Comments (12)
Is there any action here? @psiinon
This would be very helpful, to be able to show these results in the Advanced Security UI (acknowledging the disclaimer).
from action-baseline.
@SvanBoxel thank you for creating this and telling us about it :)
It looks very interesting - we'll have a look at it and get back to you asap!
from action-baseline.
This would be fantastic. I would love to see this action enable sarif output as well so an intermediate step/action is not needed.
from action-baseline.
Ran into this requirement recently, so I took a quick stab at hacking out a solution to let us proceed, and I'd very much like to help make this part of the main action without requiring an additional action to be used.
My understanding is that this would require changes to this repo (#110) & zaproxy (zaproxy/zaproxy#8005).
In my case I had to create a new docker image with these files updated (zap-baseline.py and zap_common.py) to confirm that the entire scenario works correctly.
Would gladly take suggestions / work on productionizing the code if this path doesn't seem too out there.. would require input from folks who are far more knowledgeable than I (@psiinon or any others).
from action-baseline.
With a scan hook you could create the report without doing changes everywhere: https://www.zaproxy.org/docs/docker/scan-hooks/
from action-baseline.
> With a scan hook you could create the report without doing changes everywhere: https://www.zaproxy.org/docs/docker/scan-hooks/

Wondering if that solve makes sense for folks supporting 100s of applications and needing to add that hook.py file to all repos. Was mostly hoping for it to be supported with a command line option.
from action-baseline.
The hook can be created by the workflow and one can use reusable workflows, so no need to add a file to 100s repos.
It's not necessary to add a command line option when this can be implemented just in the action (or the common package).
from action-baseline.
ack. My issue with that solution is that it requires something beyond the baseline scan options that come out of the box. Seems like a workaround to use a hook rather than have something supported properly in the main action.
Definitely not a fan of that solution, but if the guidance is to not support SARIF within the baseline scan in the future I guess we will go with the gross hook solve / keep rolling our own docker image + maintain our own fork.
from action-baseline.
What do you want to use? The action or the packaged scan? Both?
from action-baseline.
My understanding from the docs was that "GitHub Actions wrap the above packaged scans" (Baseline, Full Scan, API Scan).

> What do you want to use? The action or the packaged scan? Both?

Doesn't the action-baseline action use the Baseline packaged scan? I believe that's the reason I had to make changes to both repos to support the new -S option for SARIF support. I'd like to improve the baseline action, and if that requires changes to the packaged scan then I think that work should be done in parallel.. even if there is a sunset plan for the old packaged scans to be unified with the automation framework, it looks like there is still work being done on zap-baseline.py to attempt to use the AF when possible:
https://github.com/zaproxy/zaproxy/blob/main/docker/zap-baseline.py#L344-L352
Ideally it would be great to have SARIF support figured out in the action here now, and then make the move to the AF completely seamless and update the old zap-baseline.py to fully use the automation framework when the time is right.. obviously I'm naive to priorities, etc. for the team, but as someone who is selfishly trying to use ZAP at scale we'd like to have this as a default / configurable behavior at the action level.
from action-baseline.
Looks like a SARIF report exporter is already part of ZAP. See
- https://www.zaproxy.org/docs/desktop/addons/report-generation/report-sarif-json/
- https://github.com/zaproxy/zap-extensions/tree/main/addOns/reports/src/main/java/org/zaproxy/addon/reports/sarif
Sadly I didn't find a way/documentation to use it.
from action-baseline.
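The two suggestions above (generate the report from a scan hook, and use ZAP's built-in SARIF report template) can be combined in one hook module. The following is an added example, not code from the action-baseline project or from any commenter: the `zap_pre_shutdown(zap)` hook name comes from the ZAP docker scan-hooks documentation linked above; the `zap.reports.generate(...)` call, its keyword names and the `sarif-json` template id are assumptions about the Python ZAP API client and should be checked against the ZAP version in your image (`zap.reports.templates()` lists the available ids). The `DryRunZap` class and `SAMPLE_SARIF` document are constructed stand-ins so the module can be exercised offline; the validation step is the check a workflow should run before handing the file to the code-scanning upload step.

```python
"""Scan-hook module that writes a SARIF report before ZAP shuts down.

Added example for the action-baseline SARIF discussion; not project code.
Hook name per the ZAP docker scan-hooks docs; the reports API call details
are assumptions about the Python ZAP API client (verify for your ZAP version).
"""
import json
import os

# Assumed id of ZAP's built-in SARIF report template (check zap.reports.templates()).
SARIF_TEMPLATE = "sarif-json"
# Inside the packaged-scan image, /zap/wrk is the mounted working directory.
DEFAULT_REPORT_DIR = os.environ.get("ZAP_SARIF_DIR", "/zap/wrk")
DEFAULT_REPORT_NAME = os.environ.get("ZAP_SARIF_NAME", "zap-report.sarif")


def sarif_report_args(report_dir, report_name, title="ZAP Baseline Scan"):
    """Keyword arguments for the (assumed) zap.reports.generate() call, as a
    plain dict so the parameter choice can be inspected without a live ZAP."""
    return {
        "title": title,
        "template": SARIF_TEMPLATE,
        "description": "SARIF report generated by the scan hook",
        "reportfilename": report_name,
        "reportdir": report_dir,
    }


def generate_sarif_report(zap, report_dir=DEFAULT_REPORT_DIR, report_name=DEFAULT_REPORT_NAME):
    """Ask ZAP to write the SARIF report and return the path where it should land."""
    zap.reports.generate(**sarif_report_args(report_dir, report_name))
    return os.path.join(report_dir, report_name)


def validate_sarif_text(text):
    """Sanity check before uploading to code scanning: the document must be JSON
    with the SARIF 2.1.0 top-level shape. Returns (ok, number_of_results)."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False, 0
    if not isinstance(doc, dict) or doc.get("version") != "2.1.0":
        return False, 0
    runs = doc.get("runs")
    if not isinstance(runs, list):
        return False, 0
    return True, sum(len(run.get("results", [])) for run in runs)


def validate_sarif_file(path):
    """Same check, applied to the file ZAP wrote."""
    with open(path, encoding="utf-8") as fh:
        return validate_sarif_text(fh.read())


def zap_pre_shutdown(zap):
    """Scan hook: runs after the scan finishes and before ZAP is stopped."""
    path = generate_sarif_report(zap)
    ok, count = validate_sarif_file(path)
    print(f"SARIF report at {path}: valid={ok}, results={count}")


class DryRunZap:
    """Offline stand-in for the zapv2 client: records the generate() call."""

    class _Reports:
        def __init__(self):
            self.calls = []

        def generate(self, **kwargs):
            self.calls.append(kwargs)
            return kwargs.get("reportfilename")

    def __init__(self):
        self.reports = self._Reports()


def dry_run(report_dir, report_name):
    """Run the report step against DryRunZap; returns (path, recorded kwargs)."""
    fake = DryRunZap()
    path = generate_sarif_report(fake, report_dir, report_name)
    return path, fake.reports.calls[0]


# Constructed minimal SARIF document with one result (not real ZAP output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "ZAP", "rules": [{"id": "10038"}]}},
        "results": [{"ruleId": "10038", "level": "warning",
                     "message": {"text": "Content Security Policy header not set"}}],
    }],
})

if __name__ == "__main__":
    path, kwargs = dry_run("/tmp/zapwrk", "demo.sarif")
    print(path, kwargs["template"])
    print(validate_sarif_text(SAMPLE_SARIF))
```

In a workflow the module would be written to the working directory by a reusable workflow step and passed to the packaged scan through its hook option, so no per-repository file is needed; the validation result is what decides whether the upload step runs.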
Find an idea at GSA-TTS/FAC#1654
from action-baseline.