Feature: specify minimum severity

[hazcod]

Since ZAP vulnerability scans can generate a lot of issues, it might be nice to be able to e.g. ignore any LOW or INFO vulnerabilities. (so that issues are not created)

e.g.

jobs:
  zap_scan_public:
    runs-on: ubuntu-latest
    name: Scan public website
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.1.0
        with:
          issue_title: Vulnerability Scan Results
          token: ${{ secrets.GITHUB_TOKEN }}
          docker_name: owasp/zap2docker-weekly
          target: https://ironpeak.be/
          rules_file_name: .github/zap.ignore
          cmd_options: '-a -s MEDIUM'

[psiinon]

You can effectively already do this by setting any rules you are not interested in to IGNORE in your rules file. This is a finer grain control, but will have the same effect. I worry that creating too many options will make the action harder to understand and therefore less useful.

[fguisso]

Can you create an info page here or in ZAP docs with all rules? I found that, but I need to run the scan in my local machine and get the ´gen.conf´. Maybe with it in docs, we can help more people that don't know the ZAP profoundly.

I don't know if rules are updated weekly, in this case, we need some actions to update the docs every time that a rule is added.

My gen.conf generate today:

# zap-full-scan rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
# Active scan rules set to IGNORE will not be run which will speed up the scan
# Only the rule identifiers are used - the names are just for info
# You can add your own messages to each rule by appending them after a tab on each line.
0	WARN	(Directory Browsing - Active/release)
10003	WARN	(Vulnerable JS Library - Passive/release)
10010	WARN	(Cookie No HttpOnly Flag - Passive/release)
10011	WARN	(Cookie Without Secure Flag - Passive/release)
10015	WARN	(Incomplete or No Cache-control and Pragma HTTP Header Set - Passive/release)
10017	WARN	(Cross-Domain JavaScript Source File Inclusion - Passive/release)
10019	WARN	(Content-Type Header Missing - Passive/release)
10020	WARN	(X-Frame-Options Header - Passive/release)
10021	WARN	(X-Content-Type-Options Header Missing - Passive/release)
10023	WARN	(Information Disclosure - Debug Error Messages - Passive/release)
10024	WARN	(Information Disclosure - Sensitive Information in URL - Passive/release)
10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/release)
10026	WARN	(HTTP Parameter Override - Passive/beta)
10027	WARN	(Information Disclosure - Suspicious Comments - Passive/release)
10028	WARN	(Open Redirect - Passive/beta)
10029	WARN	(Cookie Poisoning - Passive/beta)
10030	WARN	(User Controllable Charset - Passive/beta)
10031	WARN	(User Controllable HTML Element Attribute (Potential XSS) - Passive/beta)
10032	WARN	(Viewstate - Passive/release)
10033	WARN	(Directory Browsing - Passive/beta)
10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative) - Passive/beta)
10035	WARN	(Strict-Transport-Security Header - Passive/beta)
10036	WARN	(HTTP Server Response Header - Passive/beta)
10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) - Passive/release)
10038	WARN	(Content Security Policy (CSP) Header Not Set - Passive/beta)
10039	WARN	(X-Backend-Server Header Information Leak - Passive/beta)
10040	WARN	(Secure Pages Include Mixed Content - Passive/release)
10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post - Passive/beta)
10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post - Passive/beta)
10043	WARN	(User Controllable JavaScript Event (XSS) - Passive/beta)
10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak) - Passive/beta)
10045	WARN	(Source Code Disclosure - /WEB-INF folder - Active/release)
10047	WARN	(HTTPS Content Available via HTTP - Active/beta)
10048	WARN	(Remote Code Execution - Shell Shock - Active/beta)
10050	WARN	(Retrieved from Cache - Passive/beta)
10051	WARN	(Relative Path Confusion - Active/beta)
10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak - Passive/beta)
10053	WARN	(Apache Range Header DoS (CVE-2011-3192) - Active/beta)
10054	WARN	(Cookie Without SameSite Attribute - Passive/release)
10055	WARN	(CSP - Passive/release)
10056	WARN	(X-Debug-Token Information Leak - Passive/release)
10057	WARN	(Username Hash Found - Passive/release)
