zaproxy / action-baseline

A GitHub Action for running the ZAP Baseline scan
Apache License 2.0

PermissionError: [Errno 13] Permission denied: '/zap/wrk/ #118

Closed lumattr closed 6 months ago

lumattr commented 9 months ago

The same error as this issue is occurring in our GitHub Actions. However, we can't add the workaround because there's no control of the docker parameters. Please could this issue be fixed at the source rather than just working round it.

psiinon commented 9 months ago

Yes, we should look at working around this issue in the ZAP actions if we can. But I think the underlying issue is a docker one rather than a ZAP one. Happy to be proved wrong of course...

rajesh-soni-accenture commented 9 months ago

Hi @psiinon, Good Day. We're also facing the same issue when running zaproxy baseline through GitHub Action (zaproxy/action-baseline@v0.10.0).

If there's any different docker image which we can pass in docker_name inputs for this action for which this doesn't fail, please let us know.

I'll attach the main logs after removing sensitive contents here.

ghcr.io/zaproxy/zaproxy:stable
/usr/bin/docker run -v :/zap/wrk/:rw --network=host -e ZAP_AUTH_HEADER -e ZAP_AUTH_HEADER_VALUE -e ZAP_AUTH_HEADER_SITE -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py -t -J report_json.json -w report_md.md -r report_html.html
Using the Automation Framework

Unable to copy yaml file to /zap/wrk/zap.yaml [Errno 13] Permission denied: '/zap/wrk/zap.yaml'
Total of 4 URLs
--- Test Path Results ---
Automation plan failures:
Job report failed to generate report: /zap/wrk/report_html.html
Scanning process completed, starting to analyze the results!
Failed to locate the json report generated by ZAP Scan!

thc202 commented 9 months ago

Can one of you provide the whole logs/output? (Removing any sensitive info.)

rajesh-soni-accenture commented 9 months ago

zap.yaml Permission Denied Logs.txt

Please find attached log file (Removed URLs, File & Jobs Names etc)

rajesh-soni-accenture commented 9 months ago

Hi @thc202, is there an update on this issue?

rajesh-soni-accenture commented 9 months ago

Hi @thc202, Good Day. Any update on this issue?

erikpartila commented 7 months ago

Hello @thc202! Any updates on this? Is there any workaround?

kingthorin commented 7 months ago

You don't seem to have permissions to write to the directory you mounted 🤷‍♂️

erikpartila commented 7 months ago

@kingthorin Yes, I know. That's because it runs in GH Actions, so by default you don't have permission to write anywhere outside your pwd (specifically, as stated above, it tries to write here: /zap/wrk).

erikpartila commented 7 months ago

Also, I am trying to generate a json report file with custom name using -J flag. That tries to access /zap/wrk (where it doesn't have permission to write to) and therefore it crashes. As mentioned above, it would be nice if we could specify custom volume mounting point through some input. cc. @thc202

ERROR [Errno 13] Permission denied: '/zap/wrk/$REPORT_NAME.json'
2024-04-16 15:01:39,850 I/O error: [Errno 13] Permission denied: '/zap/wrk/$REPORT_NAME.json'
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 606, in main
    write_report(os.path.join(base_dir, report_json), zap.core.jsonreport())
  File "/zap/zap_common.py", line 569, in write_report
    with open(file_path, mode='wb') as f:
PermissionError: [Errno 13] Permission denied: '/zap/wrk/$REPORT_NAME.json'

sshniro commented 7 months ago

As per my previous understanding, this is a limitation imposed by the zaproxy docker images due to how GitHub executes GitHub Actions. I would suggest having a dedicated image for GitHub Actions to allow it to mount to the preferred directory.

thc202 commented 6 months ago

https://github.com/zaproxy/action-baseline/issues/118#issuecomment-2059339309

You would have to use a scan hook to write another JSON report, the action needs to know how the JSON report is named to later process the alerts raised.

https://github.com/zaproxy/action-baseline/issues/118#issuecomment-1955956719

Thanks for sharing the logs, I don't know if that case is the same as this one, but we'll fix it and you can try the changes.

https://github.com/zaproxy/action-baseline/issues/118#issuecomment-2068047405

I think it's just a matter of setting up the proper permissions.
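
The diagnosis reached in this thread (the directory mounted at /zap/wrk is not writable by the user inside the container) can be checked in a step before the scan. The script below is an added example, not part of the issue thread or the action's code. It assumes GNU stat; the WRK_DIR, ZAP_UID and ZAP_GID variable names and the 1000:1000 default are assumptions for illustration.

```shell
#!/bin/sh
# Added example: preflight check for a directory that will be bind-mounted
# into a container running as a non-root user.
# Assumes GNU stat (Linux runners). Only owner/group/other mode bits are
# checked; ACLs, supplementary groups, read-only mounts and SELinux labels
# are not considered.

# can_write DIR UID GID
# status 0: UID/GID may create files in DIR; 1: it may not; 2: DIR not inspectable
# The body runs in a subshell, so variables stay local and `exit` sets the status.
can_write() (
  dir=$1 uid=$2 gid=$3
  [ -d "$dir" ] || exit 2
  st=$(stat -c '%u %g %a' "$dir" 2>/dev/null) || exit 2
  set -- $st
  owner=$1 group=$2
  mode=$(( 0$3 & 0777 ))              # %a is octal; drop setuid/setgid/sticky
  [ "$uid" -eq 0 ] && exit 0          # root is not limited by mode bits
  if   [ "$uid" -eq "$owner" ]; then bits=$(( (mode >> 6) & 7 ))
  elif [ "$gid" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 ))
  else                               bits=$(( mode & 7 ))
  fi
  # creating a file needs write (2) and search (1) permission on the directory
  [ $(( bits & 3 )) -eq 3 ]
)

# Demo: WRK_DIR is the host directory passed to `docker run -v`.
# 1000:1000 is an assumed default for the image's non-root user; confirm it
# with `docker run --rm IMAGE id` before relying on it.
wrk=${WRK_DIR:-$PWD}
if can_write "$wrk" "${ZAP_UID:-1000}" "${ZAP_GID:-1000}"; then
  echo "ok: $wrk is writable for the container user"
else
  echo "fail: $wrk is not writable for the container user;" \
       "writes under /zap/wrk will fail with Errno 13"
fi
```
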