ci(core): disable cloud metadata rule in zap (#4277)

* ci(core): disable cloud metadata rule in zap

disable cloud metadata rule in zap

* fix: update rule files

update rule files

* fix: update the conf file

update the conf file

* fix: revert docker settings

revert docker settings

.github/workflows/pen-tests.yml

@@ -4,10 +4,10 @@ on:
   # Be careful when using the workflow_run trigger
   # https://github.community/t/workflow-run-completed-event-triggered-by-failed-workflow/128001/7
   workflow_run:
-    workflows: [ "Release" ]
+    workflows: ["Release"]
     branches:
       - master
-    types: 
+    types:
       - completed
 
 concurrency:
@@ -20,6 +20,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
       - name: Docker Compose up
         run: |
           curl -fsSL https://raw.githubusercontent.com/logto-io/logto/HEAD/docker-compose.yml |\
@@ -32,8 +35,9 @@ jobs:
         uses: zaproxy/action-full-scan@v0.5.1
         with:
           target: http://localhost:3001
-          cmd_options: '-a'
+          cmd_options: "-a"
           fail_action: true
           allow_issue_writing: false
+          rules_file_name: ".zap/rules.conf"
 
       # TODO: send slack message on failure

.zap/rules.conf

@@ -0,0 +1,9 @@
+# Mark the following rules as INFO
+
+# CloudFlare will block the metadata endpoint access
+90034	INFO	(Cloud Metadata Potentially Exposed - Active/release)
+
+10096	INFO	(Timestamp Disclosure - Passive/release)
+10063-1	INFO	(Permissions Policy Header Not Set - Passive/beta)
+10055-4	INFO	(CSP - Wildcard Directive)
+40039	INFO	(Web Cache Deception)