Feature: use in Pull Request
Instead of having an hourly scan or so, developers should receive direct feedback about their fixes in the CI/CD workflow.
Allowing us to use zaproxy/action-baseline in a pull_request flow should allow this behavior easily.
IMO, the only thing that needs to be changed is detecting whether we're in a pull request and commenting instead of creating an issue.
Good suggestion, but I assume this should run in conjunction with locally building the webapp, and then running the baseline scan against the local app.
Indeed, the URL can be extracted from a previous job output variable and used as input to ZAP.
I would like to start working on this issue; I'd like to get some clarifications, @psiinon @thc202
- If a user commits to a pull request should we report the new results of ZAP as a comment or comment on the difference between the previous commit and current commit?
Example: Alert x has been newly identified?
Following the behaviour of other tools (e.g. LGTM), comment always with the difference between the latest changes of the PR and the base branch.
This will have to be done in two steps, e.g. first creates the data and the second adds the comment (using pull_request_target event).
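One way to produce the "difference between the PR and the base branch" comment described above, as an added example (not code from zaproxy/action-baseline): it compares two ZAP baseline JSON reports and renders only the new and fixed alert instances as a markdown comment body. It assumes the report shape of ZAP's traditional JSON report (`zap-baseline.py -J report.json`); both sample reports below are constructed.

```python
"""Diff a base-branch ZAP report against a PR ZAP report and build a PR comment body.

Assumed report shape (ZAP traditional JSON report):
{"site": [{"@name": ..., "alerts": [{"pluginid", "alert", "riskcode",
                                      "instances": [{"uri", "method"}]}]}]}
"""
import json

RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def alert_keys(report):
    """Map (pluginid, method, uri) -> alert so one finding compares equal on both sides."""
    keys = {}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                keys[(alert["pluginid"], inst.get("method", ""), inst.get("uri", ""))] = alert
    return keys


def diff_reports(base, pr):
    """Return (new, fixed): instance keys only in the PR scan / only in the base scan."""
    b, p = alert_keys(base), alert_keys(pr)
    return sorted(k for k in p if k not in b), sorted(k for k in b if k not in p)


def render_comment(base, pr):
    """Markdown body for the PR comment; unchanged findings are left out on purpose."""
    new, fixed = diff_reports(base, pr)
    b, p = alert_keys(base), alert_keys(pr)
    lines = [f"## ZAP baseline: {len(new)} new, {len(fixed)} fixed alert instance(s)"]
    for title, keys, src in (("New", new, p), ("Fixed", fixed, b)):
        if keys:
            lines.append(f"### {title}")
            for k in keys:
                a = src[k]
                risk = RISK.get(str(a["riskcode"]), "?")
                lines.append(f"- [{risk}] {a['alert']} ({a['pluginid']}) at `{k[1]} {k[2]}`")
    return "\n".join(lines)


# Constructed sample reports: base branch has one alert, the PR fixes it and introduces another.
BASE_REPORT = json.loads("""{"site": [{"@name": "http://localhost:8080", "alerts": [
 {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
  "instances": [{"uri": "http://localhost:8080/", "method": "GET"}]}]}]}""")
PR_REPORT = json.loads("""{"site": [{"@name": "http://localhost:8080", "alerts": [
 {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
  "instances": [{"uri": "http://localhost:8080/", "method": "GET"},
                {"uri": "http://localhost:8080/bundles", "method": "GET"}]}]}]}""")

if __name__ == "__main__":
    print(render_comment(BASE_REPORT, PR_REPORT))
```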
Any update on this? Personally, it would be enough for me to see the ZAP output on the PR, and you don't have to mix in any previous scan results. First step: keep it simple; second step: you can mix in some extra things like comparing between old commits.
Did a rather simple version of this that you can definitely improve, but at least it runs ZAP on each PR. Shouldn't be too hard to add rules for ZAP; one way could be to store them in the repo, which you probably should do anyway.
https://github.com/XenitAB/opa-bundle-api/pull/3/files
```yaml
name: ZAP PR Validation
on: pull_request
jobs:
  zap:
    timeout-minutes: 5
    runs-on: ubuntu-latest
    env:
      GO111MODULE: on
    steps:
      - name: Clone repo
        # the action version reference was garbled when this comment was extracted
        uses: actions/[email protected]
      - name: Setup go
        uses: actions/setup-go@v2
        with:
          go-version: "^1.16.2"
      - name: Run application
        run: |
          go mod download
          # start the app in the background; timeout stops it after 120s
          timeout 120s go run ./cmd/opa-bundle-api/main.go &
          # ZAP runs in a container, so reach the app on the host via the docker0 bridge IP
          docker run -t owasp/zap2docker-stable zap-baseline.py -t http://$(ip -f inet -o addr show docker0 | awk '{print $4}' | cut -d '/' -f 1):8080
```
Sneaky bump on this issue: I'm looking for this exact functionality. From what I've seen in the docs so far, it looks like we'd need a single input to be added that lets us pass an existing issue ID to overwrite:
Every pull request is an issue, but not every issue is a pull request. For this reason, "shared" actions for both features, like manipulating assignees, labels and milestones, are provided within the Issues API.
https://docs.github.com/en/rest/reference/pulls
I'm pretty sure we can get that PR id in the workflow by using the GITHUB_REF variable.
@sshniro are you still able to look at this? If not then no problem but we'll unassign you and try to encourage someone else to look at it :)
Hi @psiinon, unfortunately I will not be able to look into this during this month; I would highly welcome any contribution from someone else.