Error when reading the rules file: /home/runner/work/<repo>/<repo>/owasp-zap-ignore.conf

[soderlind]

Somehow the path has the repo twice, I believe because of actions/runner#2058

action-baseline/index.js

Line 14 in f00f834

let workspace = process.env.GITHUB_WORKSPACE;

My action is:

name: OWASP Zap Daily Live Check

on:
  workflow_dispatch:

  schedule:
    # Run once daily, at 03:00.
    - cron: '3 0 * * *'

jobs:
  remote-test:
    runs-on: ubuntu-latest

    steps:
      - name: OWASP Zap Baseline Scan
        uses: zaproxy/[email protected]
        with:
          target: ${{ secrets.OWASP_CHECK_URL }}
          rules_file_name: 'owasp-zap-ignore.conf'

Error log:

Error when reading the rules file: /home/runner/work/<repo>/<repo>/owasp-zap-ignore.conf
/usr/bin/touch report_json.json report_md.md report_html.html
/usr/bin/chmod a+w report_json.json report_md.md report_html.html
/usr/bin/docker pull ghcr.io/zaproxy/zaproxy:stable -q
ghcr.io/zaproxy/zaproxy:stable
/usr/bin/docker run -v /home/runner/work/<repo>/<repo>:/zap/wrk/:rw --network=host -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t *** -J report_json.json -w report_md.md -r report_html.html

Set up job, (when running the action above) reports:

Current runner version: '2.315.0'
Operating System
  Ubuntu
  2.04.4
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20240422.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
  2.0.
GITHUB_TOKEN Permissions
  Actions: write
  Attestations: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'zaproxy/[email protected]'
Complete job name: remote-test

[monishbb]

I am facing the same issue, I have tried even changing the action file but still zap is not able to read the file

[kingthorin]

You don't seem to have checked out your repo.

[monishbb]

I have checked out the repo @kingthorin and I have found the root case for this issue, this issue comes up in the way the action actually tries to parse your rules file.

The message will always be Error when reading the rules file since this is in the catch block of processLineByLine function.

The problem:
Your rules file has wrong type of spacing, you need to use only tabs not spaces between the columns since it splits it by \t and hence fails when you use spaces instead, so make sure in your rules file:

# MAKE SURE TO ONLY USE TAB SPACING BETWEEN EACH COLUMN OR THE ACTION FAILS TO READ THE RULES
10055	IGNORE	CSP

I was able to resolve my issue after fixing my spaces to tabs.