Skip to content

ZAP DAST Scanner

ZAP DAST Scanner - Reusable Workflow

Runs the ZAP DAST scanner via the argus Python CLI. Equivalent to: python -m argus scan zap --target

For GHES users: Use the composite action directly instead of this workflow. See: examples/github-enterprise/dast-scanning.yml

uses: huntridge-labs/argus/.github/workflows/scanner-zap.yml@1.8.1

Triggers

  • Manual dispatch
  • Reusable (called by other workflows)

Permissions

Scope Access
contents read
actions read
packages read
pull-requests write

Inputs

Input Description Required Default
scan_name Unique scan identifier (for artifact naming) string No zap-scan
scan_mode Target mode: url, docker-run, or compose string No url
scan_type ZAP scan type: baseline, full, or api string No baseline
target_url Target URL for baseline/full scans string No โ€”
api_spec OpenAPI/Swagger spec URL (for api scans) string No โ€”
healthcheck_url URL to poll until target is ready string No โ€”
app_image_ref Container image (for docker-run mode) string No โ€”
app_build_context Docker build context (for local builds) string No โ€”
app_dockerfile Dockerfile path (for local builds) string No โ€”
app_image_tag Tag for locally built image string No โ€”
app_ports Port mappings (e.g., 8080:8080) string No 8080:8080
compose_file Docker compose file path string No docker-compose.yml
compose_build Run docker compose with --build boolean No True
max_duration_minutes Max scan duration in minutes number No 10
rules_file_name ZAP rules file to ignore alerts (.tsv) string No โ€”
cmd_options Additional ZAP command-line options string No โ€”
fail_on_severity Fail threshold: none, low, medium, high, critical string No none
allow_failure Continue workflow on scan failure boolean No False
post_pr_comment Post results as PR comment boolean No False
allow_issue_writing Enable ZAP native GitHub Issue creation boolean No False
registry_username Registry username (for private images) string No โ€”

Secrets

Secret Description Required
registry_password Registry password/token for private images No

Jobs

zap-scan โ€” ZAP ${{ inputs.scan_type }} scan

Runs on: ubuntu-latest ยท Timeout: 60 minutes ยท Continue on error: Yes

Steps:

  1. Checkout repository โ€” actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
  2. Set up Python โ€” actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1
  3. Install Argus โ€” huntridge-labs/argus/.github/actions/setup-argus@1.8.1
  4. Run scan
  5. Upload artifacts โ€” actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
  6. Comment PR with results โ€” huntridge-labs/argus/.github/actions/comment-pr@1.8.1