# ZAP DAST Scanner

ZAP DAST Scanner - Reusable Workflow

Runs the ZAP DAST scanner via the argus Python CLI.

Equivalent to: `python -m argus scan zap --target`

For GHES users: use the composite action directly instead of this workflow. See `examples/github-enterprise/dast-scanning.yml`.

```yaml
uses: huntridge-labs/argus/.github/workflows/scanner-zap.yml@1.1.0
```
## Triggers

- Manual dispatch
- Reusable (called by other workflows)
## Permissions

| Scope | Access |
|---|---|
| contents | read |
| actions | read |
| packages | read |
| pull-requests | write |
## Inputs

| Input | Description | Type | Required | Default |
|---|---|---|---|---|
| scan_name | Unique scan identifier (for artifact naming) | string | No | zap-scan |
| scan_mode | Target mode: url, docker-run, or compose | string | No | url |
| scan_type | ZAP scan type: baseline, full, or api | string | No | baseline |
| target_url | Target URL for baseline/full scans | string | No | |
| api_spec | OpenAPI/Swagger spec URL (for api scans) | string | No | |
| healthcheck_url | URL to poll until target is ready | string | No | |
| app_image_ref | Container image (for docker-run mode) | string | No | |
| app_build_context | Docker build context (for local builds) | string | No | |
| app_dockerfile | Dockerfile path (for local builds) | string | No | |
| app_image_tag | Tag for locally built image | string | No | |
| app_ports | Port mappings (e.g., 8080:8080) | string | No | 8080:8080 |
| compose_file | Docker compose file path | string | No | docker-compose.yml |
| compose_build | Run docker compose with --build | boolean | No | True |
| max_duration_minutes | Max scan duration in minutes | number | No | 10 |
| rules_file_name | ZAP rules file to ignore alerts (.tsv) | string | No | |
| cmd_options | Additional ZAP command-line options | string | No | |
| fail_on_severity | Fail threshold: none, low, medium, high, critical | string | No | none |
| allow_failure | Continue workflow on scan failure | boolean | No | False |
| post_pr_comment | Post results as PR comment | boolean | No | False |
| allow_issue_writing | Enable ZAP native GitHub Issue creation | boolean | No | False |
| registry_username | Registry username (for private images) | string | No | |
## Secrets

| Secret | Description | Required |
|---|---|---|
| registry_password | Registry password/token for private images | No |
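The following caller workflow is an added example of how the inputs, secrets and permissions above fit together; it is not part of the argus project. The hostnames, the image reference and the `.zap/rules.tsv` path are placeholders, and the `${{ secrets.GITHUB_TOKEN }}` pull from a GHCR image is an assumption about where the image lives. The two jobs cover the url mode (scanning a deployed environment) and the docker-run mode (scanning an image pulled from a private registry).

```yaml
# Added example caller workflow (not from the argus project).
# Placeholders: staging.example.invalid, ghcr.io/example-org/app, .zap/rules.tsv.
name: DAST

on:
  workflow_dispatch:
  pull_request:
    branches: [main]

# A called workflow cannot hold more permissions than the caller grants it,
# so the caller mirrors the scopes listed in the Permissions table.
# pull-requests: write is what post_pr_comment needs.
permissions:
  contents: read
  actions: read
  packages: read
  pull-requests: write

jobs:
  # url mode: baseline scan of an environment that is already running.
  zap-staging:
    uses: huntridge-labs/argus/.github/workflows/scanner-zap.yml@1.1.0
    with:
      scan_name: zap-staging
      scan_mode: url
      scan_type: baseline
      target_url: https://staging.example.invalid            # placeholder
      healthcheck_url: https://staging.example.invalid/healthz   # placeholder; polled until ready
      max_duration_minutes: 10
      fail_on_severity: medium      # medium or worse fails the scan job
      allow_failure: false          # ...and that failure is not swallowed
      post_pr_comment: true

  # docker-run mode: full scan of the image built for this commit, pulled from
  # a private registry, so the scan never touches a shared environment.
  zap-pr-image:
    uses: huntridge-labs/argus/.github/workflows/scanner-zap.yml@1.1.0
    with:
      scan_name: zap-pr-image
      scan_mode: docker-run
      scan_type: full
      app_image_ref: ghcr.io/example-org/app:${{ github.sha }}   # placeholder image
      app_ports: "8080:8080"
      target_url: http://localhost:8080          # assumption: container is reachable on the mapped port
      healthcheck_url: http://localhost:8080/healthz   # placeholder
      rules_file_name: .zap/rules.tsv            # placeholder; alerts listed there are ignored
      fail_on_severity: high
      post_pr_comment: true
      registry_username: ${{ github.actor }}
    secrets:
      registry_password: ${{ secrets.GITHUB_TOKEN }}   # assumption: GHCR accepts the job token
```

Boolean and number inputs (`post_pr_comment`, `allow_failure`, `max_duration_minutes`) are passed as YAML booleans and numbers, not quoted strings, to match the types in the Inputs table. The `fail_on_severity` threshold only blocks a pull request when `allow_failure` is left at `False`; setting `allow_failure: true` turns the scan into a report-only step.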
## Jobs

### zap-scan: ZAP `${{ inputs.scan_type }}` scan

Runs on: ubuntu-latest · Timeout: 60 minutes · Continue on error: Yes

Steps:

- Checkout repository (`actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd`)
- Set up Python (`actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405`)
- Install Argus
- Run scan
- Upload artifacts (`actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f`)
- Comment PR with results (`huntridge-labs/argus/.github/actions/comment-pr@1.1.0`)