The "Action Baseline" action exposes the allow_issue_writing input that allows controlling whether issues will be opened for alerts or not. This input is missing from this action and this will be a problem if someone does not want to use this feature, eg if they use another tool for issue tracking. The reason is that if Github issues are disabled, the whole action will fail.

I have already opened PR #24 if you think this makes sense and want to add this feature.

Thanks!

Since ZAP vulnerability scans can generate a lot of issues, it might be nice to be able to e.g. ignore any LOW or INFO vulnerabilities. (so that issues are not created)

e.g.

jobs:
  zap_scan_public:
    runs-on: ubuntu-latest
    name: Scan public website
    steps:
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a -s MEDIUM'

I'm trying to set some exclusions by passing some regex to the -z paramater. In the cli, it looks like this

-z "-config globalexcludeurl.url_list.url.regex='(?!http:\\/\\/ete-dev-api.azurewebsites.net)"

however, to pass this to the cli in the yaml is seemingly impossible because the double quotes are stripped regardless of how you pass it in.

I will explain the specific issue using an example from the readme though (as you would assume that should work).

cmd_options: -z "-config view.locale=fr_FR"

in the yaml results in the following being called in the runner (I've redacted a the other args)

run -v /home/****:/zap/wrk/:rw --network=host -z -config view.locale=fr_FR

From what I can tell this is due to the way exec (and argStringToArray) escape strings in the js library. Am I missing something or is this a bug?

Inspired by this PR for Coverage.py, it would be awesome to (have the option to) output a summary of the scan results as markdown, for use in a Job Summary.

As a visual aid, here's what it looks like when I do this for Coverage.py:

The table at the bottom is just markdown piped to $GITHUB_STEP_SUMMARY, but it makes the results much more accessible compared to having to download a zip of the HTML report.

Description

Similar to zaproxy/action-baseline#17, new issues are opened even with existing issues open when providing a GitHub token, as there is a hardcoded check for the GitHub Actions bot. Simply bumping the version of actions-common-scans to 1.0.2 should resolve this issue.

Github Actions complains that Node.js version 12 is deprecated or will be soon:

Node.js 12 actions are deprecated. Please update the following actions to use Node.js 16: zaproxy/[email protected]. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/

Could Node.js version for ZAP scan Github Action be updated to 16?

Error logs

2022-05-17 06:54:46,035 Starting new HTTP connection (1): localhost:56760
2022-05-17 06:54:46,296 http://localhost:56760 "GET http://zap/OTHER/core/other/mdreport/?apikey= HTTP/1.1" 200 10977
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 2	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 112
2022-05-17 06:54:46,305 Trigger hook: zap_pre_shutdown, args: 1
2022-05-17 06:54:46,307 Starting new HTTP connection (1): localhost:56760
2022-05-17 06:54:46,349 http://localhost:56760 "GET http://zap/JSON/core/action/shutdown/?apikey= HTTP/1.1" 200 15
2022-05-17 06:54:46,351 Trigger hook: pre_exit, args: 3
[@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
Scanning process completed, starting to analyze the results!
Error: Bad credentials

Full ZAP action Logs

ZAP_github_action_raw_logs.txt

Github action flow file.

zap_scan:
    runs-on: self-hosted
    name: Scan using ZAP
    steps: 
      - name: 'Git Checkout'
        uses: actions/checkout@v2

      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GHE_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'https://xxxxxxxxx'
          cmd_options: '-d'

Thanks in advance

While running a scan, the workflow failed with the message:

2023-01-18T15:29:57.2895700Z Scanning process completed, starting to analyze the results!
2023-01-18T15:29:57.3263850Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
2023-01-18T15:29:57.7910108Z ##[error]You have exceeded a secondary rate limit. Please wait a few minutes before you try again.

Is there something to be done to prevent that?

Now that there's a proposal for zaproxy/zap-extensions#4078, can we reactivate the Sarif export ask? This would make the action safer so sarif reported issues remain hidden to public.
Thx.

Describe the bug
Github Actions task fails when using demonstration code.

To Reproduce
Steps to reproduce the behavior:

1. Inserted following code into github workflow .yml

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'https://www.zaproxy.org/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

Expected behavior
I expect the github action ("[email protected]") to run, and scan the given domain. It does not.

