• Stars: 215
• Rank: 183,925 (Top 4%)
• Language: JavaScript
• License: Apache License 2.0
• Created: over 4 years ago
• Updated: over 1 year ago


Repository Details

A GitHub Action for running the OWASP ZAP Full scan

ZAP Action Full Scan

A GitHub Action for running the OWASP ZAP Full Scan to perform Dynamic Application Security Testing (DAST).

The ZAP full scan action runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results. The alerts will be maintained as a GitHub issue in the corresponding repository.

WARNING this action will perform attacks on the target website. You should only scan targets that you have permission to test. You should also check with your hosting company and any other services such as CDNs that may be affected before running this action. ZAP will also submit forms which could result in a large number of messages via, for example, 'Contact us' or 'comment' forms.

Inputs

target

Required The URL of the web application to be scanned. This can be either a publicly available web application or a locally accessible URL.

docker_name

Optional The name of the Docker image to run. By default the action runs the stable version of ZAP, but you can set this parameter to use the weekly builds instead.

rules_file_name

Optional You can also specify a relative path to a rules file that tells ZAP which alerts from the scan to ignore. Create the rules file inside the relevant repository; each line holds a ZAP plugin id, the action to take, and a comment, separated by tabs, as in the sample below. Make sure to check out the repository (actions/checkout@v2) so that the ZAP rules are available to the scan action.

10011	IGNORE	(Cookie Without Secure Flag)
10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)

cmd_options

Optional Additional command line options for the full scan script.

allow_issue_writing

Optional By default the action will file the report to the GitHub issue using the issue_title input. Set this to false if you don't want the issue to be created or updated.

issue_title

Optional The title for the GitHub issue to be created.

token

Optional The ZAP action uses the default action token provided by GitHub to create and update the issue for the full scan, so you do not have to create a dedicated token. Make sure to use GitHub's default action token (secrets.GITHUB_TOKEN) when running the action.

fail_action

Optional By default the ZAP Docker container exits with a non-zero exit code if it identifies any alerts. Set this option to true if you want the status of the GitHub Action to fail when ZAP identifies any alerts during the scan.
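As an added example (not code from this action or the ZAP project), the following JavaScript helper parses a rules file in the tab-separated format shown under rules_file_name and applies it to a constructed list of alerts, mirroring what the rules_file_name and fail_action inputs control. It assumes that, besides the IGNORE shown above, WARN and FAIL are accepted actions (the ZAP scan scripts' config file format), and the plugin ids and alert names in the sample data are constructed for illustration.

```javascript
// Added example, not part of zaproxy/action-full-scan.
// Actions accepted per rules line: IGNORE (shown on the page), WARN and FAIL
// (assumed from the ZAP scan scripts' config file format).
const VALID_ACTIONS = new Set(['IGNORE', 'WARN', 'FAIL']);

// Parse rules text ("<plugin id>\t<action>\t<comment>" per line) into a
// Map of pluginId -> action. Malformed lines throw so that a typo in
// .zap/rules.tsv is caught instead of silently leaving an alert unfiltered.
function parseRules(text) {
  const rules = new Map();
  text.split(/\r?\n/).forEach((line, idx) => {
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('#')) return; // blank or comment line
    const [id, action] = trimmed.split('\t');
    if (!/^\d+$/.test(id) || !VALID_ACTIONS.has(action)) {
      throw new Error(`rules line ${idx + 1} is malformed: ${line}`);
    }
    rules.set(id, action);
  });
  return rules;
}

// Apply rules to alerts ({ pluginId, name }). Returns the alerts that are not
// IGNOREd and whether the run should fail: a FAIL rule on a kept alert, or any
// kept alert when failOnAlert is set (the fail_action behaviour).
function applyRules(alerts, rules, failOnAlert) {
  const actionOf = (a) => rules.get(String(a.pluginId));
  const kept = alerts.filter((a) => actionOf(a) !== 'IGNORE');
  const shouldFail = kept.some((a) => failOnAlert || actionOf(a) === 'FAIL');
  return { kept, shouldFail };
}

// Constructed sample rules: the two README entries plus a FAIL rule.
const SAMPLE_RULES = [
  '10011\tIGNORE\t(Cookie Without Secure Flag)',
  '10015\tIGNORE\t(Incomplete or No Cache-control and Pragma HTTP Header Set)',
  '40012\tFAIL\t(Cross Site Scripting (Reflected))',
].join('\n');

// Constructed sample alerts, not the output of a real scan.
const SAMPLE_ALERTS = [
  { pluginId: 10011, name: 'Cookie Without Secure Flag' },
  { pluginId: 10015, name: 'Incomplete or No Cache-control and Pragma HTTP Header Set' },
  { pluginId: 40012, name: 'Cross Site Scripting (Reflected)' },
  { pluginId: 10021, name: 'X-Content-Type-Options Header Missing' },
];

const result = applyRules(SAMPLE_ALERTS, parseRules(SAMPLE_RULES), false);
console.log(result.kept.map((a) => a.name), 'fail:', result.shouldFail);
```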

Example usage

Basic

steps:
  - name: ZAP Scan
    uses: zaproxy/[email protected]
    with:
      target: 'https://www.zaproxy.org/'

Advanced

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'https://www.zaproxy.org/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'

Localised Alert Details

ZAP is internationalised and alert information is available in many languages.

You can change the language used by this action by changing the locale via the cmd_options e.g.: -z "-config view.locale=fr_FR"

This is currently only available with the owasp/zap2docker-weekly or owasp/zap2docker-live Docker images.

See https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/dist/lang for the full set of locales currently supported.

You can help improve ZAP translations via https://crowdin.com/project/owasp-zap.
