activist
OWASP ZAP rules & runners
Contributor checklist
- [x] This pull request is on a separate branch and not the main branch
- [x] I have run the tests for the backend and frontend depending on what's needed for my changes as described in the testing section of the contributing guide
Description
OWASP ZAP Security Scanning Implementation
This PR implements robust OWASP ZAP security scanning to enhance the project's security posture through automated vulnerability detection. The implementation is designed to be unobtrusive while providing comprehensive security coverage.
Key additions include:
1. Enhanced OWASP ZAP workflow:
   - Weekly scheduled scans (Mondays at 2 AM UTC)
   - Optimized scanning parameters (HIGH attack strength, MEDIUM alert threshold)
   - Time-optimized scanning (60-minute timeout, 10 threads)
   - Comprehensive reporting with JSON, Markdown, and HTML formats
   - Automatic security issue creation for identified vulnerabilities
   - Artifact uploads for detailed review and historical tracking
2. Complete ZAP security configuration:
   - Custom rules file to reduce false positives (14 optimized rule exceptions)
   - Detailed documentation explaining the security testing approach in `.zap/README.md`
   - Multiple scanning options via scripts for:
     - Local development testing (`run_local_scan.sh`)
     - GitHub Actions local simulation (`run_with_act.sh`)
     - Desktop ZAP integration (`run_with_zap_desktop.sh`)
3. Developer-friendly additions:
   - Simple one-command scan launcher (`run-zap-scan.sh`)
   - Docker Compose setup for ZAP testing
   - Configuration files for consistent testing across environments
The PR focuses exclusively on security testing infrastructure without modifying application code. All Docker configurations have been synchronized with upstream/main for consistency. Testing was performed using the provided scripts locally, and through execution of the GitHub workflow.
Related issue
- #ISSUE_NUMBER
Deploy Preview for activist-org canceled.
| Name | Link |
|---|---|
| Latest commit | c8c8198e4b616a7246eacd0301419c9befa88b2f |
| Latest deploy log | https://app.netlify.com/sites/activist-org/deploys/6819331233304600083db4de |
Thank you for the pull request! ❤️
The activist team will do our best to address your contribution as soon as we can. If you're not already a member of our public Matrix community, please consider joining! We'd suggest using Element as your Matrix client, and definitely join the General and Development rooms once you're in. Also consider attending our bi-weekly Saturday developer syncs! It'd be great to meet you 😊
Maintainer Checklist
The following is a checklist for maintainers to make sure this process goes as well as possible. Feel free to address the points below yourself in further commits if you realize that actions are needed :)
- [x] The TypeScript, pytest and formatting workflows within the PR checks do not indicate new errors in the files changed
- [x] The Playwright end to end and Zap penetration tests have been run and are passing (if necessary)
- [x] The changelog has been updated with a description of the changes for the upcoming release and the corresponding issue (if necessary)
Hey @aasimsyed 👋 One thing I'm noting here is that it seems like you changed your Git email recently and haven't added it to your GitHub account as the commits are not linked 🤔 Do you want to check what you're getting back for `git config user.email` in your local activist repo (can be set with `git config --global user.email "GITHUB_EMAIL"`). You can check your GitHub email here :)
Hey @andrewtavis ... I think you're right. I don't know how that happened. I will re-push soon.
Hey @aasimsyed 👋 Quick check in to see if we can get the changes finalized before Saturday so that we can hopefully merge these PRs in during the sync? Would be great to see you there! 😊
I made a small change and pushed a new commit. Should this do it? I should have my email set correctly now.
Yes you do :) I think I'll try to squash the changes and remove the "other you" as a contributor, which should work 😊 Do you want to maybe send the exact same change to the other PRs and then you'll be logged in each? I hope this works. My assumption is that you should get one commit for each squashed PR 😊
Hope you're able to attend the sync tomorrow! Would be great to talk these over and merge them in. We can do a call over the weekend if not :)
Things to consider based on discussions in the sync:
- We'd ideally remove `rules.tsv` as they appear to also be in the YAML file
- We'd want to make sure that we're not getting repeat issues on the repo if we switch it to medium and we don't fix an issue within a week (ideally)
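The triage step that both the PR description (the custom rules file that suppresses false positives, and automatic issue creation from scan results) and the sync notes above (avoiding repeat issues when a weekly Medium-threshold scan re-reports a finding that was not fixed within the week) touch on, as an added Python example that is not code from this PR or the activist project. It assumes ZAP's JSON report layout (`site[].alerts[]` entries carrying `pluginid`, `alert`, `riskcode` and `instances`) and the tab-separated `rules.tsv` layout used by the ZAP scan scripts (plugin id, IGNORE/WARN/FAIL, comment). The report and rules data are constructed samples, and `issue_key` / `new_findings` are illustrative helpers, not ZAP or GitHub APIs.

```python
"""Triage a ZAP JSON report against a rules.tsv file and derive a stable key
per finding so a weekly scheduled scan does not open duplicate issues.

Added example for this PR thread; not code from the activist project.
Report shape and rules.tsv layout are assumptions described in the lead-in;
all sample data below is constructed.
"""
import csv
import hashlib
import io
import json

# Constructed sample report: three alerts, one of which the rules file ignores.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://localhost:3000",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "http://localhost:3000/", "method": "GET"}]},
            {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
             "riskcode": "0", "confidence": "1",
             "instances": [{"uri": "http://localhost:3000/app.js", "method": "GET"}]},
            {"pluginid": "90022", "alert": "Application Error Disclosure",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "http://localhost:3000/api/v1/", "method": "POST"}]},
        ],
    }],
})

# Constructed sample rules file: <plugin id> TAB IGNORE|WARN|FAIL TAB <comment>
SAMPLE_RULES = (
    "10096\tIGNORE\t(Timestamp Disclosure - noisy on bundled JS)\n"
    "10038\tWARN\t(CSP - tracked separately)\n"
)

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def parse_rules(text):
    """Return {plugin_id: action} from a rules.tsv body; blank and '#' lines are skipped."""
    rules = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row or row[0].startswith("#"):
            continue
        rules[row[0].strip()] = row[1].strip().upper()
    return rules


def triage(report_text, rules_text, min_risk=2):
    """Keep alerts at or above min_risk (2 = Medium) whose plugin is not IGNOREd."""
    rules = parse_rules(rules_text)
    report = json.loads(report_text)
    kept = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if rules.get(alert["pluginid"]) == "IGNORE":
                continue  # suppressed by the rules file (known false positive)
            risk = int(alert["riskcode"])
            if risk < min_risk:
                continue  # below the alert threshold the workflow reports on
            kept.append({
                "pluginid": alert["pluginid"],
                "name": alert["alert"],
                "risk": RISK_NAMES[risk],
                "uris": sorted({i["uri"] for i in alert.get("instances", [])}),
            })
    return kept


def issue_key(finding):
    """Stable key for one finding: same plugin id + same URI set gives the same
    key on every run, so the workflow can look up an existing open issue instead
    of filing a new one each Monday."""
    material = finding["pluginid"] + "|" + "|".join(finding["uris"])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def new_findings(findings, open_issue_keys):
    """Return only the findings whose key is not already tracked by an open issue."""
    return [f for f in findings if issue_key(f) not in open_issue_keys]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, SAMPLE_RULES):
        print(issue_key(f), f["risk"], f["name"], f["uris"])
```

In a workflow, the key would be embedded in the issue title or a label when an issue is created, and collected from the open issues before the next run; `new_findings` then filters the triaged list so an unfixed Medium finding is reported once rather than every week.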
Ok @aasimsyed: Most recent commit sends the changes I was working on 😊 Would be great if you could check what were discussed and logged here!
Are we ready for a final review here, @aasimsyed? :)
I may have inadvertently overwritten the changes you made to comments, e.g. "MARK"... you may want to re-check that and then it's ready to go.