Use this GitHub Action together with GitHub Advanced Security to run a ZAProxy (DAST) scan on your application, and present the results in the GitHub Advanced Security UI.
This Action builds on the official zaproxy/action-baseline Action, which supports options such as custom rule sets and the target URL.
GitHub Advanced Security uses the SARIF (Static Analysis Results Interchange Format) format to present code scanning results from a wide range of static analysis tools. Because DAST scans are not static, their findings can't be mapped to individual lines in a source file, only to a specific URL or endpoint of the running application.
This Action maps the DAST results of ZAProxy to SARIF on a best-effort basis, so that developers get the DAST-related information they need to make informed decisions about the security risks in an application.
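The mapping described above, as an added illustration that is not the zaproxy-to-ghas Action's own code: one SARIF rule per ZAP plugin id (so all instances of a finding group under one overview), one SARIF result per alert instance, the ZAP risk code folded into a SARIF level, and the scanned URL standing in for the source artifact. The input shape (`site[].alerts[].instances[]`, `riskcode`, `cweid`) is assumed to follow ZAP's JSON report; the `SAMPLE_REPORT` below is constructed, not real scan output.

```typescript
// Added example, not the zaproxy-to-ghas Action's own code: a best-effort
// mapping of a ZAP JSON report to SARIF 2.1.0, one rule per ZAP plugin id
// and one result per alert instance, with the scanned URL as the location.
// The input shape (site[].alerts[].instances[]) is assumed to follow ZAP's
// JSON report; SAMPLE_REPORT below is constructed, not a real scan.

interface ZapInstance { uri: string; method: string; param?: string; evidence?: string }
interface ZapAlert {
  pluginid: string; alert: string; riskcode: string; confidence: string;
  desc: string; solution: string; cweid?: string; instances: ZapInstance[];
}
interface ZapSite { "@name": string; alerts: ZapAlert[] }
interface ZapReport { site: ZapSite[] }

interface SarifRule {
  id: string; name: string;
  shortDescription: { text: string }; fullDescription: { text: string };
  help: { text: string }; properties: { tags: string[] };
}
interface SarifLocation { physicalLocation: { artifactLocation: { uri: string } } }
interface SarifResult {
  ruleId: string; ruleIndex: number; level: string; message: { text: string };
  locations: SarifLocation[]; partialFingerprints: { [key: string]: string };
}
interface SarifLog {
  $schema: string; version: string;
  runs: { tool: { driver: { name: string; rules: SarifRule[] } }; results: SarifResult[] }[];
}

// ZAP risk codes: 0 informational, 1 low, 2 medium, 3 high. SARIF only has
// note/warning/error, so informational and low both collapse to "note".
const LEVEL_BY_RISK: { [risk: string]: string } = { "0": "note", "1": "note", "2": "warning", "3": "error" };

// ZAP descriptions are HTML fragments; SARIF message text is plain text.
function stripHtml(s: string): string {
  return s.replace(/<[^>]+>/g, "").replace(/\s+/g, " ").trim();
}

export function zapToSarif(report: ZapReport): SarifLog {
  const rules: SarifRule[] = [];
  const indexByPlugin = new Map<string, number>();
  const results: SarifResult[] = [];

  for (const site of report.site) {
    for (const alert of site.alerts) {
      // One SARIF rule per plugin id, so every instance of the same finding
      // lands under a single overview in Code scanning alerts.
      let idx = indexByPlugin.get(alert.pluginid);
      if (idx === undefined) {
        idx = rules.length;
        indexByPlugin.set(alert.pluginid, idx);
        const tags = ["security", "dast"];
        if (alert.cweid && alert.cweid !== "-1") tags.push("external/cwe/cwe-" + alert.cweid);
        rules.push({
          id: alert.pluginid, name: alert.alert,
          shortDescription: { text: alert.alert },
          fullDescription: { text: stripHtml(alert.desc) },
          help: { text: stripHtml(alert.solution) },
          properties: { tags },
        });
      }
      for (const inst of alert.instances) {
        let text = alert.alert + " at " + inst.method + " " + inst.uri;
        if (inst.param) text += " (parameter: " + inst.param + ")";
        results.push({
          ruleId: alert.pluginid,
          ruleIndex: idx,
          level: LEVEL_BY_RISK[alert.riskcode] || "warning",
          message: { text },
          // A DAST finding has no source file, so the affected URL stands in
          // for the artifact; that is why no code preview can be shown.
          locations: [{ physicalLocation: { artifactLocation: { uri: inst.uri } } }],
          // A stable fingerprint lets a re-upload update the existing alert
          // instead of opening a duplicate for the same URL and parameter.
          partialFingerprints: {
            primaryLocationLineHash: alert.pluginid + ":" + inst.method + ":" + inst.uri + ":" + (inst.param || ""),
          },
        });
      }
    }
  }
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "OWASP ZAP", rules } }, results }],
  };
}

// Constructed sample report (not real scan output): one medium-risk header
// finding seen on two pages and one high-risk injection finding.
export const SAMPLE_REPORT: ZapReport = {
  site: [{
    "@name": "https://example.test",
    alerts: [
      {
        pluginid: "10020", alert: "Missing Anti-clickjacking Header", riskcode: "2", confidence: "2",
        desc: "<p>The response does not include a frame-ancestors directive or X-Frame-Options header.</p>",
        solution: "<p>Set X-Frame-Options or a frame-ancestors directive.</p>", cweid: "1021",
        instances: [
          { uri: "https://example.test/", method: "GET" },
          { uri: "https://example.test/login", method: "GET" },
        ],
      },
      {
        pluginid: "40018", alert: "SQL Injection", riskcode: "3", confidence: "2",
        desc: "<p>SQL injection may be possible.</p>", solution: "<p>Use parameterised queries.</p>", cweid: "89",
        instances: [{ uri: "https://example.test/search?q=x", method: "GET", param: "q", evidence: "'" }],
      },
    ],
  }],
};
```

Feeding the JSON report that the ZAP step wrote through `zapToSarif` and writing `JSON.stringify(...)` to `results.sarif` is all the upload step needs; the `partialFingerprints` value is what keeps a second run from opening a duplicate alert for an endpoint that is already known.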
After the scan completes, all results are presented in the Security -> Code scanning alerts tab, which allows users to filter for specific security tools, rules, and branches:
All results that fall under the same rule are captured within a single overview:
💡 Previews are not available as DAST scans can't map a scan result to a specific file in the repository.
The easiest way to get started is to run the scan against a URL that is publicly reachable or, if you use self-hosted Action runners, one that is reachable from the network your runner sits in.
Example workflow:

```yaml
name: ZAProxy scan
on:
  push:
    branches: [ main ]
  workflow_dispatch:
jobs:
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<tag>           # pin to a released tag of actions/checkout
      - name: ZAP Scan
        uses: zaproxy/action-baseline@<tag>   # pin to a released tag of zaproxy/action-baseline
        with:
          target: 'https://www.zaproxy.org'   # Target URL for the scan
      - name: Create SARIF file from ZAProxy results
        uses: SvanBoxel/zaproxy-to-ghas@main
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```
When running this workflow the following happens:
- First, the code is checked out.
- Then, it runs the ZAProxy scan against the configured target URL.
- After the scan completes, it runs this Action to map the ZAProxy results to SARIF.
- Finally, it uploads the results to GitHub.
Results can be inspected manually by downloading the `zap_scan` artifact, which contains the original scan results, and the `ZAProxy-sarif-report` artifact, which contains the SARIF output of the scan.
If your application is packaged as a container, you have another option for deploying and scanning it with DAST. After you push your Docker image to a container registry, you can run that image as a service in the context of your workflow and point the scan at it.
Example workflow:

```yaml
name: ZAProxy scan
on:
  push:
    branches: [ main ]
  workflow_dispatch:
jobs:
  build-image:
    ## Build your image here
  publish-image:
    ## Publish your image to a container registry here
  dast-scan:
    needs: [publish-image]        # the service image must exist before this job pulls it
    services:
      website:
        image: yeasy/simple-web   # Point to the container image of your application
        ports:
          - 80:80
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<tag>           # pin to a released tag of actions/checkout
      - name: ZAP Scan
        uses: zaproxy/action-baseline@<tag>   # pin to a released tag of zaproxy/action-baseline
        with:
          target: 'http://localhost'          # Runs within the context of your workflow
      - name: Create SARIF file from ZAProxy results
        uses: SvanBoxel/zaproxy-to-ghas@main
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
```
This Action also lets you run the scan as part of a pull request in the developer workflow. There are a couple of ways to do this; the easiest is to add the `pull_request` event to your workflow:
```yaml
name: ZAProxy scan
on:
  push:
    branches: [ main ]
  pull_request:            # Run on every pull request that targets the main branch
    branches: [ main ]
  workflow_dispatch:
jobs:
  # See examples in `Use with public-facing URLs` and `Use with containers`
```
After the scan completes, all results will be visible in the Checks tab of the scanned pull request:
💡 Alternatively you can hook into other GitHub events to trigger a scan. Only want to run the DAST scan when a specific label is added to a pull request? Use the `pull_request` event with `types: [labeled]` and check `github.event.label.name` in the job's `if` condition (the repository-level `label` event fires when labels are created or edited, not when one is applied to a pull request).
Contributions are always welcome. Please follow the steps below to get started.
Install the dependencies:

```shell
$ npm install
```

Build the TypeScript and package it for distribution:

```shell
$ npm run build && npm run package
```

Run the tests ✔️

```shell
$ npm test

PASS ./index.test.js
  ✓ test runs (95ms)
...
```

Actions are run straight from GitHub repos, so the packed `dist` folder is checked in. After changing the source, run ncc again and push the result:

```shell
$ npm run package
$ git add dist
$ git commit -a -m "prod dependencies"
```
The action is now updated! 🚀