Make authentication environment variables available in docker container #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thc202
reviewed
Aug 31, 2022
|
The commit needs to be signed off: https://github.com/zaproxy/action-api-scan/pull/9/checks?check_run_id=7758698351 |
Signed-off-by: Benjamin Schmidt <[email protected]>
thc202
approved these changes
Sep 6, 2022
|
Thank you! |
psiinon
approved these changes
Sep 6, 2022
|
Is there a plan/date we expect this PR to be released? I just went to use it (thanks @ben741!) but realised the latest release is still v0.1.1. |
|
I don't think there is. You can use the changes already though. |
|
@pritchyspritch I'm using it like this and it seems to get the job done (no more 403's): - name: ZAP Scan
# Pin to specific SHA for auth env var support (not yet released)
uses: zaproxy/action-api-scan@57d6fb665bfd818008b02ecafe99bbf4c0503058
with:
target: 'openapi.yaml'
env:
ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.YOUR_API_TOKEN }}" |
|
There's a new version available. |
thc202
added a commit
to thc202/action-baseline
that referenced
this pull request
Oct 31, 2023
Allow to do the scans authenticated with manual auth. Same as zaproxy/action-api-scan#9. Signed-off-by: thc202 <[email protected]>
thc202
added a commit
to thc202/action-full-scan
that referenced
this pull request
Oct 31, 2023
Allow to do the scans authenticated with manual auth. Same as zaproxy/action-api-scan#9. Signed-off-by: thc202 <[email protected]>
thc202
added a commit
to thc202/action-baseline
that referenced
this pull request
Oct 31, 2023
Allow to do the scans authenticated with manual auth. Same as zaproxy/action-api-scan#9. Update changelog and readme for release. Signed-off-by: thc202 <[email protected]>
thc202
added a commit
to thc202/action-full-scan
that referenced
this pull request
Oct 31, 2023
Allow to do the scans authenticated with manual auth. Same as zaproxy/action-api-scan#9. Update changelog and readme for release. Signed-off-by: thc202 <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I noticed some authentication environment variables in the ZAP documentation, but it looks like they can't be set in the current version of the Github Action. This PR would make those env vars available in the docker container.
According to the Docker documentation, the
--env VARsyntax reads the variable from the local environment. If it's not set in the local environment, it won't be set in the container either. This seems to me to be the simplest solution among the options Docker provides, and AFAICT doesn't log the token at any point.I'm fairly new to ZAP, so let me know if there's already a better way to set the Authorization header, or if there's some other way this should be implemented instead of what I've proposed here. Thanks!