A GitHub Action for running the OWASP ZAP API Scan to perform Dynamic Application Security Testing (DAST).

The ZAP API scan action uses the API definition to drive the scan and then reports the results. The alerts are maintained as a GitHub issue in the corresponding repository.
WARNING this action will perform attacks on the target website. You should only scan targets that you have permission to test. You should also check with your hosting company and any other services such as CDNs that may be affected before running this action. ZAP will also submit forms which could result in a large number of messages via, for example, 'Contact us' or 'comment' forms.
- **Required** The file/URL where to find the definition of the API to be scanned. This can be either a publicly available endpoint or a local repository file.
- **Required** The format used by the API definition. The available options are `openapi`, `soap` or `graphql`.
- **Optional** The name of the Docker image to be executed. By default the action runs the stable version of ZAP, but you can configure this parameter to use the weekly builds.
- **Optional** Additional command line options for the API scan script.
- **Optional** The title for the GitHub issue to be created.
- **Optional** The ZAP action uses the default action token provided by GitHub to create and update the issue for the scan. You do not have to create a dedicated token. Make sure to use GitHub's default action token when running the action (`secrets.GITHUB_TOKEN`).
- **Optional** By default the ZAP Docker container will exit with a non-zero code if it identifies any alerts. Set this option to `true` if you also want the status of the GitHub Action to fail when ZAP identifies any alerts during the scan.
_From this point on, this file is still in WIP stage._
**Basic**

```yaml
steps:
  - name: ZAP Scan
    uses: zaproxy/[email protected]
    with:
      target: 'https://www.zaproxy.org/'
```
**Advanced**

```yaml
on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the webapplication
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
      - name: ZAP Scan
        uses: zaproxy/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          target: 'https://www.zaproxy.org/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
```
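The examples above are carried over from the full scan; the following is an added workflow, not part of this README, that wires up the inputs described earlier for an actual API scan. It assumes an OpenAPI definition committed at `api/openapi.yaml` (an assumed path), uses the action's `format` and `fail_action` inputs, and leaves the action version as a placeholder to pin to a released tag.

```yaml
name: API security scan

on:
  push:
    branches: [master]
  schedule:
    - cron: '0 2 * * 1'   # also run weekly (Monday 02:00 UTC) to catch new ZAP rules

jobs:
  zap_api_scan:
    runs-on: ubuntu-latest
    name: Scan the API definition
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: ZAP API Scan
        # placeholder: replace <version> with a released tag of the action
        uses: zaproxy/action-api-scan@<version>
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'owasp/zap2docker-stable'
          # assumed path: the OpenAPI definition checked into this repository;
          # its `servers` entry decides which deployment ZAP exercises, so
          # point it at a staging instance rather than production
          target: 'api/openapi.yaml'
          format: 'openapi'
          issue_title: 'ZAP API Scan Report'
          # surface only medium and high alerts in the report (-l is a ZAP
          # api-scan script option for the minimum level to report)
          cmd_options: '-l WARN'
          # fail the job when ZAP reports alerts so findings block the merge
          fail_action: true
```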
ZAP is internationalised and alert information is available in many languages. You can change the language used by this action by changing the locale via the `cmd_options` input, e.g. `-z "-config view.locale=fr_FR"`.

This is currently only available with the `owasp/zap2docker-weekly` or `owasp/zap2docker-live` Docker images.

See https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/dist/lang for the full set of locales currently supported. You can help improve ZAP translations via https://crowdin.com/project/owasp-zap.