ICTU / zap2docker-auth-weekly

Zap baseline scanner in Docker with authentication
Apache License 2.0

GitHub action with ICTU/zap-baseline? #41

Closed tony closed 2 years ago

tony commented 2 years ago

Hi! Thank you for this project!

Is there any examples / possibilities this can be used in a GitHub action similar to ZAProxy's actions (action-baseline, action-api-scan, action-full-scan, common, more)?

dicksnel commented 2 years ago

Hi @tony , I think this could work by looking at the readme. You can set the docker_name to this docker image. I don't know how the cmd_options param works exactly, but I guess you may be able to pass the extra parameters for the authentication part here.

I will try to run some tests and see if this could work next week.

isaru66 commented 2 years ago

@dicksnel thank you for your project, it works wonderfully... let me share my GitHub Action YAML file, as I am also working to use your project with some of my clients as well.

The website that I would like to scan has Single Sign-On (on a different domain) as authentication. I am using curl to follow the redirection, then using ictu/zap2docker-weekly to fill in the login form and go back to scan the site.

Basically we can use zaproxy/action-full-scan@v0.3.0 directly and just change the image, then pass the extra parameters in.

BTW, in GitHub Actions we still have an issue with ajaxSpider ... T-T. See the issue at https://github.com/zaproxy/action-baseline/issues/33

```yaml
name: "OWASZAP Fullscan Testing"

on:
  workflow_dispatch:

env:
  URL: https://yourwebsite.net

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: OWASZAP scanning
    steps:
      - name: CURL to follow redirection
        id: target_url  # in my case the target has a SAML service for auth, thus the login url is on a different page
        run: |
          LOGINURL=`curl -vkL -o /dev/null -w %{url_effective} ${{ env.URL }}`
          echo $LOGINURL
          echo "::set-output name=LOGINURL::$LOGINURL"
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.3.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'ictu/zap2docker-weekly'
          target: '${{ env.URL }}'
          cmd_options: >  # folded into one line; the whole -z value must stay inside one pair of double quotes
            --hook=/zap/auth_hook.py
            -z "auth.loginurl=${{steps.target_url.outputs.LOGINURL}}
            auth.username=${{secrets.ZAP_USERNAME}}
            auth.password=${{secrets.ZAP_PASSWORD}}
            auth.username_field=username
            auth.password_field=password
            auth.submit_field=submit
            auth.include='${{ env.URL }}/*'
            auth.exclude='.*logout.*,${{ env.URL }}/logout.php'"
```

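The same procedure run locally with plain docker instead of the action, as an added example that is not code from the thread or from the ICTU project: the login URL is discovered by following the SSO redirect with curl, the hook options are assembled into one quoted `-z` word, and no `--user root` is passed so the container keeps the image's default non-root `zap` user (the condition under which Firefox headless works, per the discussion). `ZAP_USERNAME`, `ZAP_PASSWORD` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue): authenticated ICTU scan via docker run.
# Assumes the auth.* hook keys used in the thread and the environment
# variables ZAP_USERNAME / ZAP_PASSWORD (constructed names).
set -eu

# Follow redirects (SSO lives on another domain) and return the final URL,
# i.e. the page that actually carries the login form.
discover_login_url() {
  curl -sL -o /dev/null -w '%{url_effective}' "$1"
}

# Assemble the -z value as ONE string; the caller must pass it as a single
# double-quoted shell word, which is what the unbalanced quote in a folded
# YAML scalar breaks.
zap_auth_opts() {
  target="$1"; loginurl="$2"; user="$3"; pass="$4"
  printf '%s' "auth.loginurl=$loginurl auth.username=$user auth.password=$pass auth.username_field=username auth.password_field=password auth.submit_field=submit auth.include='$target/.*' auth.exclude='.*logout.*'"
}

# Run the scan; -j enables the ajax spider (zap-baseline.py/zap-full-scan.py
# flag), and the container runs as the image's default user because no
# --user root is given.
run_scan() {
  target="$1"
  loginurl=$(discover_login_url "$target")
  docker run --rm -t \
    -v "$(pwd):/zap/wrk/:rw" \
    ictu/zap2docker-weekly zap-full-scan.py \
    -t "$target" -j -J zap-report.json \
    --hook=/zap/auth_hook.py \
    -z "$(zap_auth_opts "$target" "$loginurl" "$ZAP_USERNAME" "$ZAP_PASSWORD")"
}

# Only start docker when explicitly asked, e.g. RUN_SCAN=1 ./scan.sh https://yourwebsite.net
if [ "${RUN_SCAN:-0}" = 1 ]; then
  run_scan "$1"
fi
```

Run it with `RUN_SCAN=1 ZAP_USERNAME=... ZAP_PASSWORD=... ./scan.sh https://yourwebsite.net`; the functions can also be sourced and checked on their own.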
isaru66 commented 2 years ago

Almost forgot. I found one issue in Github Action environment regarding Firefox webdriver.

Thus, I ended up forking this repo and switching to Chrome headless for login instead. https://github.com/isaru66/zap-baseline/commit/dc12b867b9c324c3f1205b476facb73a834b7bc0

dicksnel commented 2 years ago

@isaru66 very cool! I will look into switching to Chrome headless.

tony commented 2 years ago

@isaru66 It may be worth PRing that. The reason why is (correct me if I'm mistaken), without using Chrome Headless like in your change at https://github.com/isaru66/zap-baseline/commit/dc12b867b9c324c3f1205b476facb73a834b7bc0, -J / ajax spidering won't work, right?

Also in lieu of that, do you release that commit under the same license as zap-baseline (https://github.com/ICTU/zap-baseline/blob/master/LICENSE)?

tony commented 2 years ago

@isaru66 One more detail I suppose: if we forked ICTU/zap-baseline with your commit, we'd need to push our own docker image and place it in docker_name, right?

isaru66 commented 2 years ago

@tony ... it is a more complicated thing; the reason that the ajax spider won't work in GitHub Actions is that zap-action-full-scan runs the docker image as the root user.

Specifically: https://github.com/zaproxy/action-full-scan/blob/master/index.js line: 43

And when you run as root in the GitHub runner, Firefox headless does not work currently. Think of my commit as a dirty fix to make it work by switching to Chrome headless for ICTU/zap-baseline ... if you want the ajax spider working as well, it might be better to patch https://github.com/zaproxy/action-full-scan/blob/master/index.js and run as a non-root user instead.

So, I am not quite sure what the right way to do this is ... I just made it work :). But I think it is better to change https://github.com/zaproxy/action-full-scan/blob/master/index.js to run as non-root; then ICTU/zap-baseline and the ajax spider should be running.

tony commented 2 years ago

@isaru66 Thank you for your reply!

Also noted on line 43 of index.js: https://github.com/zaproxy/action-full-scan/blob/a1f5a339f6ec6ff9a89b7b2ce890c471c6a5e4a1/index.js#L43

I ended up using your commit (hopefully that's okay, let me know!) and it's working great for me.

> I think it is better to change https://github.com/zaproxy/action-full-scan/blob/master/index.js to run as non-root; then ICTU/zap-baseline and the ajax spider should be running.

Agreed on this! A permanent solution in the long run would be to update the actions themselves in the zaproxy repository. I'm starting to get involved there.

isaru66 commented 2 years ago

@tony yeah, that's OK for a short-term fix :)

tony commented 2 years ago

@isaru66 Thank you! :)

dicksnel commented 2 years ago

@isaru66 do you mean -J does not work with the Chrome driver? Or is this only for the GitHub Action?

If the normal scan works (non GitHub Action), we could PR the Chrome driver to replace Firefox.

isaru66 commented 2 years ago

@dicksnel this only relates to GitHub Actions, as they run the process using the root user in docker run. For a normal scan (running docker run directly), Firefox headless is still working fine.

I think the better place to fix this might be running as non-root from the GitHub Action; I don't know why it needs to be run as root on the GitHub Action side.

dicksnel commented 2 years ago

@isaru66 I created an issue https://github.com/zaproxy/action-full-scan/issues/29

Let's see what reason there is to run as root and if it can be fixed. I'll open this issue again if there is progress.