Run a DAST Scan using ZAProxy

Following is an example GitHub Action to run a ZAProxy (DAST) scan on your application, and send the results to the Start Left Platform. This Action leverages the official zaproxy/action-af Action for running ZAP Automation Framework plans. The action requires a file path to the Automation Framework plan to run.

Getting Started

The first step to perform a DAST scan is to create a Domain/URL asset in the SLS Platform. To do this, click on Assets in the side menu, then the New Asset button and select Domain. Enter the URL which will be the target of the scan. The new asset must be mapped to a product to be able to view the results.

Create a configuration file for the ZAP Automation Framework

The action below uses the .github/workflows/zap/zap-env.yaml file to configure the ZAP Automation Framework. Create this file in your repository, using the example below as a starting point.

env:
  contexts:
  - name: baseline
    urls:
    - ${TARGET_URL}  # substituted from the TARGET_URL environment variable passed into the ZAP container
    # includePaths:
    # excludePaths:
    # authentication:
        # method:  # String, one of 'manual', 'http', 'form', 'json' or 'script'
  parameters:
    failOnError: true
    progressToStdout: false
jobs:
- type: passiveScan-config
  parameters:
    enableTags: false
    maxAlertsPerRule: 10
- type: spider
  parameters:
    maxDuration: 5
- type: passiveScan-wait  # Wait for the passive scanner to finish (up to maxDuration minutes)
  parameters:
    maxDuration: 5
- type: report
  parameters:
    reportDescription: ''
    reportDir: /zap/wrk/
    reportFile: dast.sarif
    reportTitle: ZAP Scanning Report
    template: sarif-json
See the ZAP Automation Framework documentation at https://www.zaproxy.org/docs/automate/automation-framework/ for more information on configuring the plan. Start Left uses the SARIF (Static Analysis Results Interchange Format) report format to present scanning results from a wide range of static code analysis tools. Because a DAST scan runs against the deployed application rather than its source, its findings cannot be mapped to individual lines in a source file; they are mapped to the specific URL or endpoint of the application where the issue was observed.

Set up the GitHub Action to run a scan

Set up the required secrets and variables.

  1. Navigate to Repo Settings -> Secrets and Variables -> Actions.
  2. Select Variables, then New repository variable, and add the following:
  • SCAN_URL - the value should be set to the Target URL you want to scan.
  3. Then select Secrets, then New repository secret, and add the following:
  • SLS_API_KEY - the API Key is available on the Account details page in Start Left.
  • SLS_SCAN_KEY - the Asset Scan Key is available on the Asset details page for the Domain (URL) Asset.

Create the GitHub Action.

  1. Under Actions -> New Workflow, choose set up a workflow yourself.
  2. Replace the default file name main.yml with a meaningful name, e.g. dast.yml.
  3. Paste the script below into the file contents:

name: DAST Scan

on:
  # Scan on-demand through the GitHub Actions interface:
  workflow_dispatch: {}
  # Schedule the CI job (this method uses cron syntax):
  schedule:
    - cron: '33 13 * * 4' # Runs the scan every Thursday at 13:33 UTC (day-of-week 4 = Thursday).
    # It is recommended to change the schedule to a random time.

jobs:
  dast-run:
    runs-on: ubuntu-latest

    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v4

      - name: ZAP Scan using Automation Framework
        uses: zaproxy/action-af@<version>  # pin to a released tag of the official zaproxy/action-af action
        env:
          TARGET_URL: ${{ vars.SCAN_URL }}
          #ZAP_AUTH_HEADER: Authorization
          #ZAP_AUTH_HEADER_VALUE: xxx
        with:
          plan: '.github/workflows/zap/zap-env.yaml'
          # Only variables listed here are forwarded into the ZAP container, where the plan's ${TARGET_URL} is resolved.
          docker_env_vars: |
            TARGET_URL

      - name: SLS File Upload
        uses: tauruseer/<start-left-file-upload>@<version>  # Start Left File Upload action from the GitHub Marketplace; replace with its repository name and a pinned version
        with:
          scan-key: ${{ secrets.SLS_SCAN_KEY }}  # the Asset Scan Key of the Domain (URL) asset created above
          api-key: ${{ secrets.SLS_API_KEY }}
          file-path: dast.sarif.json  # reportFile from the plan plus the .json extension ZAP adds for the sarif-json template

  4. Commit changes.
  5. Run the scan.

This Action leverages the Start Left File Upload action from the GitHub Marketplace to upload the SARIF report to the Start Left Platform. The action requires the following parameters:
  • scan-key - the Asset Scan Key for the Domain (URL) Asset.
  • api-key - the API Key for your Start Left account.
  • file-path - the path to the SARIF report file. This must match the reportDir and reportFile parameters in the ZAP Automation Framework plan: the plan writes to /zap/wrk/, which is the checked-out workspace inside the ZAP container, and ZAP appends the template's file extension (.json for sarif-json), so reportFile: dast.sarif produces dast.sarif.json at the repository root.
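The plan and the workflow have to agree on two things before a run is useful: the report job must write the file where the upload step expects it, and every ${VAR} placeholder in the plan must be both set in the ZAP step's env and forwarded via docker_env_vars, otherwise the context URL resolves empty and the spider scans nothing. The following pre-flight check, written for this page as an added example rather than code from Start Left or ZAP, encodes those rules. It works on the already-parsed (dict) form of the plan and the two workflow steps so it runs without a YAML library; the embedded PLAN, ZAP_STEP and UPLOAD_STEP values are constructed from the configuration above, the TEMPLATE_EXT table and ZAP_WORKDIR mount point are assumptions about ZAP's report templates and the action-af workspace mount, and the `${VAR}` regex is a simplification of ZAP's environment substitution.

```python
import re
from pathlib import PurePosixPath

# Constructed dict forms of the plan (.github/workflows/zap/zap-env.yaml) and of the
# two workflow steps shown above; in a real check these would come from a YAML parser.
PLAN = {
    "env": {
        "contexts": [{"name": "baseline", "urls": ["${TARGET_URL}"]}],
        "parameters": {"failOnError": True, "progressToStdout": False},
    },
    "jobs": [
        {"type": "passiveScan-config", "parameters": {"enableTags": False, "maxAlertsPerRule": 10}},
        {"type": "spider", "parameters": {"maxDuration": 5}},
        {"type": "passiveScan-wait", "parameters": {"maxDuration": 5}},
        {"type": "report", "parameters": {"reportDir": "/zap/wrk/", "reportFile": "dast.sarif",
                                          "reportTitle": "ZAP Scanning Report", "template": "sarif-json"}},
    ],
}
ZAP_STEP = {
    "env": {"TARGET_URL": "${{ vars.SCAN_URL }}"},
    "with": {"plan": ".github/workflows/zap/zap-env.yaml", "docker_env_vars": "TARGET_URL\n"},
}
UPLOAD_STEP = {"with": {"file-path": "dast.sarif.json"}}

# Assumption: file extension ZAP appends for each report template (subset of the built-in templates).
TEMPLATE_EXT = {"sarif-json": "json", "traditional-json": "json", "traditional-html": "html",
                "traditional-xml": "xml", "traditional-md": "md"}
# Assumption: action-af mounts the checked-out repository at this path inside the ZAP container.
ZAP_WORKDIR = "/zap/wrk"

# Simplified form of ZAP's ${VAR} environment placeholder syntax.
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def report_path_in_workspace(plan):
    """Return the path, relative to the repository root, where the plan's report job writes its file."""
    reports = [job for job in plan["jobs"] if job["type"] == "report"]
    if len(reports) != 1:
        raise ValueError(f"expected exactly one report job, found {len(reports)}")
    params = reports[0]["parameters"]
    ext = TEMPLATE_EXT.get(params.get("template"))
    if ext is None:
        raise ValueError(f"unknown report template {params.get('template')!r}")
    full = PurePosixPath(params["reportDir"]) / f"{params['reportFile']}.{ext}"
    try:
        return str(full.relative_to(ZAP_WORKDIR))
    except ValueError:
        raise ValueError(f"reportDir {params['reportDir']!r} is outside {ZAP_WORKDIR}; "
                         "the upload step on the runner would never see the report")


def plan_variables(plan):
    """Collect every ${VAR} placeholder referenced anywhere in the plan."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif isinstance(node, str):
            found.update(VAR_RE.findall(node))

    walk(plan)
    return found


def check_pipeline(plan, zap_step, upload_step):
    """Return a list of problems; an empty list means the plan and the workflow steps agree."""
    problems = []
    try:
        expected = report_path_in_workspace(plan)
        actual = upload_step["with"]["file-path"]
        if PurePosixPath(actual) != PurePosixPath(expected):
            problems.append(f"upload file-path is {actual!r} but ZAP will write {expected!r}")
    except ValueError as err:
        problems.append(str(err))

    forwarded = set(zap_step["with"].get("docker_env_vars", "").split())
    defined = set(zap_step.get("env", {}))
    for var in sorted(plan_variables(plan)):
        if var not in defined:
            problems.append(f"${{{var}}} used in plan but not set in the ZAP step's env")
        if var not in forwarded:
            problems.append(f"${{{var}}} used in plan but not listed in docker_env_vars")
    return problems


if __name__ == "__main__":
    issues = check_pipeline(PLAN, ZAP_STEP, UPLOAD_STEP)
    print("OK: plan and workflow agree" if not issues else "\n".join(issues))
```

Run it as a local step before committing a changed plan or workflow, or wire it into a `pre-commit` hook; the two failure modes it catches (a renamed reportFile that the upload step no longer matches, and a new ${VAR} added to the plan without the matching docker_env_vars entry) are the ones that otherwise surface only as an empty upload or an empty scan.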