action.yaml

name: AccuKnox ZAP DAST Scan
description: Run a ZAP scan (full or baseline) and upload the reports to the AccuKnox CSPM panel.

inputs:
  target_url:
    description: "The URL of the web application to scan."
    required: true
  accuknox_token:
    description: "Token for authenticating with the AccuKnox CSPM panel."
    required: true
  accuknox_endpoint:
    description: "The URL of the AccuKnox CSPM panel to push the scan results to."
    required: true
  tenant_id:
    description: "The ID of the tenant associated with the CSPM dashboard."
    required: true
  label:
    description: "Label created in AccuKnox SaaS for associating the scan results."
    required: true
  severity_threshold:
    description: "The minimum severity level (e.g., High, Medium, Low, Informational) that will cause the pipeline to fail if present in the report."
    required: true
  scan_type:
    description: "Type of ZAP scan to run: 'baseline' or 'full-scan'."
    required: true
    default: "full-scan"

runs:
  using: "composite"
  steps:
    - name: Set permissions for ZAP output directory
      run: |
        mkdir -p /tmp/zap
        chmod a+w /tmp/zap
        ls -la /tmp/zap
      shell: bash

    - name: Run ZAP Scan
      run: |
        if [ "${{ inputs.scan_type }}" == "baseline" ]; then
          SCAN_COMMAND="zap-baseline.py -t ${{ inputs.target_url }} -J report.json -I"
        else
          SCAN_COMMAND="zap-full-scan.py -t ${{ inputs.target_url }} -J report.json -I"
        fi

        docker run --rm \
          -v /tmp/zap:/zap/wrk \
          -t zaproxy/zap-stable $SCAN_COMMAND
      shell: bash

    - name: View ZAP Report
      run: |
        cat /tmp/zap/report.json
      shell: bash


    - name: Upload ZAP Report to AccuKnox CSPM Panel
      run: |
        response=$(curl --location --request POST "https://${{ inputs.accuknox_endpoint }}/api/v1/artifact/?tenant_id=${{ inputs.tenant_id }}&data_type=ZAP&label_id=${{ inputs.label }}&save_to_s3=false" \
          --header "Tenant-Id: ${{ inputs.tenant_id }}" \
          --header "Authorization: Bearer ${{ inputs.accuknox_token }}" \
          --form "file=@/tmp/zap/report.json")

        echo "Response: $response"
        if [[ "$response" != *"File received successfully"* ]]; then
          echo "Error: Failed to push report to CSPM panel"
          exit 1
        fi
      shell: bash

    - name: Check Severity Level in ZAP Report
      run: |
        # Map severity threshold to risk code (0=Informational, 1=Low, 2=Medium, 3=High)
        case "${{ inputs.severity_threshold }}" in
          High)           RISK_CODE=3 ;;
          Medium)         RISK_CODE=2 ;;
          Low)            RISK_CODE=1 ;;
          Informational)  RISK_CODE=0 ;;
          *)              echo "Invalid severity threshold"; exit 1 ;;
        esac

        # Check if any alerts in the report meet or exceed the threshold risk code
        if jq -e --argjson risk_code "$RISK_CODE" \
             '.site[].alerts[] | select(.riskcode|tonumber >= $risk_code)' /tmp/zap/report.json > /dev/null; then
          echo "Error: Vulnerability with severity ${{ inputs.severity_threshold }} or higher found in ZAP report."
          exit 1
        else
          echo "No vulnerabilities with severity ${{ inputs.severity_threshold }} or higher were found."
        fi
      shell: bash


branding:
  icon: "shield"
  color: "red"