Reputation: 1
We have integrated OWASP ZAP into our GitHub Actions CI/CD. After scanning a web application, we relayed the issues to the developers. After the developers assessed the issues, they found that some of the issues reported are false positives. So the problem is: how do we configure ZAP to mark those issues as false positives on the next run in the pipeline? We are using the stable version of the OWASP ZAP Docker image. All of your input is very welcome, thank you!
I tried integrating a JSON rule file, but GitHub does not take it into consideration.
Upvotes: 0
Views: 1213
Reputation: 1528
According to the documentation, you can use a rules file.
rules_file_name
Optional. You can also specify a relative path to the rules file to ignore any alerts from the ZAP scan. Make sure to create the rules file inside the relevant repository. The following shows a sample rules file configuration. Make sure to check out the repository (actions/checkout@v2) to provide the ZAP rules to the scan action.
10011 IGNORE (Cookie Without Secure Flag)
10015 IGNORE (Incomplete or No Cache-control and Pragma HTTP Header Set)
Note: This TSV rule file controls only the result of the run; it doesn't prevent any of the rules from actually being evaluated.
For further details on ZAP automation options refer to: https://www.zaproxy.org/docs/automate/
Upvotes: 0
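A workflow that wires the rules file into the scan, added here as an illustration and not taken from the original answer or from the ZAP project; the target URL, the `.zap/rules.tsv` path and the action version tag are assumptions. The check step catches the mistake from the question (a file that is not tab-separated is silently ignored by the scan).

```yaml
# .github/workflows/zap-baseline.yml  (constructed example, not from the page)
name: ZAP baseline scan
on:
  push:
    branches: [ main ]

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      # The rules file lives in the repository, so it must be checked out
      # before the scan step or the action cannot find it.
      - name: Checkout repository
        uses: actions/checkout@v2

      # Expected content of .zap/rules.tsv (columns separated by TABs, not spaces):
      #   10011<TAB>IGNORE<TAB>(Cookie Without Secure Flag)
      #   10015<TAB>IGNORE<TAB>(Incomplete or No Cache-control and Pragma HTTP Header Set)
      # Lines starting with '#' are comments. Actions are IGNORE, WARN or FAIL.
      - name: Check that the rules file is tab-separated
        run: |
          # Fail the job if any non-comment line is not "<id><TAB><ACTION><TAB>..."
          if grep -vE $'^(#|$|[0-9]+\t(IGNORE|WARN|FAIL)\t)' .zap/rules.tsv; then
            echo "rules.tsv contains malformed lines (use TABs, not spaces)" >&2
            exit 1
          fi

      - name: ZAP baseline scan
        uses: zaproxy/action-baseline@v0.7.0      # version tag is an assumption; pin your own
        with:
          target: 'https://staging.example.com'   # placeholder target
          rules_file_name: '.zap/rules.tsv'       # path relative to the repository root
```

Because the file only downgrades how the listed alerts are reported, the ZAP HTML/JSON report uploaded by the action still contains them; review the IGNORE entries periodically so a genuine finding with the same plugin id is not hidden forever.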