Screenshots

Software versions

• ZAP: [email protected]
• Add-on: Name and version [e.g. Passive Scan Rules Alpha v19. https://www.zaproxy.org/faq/how-do-i-see-what-version-of-an-add-on-extension-i-have-installed/]
• OS: github container ubuntu-latest
• Java: whatever is built into the action container
• Browser: github action runner

Errors from the zap.log file
This isn't captured in the current process.

Additional context
baseline scan action works, just not full scan action.

Would you like to help fix this issue?
I am willing to help and test.

I'm loving the GitHub Action for running ZAP scans, thank you! 💯

One issue is that when running two scans in parallel they're both creating an artifact called zap_scan. So there is a race condition and whichever scan completes first has its artifact overwritten by the scan that finished second. To get around this, after the scan completes I am uploading report_html.html as two differently-named artifacts. However, this still leaves the zap_scan artifact and it is a bit confusing that we have an extra artifact that is essentially a duplicate of one of the other artifacts - although we never know which one. Since artifacts aren't available until after the Action has completed, they cannot be deleted in the Action that created them.

A couple of possibilities are:

1. Have a setting for the name of the artifact (ideal)
2. Have a flag that can turn off the uploading of the zap_scan artifact and users will upload with their own name.

Thank you!

Node 16 is now deprecated and thus soon a deprecation warning will be displayed when this action runs. Please update to Node 20.

Related:

• zaproxy/action-baseline#114
• zaproxy/action-api-scan#29

Hi,

The action starts the container as root:

This causes compatibility issues and is security-wise not the best practice.

Does this have a valid reason, or should it be removed?

Hello!

Using the same context, I ran the AJAX spider from a local GUI instance of ZAP, and again as the GitHub Action - both against the same target - with different results.

Looking at the logs, it seems that headless Firefox doesn't run properly (see lines marked with >>>):

    2021-04-08T18:29:31.9595748Z ##[group]Run zaproxy/[email protected]
    2021-04-08T18:29:31.9596344Z with:
    2021-04-08T18:29:31.9597018Z   target: ***
    2021-04-08T18:29:31.9598043Z   cmd_options: -j -U "***" -n /zap/wrk/context_file.context
    2021-04-08T18:29:31.9599345Z   token: ***
    2021-04-08T18:29:31.9599882Z   docker_name: owasp/zap2docker-stable
    2021-04-08T18:29:31.9600510Z   issue_title: ZAP Full Scan Report
    2021-04-08T18:29:31.9601004Z   fail_action: false
    2021-04-08T18:29:31.9601962Z ##[endgroup]
    2021-04-08T18:29:32.1172019Z [@octokit/rest] `const Octokit = require("@octokit/rest")` is deprecated. Use `const { Octokit } = require("@octokit/rest")` instead
    2021-04-08T18:29:32.1637719Z starting the program
    2021-04-08T18:29:32.1638910Z github run id :***
    2021-04-08T18:29:32.1699305Z [command]/usr/bin/docker pull owasp/zap2docker-stable -q
    2021-04-08T18:30:02.0991921Z docker.io/owasp/zap2docker-stable:latest
    2021-04-08T18:30:02.1066585Z [command]/usr/bin/docker run --user root -v /home/runner/work/zapscan/zapscan:/zap/wrk/:rw --network=host -t owasp/zap2docker-stable zap-full-scan.py -t *** -J report_json.json -w report_md.md -r report_html.html -j -U *** -n /zap/wrk/context_file.context
    2021-04-08T18:30:05.3880090Z 2021-04-08 18:30:05,382 Could not find custom hooks file at /home/zap/.zap_hooks.py 
    2021-04-08T18:30:09.5078073Z Apr 08, 2021 6:30:09 PM java.util.prefs.FileSystemPreferences$1 run
    2021-04-08T18:30:09.5079905Z INFO: Created user preferences directory.
    2021-04-08T18:31:05.7042972Z WARNING: An illegal reflective access operation has occurred
    2021-04-08T18:31:05.7055145Z WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$2 (file:/root/.ZAP/plugin/spiderAjax-release-23.3.0.zap) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
    2021-04-08T18:31:05.7071719Z WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$2
    2021-04-08T18:31:05.7098432Z WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
    2021-04-08T18:31:05.7100363Z WARNING: All illegal access operations will be denied in a future release
>>> 2021-04-08T18:31:05.9156533Z 1617906665907	geckodriver	INFO	Listening on 127.0.0.1:19930
    2021-04-08T18:31:06.0734290Z 1617906666063	mozrunner::runner	INFO	Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofileLqIPUy"
>>> 2021-04-08T18:31:06.0988290Z Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/zap/ which is owned by zap.)
?   2021-04-08T18:33:15.1767246Z [Fatal Error] :1535:10273: The reference to entity ":after" must end with the ';' delimiter.
?   2021-04-08T18:33:15.6020309Z [Fatal Error] :1535:10273: The reference to entity ":after" must end with the ';' delimiter.
>>> 2021-04-08T18:33:33.8119503Z 1617906813799	geckodriver	INFO	Listening on 127.0.0.1:18313
    2021-04-08T18:33:33.8311320Z 16179061861137891006	8g1e3c8k2o9d	rmiovzerru	nInNeFrO:	:Lriusntneenri	nIgN FoOn	 R1u2n7n.i0n.g0 .c1omma:n2d0:8 2"7/
    2021-04-08T18:33:33.8328587Z usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofilejAPd6L"
    2021-04-08T18:33:33.8402455Z 1617906813836	mozrunner::runner	INFO	Running command: "/usr/lib/firefox/firefox" "--marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofileevzObj"
>>> 2021-04-08T18:33:33.8716712Z Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/zap/ which is owned by zap.)
>>> 2021-04-08T18:33:33.8792493Z Running Firefox as root in a regular user's session is not supported.  ($HOME is /home/zap/ which is owned by zap.)
    2021-04-08T18:36:58.4198768Z Total of 71 URLs

