
fix/ ZAP Scan #1034

Merged
isabeleliassen merged 6 commits into development from zap-scan-fix
Aug 28, 2025

Conversation

@jlkravitz
Collaborator

@jlkravitz jlkravitz commented Aug 25, 2025

#962 moved the API spec; this fixes it and attempts to use a new job introduced in ZAP's automation framework that supports updating the exit codes: zaproxy/action-af#12

Summary by CodeRabbit

  • New Features
    • Expanded automated security scanning to cover additional APIs and environments.
  • Tests
    • Updated OpenAPI-based scans with correct targets and contexts for more accurate coverage.
    • Introduced explicit exit handling for scan jobs to standardize CI outcomes.
  • Chores
    • Simplified manual security scan script by removing an unnecessary pre-scan copy step.

@coderabbitai
Contributor

coderabbitai Bot commented Aug 25, 2025

Walkthrough

Updates the ZAP automation configuration to add a new internal API OpenAPI job, set the state API target URL and context, and define an exitStatus job. Removes a pre-run file copy step from the manual scan script; other logic remains unchanged.

Changes

Cohort / File(s) | Summary of edits
ZAP Automation Config: owasp-zap/data/test-automation.yml | Added state-api URL to contexts/includePaths; updated external OpenAPI job with targetUrl, context: test, user: ""; added new internal OpenAPI job (apiFile for internal spec, targetUrl https://api.test.compactconnect.org, context: test, user: ""); added top-level exitStatus job with warnExitValue: 0.
Manual Scan Script: owasp-zap/manual-scan.sh | Removed step copying official API spec into ZAP data; retained token retrieval, docker run, and exit handling.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor CI as CI Runner
  participant ZAP as ZAP Automation
  participant Ctx as Test Context
  participant StateAPI as state-api.test.compactconnect.org
  participant InternalAPI as api.test.compactconnect.org
  participant Exit as exitStatus

  CI->>ZAP: Start automation plan
  ZAP->>Ctx: Load "test" context (includePaths updated)
  note right of Ctx: Changed: state-api URL added

  ZAP->>StateAPI: OpenAPI scan (external)<br/>targetUrl set, context:test, user:""
  note right of StateAPI: Changed: targetUrl/context/user configured

  ZAP->>InternalAPI: OpenAPI scan (internal)<br/>apiFile (internal spec), context:test
  note right of InternalAPI: New: internal OpenAPI job

  ZAP->>Exit: Evaluate warnExitValue = 0
  Exit-->>CI: Return status
sequenceDiagram
  autonumber
  actor Dev as Developer
  participant Script as manual-scan.sh
  participant Auth as Token Provider
  participant Docker as Docker/ZAP

  Dev->>Script: Run manual scan
  %% Old step (removed)
  rect rgba(255,230,230,0.5)
  note over Script: Removed step
  Script-x Script: Copy official API spec to ZAP data
  end

  Script->>Auth: Retrieve token
  Auth-->>Script: Token

  Script->>Docker: docker run ... (invoke ZAP)
  Docker-->>Script: Exit code
  Script-->>Dev: Propagate exit

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

In burrows of CI, I thump with delight,
New scans hop forth, two APIs in sight.
Exit rules tidy, no copies to stash—
I twitch my whiskers at streamlined bash.
With paws on the pipeline, I nudge and I cheer:
“ZAP to it, friends—your path is clear!” 🐇⚡️


📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between eff539c and 34865a8.

📒 Files selected for processing (1)
  • owasp-zap/manual-scan.sh (0 hunks)
💤 Files with no reviewable changes (1)
  • owasp-zap/manual-scan.sh

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/workflows/zap-scan-test.yml (1)

10-10: LGTM: run ZAP on PRs to development as well.

This broadens coverage appropriately. Optional: to save CI minutes, add a paths filter to only trigger when owasp-zap/**, backend specs, or workflow files change.

Example:

 on:
   pull_request:
     branches:
       - main
       - development
+    paths:
+      - 'owasp-zap/**'
+      - 'backend/compact-connect/docs/**'
+      - '.github/workflows/zap-scan-test.yml'
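Review bot: a paths filter on pull_request interacts badly with branch protection, and the check list in this review ("GitHub Check: ZapScan") suggests the scan is treated as a gate. If ZapScan is a required status check, a PR that touches none of the three listed paths never starts the workflow, so the check stays pending and the PR cannot merge. Either keep the filter and drop ZapScan from the required checks, or add a same-named no-op workflow triggered with `paths-ignore` on the same list so the check still reports. Separately, the list does cover the spec location quoted further down (backend/compact-connect/docs/internal/api-specification/), so spec changes would still trigger a scan.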
owasp-zap/manual-scan.sh (1)

5-5: Keep the manual scan plan and the copied OAS path consistent (currently the copy is unused).

You copy the internal spec to owasp-zap/data/latest-oas30.json, but test-automation.yml imports from /zap/wrk/backend/compact-connect/docs/internal/api-specification/latest-oas30.json. The copy is dead weight unless the plan reads that location.

Option A — remove the copy line from the manual script.

Option B — point the plan to the copied file for manual runs:

-    apiFile: /zap/wrk/backend/compact-connect/docs/internal/api-specification/latest-oas30.json
+    apiFile: /zap/wrk/owasp-zap/data/latest-oas30.json
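Review bot: Option B would break the CI path. The plan file is shared by the GitHub workflow (zaproxy/action-af) and manual-scan.sh, and only the manual script performed the copy into owasp-zap/data/, so pointing apiFile at /zap/wrk/owasp-zap/data/latest-oas30.json leaves the automation run with no spec at that path unless the workflow copies it as well. Option A keeps both entry points reading the one canonical location, and it is what the merged PR did (the walkthrough records the copy step's removal from the manual script).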

Additional hardening for the script:

- set -e
+ set -euo pipefail
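Review bot: `set -u` is the part of this change that needs a check before adopting it: any optional environment variable the retained token-retrieval step reads with a bare `$VAR` will now abort the script with an "unbound variable" error, so those reads should be audited and defaulted with `${VAR:-}`. `pipefail` is the more valuable addition for a scanner gate, since without it a failing command on the left of a pipe is masked by a successful right-hand side and the script's exit handling would propagate success.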

If you intend to rely on the new exitStatus job during manual runs, ensure the image has the AF add-on version that supports it; otherwise consider zaproxy/zap-weekly.

Would you like me to align the plan and script in this PR (and add pipefail), or do you prefer to keep the copy for local/manual workflows?

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 70ac139 and 449e466.

⛔ Files ignored due to path filters (1)
  • owasp-zap/authenticator/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/zap-scan-test.yml (1 hunks)
  • owasp-zap/data/test-automation.yml (2 hunks)
  • owasp-zap/manual-scan.sh (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: ZapScan
🔇 Additional comments (2)
owasp-zap/data/test-automation.yml (2)

48-53: LGTM: internal OpenAPI job paths/host align with the new internal spec location.

apiFile points to /zap/wrk/backend/.../internal/... and targetUrl to https://api.test.compactconnect.org, which is already in scope via includePaths/urls. No blockers here.


115-117: Verify exitStatus support for zaproxy/action-af and zaproxy/zap-stable

Before relying on the exitStatus job to enforce your exit-code gating, please confirm both of the following:

  • zaproxy/action-af
    • You’re currently on zaproxy/action-af@v0.1.0. Check the Action’s release notes or changelog for the version that introduced exitStatus support. If v0.1.0 predates that change, bump to the first tag where exitStatus is documented.
  • zaproxy/zap-stable Docker image
    • The stock zaproxy/zap-stable:latest image may bundle an older Automation Framework add-on. Inspect its installed AF add-on version (via the ZAP UI Help → About → Add-ons or the ZAP API) and ensure it matches or exceeds the version that added exitStatus support. If not, either switch to the weekly build (zaproxy/zap-weekly) or add a startup step to update the AF add-on.

File: owasp-zap/data/test-automation.yml
Lines: 115–117

- type: exitStatus
  parameters:
    warnExitValue: 0

Optional refinements once support is confirmed:

  • Explicitly set infoExitValue and errorExitValue to make the intended behavior self-documenting.
  • Add a comment clarifying your gating policy (“warnings don’t fail the build, errors do,” etc.).
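As an added example (not code from this PR or from the ZAP project), here is how the exitStatus job could be spelled out with the gating policy made explicit, next to the internal OpenAPI job it gates. The parameter names (errorLevel, warnLevel, okExitValue, warnExitValue, errorExitValue) are assumed from the Automation Framework's exitStatus job documentation and should be confirmed against the AF add-on version actually bundled in the image.

```yaml
# Added example plan fragment; not the repository's test-automation.yml.
# exitStatus parameter names are assumed from the AF docs: verify them
# against the add-on version installed in the image before relying on them.
env:
  contexts:
    - name: test
      urls:
        - https://api.test.compactconnect.org
      includePaths:
        - https://api.test.compactconnect.org.*
  parameters:
    failOnError: true        # a job that errors (e.g. apiFile not found) fails the plan
    failOnWarning: false
    progressToStdout: true

jobs:
  - type: openapi
    parameters:
      apiFile: /zap/wrk/backend/compact-connect/docs/internal/api-specification/latest-oas30.json
      targetUrl: https://api.test.compactconnect.org
      context: test
      user: ""

  # Gating policy: warnings do not fail the build, errors do.
  # Kept as the last job so it evaluates the alerts of every job above it.
  - type: exitStatus
    parameters:
      errorLevel: High       # alerts at this risk or above count as errors
      warnLevel: Medium      # alerts at this risk or above count as warnings
      okExitValue: 0         # no alerts at warnLevel or above
      warnExitValue: 0       # this PR's choice: warnings are reported, not blocking
      errorExitValue: 1      # High-risk findings fail the CI job
```

Pinning errorLevel and warnLevel alongside the exit values is what makes the policy readable in review: warnExitValue: 0 on its own says nothing about which risk levels it silences.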

Comment thread owasp-zap/data/test-automation.yml
Contributor

@jusdino jusdino left a comment


Looks good - just want to confirm one item:

Comment thread .github/workflows/zap-scan-test.yml Outdated
@jlkravitz
Collaborator Author

@isabeleliassen this should be good to merge!

@isabeleliassen isabeleliassen merged commit 00e9ebc into development Aug 28, 2025
5 checks passed