Skip to content

chore: upload zap scan artifacts with different names for different scanned images #2594

chore: upload zap scan artifacts with different names for different scanned images

chore: upload zap scan artifacts with different names for different scanned images #2594

Workflow file for this run

name: 'Security web scan for zot'
on:
push:
branches:
- main
pull_request:
branches:
- main
release:
types:
- published
permissions:
contents: read
jobs:
zap_scan:
runs-on: ubuntu-latest
name: Scan ZOT using ZAP
strategy:
matrix:
flavor: [zot-linux-amd64-minimal, zot-linux-amd64]
steps:
- name: Install go
uses: actions/setup-go@v5
with:
cache: false
go-version: 1.23.x
- name: Checkout
uses: actions/checkout@v4
- name: Build zot
run: |
echo "Building $FLAVOR"
cd $GITHUB_WORKSPACE
if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
make binary-minimal
else
make binary
fi
ls -l bin/
env:
FLAVOR: ${{ matrix.flavor }}
- name: Bringup zot server
run: |
# upload images, zot can serve OCI image layouts directly like so
mkdir /tmp/zot
skopeo copy --format=oci docker://busybox:latest oci:/tmp/zot/busybox:latest
# start zot
if [[ $FLAVOR == "zot-linux-amd64-minimal" ]]; then
./bin/${{ matrix.flavor }} serve examples/config-conformance.json &
else
./bin/${{ matrix.flavor }} serve examples/config-ui.json &
fi
# wait until service is up
while true; do x=0; curl -f http://localhost:8080/v2/ || x=1; if [ $x -eq 0 ]; then break; fi; sleep 1; done
env:
FLAVOR: ${{ matrix.flavor }}
- name: ZAP Scan Rest API
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: 'http://localhost:8080/v2/'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a -j'
allow_issue_writing: false
fail_action: true
artifact_name: zap_scan_${{ matrix.flavor }}