GitHub Actions
Integrate ZeroThreat into your CI/CD pipeline with GitHub Actions so that security scans run automatically as part of your builds. This guide walks you through the setup process and adds the checks you need to keep the integration seamless and secure.
Prerequisites
Before you begin, ensure the following:
Your target application is verified on ZeroThreat.
You’re familiar with the basics of GitHub Actions.
Your GitHub repository has workflows enabled.
Step 1: Enable GitHub Actions Integration in ZeroThreat
Navigate to the Targets section in ZeroThreat.
Click the "Continuous Integration" button for the target you want to scan.

In the CI/CD settings drawer, click "Add GitHub Actions Integration" and confirm.

Once confirmed, a unique ZT_TOKEN is generated. This token authorizes your CI/CD pipeline to start scans of its associated target, so treat it like a password: anyone who holds it can trigger scans against that target.
Step 2: Choose Scan Settings
Select or create a Scan Profile suitable for your environment.

A scan profile is required for API scans started from a CI/CD integration. Without one, the pipeline cannot start the scan.
If you're scanning authenticated sections of your app, select a working Login Template for the authenticated scan; an authenticated scan fails if the selected template or its credentials are invalid.
Click the GitHub Actions icon in ZeroThreat to open the GitHub Actions Marketplace listing for the official ZeroThreat AI DAST Scanner action.
Step 3: Setup GitHub Actions Workflow
Open your target's GitHub repository.
Navigate to the Actions tab.
Click "New Workflow" and select "Simple Workflow" as your starting template.

Name your workflow file (e.g., .github/workflows/scan.yml).

Step 4: Configure the Workflow File
Use the following example as a starting point for your workflow configuration. For illustration, this guide uses the workflow_dispatch trigger, which lets you start the workflow manually from the GitHub interface. You can replace it with any other trigger supported by GitHub Actions, such as push, pull_request, or a schedule, depending on your automation needs.
name: ZeroThreat Vulnerability Scan Action
on:
  workflow_dispatch:
# Scopes granted to the job's GITHUB_TOKEN; grant nothing beyond what the job needs.
permissions:
  contents: read
  issues: write
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Custom Action for Vulnerability Scan
        # Pinned to a release tag; for stronger supply-chain protection, pin to the full commit SHA of that release instead.
        uses: zerothreatai/github-action@0.0.3
        with:
          # Never hardcode the token here; read it from a repository secret (Step 5).
          ZT_TOKEN: ${{ secrets.ZT_TOKEN }}
          WAIT_FOR_ANALYSIS: true
Understanding WAIT_FOR_ANALYSIS
Input: WAIT_FOR_ANALYSIS
true – The GitHub Action waits for the scan to complete, polling ZeroThreat every 5 minutes; the job keeps running (and consuming runner minutes) until the scan finishes, so the pipeline can react to the result.
false (default) – The scan is triggered and the step ends immediately; review the result in the ZeroThreat portal.
Step 5: Add ZT_TOKEN as a GitHub Secret
The example workflow reads the token from secrets.ZT_TOKEN, so the secret must exist for the workflow to run. Always store the ZT_TOKEN as a GitHub Secret; never hardcode it in the workflow file, where anyone with read access to the repository (or its history) can see it.
Go to your GitHub repository settings.
Navigate to Security > Secrets and Variables > Actions.

Click "New repository secret".

Name it ZT_TOKEN, paste the value generated from ZeroThreat, and click "Add Secret".

Step 6: Run the workflow
Since this example uses workflow_dispatch, you can manually start a scan:
Go to the Actions tab in your GitHub repository.
Select your new workflow.
Click "Run Workflow".

The workflow begins and a scan is triggered for the target in the ZeroThreat portal.
Automating with Push or Pull Requests
To automate scans on every code change, replace the on: block in the workflow with:
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
This triggers ZeroThreat scans automatically for pushes or pull requests to the main branch. Note that GitHub does not expose repository secrets to workflows triggered by pull requests from forks, so ZT_TOKEN is empty in those runs and the scan cannot start; if your repository accepts fork PRs, guard the job with a condition or rely on the push trigger instead.
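The following is an added, complete workflow for the push/pull_request setup above. It is not from the ZeroThreat documentation or the zerothreatai/github-action project; the action name, version, inputs and permissions are the ones shown on this page, while the job condition, the preflight step and the concurrency group are generic GitHub Actions features added here as an assumed way of running it. It adds three guards a practitioner would want: it skips pull requests from forks (where GitHub provides no repository secrets, so ZT_TOKEN would be empty), fails fast with a clear message when the secret is missing or misnamed, and cancels a still-queued scan when a newer push supersedes it.

```yaml
name: ZeroThreat Vulnerability Scan (push and pull request)

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Scopes copied from the page's example workflow.
permissions:
  contents: read
  issues: write
  pull-requests: write

# One scan per ref at a time; a newer push cancels a run still in progress.
concurrency:
  group: zerothreat-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  scan:
    runs-on: ubuntu-latest
    # Pull requests from forks run without repository secrets, so ZT_TOKEN
    # would be empty there. Skip the job instead of failing confusingly.
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4

      # Preflight: fail with an explicit message if the secret is not set.
      # Secrets are only ever empty here if the repository secret is missing
      # or its name does not match ZT_TOKEN exactly.
      - name: Check that ZT_TOKEN is configured
        env:
          ZT_TOKEN: ${{ secrets.ZT_TOKEN }}
        run: |
          if [ -z "$ZT_TOKEN" ]; then
            echo "::error::Repository secret ZT_TOKEN is not set (Settings > Secrets and variables > Actions)."
            exit 1
          fi

      - name: Run ZeroThreat scan
        # Release tag as on this page; pin to the full commit SHA for tighter supply-chain control.
        uses: zerothreatai/github-action@0.0.3
        with:
          ZT_TOKEN: ${{ secrets.ZT_TOKEN }}
          # false: trigger the scan and let the pipeline continue; review the
          # report in the ZeroThreat portal. Set to true to block the job
          # until the scan completes (polled every 5 minutes).
          WAIT_FOR_ANALYSIS: false
```

If you want a failing scan to block a merge, set WAIT_FOR_ANALYSIS to true and make the scan job a required status check on the main branch; otherwise keep it false so a long DAST run does not hold up every push.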
Troubleshooting
ZT_TOKEN not recognized
Make sure the input in the workflow YAML file is named exactly ZT_TOKEN, and that the repository secret it reads (secrets.ZT_TOKEN) has the same name.
Scan doesn't trigger
Check your on: conditions and the workflow's permissions, and remember that pull requests from forks do not receive repository secrets.
Authenticated scan fails
Make sure a valid login template is selected in ZeroThreat and that its credentials are still valid.
Finished setting up your CI/CD integration? Head over to our guide on Reviewing Scan Reports to learn and analyze different sections of the scan report.