Make authentication environment variables available in docker container #9
Conversation
The commit needs to be signed off: https://github.com/zaproxy/action-api-scan/pull/9/checks?check_run_id=7758698351
Signed-off-by: Benjamin Schmidt <[email protected]>
Thank you!
Is there a plan/date we expect this PR to be released? I just went to use it (thanks @ben741!) but realised the latest release is still v0.1.1.
I don't think there is. You can use the changes already though.
@pritchyspritch I'm using it like this and it seems to get the job done (no more 403's):

```yaml
- name: ZAP Scan
  # Pin to specific SHA for auth env var support (not yet released)
  uses: zaproxy/action-api-scan@57d6fb665bfd818008b02ecafe99bbf4c0503058
  with:
    target: 'openapi.yaml'
  env:
    ZAP_AUTH_HEADER_VALUE: "Bearer ${{ secrets.YOUR_API_TOKEN }}"
```

There's a new version available.
Allow to do the scans authenticated with manual auth. Same as zaproxy/action-api-scan#9. Signed-off-by: thc202 <[email protected]>
Allow to do the scans authenticated with manual auth. Same as zaproxy/action-api-scan#9. Update changelog and readme for release. Signed-off-by: thc202 <[email protected]>
I noticed some authentication environment variables in the ZAP documentation, but it looks like they can't be set in the current version of the Github Action. This PR would make those env vars available in the docker container.
According to the Docker documentation, the `--env VAR` syntax reads the variable from the local environment. If it's not set in the local environment, it won't be set in the container either. This seems to me to be the simplest solution among the options Docker provides, and AFAICT doesn't log the token at any point. I'm fairly new to ZAP, so let me know if there's already a better way to set the Authorization header, or if there's some other way this should be implemented instead of what I've proposed here. Thanks!
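The value-less `--env VAR` form the PR relies on can be checked locally without Docker. The script below is an added example, not code from the PR or the action: it builds the `--env NAME` flags for the ZAP authentication variables (`ZAP_AUTH_HEADER_VALUE` from the page; `ZAP_AUTH_HEADER` and `ZAP_AUTH_HEADER_SITE` are the companion variables from ZAP's documentation), skips any that are unset, and verifies that the secret itself never appears in the generated arguments, which is the property that keeps the token out of job logs and `ps` output.

```sh
#!/bin/sh
# Added example (not part of zaproxy/action-api-scan): emit docker "--env NAME"
# flags in the value-less form, so the container inherits each variable from
# the runner's environment and the token never appears on the command line.

# ZAP authentication variables; ZAP_AUTH_HEADER_VALUE is the one discussed in
# the PR, the other two are the related names from ZAP's documentation.
ZAP_AUTH_VARS="ZAP_AUTH_HEADER_VALUE ZAP_AUTH_HEADER ZAP_AUTH_HEADER_SITE"

# Print "--env NAME [--env NAME ...]" for every variable in ZAP_AUTH_VARS that
# is set and non-empty in the current environment. Unset variables are left
# out, mirroring docker's behaviour of simply not setting them in the container.
# In a workflow the env: block of the step exports these before docker runs.
zap_env_args() {
  zea_out=""
  for zea_name in $ZAP_AUTH_VARS; do
    eval "zea_value=\${$zea_name:-}"
    if [ -n "$zea_value" ]; then
      zea_out="$zea_out --env $zea_name"
    fi
  done
  printf '%s\n' "${zea_out# }"
}

# Return 0 (true) if the secret value occurs anywhere in the generated
# arguments, 1 otherwise. With the value-less form this should always be 1.
args_leak_secret() {
  als_secret="$1"
  als_args="$2"
  case "$als_args" in
    *"$als_secret"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Example invocation with a constructed token (not a real credential):
#   export ZAP_AUTH_HEADER_VALUE="Bearer constructed-token-123"
#   docker run $(zap_env_args) <zap image> ...   # -> "--env ZAP_AUTH_HEADER_VALUE"
```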