{"id":14384347,"url":"https://github.com/zaproxy/action-full-scan","last_synced_at":"2025-08-23T17:31:46.211Z","repository":{"id":39885256,"uuid":"254410599","full_name":"zaproxy/action-full-scan","owner":"zaproxy","description":"A GitHub Action for running the ZAP Full scan ","archived":false,"fork":false,"pushed_at":"2024-09-26T10:50:29.000Z","size":1802,"stargazers_count":279,"open_issues_count":8,"forks_count":53,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-10-30T09:06:03.325Z","etag":null,"topics":["actions","dast","devsecops","github-actions","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zaproxy.png","metadata":{"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-zap\u0026title=OWASP+ZAP"],"github":"OWASP"},"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-09T15:33:58.000Z","updated_at":"2024-10-28T13:48:11.000Z","dependencies_parsed_at":"2023-02-05T22:15:16.077Z","dependency_job_id":"acbb1e8d-4d06-4948-a2d2-2493e30f20e2","html_url":"https://github.com/zaproxy/action-full-scan","commit_stats":{"total_commits":43,"total_committers":7,"mean_commits":6.142857142857143,"dds":0.5348837209302326,"last_synced_commit":"9d8d415c14cc2d12d03850eb89c049d513b31e92"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zaproxy%2Faction-full-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositori
es/zaproxy%2Faction-full-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zaproxy%2Faction-full-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zaproxy%2Faction-full-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zaproxy","download_url":"https://codeload.github.com/zaproxy/action-full-scan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230716473,"owners_count":18269766,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","dast","devsecops","github-actions","security"],"created_at":"2024-08-28T18:01:19.414Z","updated_at":"2025-08-23T17:31:46.196Z","avatar_url":"https://github.com/zaproxy.png","language":"JavaScript","funding_links":["https://owasp.org/donate/?reponame=www-project-zap\u0026title=OWASP+ZAP","https://github.com/sponsors/OWASP"],"categories":["JavaScript"],"sub_categories":[],"readme":"# ZAP Action Full Scan\n\nA GitHub Action for running the ZAP [Full Scan](https://www.zaproxy.org/docs/docker/full-scan/) to perform\nDynamic Application Security Testing (DAST). \n\nThe ZAP full scan action runs the ZAP spider against the specified target (by default with no time limit) followed by an \noptional ajax spider scan and then a full active scan before reporting the results. 
The alerts will be maintained as a \nGitHub issue in the corresponding repository.\n\n**WARNING** this action will perform attacks on the target website.\nYou should only scan targets that you have permission to test.\nYou should also check with your hosting company and any other services such as CDNs that may be affected before running this action.\nZAP will also submit forms, which could result in a [large number of messages](https://www.zaproxy.org/faq/how-can-i-prevent-zap-from-sending-me-1000s-of-emails-via-a-contact-us-form/) via, for example, 'Contact us' or 'comment' forms.\n\n## Inputs\n\n### `target`\n\n**Required** The URL of the web application to be scanned. This can be either a publicly available web application or a locally\naccessible URL.\n\n### `docker_name`\n\n**Optional** The name of the Docker image to be executed. By default the action runs the stable version of ZAP, but you can\nconfigure this parameter to use the weekly builds instead.\n\n### `rules_file_name`\n\n**Optional** Relative path to a rules file that tells ZAP which alerts to ignore. Make sure to create\nthe rules file inside the relevant repository. 
The following shows a sample rules file configuration: each line holds the scan rule ID, the action, and a descriptive name, separated by tabs.\nMake sure to check out the repository (for example with `actions/checkout@v4`, as in the advanced example below) so that the rules file is available to the scan action.\n\n```tsv\n10011\tIGNORE\t(Cookie Without Secure Flag)\n10015\tIGNORE\t(Incomplete or No Cache-control and Pragma HTTP Header Set)\n```\n\n### `cmd_options`\n\n**Optional** Additional command-line options for the full scan script.\n\n### `allow_issue_writing`\n\n**Optional** By default the action files the report as a GitHub issue, using the `issue_title` input as its title.\nSet this to `false` if you don't want the issue to be created or updated.\n\n### `issue_title`\n\n**Optional** The title for the GitHub issue to be created.\n\n### `token`\n\n**Optional** The action uses the default token provided by GitHub Actions to create and update the issue for the full scan.\nYou do not have to create a dedicated token; pass GitHub's default action token (`secrets.GITHUB_TOKEN`) when running the action. If your workflow restricts the token with a `permissions:` block, it must grant `issues: write` for the issue to be created or updated.\n\n### `fail_action`\n\n**Optional** By default the ZAP Docker container exits with a non-zero [exit code](https://github.com/zaproxy/zaproxy/blob/efb404d38280dc9ecf8f88c9b0c658385861bdcf/docker/zap-full-scan.py#L31)\nif it identifies any alerts, but the action step itself still succeeds. Set this option to `true` if you want the action (and therefore the job) to fail when ZAP identifies any alerts during the scan.\n\n### `artifact_name`\n\n**Optional** By default the full scan action will attach the report to the build as an artifact named `zap_scan`. Set this to a different string to name it something else. 
Consult [GitHub's documentation](https://github.com/actions/toolkit/blob/main/packages/artifact/docs/additional-information.md#non-supported-characters) for which artifact names are allowed.\n\n## Environment variables\n\nIf set, the following [ZAP authentication environment variables](https://www.zaproxy.org/docs/authentication/handling-auth-yourself/#authentication-env-vars)\nwill be copied into the Docker container:\n\n- `ZAP_AUTH_HEADER_VALUE`\n- `ZAP_AUTH_HEADER`\n- `ZAP_AUTH_HEADER_SITE`\n\nBecause `ZAP_AUTH_HEADER_VALUE` is a credential, supply it from a repository or environment secret rather than as a literal in the workflow file, and set `ZAP_AUTH_HEADER_SITE` so the header is only sent to the target site.\n\n## Example usage\n\n**Basic**\n\n```yaml\nsteps:\n  - name: ZAP Scan\n    uses: zaproxy/action-full-scan@v0.12.0\n    with:\n      target: 'https://www.zaproxy.org/'\n```\n\n**Advanced**\n\n```yaml\non: [push]\n\njobs:\n  zap_scan:\n    runs-on: ubuntu-latest\n    name: Scan the web application\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          ref: master\n      - name: ZAP Scan\n        uses: zaproxy/action-full-scan@v0.12.0\n        with:\n          token: ${{ secrets.GITHUB_TOKEN }}\n          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'\n          target: 'https://www.zaproxy.org/'\n          rules_file_name: '.zap/rules.tsv'\n          cmd_options: '-a'\n```\n\n## Localised Alert Details\n\nZAP is internationalised and alert information is available in many languages.\n\nYou can change the language used by this action by changing the locale via `cmd_options`, for example `-z \"-config view.locale=fr_FR\"`.\n\nSee [https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/dist/lang](https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/dist/lang) for the full set of locales currently supported.\n\nYou can help improve ZAP translations via [https://crowdin.com/project/zaproxy](https://crowdin.com/project/zaproxy). 
\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzaproxy%2Faction-full-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzaproxy%2Faction-full-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzaproxy%2Faction-full-scan/lists"}
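The README above documents the action's inputs and authentication environment variables one at a time. The workflow below ties them together as a complete, least-privilege job. It is an added example, not the project's own workflow, and it assumes a staging host `staging.example.com`, a repository secret `ZAP_STAGING_BEARER` holding a bearer token for that host, a rules file at `.zap/rules.tsv` in the format shown in the README, and that the full scan script accepts `-j` (ajax spider) and `-m <minutes>` (spider time limit); confirm those flags against `zap-full-scan.py -h` for the ZAP image you run.

```yaml
name: ZAP full scan (staging)

# Added example for the zaproxy/action-full-scan README, not the project's
# own workflow. Assumed: target staging.example.com, repository secret
# ZAP_STAGING_BEARER, rules file .zap/rules.tsv, and that the full scan
# script accepts -j and -m <minutes> (check `zap-full-scan.py -h`).

on:
  workflow_dispatch:        # run on demand
  schedule:
    - cron: '0 3 * * 1'     # and weekly; not on every push, the scan attacks the target

# Restrict the job token to what the action needs: read access to check out
# the rules file, write access to issues so it can file and update the report.
# Without this block the token carries the repository's default permissions.
permissions:
  contents: read
  issues: write

# Never run two full scans against the same host at the same time.
concurrency:
  group: zap-full-scan-staging
  cancel-in-progress: false

jobs:
  zap_full_scan:
    runs-on: ubuntu-latest
    name: Scan staging
    steps:
      - name: Checkout rules file
        uses: actions/checkout@v4

      - name: ZAP full scan
        uses: zaproxy/action-full-scan@v0.12.0
        env:
          # Authenticated scan. The header value comes from a secret, never a
          # literal, and ZAP_AUTH_HEADER_SITE limits the header to the target
          # host so the credential is not replayed to CDNs or third parties.
          ZAP_AUTH_HEADER: Authorization
          ZAP_AUTH_HEADER_VALUE: Bearer ${{ secrets.ZAP_STAGING_BEARER }}
          ZAP_AUTH_HEADER_SITE: staging.example.com
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          target: 'https://staging.example.com/'
          rules_file_name: '.zap/rules.tsv'
          # Assumed flags: ajax spider on, traditional spider capped at 10 minutes
          # (the README notes the spider otherwise runs with no time limit)
          cmd_options: '-j -m 10'
          issue_title: 'ZAP full scan: staging'
          artifact_name: 'zap-full-scan-staging'
          # Turn findings into a failed job, not only a filed issue
          fail_action: true
```

The `permissions:` block is the part most often missing from copies of the README's advanced example: with it, a compromised step or dependency in this job cannot use `GITHUB_TOKEN` to push code or alter workflows, yet the action still has the `issues: write` it needs. `fail_action: true` plus a curated `.zap/rules.tsv` is what makes the scan gate anything; without the rules file every known, accepted alert would fail the job on every run.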