GitHub Code Scanning Integration #63

Open
SvanBoxel opened this issue Sep 28, 2021 · 12 comments
Comments

@SvanBoxel

SvanBoxel commented Sep 28, 2021

👋🏽 ZAproxy team,

Thank you for building this Action. I took the liberty to create an action that maps the ZAProxy results to SARIF so they can be displayed in the GitHub Advanced Security UI.

You can check it out here: https://github.com/SvanBoxel/zaproxy-to-ghas

Optionally we could decide to merge this action into zaproxy/action-baseline so it becomes easier for users to leverage this scanning utility.

Disclaimer: I know, SARIF isn’t made for DAST results, but having the ability to view all security results through a single pane of glass can be very beneficial.
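The mapping the comment above describes (ZAP alerts to SARIF so they show up in the code scanning UI), as an added example that is not the zaproxy-to-ghas action's own code. It assumes the shape of ZAP's traditional JSON report (`site[].alerts[].instances[]`), the risk-to-level mapping is a choice made here, and the sample report is constructed, not taken from a real scan.

```python
import json

# ZAP riskcode -> SARIF result level. This mapping is chosen here; neither format mandates it.
RISK_TO_LEVEL = {"3": "error", "2": "warning", "1": "note", "0": "note"}


def zap_to_sarif(report: dict) -> dict:
    """Build a SARIF 2.1.0 log: one rule per ZAP plugin id, one result per alert instance."""
    rules, results, seen = [], [], set()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            rule_id = str(alert["pluginid"])
            if rule_id not in seen:  # rules are deduplicated across sites
                seen.add(rule_id)
                rules.append({
                    "id": rule_id,
                    "name": alert["alert"],
                    "shortDescription": {"text": alert["alert"]},
                    "help": {"text": alert.get("solution", "")},
                    "properties": {"cwe": str(alert.get("cweid", ""))},
                })
            level = RISK_TO_LEVEL.get(str(alert["riskcode"]), "note")
            for inst in alert.get("instances", []):
                results.append({
                    "ruleId": rule_id,
                    "level": level,
                    "message": {"text": f"{alert['alert']} [{alert.get('riskdesc', '')}]"},
                    # DAST findings have no source file; the request URL is the location.
                    "locations": [{"physicalLocation": {"artifactLocation": {"uri": inst["uri"]}}}],
                    "properties": {"method": inst.get("method", ""), "evidence": inst.get("evidence", "")},
                })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "OWASP ZAP", "rules": rules}}, "results": results}],
    }


# Constructed sample shaped like ZAP's traditional JSON report; not output of a real scan.
SAMPLE_REPORT = {"site": [{"@name": "https://example.test", "alerts": [
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)", "cweid": "693",
     "solution": "Set a Content-Security-Policy header.",
     "instances": [{"uri": "https://example.test/", "method": "GET", "evidence": ""},
                   {"uri": "https://example.test/login", "method": "GET", "evidence": ""}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "cweid": "693",
     "solution": "Set X-Content-Type-Options: nosniff.",
     "instances": [{"uri": "https://example.test/", "method": "GET", "evidence": ""}]},
]}]}

if __name__ == "__main__":
    print(json.dumps(zap_to_sarif(SAMPLE_REPORT), indent=2))
```

Because SARIF locations are meant for files, code scanning will show the URL as the artifact; the alert's method and evidence are kept in `properties` so they are not lost on upload.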

@psiinon
Member

psiinon commented Sep 28, 2021

@SvanBoxel thank you for creating this and telling us about it :)
It looks very interesting - we'll have a look at it and get back to you asap!

@brentufkes

Is there any action here? @psiinon

This is very helpful, being able to show these results in the Advanced Security UI (acknowledging the disclaimer).

@derekmurawsky

This would be fantastic. I would love to see this action enable SARIF output as well so an intermediate step/action is not needed.

@DanBradbury

Ran into this requirement recently so I took a quick stab at hacking out a solution to let us proceed and I'd very much like to help make this be part of the main action without requiring an additional action to be used.

My understanding is that this would require changes to this repo (#110) & zaproxy (zaproxy/zaproxy#8005)

In my case I had to create a new docker image with these files updated (zap-baseline.py and zap_common.py) to confirm that the entire scenario works correctly.

Would gladly take suggestions / work on productionizing the code if this path doesn't seem too out there. It would require input from folks who are far more knowledgeable than I (@psiinon or any others).

@thc202
Member

thc202 commented Aug 14, 2023

With a scan hook you could create the report without doing changes everywhere: https://www.zaproxy.org/docs/docker/scan-hooks/

@DanBradbury

With a scan hook you could create the report without doing changes everywhere: https://www.zaproxy.org/docs/docker/scan-hooks/

Wondering if that solve makes sense for folks supporting 100s of applications and needing to add that hook.py file to all repos. Was mostly hoping for it to be supported with a command line option.

@thc202
Member

thc202 commented Aug 14, 2023

The hook can be created by the workflow and one can use reusable workflows, so no need to add a file to 100s repos.

It's not necessary to add a command line option when this can be implemented just in the action (or the common package).
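The scan-hook route suggested above, as an added example that is not part of action-baseline or the zaproxy docs. It assumes the hook names `zap_started(zap, target)` and `zap_pre_shutdown(zap)` from the ZAP docker scan-hooks page, that `zap` is the python ZAP API client whose `reports.generate` accepts `template`, `sites`, `reportdir` and `reportfilename`, that the reports add-on's `sarif-json` template is present in the image, and the `ZAP_SARIF_DIR` variable name is hypothetical.

```python
# Scan hook file (passed to zap-baseline.py with --hook, or checked in as .zap_hooks.py).
# A workflow can write this file at runtime, so nothing has to be committed to each repo.
import os

SARIF_DIR = os.environ.get("ZAP_SARIF_DIR", "/zap/wrk")  # hypothetical variable name
_state = {"target": None}


def zap_started(zap, target):
    """Called once ZAP is up; remember the scan target so the report covers only that site."""
    _state["target"] = target
    return target


def zap_pre_shutdown(zap):
    """Called just before ZAP stops: ask the reports add-on for a SARIF file.

    Returns whatever the API client returns so a caller (or test) can inspect it.
    """
    return zap.reports.generate(
        title="ZAP baseline scan",
        template="sarif-json",          # assumed template id of the reports add-on
        sites=_state["target"] or "",   # restrict to the baseline target, if known
        reportdir=SARIF_DIR,
        reportfilename="zap-report.sarif",
    )
```

The workflow's next step would upload `${ZAP_SARIF_DIR}/zap-report.sarif` with the code scanning upload action; the hook itself only asks ZAP to write the file.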

@DanBradbury

ack. My issue with that solution is that it requires something beyond the baseline scan options that come out of the box. Seems like a workaround to use a hook rather than have something supported properly in the main action.

Definitely not a fan of that solution, but if the guidance is to not support SARIF within the baseline scan in the future I guess we will go with the gross hook solve / keep rolling our own docker image + maintain our own fork.

@thc202
Member

thc202 commented Aug 14, 2023

What do you want to use? The action or the packaged scan? Both?

@DanBradbury

My understanding from the docs was that "GitHub Actions wrap the above packaged scans" (Baseline, Full Scan, API Scan).

What do you want to use? The action or the packaged scan? Both?

Doesn't the action-baseline action use the Baseline packaged scan? I believe that's the reason I had to make changes to both repos to support the new -S option for SARIF support. I'd like to improve the baseline action, and if that requires changes to the packaged scan then I think that work should be done in parallel. Even if there is a sunset plan for the old packaged scans to be unified with the automation framework, it looks like there is still work being done in zap-baseline.py to attempt to use the AF when possible:
https://github.com/zaproxy/zaproxy/blob/main/docker/zap-baseline.py#L344-L352

Ideally it would be great to have SARIF support figured out in the action here now, and then make the move to the AF completely seamless and update the old zap-baseline.py to fully use the automation framework when the time is right. Obviously I'm naive to priorities, etc. for the team, but as someone who is selfishly trying to use ZAP at scale we'd like to have this as a default / configurable behavior at the action level.

@elgohr

elgohr commented Oct 5, 2023

Looks like a SARIF report exporter is already part of ZAP. See

Sadly I didn't find a way/documentation to use it.

@elgohr

elgohr commented Oct 5, 2023

Find an idea at GSA-TTS/FAC#1654

7 participants