Allows the use of Docker Volume Mount for /zap/wrk/

Hi ZAProxy team,

First off, amazing work on this! It's really slick and I'm loving how simple it is to use.

We currently use GitHub Enterprise on-premise, with runners that are containerized. This presents a problem when trying to do bind mounts for the /zap/wrk directory, as the container can't bind mount its own filesystem to another container. Would it be feasible to allow overriding the -v argument in the docker command that's currently set to ${workspace}/process.env.GITHUB_WORKSPACE?

From:

let workspace = process.env.GITHUB_WORKSPACE;
let command = (`docker run -v ${workspace}:/zap/wrk/:rw --network="host" ` +

To:

// Check for a storagesrc variable; if it is not set, default to process.env.GITHUB_WORKSPACE
let command = (`docker run -v ${storagesrc}:/zap/wrk/:rw --network="host" ` +

For example, if we could pass the name of a docker volume or our own path, that would resolve this issue. Others may run into this if they are using their own containerized/on-prem environments, so it may be useful in other cases as well.

Error on fail_action

When setting fail_action per the documentation I get the following warning.

##[warning]Unexpected input(s) 'fail_action', valid inputs are ['token', 'target', 'rules_file_name', 'docker_name', 'cmd_options', 'issue_title']
Run zaproxy/[email protected]
  with:
    target: http://***.com
    rules_file_name: .github/workflows/zap_rules.conf
    cmd_options: -a
    fail_action: false
    token: ***
    docker_name: owasp/zap2docker-stable
    issue_title: ZAP Scan Baseline Report
  env:
    DEVELOPER_DIR: /Applications/Xcode_11.2.app/Contents/Developer
    JAVA_VERSION: 1.8
    FLUTTER_CHANNEL: stable
    FLUTTER_WEB_CHANNEL: beta
    FLUTTER_VERSION: 1.20.0
    FLUTTER_HOME: /opt/hostedtoolcache/flutter/1.21.0-9.2.pre-beta/x64

and I get the following result:

FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 4	WARN-INPROG: 0	INFO: 0	IGNORE: 3	PASS: 52
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
##[error]The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2

`Cannot listen on port 0.0.0.0:60926` error

First time seeing this error in the github action run.

10217 [ZAP-DownloadInstaller] ERROR org.zaproxy.zap.control.AddOnInstaller - An error occurred while installing the add-on: websocket
java.security.InvalidParameterException: ScriptType already registered: websocketfuzzerprocessor
...

11741 [ZAP-daemon] ERROR org.parosproxy.paros.core.proxy.ProxyServer - Cannot listen on port 0.0.0.0:60926 - try specifying a different port for ZAP to use
Cannot listen on port 0.0.0.0:60926 - try specifying a different port for ZAP to use

Option to fail or pass the action based on alerts

Currently, the action fails if it finds any alerts in the report. This will trigger an email for the failed action. It will be good to make this behavior configurable.

  fail_action:
    description: 'Fail or pass the action based on alerts'
    required: false
    default: false

Octokit problem

Hi, when I trigger module I got this:

FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 8	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 43
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
##[error]The ZAP Baseline scan has failed, starting to analyze the alerts. err: Error: The process '/usr/bin/docker' failed with exit code 2
Alerts present in the current report: true
Process completed successfully and a new issue #2 has been created for the ZAP Scan.

It seems that the importing library @octokit/rest is wrong.

Support User access token to create the issue

Currently, the action checks for the latest bot comment to find the latest runner ID.
But users can also use their personal access token to create the issues. Due to this, the action ends up creating new issues per scan, as it cannot find a matching comment by the bot.

Error when reading the rules file: /home/runner/work/<repo>/<repo>/owasp-zap-ignore.conf

Somehow the path has the repo twice, I believe because of actions/runner#2058

let workspace = process.env.GITHUB_WORKSPACE;

My action is:

name: OWASP Zap Daily Live Check

on:
  workflow_dispatch:

  schedule:
    # Run once daily, at 03:00.
    - cron: '3 0 * * *'

jobs:
  remote-test:
    runs-on: ubuntu-latest

    steps:
      - name: OWASP Zap Baseline Scan
        uses: zaproxy/[email protected]
        with:
          target: ${{ secrets.OWASP_CHECK_URL }}
          rules_file_name: 'owasp-zap-ignore.conf'

Error log:

