OWASP ZAP Setup - EL-Kae/SAST_DAST_Tools GitHub Wiki

Below is the step-by-step process to set up our DAST tool on a repo. GitHub Advanced Security should be turned on by default, but if it is not, the steps to enable it are included here. In this example we will enable the tool on an imaginary repo.

  1. We must first create the DAST_WEB_URL secret. From the GitHub repo page, go to 'Settings > Secrets > Actions' and click on the 'New repository secret' button.

  2. The 'Name' field must be exactly 'DAST_WEB_URL', or else this GitHub Action will not recognize it.

  3. The 'Value' field should contain the test URL that ZAP will scan.

  4. Click on the green 'Add secret' button once this is done.

  5. Go to the repo’s own settings: “Settings” > “Code security and analysis”.

  6. Click on the “Enable” button for “GitHub Advanced Security”.

  7. Then agree to the prompt by clicking “Enable Advanced Security for this repository”.

  8. Next to “Code scanning”, click on the “Set up” button; this will redirect you to the code scanning page.

  9. Click on “Set up this workflow” in the “CodeQL Analysis” box.

  10. Once in the editor, delete the entire file and replace the content with this template from this repo.

  11. This is the master file to be used in repositories that pertain to a web application. The file should be named "dast.yml".

  12. Once you’re done editing the file click on the green “Start commit” button.

  13. Give a description of what was done.

  14. Lastly, commit your changes by clicking on the green “Commit new file” button.

  15. Once the file has been created and pushed to the default branch, the action should start automatically.

  16. Wait for the run to finish and view your results.

  17. The process described above only needs to be done once, when a staging environment is live. From then on the scan will run every time new code is pushed to the default branch or a pull request is merged. Set it and forget it.
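As an added illustration of what a dast.yml produced by the steps above can look like (this is not the wiki's own template; it assumes the default branch is named "main" and uses the OWASP ZAP baseline action from the zaproxy GitHub organisation, pinned to a release tag you should verify yourself), the workflow below reads the DAST_WEB_URL secret created in steps 1 to 4, fails early with a clear message if that secret is missing, and otherwise runs the ZAP baseline scan against it:

```yaml
# Added example dast.yml, not the repo's template.
# Assumption: default branch is "main"; adjust the branch filters otherwise.
name: DAST (OWASP ZAP baseline)

on:
  push:
    branches: [ main ]        # runs on every push to the default branch
  pull_request:
    branches: [ main ]        # and on pull requests targeting it

permissions:
  contents: read
  issues: write               # the ZAP action can open an issue with findings

jobs:
  zap_baseline:
    runs-on: ubuntu-latest
    steps:
      - name: Check that the DAST_WEB_URL secret exists
        env:
          DAST_WEB_URL: ${{ secrets.DAST_WEB_URL }}
        # A missing secret expands to an empty string; stop here with a
        # readable error instead of handing ZAP an empty target.
        run: |
          if [ -z "$DAST_WEB_URL" ]; then
            echo "::error::DAST_WEB_URL secret is not set (see steps 1-4)"
            exit 1
          fi

      - name: ZAP baseline scan
        uses: zaproxy/action-baseline@v0.12.0   # pin to a tag you have verified
        with:
          target: ${{ secrets.DAST_WEB_URL }}   # the staging URL from step 3
          token: ${{ secrets.GITHUB_TOKEN }}    # lets the action file an issue
          fail_action: true                     # fail the run when alerts are found
```

The secret is never echoed to the log, only tested for emptiness, so the staging URL stays out of the workflow output.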