Merge pull request #1 from sshniro/full

Adding zap full scan github action

Author: psiinon

.gitignore

@@ -80,7 +80,6 @@ typings/
 
 # Nuxt.js build / generate output
 .nuxt
-dist
 
 # Gatsby files
 .cache/

README.md

@@ -1,2 +1,91 @@
-# action-full-scan
-A GitHub Action for running the OWASP ZAP Full scan 
+# ZAP Action Full Scan
+
+A GitHub Action for running the OWASP ZAP [Full Scan](https://www.zaproxy.org/docs/docker/full-scan/) to perform
+Dynamic Application Security Testing (DAST). 
+
+The ZAP full scan action runs the ZAP spider against the specified target (by default with no time limit) followed by an 
+optional ajax spider scan and then a full active scan before reporting the results. The alerts will be maintained as a 
+GitHub issue in the corresponding repository.
+
+## Inputs
+
+### `target`
+
+**Required** The URL of the web application to be scanned. This can be either a publicly available web application or a locally
+accessible URL.
+
+### `docker_name`
+
+**Optional** The name of the docker file to be executed. By default the action runs the stable version of ZAP. But you can 
+configure the parameter to use the weekly builds.
+
+### `rules_file_name`
+
+**Optional** You can also specify a relative path to the rules file to ignore any alerts from the ZAP scan. Make sure to create
+the rules file inside the relevant repository. The following shows a sample rules file configuration.
+Make sure to checkout the repository (actions/checkout@v2) to provide the ZAP rules to the scan action.
+
+```tsv
+10011	IGNORE	(Cookie Without Secure Flag)
+10015	IGNORE	(Incomplete or No Cache-control and Pragma HTTP Header Set)
+``` 
+
+### `cmd_options`
+
+**Optional** Additional command lines options for the full scan script
+
+### `issue_title`
+
+**Optional** The title for the GitHub issue to be created.
+
+### `token`
+
+**Optional** ZAP action uses the default action token provided by GitHub to create and update the issue for the full scan.
+You do not have to create a dedicated token. Make sure to use the GitHub's default action token when running the action(`secrets.GIT_TOKEN`).
+
+## Example usage
+
+** Basic **
+```
+steps:
+  - name: ZAP Scan
+    uses: zaproxy/action-full-scan@v0.1.0
+    with:
+      target: 'https://www.zaproxy.org/'
+```
+
+** Advanced **
+
+```
+on: [push]
+
+jobs:
+  zap_scan:
+    runs-on: ubuntu-latest
+    name: Scan the webapplication
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          ref: master
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.1.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'owasp/zap2docker-stable'
+          target: 'https://www.zaproxy.org/'
+          rules_file_name: '.zap/rules.tsv'
+          cmd_options: '-a'
+```
+
+## Localised Alert Details
+
+ZAP is internationalised and alert information is available in many languages.
+
+You can change the language used by this action by changing the locale via the `cmd_options` e.g.: `-z "-config view.locale=fr_FR"`
+
+This is currently only available with the `owasp/zap2docker-weekly` or `owasp/zap2docker-live` Docker images.
+
+See [https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/dist/lang](https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/dist/lang) for the full set of locales currently supported.
+
+You can help improve ZAP translations via [https://crowdin.com/project/owasp-zap](https://crowdin.com/project/owasp-zap). 

action.yml

@@ -0,0 +1,30 @@
+name: 'OWASP ZAP Full Scan'
+description: 'Scans the web application with the OWASP ZAP Full Scan'
+branding:
+  icon: 'zap'
+  color: 'blue'
+inputs:
+  token:
+    description: 'GitHub Token to create issues in the repository'
+    required: false
+    default: ${{ github.token }}
+  target:
+    description: 'Target URL'
+    required: true
+  rules_file_name:
+    description: 'Relative path of the ZAP configuration file'
+    required: false
+  docker_name:
+    description: 'The Docker file to be executed'
+    required: true
+    default: 'owasp/zap2docker-stable'
+  cmd_options:
+    description: 'Additional command line options'
+    required: false
+  issue_title:
+    description: 'The title for the GitHub issue to be created'
+    required: false
+    default: 'ZAP Full Scan Report'
+runs:
+  using: 'node12'
+  main: 'dist/index.js'

index.js

@@ -0,0 +1,50 @@
+const core = require('@actions/core');
+const exec = require('@actions/exec');
+const common = require('@zaproxy/actions-common-scans');
+const _ = require('lodash');
+
+// Default file names
+let jsonReportName = 'report_json.json';
+let mdReportName = 'report_md.md';
+let htmlReportName = 'report_html.html';
+
+async function run() {
+
+    try {
+        let workspace = process.env.GITHUB_WORKSPACE;
+        let currentRunnerID = process.env.GITHUB_RUN_ID;
+        let repoName = process.env.GITHUB_REPOSITORY;
+        let token = core.getInput('token');
+        let docker_name = core.getInput('docker_name');
+        let target = core.getInput('target');
+        let rulesFileLocation = core.getInput('rules_file_name');
+        let cmdOptions = core.getInput('cmd_options');
+        let issueTitle = core.getInput('issue_title');
+
+        console.log('starting the program');
+        console.log('github run id :' + currentRunnerID);
+
+        let plugins = [];
+        if (rulesFileLocation) {
+            plugins = await common.helper.processLineByLine(`${workspace}/${rulesFileLocation}`);
+        }
+
+        let command = (`docker run --user root -v ${workspace}:/zap/wrk/:rw --network="host" ` +
+            `-t ${docker_name} zap-full-scan.py -t ${target} -J ${jsonReportName} -w ${mdReportName}  -r ${htmlReportName} ${cmdOptions}`);
+
+        if (plugins.length !== 0) {
+            command = command + ` -c ${rulesFileLocation}`
+        }
+
+        try {
+            await exec.exec(command);
+        } catch (err) {
+            core.setFailed('The ZAP full scan has failed, starting to analyze the alerts. err: ' + err.toString());
+        }
+        await common.main.processReport(token, workspace, plugins, currentRunnerID, issueTitle, repoName);
+    } catch (error) {
+        core.setFailed(error.message);
+    }
+}
+
+run();