ci(core): disable cloud metadata rule in zap (#4277)

* ci(core): disable cloud metadata rule in zap disable cloud metadata rule in zap * fix: update rule files update rule files * fix: update the conf file update the conf file * fix: revert docker settings revert docker settings
2024-12-16 20:26:19 -05:00 · 2023-08-03 10:17:14 +08:00 · 2023-08-03 10:17:14 +08:00 · 64e78024e0
commit 64e78024e0
parent 7ce014d033
2 changed files with 16 additions and 3 deletions
--- a/.github/workflows/pen-tests.yml
+++ b/.github/workflows/pen-tests.yml
@ -20,6 +20,9 @@ jobs:
    runs-on: ubuntu-latest

    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
      - name: Docker Compose up
        run: |
          curl -fsSL https://raw.githubusercontent.com/logto-io/logto/HEAD/docker-compose.yml |\
@ -32,8 +35,9 @@ jobs:
        uses: zaproxy/action-full-scan@v0.5.1
        with:
          target: http://localhost:3001
-          cmd_options: '-a'
+          cmd_options: "-a"
          fail_action: true
          allow_issue_writing: false
+          rules_file_name: ".zap/rules.conf"

      # TODO: send slack message on failure
--- a/.zap/rules.conf
+++ b/.zap/rules.conf
@ -0,0 +1,9 @@
+# Mark the following rules as INFO
+
+# CloudFlare will block the metadata endpoint access
+90034	INFO	(Cloud Metadata Potentially Exposed - Active/release)
+
+10096	INFO	(Timestamp Disclosure - Passive/release)
+10063-1	INFO	(Permissions Policy Header Not Set - Passive/beta)
+10055-4	INFO	(CSP - Wildcard Directive)
+40039	INFO	(Web Cache Deception)