
OWASP ZAP with GitHub Actions

This tutorial demonstrates how to set up a Dynamic Application Security Testing (DAST) scan of a web application with the OWASP ZAP security scanner in a GitHub Actions workflow.

Step 0: Create a GitHub Actions Workflow and Define the Job

In your GitHub repository, open the Actions tab and click 'New workflow'. Replace the contents of the editor with the following, which names the workflow, triggers it on every push and defines a single job that will run the scan:

name: OWASP ZAP Security Scan

on: [push]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Run DAST scan on the web application

Step 1: Download the Source Code

Add a step that checks out the repository; the scan step added next reads its rules file (.zap/rules.tsv) from the checked-out tree:

    steps:
      - name: Checkout source code
        uses: actions/checkout@v3

Step 2: Use OWASP ZAP to Scan the Web Application

Add a step to your workflow that runs the OWASP ZAP scan. `target` is the URL the scanner attacks and must be reachable from the runner when this step executes, so a target of http://localhost:3000 only works if an earlier step has started the application on that port. `rules_file_name` points at a tab-separated file in the repository with one line per ZAP rule (plugin id, then IGNORE, WARN or FAIL, then a comment) that decides which findings only warn and which fail the job, and `cmd_options: '-a'` also enables the alpha-quality passive scan rules. Note that the `owasp/zap2docker-*` images on Docker Hub are deprecated and no longer updated; the scanner is now published as ghcr.io/zaproxy/zaproxy, which can be given via `docker_name` instead.

      - name: Run OWASP ZAP scan
        # use the full owner/repo@tag of the ZAP scan action (zaproxy/action-baseline or
        # zaproxy/action-full-scan), pinned to a released tag or commit SHA
        uses: zaproxy/action-[email protected]
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: http://localhost:3000        # the application must already be listening here
          rules_file_name: '.zap/rules.tsv'    # per-rule IGNORE/WARN/FAIL decisions, committed to the repo
          cmd_options: '-a'                    # also run the alpha passive scan rules
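The rules file named by `rules_file_name` decides how each finding is treated, and the scan scripts ZAP ships can also write a JSON report of every alert (the -J option; the zaproxy actions write it as report_json.json in the workspace). The script below is an added example, not code from this tutorial or from the zaproxy project: on constructed data it parses a rules.tsv, applies it to the alerts in such a report and produces a PASS/FAIL verdict plus a Markdown table for the job summary. The report field names used (site, alerts, pluginid, riskcode, count, instances) are the ones ZAP writes; the sample alerts, the sample rules and the policy that an unlisted High-risk alert fails the build (ZAP's own default for unlisted rules is WARN) are this example's assumptions.

```python
"""Gate a CI job on an OWASP ZAP JSON report using a ZAP-style rules.tsv.

Added example, not code from the tutorial or from the zaproxy project.
Assumes the JSON document ZAP writes with -J (report_json.json in the
zaproxy actions) and the rules file format the ZAP scan scripts read:
'<pluginid>\\t<IGNORE|WARN|FAIL>\\t<comment>', one rule per line.
"""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
VALID_ACTIONS = {"IGNORE", "WARN", "FAIL"}

# Constructed rules.tsv; tabs are written as \t so they survive copy/paste.
SAMPLE_RULES = "\n".join([
    "# pluginid<TAB>action<TAB>comment",
    "10038\tIGNORE\t(CSP Header Not Set) header is added by the CDN, not the app",
    "10021\tWARN\t(X-Content-Type-Options Header Missing)",
    "40018\tFAIL\t(SQL Injection)",
])

# Constructed, trimmed report; a real report_json.json carries many more fields.
SAMPLE_REPORT = json.loads("""
{"@programName": "ZAP", "site": [{"@name": "http://localhost:3000", "alerts": [
  {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
   "riskcode": "2", "confidence": "3", "count": "4",
   "instances": [{"uri": "http://localhost:3000/", "method": "GET"}]},
  {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
   "riskcode": "1", "confidence": "2", "count": "4",
   "instances": [{"uri": "http://localhost:3000/", "method": "GET"}]},
  {"pluginid": "40018", "alert": "SQL Injection",
   "riskcode": "3", "confidence": "2", "count": "1",
   "instances": [{"uri": "http://localhost:3000/rest/products/search?q=", "method": "GET", "param": "q"}]},
  {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
   "riskcode": "1", "confidence": "1", "count": "2",
   "instances": [{"uri": "http://localhost:3000/main.js", "method": "GET"}]}
]}]}
""")


def parse_rules(text):
    """Parse rules.tsv into {pluginid: action}; blank lines and '#' comments are skipped."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split("\t")
        if len(parts) < 2:
            raise ValueError(f"rules.tsv line {lineno}: expected '<pluginid>\\t<action>\\t<comment>'")
        plugin_id, action = parts[0].strip(), parts[1].strip().upper()
        if not plugin_id.isdigit() or action not in VALID_ACTIONS:
            raise ValueError(f"rules.tsv line {lineno}: bad rule {plugin_id!r} {action!r}")
        rules[plugin_id] = action
    return rules


def evaluate(report, rules, fail_at_risk=3):
    """Apply the rules to every alert and return (verdict, findings).

    Policy (this example's assumption, stricter than ZAP's default of WARN for
    unlisted rules): the rules.tsv action wins; an alert with no rule FAILs when
    riskcode >= fail_at_risk (3 = High) and WARNs otherwise. IGNOREd alerts are
    dropped from the findings entirely.
    """
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            plugin_id = str(alert["pluginid"])
            risk = int(alert["riskcode"])
            action = rules.get(plugin_id) or ("FAIL" if risk >= fail_at_risk else "WARN")
            if action == "IGNORE":
                continue
            findings.append({
                "site": site.get("@name", ""),
                "pluginid": plugin_id,
                "alert": alert.get("alert", ""),
                "risk": RISK_NAMES.get(risk, str(risk)),
                "count": int(alert.get("count", len(alert.get("instances", [])))),
                "action": action,
            })
    verdict = "FAIL" if any(f["action"] == "FAIL" for f in findings) else "PASS"
    return verdict, findings


def summary_markdown(verdict, findings):
    """Markdown table for $GITHUB_STEP_SUMMARY, FAIL rows first."""
    lines = [f"## ZAP gate: {verdict}", "", "| Action | Risk | Plugin | Alert | Count |",
             "|---|---|---|---|---|"]
    for x in sorted(findings, key=lambda x: (x["action"] != "FAIL", x["pluginid"])):
        lines.append(f"| {x['action']} | {x['risk']} | {x['pluginid']} | {x['alert']} | {x['count']} |")
    return "\n".join(lines)


def main(argv):
    """Usage: zap_gate.py report_json.json .zap/rules.tsv [fail_at_risk]; exits 1 on FAIL."""
    with open(argv[1], encoding="utf-8") as fh:
        report = json.load(fh)
    with open(argv[2], encoding="utf-8") as fh:
        rules = parse_rules(fh.read())
    fail_at_risk = int(argv[3]) if len(argv) > 3 else 3
    verdict, findings = evaluate(report, rules, fail_at_risk)
    print(summary_markdown(verdict, findings))
    return 0 if verdict == "PASS" else 1


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv))
    # No arguments: demonstrate on the constructed sample data above.
    print(summary_markdown(*evaluate(SAMPLE_REPORT, parse_rules(SAMPLE_RULES))))
```

With the sample data the SQL Injection alert matches its FAIL rule, the CSP alert is dropped by its IGNORE rule, and the two Low-risk alerts only warn, so the verdict is FAIL. In a workflow this would run as a step after the scan, for example `python zap_gate.py report_json.json .zap/rules.tsv >> "$GITHUB_STEP_SUMMARY"`; the non-zero exit status fails the job while the table stays readable in the run summary.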

Full Code

The complete workflow below differs from the steps above in a few ways worth noticing: its name says it also builds, tests and runs SAST and SCA scans, but only the DAST job is shown, and `needs: security` makes that job wait for a `security` job that must be defined elsewhere in the same file; the checkout is pinned to the master branch; and the target is http://testphp.vulnweb.com/, a public site provided for scanner demonstrations. Only point a DAST scan at systems you own or are authorized to test.

name: Build code, run unit test, run SAST, SCA, DAST security scans
on: push

jobs:
  # the build, unit-test, SAST, SCA and 'security' jobs are not shown here

  zap_scan:
    runs-on: ubuntu-latest
    needs: security
    name: Run DAST scan on the web application
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: master
      - name: ZAP Scan
        # use the full owner/repo@tag of the ZAP scan action (zaproxy/action-baseline or
        # zaproxy/action-full-scan), pinned to a released tag or commit SHA
        uses: zaproxy/action-[email protected]
        with:
          docker_name: 'owasp/zap2docker-stable'
          target: 'http://testphp.vulnweb.com/'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'