From 64e78024e0ca4e7ef514e01c99c2eb867b569b4e Mon Sep 17 00:00:00 2001
From: simeng-li <simeng@silverhand.io>
Date: Thu, 3 Aug 2023 10:17:14 +0800
Subject: [PATCH] ci(core): disable cloud metadata rule in zap (#4277)

* ci(core): disable cloud metadata rule in zap

disable cloud metadata rule in zap

* fix: update rule files

update rule files

* fix: update the conf file

update the conf file

* fix: revert docker settings

revert docker settings
---
 .github/workflows/pen-tests.yml | 10 +++++++---
 .zap/rules.conf                 |  9 +++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 .zap/rules.conf

diff --git a/.github/workflows/pen-tests.yml b/.github/workflows/pen-tests.yml
index 5e6ea0266..a4f50d8ef 100644
--- a/.github/workflows/pen-tests.yml
+++ b/.github/workflows/pen-tests.yml
@@ -4,10 +4,10 @@ on:
   # Be careful when using the workflow_run trigger
   # https://github.community/t/workflow-run-completed-event-triggered-by-failed-workflow/128001/7
   workflow_run:
-    workflows: [ "Release" ]
+    workflows: ["Release"]
     branches:
       - master
-    types: 
+    types:
       - completed
 
 concurrency:
@@ -20,6 +20,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
       - name: Docker Compose up
         run: |
           curl -fsSL https://raw.githubusercontent.com/logto-io/logto/HEAD/docker-compose.yml |\
@@ -32,8 +35,9 @@ jobs:
         uses: zaproxy/action-full-scan@v0.5.1
         with:
           target: http://localhost:3001
-          cmd_options: '-a'
+          cmd_options: "-a"
           fail_action: true
           allow_issue_writing: false
+          rules_file_name: ".zap/rules.conf"
 
       # TODO: send slack message on failure
diff --git a/.zap/rules.conf b/.zap/rules.conf
new file mode 100644
index 000000000..86946965c
--- /dev/null
+++ b/.zap/rules.conf
@@ -0,0 +1,9 @@
+# Mark the following rules as INFO
+
+# CloudFlare will block the metadata endpoint access
+90034	INFO	(Cloud Metadata Potentially Exposed - Active/release)
+
+10096	INFO	(Timestamp Disclosure - Passive/release)
+10063-1	INFO	(Permissions Policy Header Not Set - Passive/beta)
+10055-4	INFO	(CSP - Wildcard Directive)
+40039	INFO	(Web Cache Deception)