Closed marcellmueller closed 1 month ago
Not tested, but we might be able to use the GitHub Actions strategy and handle the failure to re-run the action multiple times. Something like:

```yaml
jobs:
  zap-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - attempt: 1
          - attempt: 2
          - attempt: 3
    # ....
    continue-on-error: ${{ matrix.attempt != 3 }}
```
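A sequential alternative to the matrix idea above, as an added example that is not part of the issue thread: a shell wrapper that waits between attempts, retries only exit codes the caller marks as transient, and still fails the step once retries are exhausted. `retry_with_backoff`, `is_retryable`, `RETRY_CODES` and `RETRY_SLEEP` are hypothetical names; which exit codes mean "transient" depends on how the scan is invoked, so the list is supplied by the caller.

```shell
# Added example, not the project's code. All names here are hypothetical.
# RETRY_CODES: space-separated exit codes treated as transient (empty = any non-zero).
# RETRY_SLEEP: command used to wait; defaults to sleep, can be stubbed in tests.

is_retryable() {
  local code
  # No list configured: every non-zero exit is retried.
  [ -z "${RETRY_CODES:-}" ] && return 0
  for code in $RETRY_CODES; do
    [ "$code" -eq "$1" ] && return 0
  done
  return 1
}

retry_with_backoff() {
  # usage: retry_with_backoff <max_attempts> <base_delay_seconds> <command> [args...]
  local max_attempts="$1" delay="$2" attempt=1 rc
  shift 2
  while :; do
    rc=0
    "$@" || rc=$?
    [ "$rc" -eq 0 ] && return 0
    # Give up on the last attempt, or at once when the exit code is not
    # transient (for example, the scan ran and reported real findings).
    if [ "$attempt" -ge "$max_attempts" ] || ! is_retryable "$rc"; then
      echo "attempt $attempt/$max_attempts exited $rc; not retrying" >&2
      return "$rc"
    fi
    echo "attempt $attempt/$max_attempts exited $rc; retrying in ${delay}s" >&2
    "${RETRY_SLEEP:-sleep}" "$delay"
    delay=$((delay * 2))   # exponential backoff: wait longer after each failure
    attempt=$((attempt + 1))
  done
}
```

In a workflow step this would wrap the existing scan command, e.g. `retry_with_backoff 3 60 <scan command>`; the original exit code is returned on the final failure, so the check still blocks the merge.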
Description of the Tech Debt
The OWASP ZAP scan in our CI regularly fails because of rate limiting. We have gotten quite used to it, but this is wasting a lot of time as we have to regularly re-run the job. We should fix this to save time, avoid toil and ensure that we can deploy to dev automatically once a PR is merged into main and passes all checks again.
Some ideas to mitigate this: