zaproxy / action-full-scan

A GitHub Action for running the ZAP Full scan
Apache License 2.0

Feature: specify minimum severity #9

Open hazcod opened 4 years ago

hazcod commented 4 years ago

Since ZAP vulnerability scans can generate a lot of issues, it might be nice to be able to, e.g., ignore any LOW or INFO vulnerabilities (so that issues are not created).

e.g.

jobs:
  zap_scan_public:
    runs-on: ubuntu-latest
    name: Scan public website
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.1.0
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a -s MEDIUM'

psiinon commented 4 years ago

You can effectively already do this by setting any rules you are not interested in to IGNORE in your rules file. This is a finer grain control, but will have the same effect. I worry that creating too many options will make the action harder to understand and therefore less useful.

fguisso commented 3 years ago

Can you create an info page here or in the ZAP docs with all rules? I found that, but I need to run the scan on my local machine and get the `gen.conf`. Maybe with it in the docs, we can help more people who don't know ZAP profoundly.

I don't know if rules are updated weekly, in this case, we need some actions to update the docs every time that a rule is added.

My gen.conf generated today:

# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0   WARN    (Directory Browsing - Active/release)
10003   WARN    (Vulnerable JS Library - Passive/release)
10010   WARN    (Cookie No HttpOnly Flag - Passive/release)
10011   WARN    (Cookie Without Secure Flag - Passive/release)
10015   WARN    (Incomplete or No Cache-control and Pragma HTTP Header Set - Passive/release)
10017   WARN    (Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019   WARN    (Content-Type Header Missing - Passive/release)
10020   WARN    (X-Frame-Options Header - Passive/release)
10021   WARN    (X-Content-Type-Options Header Missing - Passive/release)
10023   WARN    (Information Disclosure - Debug Error Messages - Passive/release)
10024   WARN    (Information Disclosure - Sensitive Information in URL - Passive/release)
10025   WARN    (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026   WARN    (HTTP Parameter Override - Passive/beta)
10027   WARN    (Information Disclosure - Suspicious Comments - Passive/release)
10028   WARN    (Open Redirect - Passive/beta)
10029   WARN    (Cookie Poisoning - Passive/beta)
10030   WARN    (User Controllable Charset - Passive/beta)
10031   WARN    (User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032   WARN    (Viewstate - Passive/release)
10033   WARN    (Directory Browsing - Passive/beta)
10034   WARN    (Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035   WARN    (Strict-Transport-Security Header - Passive/beta)
10036   WARN    (HTTP Server Response Header - Passive/beta)
10037   WARN    (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038   WARN    (Content Security Policy (CSP) Header Not Set - Passive/beta)
10039   WARN    (X-Backend-Server Header Information Leak - Passive/beta)
10040   WARN    (Secure Pages Include Mixed Content - Passive/release)
10041   WARN    (HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042   WARN    (HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043   WARN    (User Controllable JavaScript Event (XSS) - Passive/beta)
10044   WARN    (Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045   WARN    (Source Code Disclosure - /WEB-INF folder - Active/release)
10047   WARN    (HTTPS Content Available via HTTP - Active/beta)
10048   WARN    (Remote Code Execution - Shell Shock - Active/beta)
10050   WARN    (Retrieved from Cache - Passive/beta)
10051   WARN    (Relative Path Confusion - Active/beta)
10052   WARN    (X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053   WARN    (Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054   WARN    (Cookie Without SameSite Attribute - Passive/release)
10055   WARN    (CSP - Passive/release)
10056   WARN    (X-Debug-Token Information Leak - Passive/release)
10057   WARN    (Username Hash Found - Passive/release)
10058   WARN    (GET for POST - Active/beta)
10061   WARN    (X-AspNet-Version Response Header - Passive/release)
10062   WARN    (PII Disclosure - Passive/beta)
10095   WARN    (Backup File Disclosure - Active/beta)
10096   WARN    (Timestamp Disclosure - Passive/release)
10097   WARN    (Hash Disclosure - Passive/beta)
10098   WARN    (Cross-Domain Misconfiguration - Passive/release)
10104   WARN    (User Agent Fuzzer - Active/beta)
10105   WARN    (Weak Authentication Method - Passive/release)
10106   WARN    (HTTP Only Site - Active/beta)
10107   WARN    (Httpoxy - Proxy Header Misuse - Active/beta)
10108   WARN    (Reverse Tabnabbing - Passive/beta)
10109   WARN    (Modern Web Application - Passive/beta)
10202   WARN    (Absence of Anti-CSRF Tokens - Passive/release)
2   WARN    (Private IP Disclosure - Passive/release)
20012   WARN    (Anti-CSRF Tokens Check - Active/beta)
20014   WARN    (HTTP Parameter Pollution - Active/beta)
20015   WARN    (Heartbleed OpenSSL Vulnerability - Active/beta)
20016   WARN    (Cross-Domain Misconfiguration - Active/beta)
20017   WARN    (Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018   WARN    (Remote Code Execution - CVE-2012-1823 - Active/beta)
20019   WARN    (External Redirect - Active/release)
3   WARN    (Session ID in URL Rewrite - Passive/release)
30001   WARN    (Buffer Overflow - Active/release)
30002   WARN    (Format String Error - Active/release)
30003   WARN    (Integer Overflow Error - Active/beta)
40003   WARN    (CRLF Injection - Active/release)
40008   WARN    (Parameter Tampering - Active/release)
40009   WARN    (Server Side Include - Active/release)
40012   WARN    (Cross Site Scripting (Reflected) - Active/release)
40013   WARN    (Session Fixation - Active/beta)
40014   WARN    (Cross Site Scripting (Persistent) - Active/release)
40016   WARN    (Cross Site Scripting (Persistent) - Prime - Active/release)
40017   WARN    (Cross Site Scripting (Persistent) - Spider - Active/release)
40018   WARN    (SQL Injection - Active/release)
40019   WARN    (SQL Injection - MySQL - Active/beta)
40020   WARN    (SQL Injection - Hypersonic SQL - Active/beta)
40021   WARN    (SQL Injection - Oracle - Active/beta)
40022   WARN    (SQL Injection - PostgreSQL - Active/beta)
40023   WARN    (Possible Username Enumeration - Active/beta)
40024   WARN    (SQL Injection - SQLite - Active/beta)
40025   WARN    (Proxy Disclosure - Active/beta)
40026   WARN    (Cross Site Scripting (DOM Based) - Active/beta)
40027   WARN    (SQL Injection - MsSQL - Active/beta)
40028   WARN    (ELMAH Information Leak - Active/release)
40029   WARN    (Trace.axd Information Leak - Active/beta)
40032   WARN    (.htaccess Information Leak - Active/release)
40034   WARN    (.env Information Leak - Active/beta)
40035   WARN    (Hidden File Finder - Active/beta)
41  WARN    (Source Code Disclosure - Git  - Active/beta)
42  WARN    (Source Code Disclosure - SVN - Active/beta)
43  WARN    (Source Code Disclosure - File Inclusion - Active/beta)
50000   WARN    (Script Active Scan Rules - Active/release)
50001   WARN    (Script Passive Scan Rules - Passive/release)
6   WARN    (Path Traversal - Active/release)
7   WARN    (Remote File Inclusion - Active/release)
90001   WARN    (Insecure JSF ViewState - Passive/release)
90011   WARN    (Charset Mismatch - Passive/release)
90017   WARN    (XSLT Injection - Active/beta)
90019   WARN    (Server Side Code Injection - Active/release)
90020   WARN    (Remote OS Command Injection - Active/release)
90021   WARN    (XPath Injection - Active/beta)
90022   WARN    (Application Error Disclosure - Passive/release)
90023   WARN    (XML External Entity Attack - Active/beta)
90024   WARN    (Generic Padding Oracle - Active/beta)
90025   WARN    (Expression Language Injection - Active/beta)
90026   WARN    (SOAP Action Spoofing - Active/alpha)
90027   WARN    (Cookie Slack Detector - Active/beta)
90028   WARN    (Insecure HTTP Method - Active/beta)
90029   WARN    (SOAP XML Injection - Active/alpha)
90030   WARN    (WSDL File Detection - Passive/alpha)
90033   WARN    (Loosely Scoped Cookie - Passive/release)
90034   WARN    (Cloud Metadata Potentially Exposed - Active/beta)

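
Setting selected rules to IGNORE, as psiinon suggests above, means editing the gen.conf-style rules file whose format is shown in the listing. The following is an added example, not code from the action, from ZAP, or from anyone in this thread: it parses that format and rewrites chosen rule ids to a new action, leaving ZAP's comment lines and every other rule untouched. The sample text and the rule selection are constructed for the example.

```python
"""Rewrite a zap-full-scan rules file (the gen.conf format shown above).
Added example; assumes one rule per whitespace-separated line of the form
`<id> <WARN|IGNORE|FAIL> (<name>)` plus `#` comment lines."""
import re

RULE_RE = re.compile(r"^(\d+)\s+(WARN|IGNORE|FAIL)\s+(.*)$")
VALID_ACTIONS = {"WARN", "IGNORE", "FAIL"}

# Constructed sample in the gen.conf format; ids and names taken from the thread.
SAMPLE_RULES = """\
# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
10096\tWARN\t(Timestamp Disclosure - Passive/release)
10038\tWARN\t(Content Security Policy (CSP) Header Not Set - Passive/beta)
40018\tWARN\t(SQL Injection - Active/release)
"""


def parse_rules(text):
    """Return {rule_id: (action, name)} for the rule lines in the file."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and ZAP's own commentary
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rules[m.group(1)] = (m.group(2), m.group(3))
    return rules


def set_action(text, rule_ids, action):
    """Return a copy of the file with the given rule ids set to `action`.
    Only the listed ids change; comments and all other rules keep their
    current setting, so the file stays a valid ZAP rules file."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"action must be one of {sorted(VALID_ACTIONS)}")
    wanted = {str(i) for i in rule_ids}
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) in wanted:
            line = f"{m.group(1)}\t{action}\t{m.group(3)}"  # keep id/action/name layout
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Silence two informational rules while keeping the SQL Injection rule active.
    print(set_action(SAMPLE_RULES, [10096, 10038], "IGNORE"))
```

Active-scan rules set to IGNORE are skipped entirely, so this is also how you shorten a scan, which is the trade-off to weigh before silencing anything that is not purely informational.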
thc202 commented 3 years ago

You mean like this one https://www.zaproxy.org/docs/alerts/ ?

fguisso commented 3 years ago

Exactly, thanks! Can you add this link in GH Actions please?

marvelredddy commented 4 months ago

How can I report after I get alerts? Actually, bug bounty platforms need impact with a PoC. How can I report? Any suggestions?

kingthorin commented 4 months ago

In that case you're the "expert" not ZAP.

Also, the User Group is a much better place for discussion, not our issue tracker.