GSA-TTS / FAC

GSA's Federal Audit Clearinghouse

OWASP-ZAP: Take job artifacts and upload to security tab #1654

Open asteel-gsa opened 11 months ago

asteel-gsa commented 11 months ago

ZAP scans, since using the GitHub Action, now generate artifacts in HTML, MD and JSON formats. Attempting to follow ZAP Automation, specifically the automation framework and the Reports add-on that handles SARIF formatting, I have been unable to get the .sarif necessary to upload to the Security tab. Sending this piece into backlog, as we have three different reports now that detail ZAP scans.

```sh
./zap.sh -addonupdate \
    -addoninstall reports \
    -cmd -autorun zap.yaml
```

```yaml
      # - name: Run OWASP-ZAP
      #   run: docker run -v $(pwd):/zap/wrk/:rw --user root -t owasp/zap2docker-stable zap-baseline.py -t https://fac-dev.app.cloud.gov/ -c zap.conf zap.sh -cmd -addonupdate; zap.sh -addonupdate -addoninstall reports -cmd -autorun ./zap.yaml -I

      # - name: Upload ZAP scan results to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: '/zap/wrk/zap-report.sarif'
```
```yaml
# zap.yaml
# Report job only; the rest of the Automation Framework plan is not shown here.
jobs:
  - type: report
    parameters:
      template: sarif-json
      reportDir: /zap/wrk/
      reportFile: zap-report.sarif
      reportTitle: Zap Scan
      displayReport: true
    risks:
      - high
      - medium
      - low
      - info
    confidences:
      - high
      - medium
      - low
      - falsepositive
    sections: all
    sites:
      - https://fac-dev.app.cloud.gov
      - https://fac-staging.app.cloud.gov
      - https://app.fac.gov
```
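An added example, not code from the FAC repository or from ZAP: a small Python checker that could run on the generated `zap-report.sarif` in the workflow, between the scan step and the `upload-sarif` step, to confirm the file has the structure GitHub code scanning requires (SARIF version 2.1.0, at least one run, a named tool driver, a message on every result) and to show how many alerts per level and per scanned site the Security tab will receive. The SARIF document embedded below is constructed to mimic the shape of a ZAP `sarif-json` report; its rule ids and messages are made up, and the site URLs are the ones listed in the `zap.yaml` above.

```python
"""Inspect a SARIF report before handing it to github/codeql-action/upload-sarif.

Added example, not part of the GSA-TTS/FAC repository or of ZAP. The embedded
document is constructed to resemble a ZAP ``sarif-json`` report; its rule ids,
messages and the deliberately malformed third result are made up.
"""
import json
from collections import Counter
from urllib.parse import urlparse

SARIF_VERSION = "2.1.0"  # the only SARIF version GitHub code scanning accepts

# Constructed sample; a real ZAP report carries many more fields.
SAMPLE_SARIF = json.dumps({
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": SARIF_VERSION,
    "runs": [{
        "tool": {"driver": {
            "name": "ZAP",
            "rules": [
                {"id": "rule-csp-missing",
                 "shortDescription": {"text": "Content Security Policy header not set"}},
                {"id": "rule-nosniff-missing",
                 "shortDescription": {"text": "X-Content-Type-Options header missing"}},
            ],
        }},
        "results": [
            {"ruleId": "rule-csp-missing", "level": "warning",
             "message": {"text": "CSP header not set"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "https://fac-dev.app.cloud.gov/"}}}]},
            {"ruleId": "rule-nosniff-missing", "level": "note",
             "message": {"text": "nosniff missing"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "https://fac-staging.app.cloud.gov/audit/"}}}]},
            # Constructed bad result: undeclared rule and no location.
            {"ruleId": "rule-undeclared", "level": "error",
             "message": {"text": "rule id not present in tool.driver.rules"},
             "locations": []},
        ],
    }],
})


def load_sarif(text):
    """Parse SARIF JSON text into a dict."""
    return json.loads(text)


def validate_sarif(doc):
    """Return a list of problems found in the document (empty list = clean).

    Hard requirements: version 2.1.0, at least one run, a tool.driver.name,
    and a message on every result. Softer issues are also reported: a ruleId
    with no entry in tool.driver.rules (the alert will have no rule metadata)
    and a result with no locations (nothing for the alert to point at).
    """
    problems = []
    if doc.get("version") != SARIF_VERSION:
        problems.append(f"version is {doc.get('version')!r}, expected {SARIF_VERSION}")
    runs = doc.get("runs") or []
    if not runs:
        problems.append("no runs")
    for idx, run in enumerate(runs):
        driver = run.get("tool", {}).get("driver", {})
        if not driver.get("name"):
            problems.append(f"run {idx}: tool.driver.name missing")
        declared = {rule.get("id") for rule in driver.get("rules", [])}
        for r_idx, result in enumerate(run.get("results", [])):
            rule_id = result.get("ruleId")
            if rule_id not in declared:
                problems.append(f"run {idx} result {r_idx}: ruleId {rule_id!r} not declared in rules")
            if not result.get("locations"):
                problems.append(f"run {idx} result {r_idx}: no locations")
            if not result.get("message", {}).get("text"):
                problems.append(f"run {idx} result {r_idx}: empty message")
    return problems


def count_by_level(doc):
    """Count results per SARIF level (error, warning, note, none)."""
    counter = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            counter[result.get("level", "none")] += 1
    return dict(counter)


def count_by_site(doc):
    """Count results per scanned site, taken as scheme://host of each result's first location."""
    counter = Counter()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                parsed = urlparse(uri)
                counter[f"{parsed.scheme}://{parsed.netloc}"] += 1
                break  # attribute each result to one site only
    return dict(counter)


if __name__ == "__main__":
    report = load_sarif(SAMPLE_SARIF)
    print("levels:", count_by_level(report))
    print("sites:", count_by_site(report))
    for problem in validate_sarif(report):
        print("PROBLEM:", problem)
```

To use it on the real artifact, replace `SAMPLE_SARIF` with the contents of `/zap/wrk/zap-report.sarif` and fail the workflow step when `validate_sarif` returns a non-empty list, so a broken or empty report never reaches the upload step.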
asteel-gsa commented 11 months ago

https://github.com/GSA-TTS/FAC/issues/1397#issuecomment-1671952524