ci: add ZAP Baseline Scan to CI/CD pipeline#3172

Merged
arkid15r merged 5 commits into OWASP:main from OM-JADHAV25:ci/zap-baseline-scan
Jan 4, 2026
Conversation

@OM-JADHAV25
Contributor

Proposed change

Resolves #3154

This PR adds ZAP Baseline Scan to the CI/CD pipeline to introduce automated security scanning for the Nest application.

The scan runs against the staging environment after deployment and performs a passive security analysis.
For the initial iteration, the scan is configured as non-blocking to avoid disrupting the pipeline while findings are reviewed.

Implementation follows the official ZAP Baseline Scan documentation:

Checklist

  • Required: I read and followed the contributing guidelines
  • Required: I ran make check-test locally and all tests passed
  • I used AI for code, documentation, or tests in this PR

@coderabbitai
Contributor

coderabbitai bot commented Jan 4, 2026

Summary by CodeRabbit

  • Chores
    • Added automated ZAP baseline security scan to the staging deployment pipeline; the scan runs after staging deploy and is non-blocking so deployments continue regardless of findings.
    • Scan report is always archived as a pipeline artifact (named with the run ID) for review.

Walkthrough

Adds a new CI job run-zap-baseline-scan to the staging sequence in .github/workflows/run-ci-cd.yaml that runs an OWASP ZAP Baseline Scan against the staging target and uploads zap-report.html as an artifact (upload runs unconditionally).

Changes

Cohort / File(s): ZAP Baseline Scan — Staging (.github/workflows/run-ci-cd.yaml)
Summary: Added job run-zap-baseline-scan (needs: deploy-staging-nest-proxy) running on ubuntu-latest with permissions: contents: read. Steps: run zaproxy/action-baseline pinned to a commit with token, target, options, allow_issue_writing: false, fail_action: false; then upload zap-report.html as artifact named zap-baseline-scan-report-${{ github.run_id }} using actions/upload-artifact with if: always().

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

Suggested reviewers

  • kasya

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The PR title accurately and concisely describes the main change: adding ZAP Baseline Scan to the CI/CD pipeline, which matches the changeset.
Description check ✅ Passed The description is directly related to the changeset, explaining the purpose of adding ZAP Baseline Scan to CI/CD with relevant context and implementation details.
Linked Issues check ✅ Passed The PR successfully implements the requirement from issue #3154 by adding ZAP baseline scan integration to the CI/CD pipeline as requested.
Out of Scope Changes check ✅ Passed All changes are scoped to adding the ZAP Baseline Scan job to the CI/CD workflow and uploading artifacts, which directly aligns with the linked issue requirements.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 71e599e and 66d3982.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/run-ci-cd.yaml


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/run-ci-cd.yaml (1)

571-594: Well-implemented ZAP baseline scan with minor suggestions.

The implementation correctly follows the PR objectives: runs after staging deployment, is non-blocking, and uploads reports for review. The configuration with fail_action: false and allow_issue_writing: false is appropriate for initial iteration.

Consider these improvements for consistency with other staging jobs:

  1. Add environment: staging declaration (other staging jobs like deploy-staging-nest and build-staging-images include this at lines 270, 425, 542)
  2. Add timeout-minutes: 10 or similar to prevent indefinite hangs
🔎 Suggested improvements for consistency
 zap-baseline-scan:
   name: ZAP Baseline Scan
+  environment: staging
+  if: |
+    github.repository == 'OWASP/Nest' &&
+    github.ref == 'refs/heads/main'
   needs:
     - deploy-staging-nest-proxy
   permissions:
     contents: read
   runs-on: ubuntu-latest
   steps:
     - name: Run ZAP Baseline Scan
       uses: zaproxy/action-baseline@v0.15.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         target: 'https://nest.owasp.dev'
         allow_issue_writing: false
         fail_action: false
         cmd_options: '-a -r zap-report.html'

     - name: Upload ZAP report
       if: always()
       uses: actions/upload-artifact@v4
       with:
         name: zap-baseline-scan-report-${{ github.run_id }}
         path: zap-report.html
+  timeout-minutes: 15
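Review bot: the snippet references `uses: zaproxy/action-baseline@v0.15.0` by version tag, while the walkthrough above states the merged job pins the action to a commit, and the PR author reports further down that Sonar's Quality Gate rejects tag references; applying this suggestion verbatim would reintroduce the tag, so the `uses:` line should keep the full 40-character commit SHA, with the tag recorded in a trailing comment for readability. The prose suggests `timeout-minutes: 10` but the snippet adds `timeout-minutes: 15`; the two should agree, and the key reads better placed beside `runs-on: ubuntu-latest` than appended after `steps:`.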
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1d41170 and 5bdf06d.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/run-ci-cd.yaml
🔇 Additional comments (1)
.github/workflows/run-ci-cd.yaml (1)

580-580: No action required — v0.15.0 is the latest stable version.

The zaproxy/action-baseline version in use is current with no known security advisories. Standard security practices apply: ensure you have permission to scan target URLs and use GitHub Secrets for sensitive data rather than storing them in repository files.

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 4, 2026

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5bdf06d and 71e599e.

📒 Files selected for processing (1)
  • .github/workflows/run-ci-cd.yaml

@OM-JADHAV25
Contributor Author

Hii @arkid15r

I initially used zaproxy/action-baseline@v0.15.0 (i.e. the latest version), but Sonar failed the Quality Gate since it requires GitHub Actions to be pinned to a full commit SHA. I updated it to the SHA corresponding to v0.15.0, which resolved the Sonar warning. However, CodeRabbit is now suggesting reverting back to the version tag.

Could you please advise which approach you’d prefer for OWASP Nest?

CodeRabbit also suggested adding a timeout-minutes to the ZAP Baseline Scan job to align with other jobs and avoid potential hangs. If so, what timeout would you recommend?

If any other changes are needed, please let me know -- I’ll update them accordingly.

Thanks!!
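The tag-versus-SHA question raised in this comment is a supply-chain check a repository can enforce on its own, before Sonar sees the workflow. The following is an added example, not part of this PR or the OWASP Nest code base: a stdlib-only Python linter that scans a workflow file for `uses:` references not pinned to a full 40-character commit SHA (the rule Sonar's Quality Gate flagged here) and for jobs that declare no `timeout-minutes` (CodeRabbit's suggestion). The embedded workflow text is constructed for the example, and the 40-hex values in it are placeholders rather than real commits of the referenced actions.

```python
"""Added example (not part of the OWASP Nest PR): a stdlib-only linter for two
workflow-hygiene rules discussed in this thread.

  1. every `uses:` reference must be pinned to a full 40-hex commit SHA
     (the rule Sonar's Quality Gate enforced on this PR);
  2. every job should declare `timeout-minutes` (CodeRabbit's suggestion).

It is a line scanner rather than a YAML parser, so it needs no PyYAML and is
not bothered by GitHub's `${{ }}` expressions.
"""
import re

# Constructed sample workflow for the example. The 40-hex values are
# placeholders, not real commits of the referenced actions.
SAMPLE_WORKFLOW = """\
name: run-ci-cd
on: [push]
jobs:
  zap-baseline-scan:
    name: ZAP Baseline Scan
    needs:
      - deploy-staging-nest-proxy
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Run ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.15.0   # tag, not a SHA
        with:
          fail_action: false
      - name: Upload ZAP report
        if: always()
        uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
        with:
          path: zap-report.html
  lint:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - run: make check-test
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")        # job ids sit at indent 2 under jobs:
TIMEOUT_RE = re.compile(r"^    timeout-minutes:\s*\d+")  # job-level key at indent 4


def is_sha_pinned(ref):
    """True if an `owner/repo[/path]@ref` reference uses a full commit SHA."""
    _, sep, version = ref.rpartition("@")
    return bool(sep) and SHA_RE.match(version) is not None


def lint_workflow(text):
    """Return (unpinned, missing_timeout).

    unpinned: list of (line_number, reference) for `uses:` lines not pinned to a SHA;
    missing_timeout: sorted job ids with no job-level `timeout-minutes`.
    Local actions (`./path`) carry no ref and are skipped.
    """
    unpinned = []
    timeouts = {}
    in_jobs, job = False, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("jobs:"):
            in_jobs = True
            continue
        if in_jobs and line.strip() and not line.startswith(" "):
            in_jobs = False          # a new top-level key ends the jobs mapping
        if in_jobs:
            m = JOB_RE.match(line)
            if m:
                job = m.group(1)
                timeouts[job] = False
                continue
            if job and TIMEOUT_RE.match(line):
                timeouts[job] = True
        m = USES_RE.match(line)
        if m and not m.group(1).startswith("./") and not is_sha_pinned(m.group(1)):
            unpinned.append((lineno, m.group(1)))
    missing = sorted(j for j, ok in timeouts.items() if not ok)
    return unpinned, missing


if __name__ == "__main__":
    unpinned, missing = lint_workflow(SAMPLE_WORKFLOW)
    for lineno, ref in unpinned:
        print(f"line {lineno}: not SHA-pinned: {ref}")
    for job in missing:
        print(f"job {job}: no timeout-minutes")
```

Run against the sample, the linter reports the `zaproxy/action-baseline@v0.15.0` step as unpinned and `zap-baseline-scan` as the job without a timeout, which is exactly the pair of findings this thread converged on. Pinning to a SHA matters because a tag can be moved to point at different code after review, whereas a commit hash cannot; a check like this in `make check-test` catches the regression locally instead of at the Quality Gate.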

@arkid15r arkid15r enabled auto-merge January 4, 2026 19:24
@sonarqubecloud

sonarqubecloud bot commented Jan 4, 2026


@arkid15r arkid15r left a comment

I'm wondering why it's that hard to follow the guidelines and run code quality checks locally 🤷‍♂️

@arkid15r arkid15r added this pull request to the merge queue Jan 4, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 4, 2026
@arkid15r arkid15r added this pull request to the merge queue Jan 4, 2026
Merged via the queue into OWASP:main with commit 99d72e3 Jan 4, 2026
26 checks passed
@OM-JADHAV25
Contributor Author

@arkid15r I'm really sorry about that -- I did run the checks locally and they passed at the time. The issue was around the version tag vs commit SHA usage. After seeing your update and how it was handled in the workflow, I understood the preferred approach. Thanks for the guidance !!! and will try my best to contribute effectively and better to OWASP Nest !!

@arkid15r
Collaborator

arkid15r commented Jan 4, 2026

@arkid15r I'm really sorry about that -- I did run the checks locally and they passed at the time. The issue was around the version tag vs commit SHA usage. After seeing your update and how it was handled in the workflow, I understood the preferred approach. Thanks for the guidance !!! and will try my best to contribute effectively and better to OWASP Nest !!

63b9a56#diff-a280dcee078c7a8e6a03991e799754b56572bbde31aceb69c9a5bd3faef378dcR297

@OM-JADHAV25
Contributor Author

OM-JADHAV25 commented Jan 4, 2026

@arkid15r I'm really sorry about that -- I did run the checks locally and they passed at the time. The issue was around the version tag vs commit SHA usage. After seeing your update and how it was handled in the workflow, I understood the preferred approach. Thanks for the guidance !!! and will try my best to contribute effectively and better to OWASP Nest !!

63b9a56#diff-a280dcee078c7a8e6a03991e799754b56572bbde31aceb69c9a5bd3faef378dcR297

@arkid15r ohh, about this -- apologies from my side!!! Actually, that mistake happened after committing correct quality code to GitHub and then editing the file directly on GitHub, where I deleted that blank line by mistake, but I ensure that from now onwards I will take care of these things and always run code quality checks locally before every commit!!!

-- inconvenience regretted

Successfully merging this pull request may close these issues.

Update CI/CD w/ ZAP baseline scan

2 participants

Comments