You can see Total of 71 URLs at the end, whereas ZAP Desktop found upwards of 1000.

I also marked a couple lines above with ? because I'm not sure whether they're relevant to this issue, and Fatal Error sounds serious.

Add the necessary input variables to configure the ZAP authentication toggles to perform authenticated scans in your pipeline.

.e.g.

  zap_scan_cluster:
    runs-on: ubuntu-latest
    name: Scan k8s cluster
    steps:
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://cluster.ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a'
          
          http_login_form: '/app/login'
          http_login_http_username: 'testuser'
          http_login_http_password: ${{ secrets.ZAP_USER_PW }}

I want to use a hook script like here to create custom HTTP headers.

Locally it's:

sudo docker run --rm -v ${PWD}:/zap/wrk -t owasp/zap2docker-stable zap-full-scan.py -t http://target/ --hook "hook.py" -z "-addoninstall jython"

hook.py points to a script file:

zap.script.load('Add Header Script', 'httpsender', 'python : jython', '/zap/wrk/add_header_request.py')

Similar parameter: "rules_file_name".

Hey,

It would be really helpfull to get the PDF version of the report into the artifact.

Here is the google group conversation related : https://groups.google.com/g/zaproxy-users/c/5YY6m3G8b8A/m/eqqxEAN4AQAJ

Thanks in advance 😃

Hi
Could you create a new version tag? The current version v.1.0 is missing the fail_action param which is described in the readme.

• Difference between master/v0.1.0
• Useful commit with the missing param

May the readme example could be expanded also with all options:

      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'https://www.zaproxy.org/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
          fail_action: true

Since GitHub now supports SARIF files which contain security issues (now primarily used for code scanning), would be cool to re-use this for ZAP.

ZAP should support exporting findings to SARIF.

When running the Zap Full Scan against our resources, the scan works normally (producing some findings), but creating the Github Issue fails with:

Validation Failed: {"resource":"Issue","code":"custom","field":"body","message":"body is too long (maximum is 65536 characters)"}

I was hoping for there to be a way to cap the body of the issue being created, maybe?

Describe the bug

An error is being thrown when trying to run a full scan via Github Actions. The errors started happening today without any changes to the workflow.

Steps to reproduce the behavior

1. Run an Owasp Zap Full scan using a Github Action zaproxy/[email protected]
2. Scan fails with an error

Expected behavior

Scan completes correctly

Software versions

zaproxy/[email protected]

Screenshots

No response

Errors from the zap.log file

Zap Log.txt

Additional context

No response

Would you like to help fix this issue?

• Yes

Hi team,

Would it be possible to set the maximum run time on the active scan which is followed by a spider with the cmd options?