Use this action to scan a web application with the open-source Zed Attack Proxy (ZAP) dynamic application security testing (DAST) scanner.
| Input name | Data type | Required? | Description |
|---|---|---|---|
| | String | Yes | The ZAP server URL. |
| | String | Yes | The ZAP token. |
| | String | Yes | The application environment name. |
| | String | Yes | The authorization type. Supported types are `noauth`, `UsernamePasswordAuth`, and `auth0`. |
| | String | Yes | The application paths to scan. |
| | String | Yes | The application URL. |
| | String | Yes | Either |
| | String | Required only if | The form field name of the application username. |
| | String | Required only if | The form field name of the application password. |
| | String | Required only if | The application username. |
| | String | Required only if | The application password. |
| | String | Required only if | The application sign-in page GET URL. |
| | String | Required only if | The application sign-in page target URL. |
| | String | Required only if | The application signed-in indicator. |
| | String | Required only if | The application signed-out indicator. |
| | String | Required only if | The regular expressions to include in context. |
| | String | Required only if | The regular expressions to exclude from context. |
| | String | Required only if | The application sign-in URI. |
| | String | Required only if | The application sign-in hostname. |
| | String | Required only if | The application redirect URI. |
| | String | Required only if | The ZAP domain. |
| | String | Required only if | The ZAP client ID. |
| | String | Required only if | The ZAP client secret. |
The following examples show each authorization type in use.

In the case of `auth-type: "noauth"`:

```yaml
- name: Scan with ZAP noauth
  uses: cloudbees-io/zap-dast-scan-environment@v1
  with:
    zap-url: https://example.com
    token: ${{ secrets.ZAP_CLIENT_SECRET }}
    environment: "Development"
    auth-type: "noauth"
    paths: "/components"
    url: "https://url.com"
    contextAvailable: "false"
```
In the case of `auth-type: "UsernamePasswordAuth"`:

```yaml
- name: Scan with ZAP user passwd
  uses: cloudbees-io/zap-dast-scan-environment@v1
  with:
    zap_url: "http://zap:8080/"
    token: ${{ secrets.ZAP_CLIENT_SECRET }}
    environment: "Development"
    url: "https://example.io/ui"
    authType: "UsernamePasswordAuth"
    paths: "/components,/home,/analytics"
    contextAvailable: "true"
    userNameFormFieldName: "username"
    passwordFormFieldName: "password"
    username: "riqsvc01"
    password: PASSWORD
    loginPageGetUrl: "https://url.io/ui/api/v1/access/auth/login?_spring_security_remember_me=false"
    loginPageTargetUrl: "https://uel.io/ui/api/v1/access/auth/login?_spring_security_remember_me=false"
    loggedInIndicator: "<a href=\"logout.jsp\"></a>"
    loggedOutIndicator: "LoginForm"
    includeInContextRegexes: "https://url.io.*"
    excludeFromContextRegexes: "https://url.io/ui/logout.*"
```

Note: If
In the case of `auth-type: "auth0"`:

```yaml
- name: Scan with ZAP auth0
  uses: cloudbees-io/zap-dast-scan-environment@v1
  with:
    zap_url: "http://url:8080/"
    token: ${{ secrets.ZAP_TOKEN }}
    environment: "Development"
    auth-type: "auth0"
    paths: "/dashboard,/organisations,/standards"
    contextAvailable: "false"
    firstGetURI: "/u/login"
    loginHostname: "https://url.com"
    loggedInIndicator: "<a href=\"logout.jsp\"><\\/a>"
    loggedOutIndicator: "\\\\bLog in to cbcqa to continue to Platform UI\\\\b"
    redirectURI: "https://url.com/"
    includeInContextRegexes: "https://url.com.*,https://url.eu.auth0.com.*"
    excludeFromContextRegexes: "https://accounts.google.com/o/oauth2/auth.*"
```
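As an added illustration (not part of the action or this page), the Python below shows how the comma-separated context regexes and the logged-in/logged-out indicators from the examples above decide which URLs ZAP keeps in scope and how it recognises the session state; it assumes a context regex must match the whole URL and that a matching exclude regex overrides an include, and the function names are my own.

```python
import re

# Values copied from the UsernamePasswordAuth example above; the sample
# response bodies fed to session_state() are constructed for this example.
INCLUDE_IN_CONTEXT = "https://url.io.*"
EXCLUDE_FROM_CONTEXT = "https://url.io/ui/logout.*"
LOGGED_IN_INDICATOR = '<a href="logout.jsp"></a>'
LOGGED_OUT_INDICATOR = "LoginForm"


def split_input(value: str) -> list[str]:
    """Split a comma-separated action input (paths, include/exclude regexes)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def in_context(url: str, include: str, exclude: str) -> bool:
    """Return True if the URL is in scope for the ZAP context.

    Assumption: each regex must match the whole URL, and any matching
    exclude regex wins over a matching include regex.
    """
    if any(re.fullmatch(pattern, url) for pattern in split_input(exclude)):
        return False
    return any(re.fullmatch(pattern, url) for pattern in split_input(include))


def session_state(body: str, logged_in: str, logged_out: str) -> str:
    """Classify a response body using the logged-in / logged-out indicator regexes."""
    if re.search(logged_in, body):
        return "logged-in"
    if re.search(logged_out, body):
        return "logged-out"
    return "unknown"


if __name__ == "__main__":
    # Excluding the logout URL keeps the spider from ending the authenticated session.
    for url in ("https://url.io/ui/home", "https://url.io/ui/logout.jsp"):
        print(url, in_context(url, INCLUDE_IN_CONTEXT, EXCLUDE_FROM_CONTEXT))
    print(session_state('<a href="logout.jsp"></a>', LOGGED_IN_INDICATOR, LOGGED_OUT_INDICATOR))
```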
This code is made available under the MIT license.