
Comments (12)

erikpartila commented on May 26, 2024

@kingthorin Yes, I know. That's because it runs in GH Actions, so by default you don't have permission to write anywhere outside your pwd (specifically, as stated above, it tries to write here: /zap/wrk).

from action-baseline.

erikpartila commented on May 26, 2024

Also, I am trying to generate a json report file with custom name using -J flag. That tries to access /zap/wrk (where it doesn't have permission to write to) and therefore it crashes.
As mentioned above, it would be nice if we could specify custom volume mounting point through some input. cc. @thc202

ERROR [Errno 13] Permission denied: '/zap/wrk/$REPORT_NAME.json'
2024-04-16 15:01:39,850 I/O error: [Errno 13] Permission denied: '/zap/wrk/$REPORT_NAME.json'
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 606, in main
    write_report(os.path.join(base_dir, report_json), zap.core.jsonreport())
  File "/zap/zap_common.py", line 569, in write_report
    with open(file_path, mode='wb') as f:
PermissionError: [Errno 13] Permission denied: '/zap/wrk/$REPORT_NAME.json'


psiinon commented on May 26, 2024

Yes, we should look at working around this issue in the ZAP actions if we can.
But I think the underlying issue is a docker one rather than a ZAP one.
Happy to be proved wrong of course...


rajesh-soni-accenture commented on May 26, 2024

Hi @psiinon Good Day
We're also facing the same issue when running zaproxy baseline through GitHub Actions (zaproxy/[email protected])

If there's any different docker image which we can pass in the docker_name input for this action for which this doesn't fail, please let us know.

I'll attach the main logs after removing sensitive contents here.

ghcr.io/zaproxy/zaproxy:stable
/usr/bin/docker run -v <Runner_Workspace_Path>:/zap/wrk/:rw --network=host -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t <Target_URL> -J report_json.json -w report_md.md -r report_html.html
Using the Automation Framework
Unable to copy yaml file to /zap/wrk/zap.yaml [Errno 13] Permission denied: '/zap/wrk/zap.yaml'
Total of 4 URLs

--- Test Path Results ---

Automation plan failures:
Job report failed to generate report: /zap/wrk/report_html.html
Scanning process completed, starting to analyze the results!
Failed to locate the json report generated by ZAP Scan!


thc202 commented on May 26, 2024

Can one of you provide the whole logs/output? (Removing any sensitive info.)


rajesh-soni-accenture commented on May 26, 2024

zap.yaml Permission Denied Logs.txt

Please find attached log file (Removed URLs, File & Jobs Names etc)


rajesh-soni-accenture commented on May 26, 2024

Hi @thc202, is there any update on this issue?


rajesh-soni-accenture commented on May 26, 2024

Hi @thc202 Good Day
Any update on this issue?


erikpartila commented on May 26, 2024

Hello @thc202!
Any updates on this? Is there any workaround?


kingthorin commented on May 26, 2024

You don't seem to have permissions to write to the directory you mounted 🤷‍♂️


sshniro commented on May 26, 2024

As per my previous understanding, this is a limitation imposed by the zaproxy docker images due to how Github executes Github Actions. I would suggest having a dedicated image for Github Actions to allow it to mount to the preferred directory.


thc202 commented on May 26, 2024

#118 (comment)

You would have to use a scan hook to write another JSON report, the action needs to know how the JSON report is named to later process the alerts raised.

#118 (comment)

Thanks for sharing the logs, I don't know if that case is the same as this one, but we'll fix it and you can try the changes.

#118 (comment)

I think it's just a matter of setting up the proper permissions.

from action-baseline.
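
The failure discussed in this thread comes down to whether the user inside the container may create files in the host directory mounted at /zap/wrk. The following is an added example, not code from the thread or from the ZAP project: a preflight check that reports which permission class a container UID/GID falls into on a host directory and whether that class can write there. The function name `mount_write_class` is hypothetical, and the UID/GID 1000 used in the demo is an assumption to be confirmed against the image actually used.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for a bind mount such as
#   docker run -v "$dir":/zap/wrk/:rw ...
# Assumptions: GNU stat; only the primary GID is considered; ACLs, user
# namespaces and SELinux/AppArmor labels are not evaluated.

# mount_write_class DIR UID GID   (hypothetical helper)
# Prints "root", "owner", "group" or "other"; returns 0 if that class can
# create files in DIR, 1 if it cannot, 2 if DIR cannot be inspected.
mount_write_class() {
    dir=$1; uid=$2; gid=$3
    if [ "$uid" -eq 0 ]; then            # root bypasses the mode bits
        echo root; return 0
    fi
    owner=$(stat -c '%u' "$dir") || return 2
    group=$(stat -c '%g' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2
    mode=$(( 0$mode ))                   # octal string -> integer
    # Exactly one class applies: owner first, then group, then other.
    if [ "$uid" -eq "$owner" ]; then
        class=owner; bits=$(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        class=group; bits=$(( (mode >> 3) & 7 ))
    else
        class=other; bits=$(( mode & 7 ))
    fi
    echo "$class"
    # Creating a file in a directory needs both write (2) and search (1).
    [ $(( bits & 3 )) -eq 3 ]
}

# Demo on a constructed directory. 1000 is an assumed container UID/GID;
# confirm the real one with: docker run --rm <image> id
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
if cls=$(mount_write_class "$demo_dir" 1000 1000); then
    echo "uid 1000 ($cls): can write to $demo_dir"
else
    echo "uid 1000 ($cls): cannot write to $demo_dir"
fi
rmdir "$demo_dir"
```

A result of "other" with a non-zero exit status on a 755 directory matches the `[Errno 13] Permission denied` lines in the logs above: the process in the container is neither the owner nor in the group of the mounted directory.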
