Comments (5)
navpreet-securitas
commented on June 12, 2024
3
Hi
We are facing same issue , where GH issue is getting created again even though GH issue is present.
It works well when using default GITHUB_TOKEN , but if we use PAT token(with required permissions on repo) as below:
id: baseline
uses: zaproxy/[email protected]
with:
token: ${{ secrets.ZAP_TOKEN }}
target: 'https://www.example.com'
rules_file_name: 'rules.tsv'
it is not able to find existing open issue. Probably because of :
if ( issue["state"] === "open" && issue["user"]!["login"] === "github-actions[bot]" )
https://github.com/zaproxy/actions-common/blob/master/src/index.ts#LL73C1-L74C1
Since we are using PAT token it creates issue with another username in previous runs and username is verified as above it fails to get issue.
Why we are using PAT token instead of default GITHUB_TOKEN because we want to trigger another workflow which create jira ticket , whenever a GH issue is created by base zap scan workflow.
https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
@sshniro any suggestions how to workaround this or fixes coming for this. maybe token can be used to identify user used for zap scan / issue creation and then verify that user in actions-common.
from action-baseline.
sshniro
commented on June 12, 2024
I assume this is due to the fact that the runner could not read the previous report and executing the create new issue workflow. I'll check and update you on this.
Line 133 in 08af42e
from action-baseline.
sshniro
commented on June 12, 2024
Hi @hazcod, I assume this is an isolated event, as the new scans (for 2 days) did not create a new issue: ironpeakservices/ironpeak.be#42
I will add more logs to figure out what went wrong.
from action-baseline.
navpreet-securitas
commented on June 12, 2024
Quoted message
Hi We are facing same issue , where GH issue is getting created again even though GH issue is present. It works well when using default GITHUB_TOKEN , but if we use PAT token(with required permissions on repo) as below:
id: baseline uses: zaproxy/[email protected] with: token: ${{ secrets.ZAP_TOKEN }} target: 'https://www.example.com' rules_file_name: 'rules.tsv'it is not able to find existing open issue. Probably because of :
if ( issue["state"] === "open" && issue["user"]!["login"] === "github-actions[bot]" )https://github.com/zaproxy/actions-common/blob/master/src/index.ts#LL73C1-L74C1Since we are using PAT token it creates issue with another username in previous runs and username is verified as above it fails to get issue. Why we are using PAT token instead of default GITHUB_TOKEN because we want to trigger another workflow which create jira ticket , whenever a GH issue is created by base zap scan workflow. https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
@sshniro any suggestions how to workaround this or fixes coming for this. maybe token can be used to identify user used for zap scan / issue creation and then verify that user in actions-common.
probably this can be used:
getting user by using token passed and then comparing with OR condition ( along with github-actions[bot])
// Octokit.js
// https://github.com/octokit/core.js#readme
const octokit = new Octokit({
auth: 'YOUR-TOKEN'
})
await octokit.request('GET /user', {
headers: {
'X-GitHub-Api-Version': '2022-11-28'
}
})
https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user
from action-baseline.
Den4200
commented on June 12, 2024
Thanks so much!
from action-baseline.
Related Issues (20)
- xml placeholder file not created as part of execution causing -x flag HOT 1
- Support User access token to create the issue HOT 2
- Hide the Docker clone logs
- Show error if rule file not found HOT 2
- Put ignored alerts in a details tag HOT 1
- Option to fail or pass the action based on alerts HOT 4
- Permission issue while Ajax scanning with root user HOT 2
- Octokit problem HOT 29
- Error on fail_action HOT 1
- Capturing the ZAP scan run results and publish into Slack HOT 2
- OUTOFSCOPE doesn't seem to be working HOT 7
- Feature Request: Allow specifying artifact name HOT 6
- `Cannot listen on port 0.0.0.0:60926` error HOT 5
- Cannot turn off GitHub issue filing HOT 7
- GitHub Code Scanning Integration HOT 12
- Automation Framework - compatible with config file / basic auth? HOT 1
- Can't run with Ajax spider HOT 4
- Feature: Allows the use of Docker Volume Mount for /zap/wrk/
- Upgrade to node 16
- Nodejs 12 deprecated, upgrade to Nodejs 16. HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from action-baseline.