CloudBees action: Scan with ZAP

2 minute read

Use this action to scan a web application with the open-source Zed Attack Proxy (ZAP) dynamic application security testing (DAST) scanner.

All CloudBees action repositories are listed at CloudBees, Inc. on GitHub.

Inputs

Table 1. Input details
Input name Data type Required? Description

zap-url

String

Yes

The ZAP server URL.

token

String

Yes

The ZAP token.

environment

String

Yes

The application environment name.

auth-type

String

Yes

The authorization type. Supported types are:

  • None ("noauth")

  • Username/password ("UsernamePasswordAuth")

  • Auth0 ("auth0")

paths

String

Yes

The application paths to scan.

url

String

Yes

The application URL.

context-available

String

Yes

Either true or false. Defaults to false.

app-username-form-field-name

String

Required only if auth-type: "UsernamePasswordAuth".

The form field name of the application username.

app-password-form-field-name

String

Required only if auth-type: "UsernamePasswordAuth".

The form field name of the application password.

app-username

String

Required only if auth-type: "UsernamePasswordAuth".

The application username.

app-password

String

Required only if auth-type: "UsernamePasswordAuth".

The application password.

loginPageGetUrl

String

Required only if auth-type: "UsernamePasswordAuth".

The application sign-in page GET URL.

loginPageTargetUrl

String

Required only if auth-type: "UsernamePasswordAuth".

The application sign-in page target URL.

loggedInIndicator

String

Required only if auth-type: "UsernamePasswordAuth" or auth-type: "auth0".

The application signed-in indicator.

loggedOutIndicator

String

Required only if auth-type: "UsernamePasswordAuth" or auth-type: "auth0".

The application signed-out indicator.

includeInContextRegexes

String

Required only if auth-type: "UsernamePasswordAuth" or auth-type: "auth0".

The regular expressions to include in context.

excludeFromContextRegexes

String

Required only if auth-type: "UsernamePasswordAuth" or auth-type: "auth0".

The regular expressions to exclude from context.

firstGetURI

String

Required only if auth-type: "auth0".

The application sign-in URI.

loginHostname

String

Required only if auth-type: "auth0".

The application sign-in hostname.

redirectURI

String

Required only if auth-type: "auth0".

The application redirect URI.

domain

String

Required only if auth-type: auth0 and context-available:true.

The ZAP domain.

client-id

String

Required only if auth-type: auth0 and context-available:true.

The ZAP client ID.

client-secret

String

Required only if auth-type: auth0 and context-available:true.

The ZAP client secret.

Usage examples

The following display an example of each authorization type in use.

No authorization

In the case of auth-type: "noauth":

      - name: Scan with ZAP noauth
        uses: cloudbees-io/zap-dast-scan-environment@v1
        with:
          zap-url: https://example.com
          token: ${{ secrets.ZAP_CLIENT_SECRET }}
          environment: "Development"
          auth-type: "noauth"
          paths: "/components"
          url: "https://url.com"
          contextAvailable: "false"

Username/password authorization

In the case of auth-type: "UsernamePasswordAuth":

      - name: Scan with ZAP user passwd
        uses: cloudbees-io/zap-dast-scan-environment@v1
        with:
          zap_url: "http://zap:8080/"
          token: ${{ secrets.ZAP_CLIENT_SECRET }}
          environment: "Development"
          url: "https://example.io/ui"
          authType: "UsernamePasswordAuth"
          paths: "/components,/home,/analytics"
          contextAvailable: "true"
          userNameFormFieldName: "username"
          passwordFormFieldName: "password"
          username: "riqsvc01"
          password:  PASSWORD
          loginPageGetUrl: "https://url.io/ui/api/v1/access/auth/login?_spring_security_remember_me=false"
          loginPageTargetUrl: "https://uel.io/ui/api/v1/access/auth/login?_spring_security_remember_me=false"
          loggedInIndicator: "<a href=\"logout.jsp\"></a>"
          loggedOutIndicator: "LoginForm"
          includeInContextRegexes: "https://url.io.*"
          excludeFromContextRegexes: "https://url.io/ui/logout.*"

Auth0 authorization

If contextAvailable: "true", then each of the following keywords require a set value:

  • client-id

  • domain

  • client-secret

In the case of auth-type: "auth0":

      - name: Scan with ZAP auth0
        uses: cloudbees-io/zap-dast-scan-environment@v1
        with:
          zap_url: "http://url:8080/"
          token: ${{ secrets.ZAP_TOKEN }}
          environment: "Development"
          uth-type: "auth0"
          paths: "/dashboard,/organisations,/standards"
          contextAvailable: "false"
          firstGetURI: "/u/login"
          loginHostname: "https://url.com"
          loggedInIndicator: "<a href=\"logout.jsp\"><\\/a>"
          loggedOutIndicator: "\\\\bLog in to cbcqa to continue to Platform UI\\\\b"
          redirectURI: "https://url.com/"
          includeInContextRegexes: "https://url.com.*,https://url.eu.auth0.com.*"
          excludeFromContextRegexes: "https://accounts.google.com/o/oauth2/auth.*"