This repository integrates OWASP ZAP (Zed Attack Proxy) into a GitHub Actions workflow to perform automated security scanning of a web application whenever a push event occurs. OWASP ZAP is an open-source security scanner that helps identify vulnerabilities in web applications, such as:
- SQL Injection
- Cross-Site Scripting (XSS)
- Broken Authentication
- Security Misconfigurations
- Sensitive Data Exposure
The GitHub Actions workflow (.github/workflows/owasp-zap.yml) automates the security scanning process by:
- Checking out the repository to access necessary files.
- Running OWASP ZAP Full Scan inside a Docker container.
- Scanning the target web application using OWASP ZAP.
- Applying custom rules (if defined) to manage scan results.
- Logging and reporting vulnerabilities found during the scan.
The OWASP ZAP scanning workflow is defined as follows:
- name: ZAP Scan
uses: zaproxy/action-full-scan@v0.12.0
with:
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'http://testphp.vulnweb.com/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'- Trigger: Runs automatically on each
pushevent. - ZAP Scan Action: Uses
zaproxy/action-full-scanto scan the target. - Target URL: The web application to be scanned (currently
http://testphp.vulnweb.com/). - Rules File:
.zap/rules.tsvcan be used to modify alert rules and ignore false positives. - Command Options (
-a): Runs in aggressive mode for a more thorough scan.
- Spidering & Crawling:
- ZAP first crawls the target website to discover pages and input fields.
- Active Scanning:
- Sends active payloads to form fields, URLs, and headers to detect vulnerabilities.
- Passive Scanning:
- Analyzes HTTP responses for security weaknesses without sending active attacks.
- Reporting & Alerts:
- Generates a report listing discovered vulnerabilities and their severity levels (e.g., High, Medium, Low, Informational).
After the workflow completes, the scan results can be accessed via:
- GitHub Actions Logs
Integrating OWASP ZAP into GitHub Actions enhances security automation by identifying vulnerabilities early in the development cycle. By regularly scanning your web application, you can mitigate risks and improve security posture before deployment.
For more details, refer to the OWASP ZAP Documentation.