10058	WARN	(GET for POST - Active/beta)
10061	WARN	(X-AspNet-Version Response Header - Passive/release)
10062	WARN	(PII Disclosure - Passive/beta)
10095	WARN	(Backup File Disclosure - Active/beta)
10096	WARN	(Timestamp Disclosure - Passive/release)
10097	WARN	(Hash Disclosure - Passive/beta)
10098	WARN	(Cross-Domain Misconfiguration - Passive/release)
10104	WARN	(User Agent Fuzzer - Active/beta)
10105	WARN	(Weak Authentication Method - Passive/release)
10106	WARN	(HTTP Only Site - Active/beta)
10107	WARN	(Httpoxy - Proxy Header Misuse - Active/beta)
10108	WARN	(Reverse Tabnabbing - Passive/beta)
10109	WARN	(Modern Web Application - Passive/beta)
10202	WARN	(Absence of Anti-CSRF Tokens - Passive/release)
2	WARN	(Private IP Disclosure - Passive/release)
20012	WARN	(Anti-CSRF Tokens Check - Active/beta)
20014	WARN	(HTTP Parameter Pollution - Active/beta)
20015	WARN	(Heartbleed OpenSSL Vulnerability - Active/beta)
20016	WARN	(Cross-Domain Misconfiguration - Active/beta)
20017	WARN	(Source Code Disclosure - CVE-2012-1823 - Active/beta)
20018	WARN	(Remote Code Execution - CVE-2012-1823 - Active/beta)
20019	WARN	(External Redirect - Active/release)
3	WARN	(Session ID in URL Rewrite - Passive/release)
30001	WARN	(Buffer Overflow - Active/release)
30002	WARN	(Format String Error - Active/release)
30003	WARN	(Integer Overflow Error - Active/beta)
40003	WARN	(CRLF Injection - Active/release)
40008	WARN	(Parameter Tampering - Active/release)
40009	WARN	(Server Side Include - Active/release)
40012	WARN	(Cross Site Scripting (Reflected) - Active/release)
40013	WARN	(Session Fixation - Active/beta)
40014	WARN	(Cross Site Scripting (Persistent) - Active/release)
40016	WARN	(Cross Site Scripting (Persistent) - Prime - Active/release)
40017	WARN	(Cross Site Scripting (Persistent) - Spider - Active/release)
40018	WARN	(SQL Injection - Active/release)
40019	WARN	(SQL Injection - MySQL - Active/beta)
40020	WARN	(SQL Injection - Hypersonic SQL - Active/beta)
40021	WARN	(SQL Injection - Oracle - Active/beta)
40022	WARN	(SQL Injection - PostgreSQL - Active/beta)
40023	WARN	(Possible Username Enumeration - Active/beta)
40024	WARN	(SQL Injection - SQLite - Active/beta)
40025	WARN	(Proxy Disclosure - Active/beta)
40026	WARN	(Cross Site Scripting (DOM Based) - Active/beta)
40027	WARN	(SQL Injection - MsSQL - Active/beta)
40028	WARN	(ELMAH Information Leak - Active/release)
40029	WARN	(Trace.axd Information Leak - Active/beta)
40032	WARN	(.htaccess Information Leak - Active/release)
40034	WARN	(.env Information Leak - Active/beta)
40035	WARN	(Hidden File Finder - Active/beta)
41	WARN	(Source Code Disclosure - Git  - Active/beta)
42	WARN	(Source Code Disclosure - SVN - Active/beta)
43	WARN	(Source Code Disclosure - File Inclusion - Active/beta)
50000	WARN	(Script Active Scan Rules - Active/release)
50001	WARN	(Script Passive Scan Rules - Passive/release)
6	WARN	(Path Traversal - Active/release)
7	WARN	(Remote File Inclusion - Active/release)
90001	WARN	(Insecure JSF ViewState - Passive/release)
90011	WARN	(Charset Mismatch - Passive/release)
90017	WARN	(XSLT Injection - Active/beta)
90019	WARN	(Server Side Code Injection - Active/release)
90020	WARN	(Remote OS Command Injection - Active/release)
90021	WARN	(XPath Injection - Active/beta)
90022	WARN	(Application Error Disclosure - Passive/release)
90023	WARN	(XML External Entity Attack - Active/beta)
90024	WARN	(Generic Padding Oracle - Active/beta)
90025	WARN	(Expression Language Injection - Active/beta)
90026	WARN	(SOAP Action Spoofing - Active/alpha)
90027	WARN	(Cookie Slack Detector - Active/beta)
90028	WARN	(Insecure HTTP Method - Active/beta)
90029	WARN	(SOAP XML Injection - Active/alpha)
90030	WARN	(WSDL File Detection - Passive/alpha)
90033	WARN	(Loosely Scoped Cookie - Passive/release)
90034	WARN	(Cloud Metadata Potentially Exposed - Active/beta)

[thc202]

You mean like this one https://www.zaproxy.org/docs/alerts/ ?

[fguisso]

Exactly, thanks! Can you add this link in GH Actions please?

[marvelredddy]

How can i report after i get alerts. Actually Bug bounty Platforms need Impact with POC . How can i report. Any suggestions.

[kingthorin]

In that case you're the "expert" not ZAP.

Also the User Group is a much better place for discussion not our issue tracker.