ZAP DAST Scanner
ZAP DAST Scanner - Reusable Workflow
THIN WRAPPER: This workflow delegates to the scanner-zap composite action. All scanning logic is in: .github/actions/scanner-zap/action.yml
For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/dast-scanning.yml
uses: huntridge-labs/argus/.github/workflows/scanner-zap.yml@0.6.7
Triggers
- Manual dispatch
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
| contents | read |
| actions | read |
| packages | read |
| pull-requests | write |
Inputs
| Input | Description | Type | Required | Default |
|---|---|---|---|---|
| scan_name | Unique scan identifier (for artifact naming) | string | No | zap-scan |
| scan_mode | Target mode: url, docker-run, or compose | string | No | url |
| scan_type | ZAP scan type: baseline, full, or api | string | No | baseline |
| target_url | Target URL for baseline/full scans | string | No | (empty) |
| api_spec | OpenAPI/Swagger spec URL (for api scans) | string | No | (empty) |
| healthcheck_url | URL to poll until target is ready | string | No | (empty) |
| app_image_ref | Container image (for docker-run mode) | string | No | (empty) |
| app_build_context | Docker build context (for local builds) | string | No | (empty) |
| app_dockerfile | Dockerfile path (for local builds) | string | No | (empty) |
| app_image_tag | Tag for locally built image | string | No | (empty) |
| app_ports | Port mappings (e.g., 8080:8080) | string | No | 8080:8080 |
| compose_file | Docker compose file path | string | No | docker-compose.yml |
| compose_build | Run docker compose with --build | boolean | No | True |
| max_duration_minutes | Max scan duration in minutes | number | No | 10 |
| rules_file_name | ZAP rules file to ignore alerts (.tsv) | string | No | (empty) |
| cmd_options | Additional ZAP command-line options | string | No | (empty) |
| fail_on_severity | Fail threshold: none, low, medium, high, critical | string | No | none |
| allow_failure | Continue workflow on scan failure | boolean | No | False |
| post_pr_comment | Post results as PR comment | boolean | No | False |
| allow_issue_writing | Enable ZAP native GitHub Issue creation | boolean | No | False |
| registry_username | Registry username (for private images) | string | No | (empty) |
Secrets
| Secret | Description | Required |
|---|---|---|
| registry_password | Registry password/token for private images | No |
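The following caller workflow is an added example, not a file from the Argus project: it invokes the reusable workflow above in docker-run mode against a locally built image, gates on medium-or-higher alerts, and grants the caller the permissions listed in the Permissions table. The repository layout, image tag, port, health endpoint and rules file path are assumed placeholder values.

```yaml
# Added example caller workflow (not part of the Argus project).
# Assumed: the app builds from ./Dockerfile, listens on 8080,
# exposes /healthz, and keeps ZAP ignore rules in .zap/rules.tsv.
name: DAST

on:
  workflow_dispatch:
  pull_request:
    branches: [main]

# Mirrors the permissions the reusable workflow declares;
# pull-requests: write is what post_pr_comment needs.
permissions:
  contents: read
  actions: read
  packages: read
  pull-requests: write

jobs:
  dast:
    uses: huntridge-labs/argus/.github/workflows/scanner-zap.yml@0.6.7
    with:
      scan_name: zap-baseline-pr
      scan_mode: docker-run
      scan_type: baseline
      app_build_context: .                 # assumed build context
      app_dockerfile: Dockerfile           # assumed Dockerfile path
      app_image_tag: my-app:ci             # assumed local image tag
      app_ports: "8080:8080"
      target_url: http://localhost:8080    # assumed app address
      healthcheck_url: http://localhost:8080/healthz  # assumed health endpoint
      max_duration_minutes: 10
      rules_file_name: .zap/rules.tsv      # assumed alert-ignore rules (.tsv)
      fail_on_severity: medium
      post_pr_comment: true
```

Because the zap-scan job is declared with continue on error, confirm in a test run that a fail_on_severity breach actually fails the check your branch protection relies on rather than assuming it does.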
Jobs
zap-scan: ZAP ${{ inputs.scan_type }} scan
Runs on: ubuntu-latest · Timeout: 60 minutes · Continue on error: Yes
Steps:
- Checkout repository: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- Run ZAP Scanner: huntridge-labs/argus/.github/actions/scanner-zap@0.6.7
Actions used:
- scanner-zap: ZAP DAST Scanner
All Composite Actions Referenced
- scanner-zap: ZAP DAST Scanner