Comments (9)
Following the behaviour of other tools (e.g. LGTM), comment always with the difference between the latest changes of the PR and the base branch.
This will have to be done in two steps, e.g. the first creates the data and the second adds the comment (using the pull_request_target event).
from action-baseline.
Any update on this?
Personally, it would be enough for me to see the ZAP output on the PR, and you don't have to mix in any previous scan results.
First step, keep it simple; second step, you can mix in some extra things like comparing between old commits.
Good suggestion, but I assume this should run in conjunction with locally building the webapp, and then running the baseline scan against the local app.
Indeed, the URL can be extracted from a previous job output variable and used as input to ZAP.
I would like to start working on this issue: would like to get some clarifications, @psiinon @thc202
- If a user commits to a pull request should we report the new results of ZAP as a comment or comment on the difference between the previous commit and current commit?
Example: Alert x has been newly identified?
Did a rather simple version of this that you can definitely improve, but at least it runs ZAP on each PR.
Shouldn't be too hard to add rules for ZAP; one way could be to store them in the repo, which you probably should do anyway.
https://github.com/XenitAB/opa-bundle-api/pull/3/files
```yaml
name: ZAP PR Validation
on: pull_request
jobs:
  zap:
    timeout-minutes: 5
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Clone repo
        uses: actions/[email protected]
      - name: Setup go
        uses: actions/setup-go@v2
        with:
          go-version: "^1.16.2"
      - name: Run application
        run: |
          go mod download
          # Start the app in the background on the runner; timeout bounds how long it stays up.
          timeout 120s go run ./cmd/opa-bundle-api/main.go &
          # The ZAP container cannot reach the runner via localhost, so target the docker0
          # bridge address, which is where the host process is reachable from inside Docker.
          docker run -t owasp/zap2docker-stable zap-baseline.py -t http://$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1):8080
```
Sneaky bump on this issue: I'm looking for this exact functionality; from what I've seen in the docs so far, it looks like we'd need a single input to be added that lets us add an existing issue id to overwrite:
Every pull request is an issue, but not every issue is a pull request. For this reason, "shared" actions for both features, like manipulating assignees, labels and milestones, are provided within the Issues API.
https://docs.github.com/en/rest/reference/pulls
I'm pretty sure we can get that PR id in the workflow by using the GITHUB_REF variable.
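A worked example, added here and not code from the thread or from action-baseline itself, of the pieces asked for in the comments above: the PR (issue) number taken from GITHUB_REF, which on pull_request events has the form refs/pull/<n>/merge; the difference between a base-branch scan and the PR scan so that newly identified alerts can be called out; and the Markdown body for the comment. The report shape assumed is ZAP's traditional JSON report (what zap-baseline.py -J writes), and the two reports below are constructed samples.

```python
import json
import re

# Constructed sample reports in the shape of ZAP's traditional JSON report
# (what zap-baseline.py -J writes): one scan of the base branch, one of the PR head.
BASE_REPORT = json.dumps({"site": [{"@name": "http://localhost:8080", "alerts": [
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "instances": [{"uri": "http://localhost:8080/"}]},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "instances": [{"uri": "http://localhost:8080/"}]}]}]})
PR_REPORT = json.dumps({"site": [{"@name": "http://localhost:8080", "alerts": [
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "instances": [{"uri": "http://localhost:8080/"}]},
    {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header",
     "riskcode": "2", "instances": [{"uri": "http://localhost:8080/login"}]}]}]})
RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

def pr_number_from_ref(github_ref: str) -> int:
    """On pull_request events GITHUB_REF is refs/pull/<n>/merge; <n> is the PR (issue) number."""
    m = re.fullmatch(r"refs/pull/(\d+)/(merge|head)", github_ref)
    if not m:
        raise ValueError(f"not a pull request ref: {github_ref!r}")
    return int(m.group(1))

def load_alerts(report_json: str) -> dict:
    """Index a report by (pluginid, name, riskcode), keeping the URIs each alert was raised on."""
    out = {}
    for site in json.loads(report_json)["site"]:
        for a in site["alerts"]:
            key = (a["pluginid"], a["alert"], a["riskcode"])
            out.setdefault(key, []).extend(i["uri"] for i in a.get("instances", []))
    return out

def diff_alerts(base_json: str, pr_json: str) -> tuple:
    """Alerts only in the PR scan (newly identified) and only in the base scan (no longer reported)."""
    base, pr = load_alerts(base_json), load_alerts(pr_json)
    new = {k: v for k, v in pr.items() if k not in base}
    fixed = {k: v for k, v in base.items() if k not in pr}
    return new, fixed

def comment_body(new: dict, fixed: dict) -> str:
    """Markdown body for the PR comment, highest risk first within each section."""
    lines = ["## ZAP baseline: PR vs base branch"]
    for title, bucket in (("Newly identified", new), ("No longer reported", fixed)):
        lines.append(f"### {title}: {len(bucket)}")
        for (pid, name, risk), uris in sorted(bucket.items(), key=lambda kv: kv[0][2], reverse=True):
            lines.append(f"- [{RISK[risk]}] {name} (rule {pid}) on {', '.join(uris)}")
    return "\n".join(lines)
```

`comment_body(*diff_alerts(BASE_REPORT, PR_REPORT))` yields the text to post against the issue number returned by `pr_number_from_ref(os.environ["GITHUB_REF"])`; the posting step itself (Issues API, or editing an existing comment) is left to the workflow.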
@sshniro are you still able to look at this?
If not then no problem but we'll unassign you and try to encourage someone else to look at it :)
Hi @psiinon, unfortunately I will not be able to look into this during this month; I would highly welcome any contribution from someone else.