Error when reading the rules file: /home/runner/work/<repo>/<repo>/owasp-zap-ignore.conf
/usr/bin/touch report_json.json report_md.md report_html.html
/usr/bin/chmod a+w report_json.json report_md.md report_html.html
/usr/bin/docker pull ghcr.io/zaproxy/zaproxy:stable -q
ghcr.io/zaproxy/zaproxy:stable
/usr/bin/docker run -v /home/runner/work/<repo>/<repo>:/zap/wrk/:rw --network=host -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t *** -J report_json.json -w report_md.md -r report_html.html

Set up job, (when running the action above) reports:

Current runner version: '2.315.0'
Operating System
  Ubuntu
  2.04.4
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20240422.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
  2.0.
GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'zaproxy/[email protected]'
Complete job name: remote-test

Feature: open issue per vulnerability category

Instead of creating one big security ticket, it might be nice to create separate GitHub tickets per vulnerability category that's found if the total amount of security vulnerabilities is below a threshold.

e.g. if the number of categories is < 10, create a GitHub issue per category:
Security: Timestamp Disclosure - Unix
Security: CSP Scanner: Notices
Security: Reverse Tabnabbing

Cannot turn off GitHub issue filing

Hi folks,

We are mostly interested in this tool so that we don't have to run the Docker container by hand. But, we don't want this to automatically file issues to our GitHub repo - we are totally satisfied with it just spitting out an artifact that we can stash after scanning.

How can we get to the point with this Action where it doesn't require you to file an Issue to the repo?

Feature: use in Pull Request

Instead of having an hourly scan or so, developers should receive direct feedback about their fixes in the CI/CD workflow.
Allowing us to use zaproxy/action-baseline in a pull_request flow should allow this behavior easily.

IMO, the only thing that needs to be changed is detecting whether we're in a pull request and commenting instead of creating an issue.

Upgrade to node 16

GitHub Actions are requesting a migration of all actions from node12 to node16.
https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

As a result we're receiving warnings in our workflows from this action:

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: zaproxy/action-baseline

Automation Framework - compatible with config file / basic auth?

I'm using the ZAP baseline action to scan an application that, in the testing environment, is protected by basic auth.

I documented how to do this here: https://adrianhesketh.com/2020/07/07/owasp-baseline-scan-with-basic-auth-in-docker-github-actions/

It requires the use of a config file:

replacer.full_list(0).description=auth1
replacer.full_list(0).enabled=true
replacer.full_list(0).matchtype=REQ_HEADER
replacer.full_list(0).matchstr=Authorization
replacer.full_list(0).regex=false
replacer.full_list(0).replacement=Basic dXNlcjpwYXNzd29yZAo=

And setting the parameter to use it.

When I tried out the same approach this year, I got the following errors:

Digest: sha256:e2b5720d9cccfea0f2aa3b3e83bc1acd26345b949fcc3a4e60aa916cb2d5989f
Status: Downloaded newer image for owasp/zap2docker-stable:latest
2021-11-29 12:12:25,469 Could not find custom hooks file at /home/zap/.zap_hooks.py
Using the Automation Framework
Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v27/pscanrulesBeta-beta-27.zap
Add-on downloaded to: /home/zap/.ZAP/plugin/pscanrulesBeta-beta-27.zap
Automation plan failures:
        Job spider failed to access URL https://xxxxxx/ status code returned : 404 expected 200
2021-11-29 12:12:45,217 Failed to access summary file /home/zap/zap_out.json

However, bypassing the Automation Framework with the --autooff flag got me the expected results - a working scan.

docker run -v $(pwd):/zap/wrk/ -t owasp/zap2docker-stable zap-baseline.py \
    -t https://xxxxxxxxxxxxxxx \
    -z "-configfile /zap/wrk/zap/options.prop" --autooff

Not sure how to proceed....

GitHub Code Scanning Integration

👋🏽 ZAproxy team,

Thank you for building this Action. I took the liberty of creating an action that maps the ZAProxy results to SARIF so they can be displayed in the GitHub Advanced Security UI.

You can check it out here: https://github.com/SvanBoxel/zaproxy-to-ghas

Optionally we could decide to merge this action into zaproxy/action-baseline so it becomes easier for users to leverage this scanning utility.

Disclaimer: I know, SARIF isn’t made for DAST results, but having the ability to view all security results through a single pane of glass can be very beneficial.

Feature Request: Allow specifying artifact name

I use a single workflow file to run zap scans on multiple sites. Each site is its own job so they can fail or succeed independently. However, since the artifact name is hard-coded, only the report of the last job to complete is saved.

Would the project be open to adding support for specifying the artifact name as an option? I'd be glad to submit PRs both here and in actions-common to add this.
